UK spy agencies systematically amass data on innocent people, legal challenge reveals

Privacy campaign group Privacy International says documents it has obtained through a legal challenge to the UK security agencies data-harvesting practices illustrate the extent to which spies have systematically and secretly amassed a cache of data on UK citizens for the past 15 years — regardless of whether a particular individual is suspected of a crime.

Aka: mass surveillance.

The cache of 46 documents relate to policies, procedures and guidance in place for one aspect of UK state investigatory powers — so-called Bulk Personal Datasets (BPDs) — as well as covering Section 94 (of the Telecommunications Act 1984) directions for GCHQ, MI5 and MI6.

In several documents, including one pertaining to security and intelligence agency policy, agencies observe that the “majority” of the data amassed in these databases contains “personal data about a wide range of individuals, the majority of whom are not of direct intelligence interest”.

The policy document, dated February 2015, also warns staff to brace for “more onerous authorisation processes (beyond our current largely internal ones), as well as enhanced external oversight” as a consequence of the government considering changes to investigatory powers law.

“At the very least we should expect increased and significant public interest and debate,” it adds.

In another document pertaining to the handling of BPDs by GCHQ, the agency notes the elevated risk of privacy rights infringement from using this type of data:

Although bulk personal datasets constitute only a tiny proportion of the data GCHQ obtains, its retention and use of such datasets represent a significant interference with many people’s right to privacy under the European Convention on Human Rights (ECHR). This interference must be justified in terms of its necessity and proportionality, in accordance with Article 8(2) of the ECHR. The use of such data for operational purposes is also especially sensitive and carries an elevated degree of corporate risk. GCHQ has therefore established special arrangements to ensure appropriate handling of such data throughout its life-cycle, both within and, where applicable, beyond GCHQ.

The UK government is in the midst of pushing a new surveillance law through parliament which aims to expand the intrusive capabilities available to domestic police and security services. Yet, at the same time, the Home Secretary Theresa May has repeatedly rejected claims domestic security agencies are engaged in mass surveillance of citizens — preferring the euphemism term ‘bulk collection’.

Back in January she rebutted criticism that state agencies engage in mass surveillance, waspishly telling a parliamentary committee scrutinizing the draft Investigatory Powers Bill that: “We do not collect all the data, all of the time.”

However the documents obtained by Privacy International, as part of a legal challenge, show domestic intelligence agencies have been collecting, if not every last bit and byte, then certainly very large troves of data on UK citizens. And doing so for a very long time.

According to Privacy International, requisitioned data can include medical records, travel records, financial records, population data, commercial data (details of corporations and individuals involved in commercial activities), regular feeds from internet and phone companies, billing data or subscriber details, content of communications (including with lawyers, MPs and doctors), and records from government departments.

It adds that the documents indicate such data is routinely requisitioned.

Aka: mass surveillance.

“The papers released today act as proof of, and show the sheer scale of, British intelligence agency surveillance of our personal data,” it asserts. “It goes far beyond monitoring our text messages, email messages, and social media posts. The intelligence agencies have secretly given themselves access to potentially any and all recorded information about us.”

The use of BPDs as an investigatory tool was only revealed in March last year, via an Intelligence and Security Committee (ISC) report. Yet these large databases had been used in secret for scores of years, apparently sanctioned under a law that pre-dates the rise of the commercial Internet. (The documents confirm Section 94 of The Telecommunications Act 1984 has been used by the UK state to access data in bulk.)

The ISC report previously described BPDs as “large databases containing personal information about a wide range of people” — which it said are used by intelligence agencies to “identify individuals during the course of their investigations, to establish links between Subjects of Interest, and to verify information that they have gathered through other means”.

And Home Secretary May has described them as an invaluable tool for the security agencies, arguing that “bulk capabilities” are important to retrospectively sift through a target’s communications as part of an active investigation.

“You need to be able to acquire the communications in the first place and when the target is overseas bulk interception obviously is one of the key means, and indeed it may be the only means, by which it’s possible to obtain communications,” she told a parliamentary committee back in January, adding: “It is about keeping people safe and secure.”

The flip-side of that argument is of course that amassing gigantic databases containing sensitive personal data on every citizen in the country is not only a massive and disproportionate privacy infringement but also vastly increases the volume of data the intelligence agencies have to sift through — thereby increasing the signal to noise ratio and making effective, targeted intelligence work harder.

And if May wants to assert that gigantic intelligence databases are necessary to ‘keep people safe’, it’s worth making the obvious point that the UK security agencies’ bulk data collection habits did not prevent the 7/7 co-ordinated terror attack in London, in July 2005. Nor the slaying of solider Lee Rigby in a London street three years ago by two men who were in fact already known to the security services. The evidence that mass surveillance/bulk collection keeps people safe is as apparently elusive as the targets spy agencies are tasked with seeking.

Last year’s ISC report which first disclosed the existence of BPDs also revealed there are hundreds of millions of these databases, which it said may be linked together. Privacy International’s suggestion now is these databases “could be used to build detailed profiles about all of us”.

“The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” said Millie Graham Wood, Legal Officer at Privacy International, in a statement.

“This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals.

“The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny.”

The organization also notes that in recent years only three cases of non-compliance or misuse of BPDs have resulted in staff being disciplined. “It is not apparent that any victims have been notified,” it adds.

Privacy International’s legal challenge was originally filed with the Investigatory Powers Tribunal oversight body in June last year — focused on “whether the acquisition, use, retention, disclosure, storage and deletion of Bulk Personal Datasets is in accordance with the law and necessary and proportionate”. It subsequently updated and re-amended its case to incorporate additional intelligence service disclosures, such as pertaining to the use of the Telecommunications Act to authorize BPDs.

It says it is in the process of reviewing “the large amounts of disclosure” and intends to post more detailed analysis in due course. (The full cache of documents are available to review online here.)