At the collection point, it is critical to clearly define who is in charge of extracting the data and where and how the extraction devices may be installed. Is the collection administered by the intelligence service, or do private entities (e.g., ISPs) do this on behalf of the intelligence services? This distinction is relevant, as provider intermediation can be an important safeguard against over-collection. In principle, intelligence agencies should not have direct access to the facilities of telecommunications providers. Cases have surfaced, though, in which internet companies agreed to search the data they administer on behalf of an agency. Yahoo, for example, secretly scanned all email accounts for information provided by US intelligence agencies. A legal framework, therefore, has to define how (private) intermediaries may be compelled to cooperate and what means are available for operators to challenge particular measures.
Once data has been acquired by means of untargeted electronic surveillance, it may be subject to additional filtering, depending on the national surveillance regulations. The specifics of the data minimization and filtering processes should be subject to critical review, for they may reveal the extent to which intelligence agencies abide by constitutional and human rights standards. For example, some intelligence laws grant enhanced privacy protection to professions that depend on the confidentiality of information. This may pertain to communications involving priests, lawyers, journalists, and physicians. Whether and how data minimization and filter tools can accurately identify such communications in practice should be of interest to oversight bodies. This may also extend to the review of protected health data and biometric data.
In addition, there are technical questions that come to mind, as they, too, reveal interesting information about the independence of oversight bodies and the extent to which data minimization is an actual priority (or not) within the intelligence community. For instance, how is “surplus information” treated in the collection and filtering process? When data minimization systems, such as the Massive Volume Reduction (MVR) systems of the United Kingdom’s Government Communications Headquarters (GCHQ), are being used, are they subject to independent oversight? More specifically, are the technical equipment and filter programs regularly subject to independent verification, or do the oversight bodies merely rely on the assurances of the intelligence agencies that the data minimization and filtering processes are fit for purpose?