UK intelligence agencies ‘unlawfully’ sharing sensitive personal data, court hears

Britain’s intelligence agencies are sharing highly sensitive data about the population with foreign intelligence services, industry and other UK government agencies, without adequate protections in place, the UK’s most secret court will hear this week.

Campaigning group Privacy International will argue in a hearing at the Investigatory Powers Tribunal (IPT) that intelligence services are sharing huge datasets about largely innocent people with third parties without sufficient controls on how the data will be used.

The case is expected to shed light on the way in which GCHQ, MI5 and MI6 share sensitive information, originally collected for national security purposes, with partner intelligence services in the Five Eyes network, law enforcement and government departments, including HMRC, and with private sector partners and universities.

It emerged during a hearing at Southwark Crown Court on 17 October 2017 that the UK intelligence agencies hold a bulk database containing the records of potentially millions of people’s social media use.

Further disclosures reveal that intelligence watchdog, the Investigatory Powers Commissioner’s Office (IPCO), has raised particular concerns about a lack of safeguards in place to prevent the misuse of systems by private contractors. These contractors are given “administrator” access to the information collected by UK intelligence agencies – contradicting reassurances given by GCHQ.

Privacy International said that the government had failed to provide evidence that there were sufficient safeguards in place to protect the use and security of sensitive data once it had been shared with others. A foreign government, for example, could use the data to support an unlawful detention or torture programme, or use it to identify the target for a lethal operation.

Ben Jaffey, representing Privacy International told the tribunal that: “once the data set is provided outside the agency then control has been lost. For example a foreign partner could hand it on to another foreign partner that the UK would not pass it to, or be used for operations for which the UK would not approve.”

There is no adequate audit of bulk data gathered by analysts at GCHQ, he told the hearing.

The Investigatory Powers Tribunal ruled last year that UK intelligence agencies had been unlawfully collecting the population’s mobile phone and internet data for 17 years, without adequate safeguards or supervision.

The three-day hearing centres the on the lawfulness of GCHQ and MI5 sharing vast intelligence databases, containing highly sensitive details of the individuals, with industry, universities, other government departments, and foreign intelligence agencies.

They include bulk communications data (BCD), which records the populations internet, telephone and location histories, and bulk personal datasets (BPDs), which contain “considerable volumes” of biographical information on individuals’ financial and commercial activities, and travel patterns.

The case comes days after home secretary Amber Rudd called on technology companies to provide the government with back-door access to widely used, encrypted applications, such as What’sApp, despite a later admission that she did not understand encryption.

Watchdog raises concerns over sharing intelligence with private sector partners

GCHQ has confirmed that it shares entire databases of “raw sigint” (signals intelligence) data with industry partners, “contracted to develop new systems and capabilities for GCHQ”.

They may access databases by visiting GCHQ’s premises, interrogate databases through remote access to GCHQ’s networks, or have the data transferring data to their own premises.

The surveillance watchdog, the Investigatory Powers Commissioner’s Office (IPCO), has raised particular concerns about the role of private contractors given “administrator” access to the information UK intelligence agencies collect.

It said it was concerned that there were currently no safeguards in place to prevent misuse of the systems by third party contractors, in a statement which raises questions over the accuracy of statements by GCHQ.

“Neither ISCom [The Intelligence Services Commissioner’s Office] nor IOCCO [The Interception of Communications Commissioners Office] were previously informed by GCHQ that the sharing of BPD/BCD with industry partners, as described in the statement of the GCHQ witness…had occurred,” the IPCO said in a letter dated 19 September 2017.

Separately, the Investigatory Powers commissioner has confirmed that sharing of bulk personal datasets “with industry partners” was not audited, nor were there records of any inspection visits.

“After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments. The risks associated with these activities are painfully obvious,” said Graham Wood of Privacy International.

In one case, a database containing telephone records was transferred from GCHQ Benhall, Cheltenham, to a partner’s premises through a secure courier service. GCHQ confirmed that it did not log the queries made on the data, and that its use has not been examined by an independent commissioner.

GHCQ also confirmed in a witness statement that one database of bulk personal data had been accessed by a small number of people – less than 20 – working for industry partners, but that it had no record of what information they accessed.

The University of Bristol is one of GCHQ’s most important industry partners. Researchers were given access to GCHQ’s entire datasets, covering people’s internet use, telephone call data and the websites they visited.

They also had access to GCHQ’s entire targeting database – a highly sensitive database – that was delivered to the university at least once a day, documents released by National Security Agency (NSA) whistleblower Edward Snowden revealed.

UKUSA and data sharing between the Five Eyes

The UK and US agreed to share intelligence data in a now declassified agreement known as UKUSA, which was first signed in March 1946. The document forms the basis of the reciprocal intelligence sharing principles between the Five Eyes, intelligence agencies, Britain, US, Canada, Australian and New Zealand.

The agreements have since been updated but remain highly classified, while the number of intelligence agencies that share information – with varying degrees of cooperation – has grown from 5 to more than 40.

The UK government has refused to confirm or deny whether the UK intelligence agencies share BPDs and BCD with overseas intelligence agencies – a position that Privacy International claims is untenable.

“You would expect governments to be conducting some form of sharing with foreign governments. So to neither confirm nor deny it is a bit ludicrous, because everyone would expect it – the average person would expect it, a criminal would expect it, a terrorist would expect it,” said Graham Wood.

The Intelligence and Security Committee said in a report in March 2015 that while controls over how data is used, stored, retained and disclosed apply within the secret intelligence agencies, they “do not apply to overseas partners with whom the agencies may share datasets”.

Data may be passed to another country, even though the UK would be unwilling to share the data directly with that state, the non-govermental organisation (NGO) argued, while permitting remote access allows third parties to quickly search vast quantities of data, without having to process the data itself.

Documents leaked by Snowden show that the only requirement at the NSA to access GCHQ’s data is that analysts click a box to show that they have the relevant training.

The director of the NSA was briefed that the former director of GCHQ, Iain Lobban, was likely to ask whether UK-source data might be given by the NSA to the Israeli government to conduct “lethal operations” during a visit to the US agency, one leak revealed.

Telephone and internet service providers (ISPs) have raised concerns with intelligence agencies about the sharing of their data overseas. In one case, a communications company asked an intelligence agency not to share their data outside the UK.

In other cases, communication companies said they “would be very concerned if data was shared with other jurisdictions without their knowledge,” according to a report by the Interception of Communications commissioner, Stanley Burnton.

Repurposing data collected for national security

Once the intelligence data has been collected for purposes of national security, it can then be repurposed for uses which fall far short of national security – such as checking up on people’s tax status.

Under one programme, codenamed Milkwhite, GCHQ made huge volumes of data about people’s online activities available to MI5, the Metropolitan Police, the then Serious Organised Crime Agency, the Police Service of Northern Ireland, the Scottish Recording Centre, and Her Majesty’s Revenue and Customs (HMRC) on a “business as usual” basis.

GCHQ has been collecting BCD on the UK population’s internet, email and phone use since 1998, under the Telecommunications Act 1984. The practice remained secret until November 2015, when the government “avowed” the practice with the introduction of the Investigatory Powers Bill.

Under the Telecommunications Act 1984, the secretary of state can issue “section 94” directions to phone and internet companies to require them to disclose communications data to the intelligence services.

But evidence disclosed in earlier hearings suggest that GCHQ’s section 94 directions are worded in such a way that allows the power to request BCD to be delegated to the director of GCHQ, or any person authorised by him.

Graham Wood said while the secretary of state is supposed to have independent oversight of requests for BCD, in reality, ministers have little control over how the power is used.

“It means that no one is checking how this power is being used or the extent to which it is being used. In fact, a minister isn’t fully aware of what is going on when they should be,” she said.

This makes the directions unlawful under UK domestic and EU law and is in breach of Article 8 of the European Convention on Human Rights, which guarantees the right of privacy, the NGO will argue this week.

Show More

Related Articles