Government ‘unlawfully delegated’ bulk data powers to GCHQ, court hears

Privacy International urges Britain’s most secret court, the Investigatory Powers Tribunal, to rule that the government illegally collected surveillance data from internet and phone companies until at least September 2017

The government unlawfully delegated powers to GCHQ to order phone and internet companies to hand over sensitive data on the public, it was claimed in the UK’s most secret court yesterday (12 March 2018).

The Investigatory Powers Tribunal heard that, in practice, GHCQ’s officials were responsible for deciding what data to demand from communications companies, despite legal requirements that these decisions should be made by a secretary of state.

A team within GCHQ, known as the sensitive relationship team (SRT), made decisions on what specific data to obtain from telecoms companies and consulted with them on what data they could supply.

This amounted to unlawful delegation of powers from the secretary of state to GCHQ, and undermined the independent oversight that should have been provided by the secretary of state using powers under Section 94 of the Telecommunications Act 1984, the court heard.

“The real decisions seem to have been taken by members of the SRT or those sitting above them in GCHQ,” Thomas de la Mare, representing Privacy International, told the court on the first day of a two-day hearing.

The arrangement had far-reaching implications for the domestic legality of the GCHQ regime and its compliance with Article 8 of the European Convention of Human Rights, the campaign group claimed in legal submissions.

Evidence of the close relationship between communications companies and GCHQ emerged during cross-examination of GCHQ’s deputy director of mission policy – known as witness X – who gave evidence from behind a curtain at a hearing on 26 February 2018.

There were “consensual” arrangements between telecoms companies and GCHQ officials to hand over their customers’ communications data, the court heard.

The SRT sometimes made requests for telecommunications data in writing, but in many cases requests were made verbally and not recorded by GCHQ or the communications companies.

The wording of Section 94 directions disclosed in court implied that requests would be signed either by the director of GCHQ or by a senior member of the SRT, rather than a secretary of state. At least one of the directions gave powers to a nominated GCHQ official to “make, renew, or modify requests”.

Did GCHQ withhold evidence from regulator?

Lawyers for Privacy International questioned whether GCHQ had provided the independent regulator, Stanley Burnton, with full access to its documentation during an audit inspection into Section 94 powers.

Witness X, who was responsible for GCHQ’s legal compliance until January this year, told the tribunal at an earlier hearing that GCHQ had provided Burnton, the interception of communications commissioner, with complete access to the agency’s documentation on Section 94 orders.

In a report published in July 2016, Burnton said GCHQ’s systems were operating properly, that commissioners responsible for independent oversight had made recommendations and GCHQ made changes, and that the oversight systems were working as intended.

But Privacy International told the court that the commissioner could not have reached the conclusions he reached had he read the Section 94 notices and “trigger” letters GCHQ had issued to telecoms and internet companies, which were disclosed to the court.

“What we have learned in the context, in particular from witness X, was that Stanley Burnton was either misled or, if witness X’s evidence is correct, was given the whole package [of information] but did not use it,” said Privacy International’s De la Mare. Either way, he said, the oversight system had failed.

No proper oversight of contractors

Lawyers for the campaigning group told the tribunal there had been no proper independent oversight of contractors working for GCHQ.

The NGO said contractors posed a greater risk to security than permanent members of staff, as they have only made a short-term commitment to the agency, have high levels of access to computers holding sensitive data, and may have in-depth technical knowledge of the systems they are working on.

Witness X initially claimed in written evidence that contractors would only have access to small amounts of test data but would not have systems administrator rights on operational systems.

He changed his evidence three months later, disclosing that GCHQ employed 100 contractors who had administrator rights to GHCQ’s computer systems holding bulk personal datasets – which may include records of the population’s phone calls, mobile phone location data, bank account details and social media use.

A contractor with systems administrator rights could set up a fake account, under a false name, have full access to development tools, then delete the logs. They could also add software to the system and use it to export data, the court heard.

“No matter how agencies try, someone will steal one of these databases and put it on the internet, and someone will be able to look up where anyone has been over the past year,” said Ben Jaffey QC.

Algorithms and machine learning questioned

Privacy International told the court that it was questionable whether the data analysis techniques used by the intelligence services were proportionate in law.

Staff at MI5 and MI6, for example, search through the entire range of bulk datasets held by the agencies – which contain highly sensitive records on individuals – by default, without any assessment of whether such a wide search is justified, Jaffey told the court.

“If I am at MI6 and I need to know someone’s passport number and when they got on a flight, I would come back with far more information than I asked for,” he said.

The secret history of Section 94

Telephone and internet companies have been able to voluntarily disclose communications data, showing the times, dates and parties to phone calls, emails and which websites their customers visited, to GCHQ and other intelligence agencies since 1985.

The Interception of Communications Act 1985 gave legal cover to communications companies to hand over their customers’ data, as long as they did so “in the interests of national security or in pursuance of an order of the court”.

The practice of voluntary disclosure continued until October 2000, when the communication companies’ legal protections were removed following the enforcement of parts of the Regulation of Investigatory Powers Act (Ripa).

The government responded by resorting to the novel use of Section 94 of the Telecommunications Act 1984 to legitimise voluntary disclosure of data to GCHQ and the intelligence services.

The practice remained secret until November 2015, when the government “avowed” its use with the introduction of the Investigatory Powers Bill, which became law in 2016.

Despite claims by GCHQ that the secretary of state provided independent oversight, in practice the secretary of state often issued broad authorisations, allowing GCHQ officials to negotiate with the phone and internet companies over the specific data they should provide, disclosures made to the Investigatory Powers Tribunal have revealed.

There had been no independent scrutiny of complex algorithms and machine learning techniques used by the intelligence agencies to sift through intercepted data. They may have built-in biases and may be discriminatory on the grounds of race or sex, Jaffey told the court.

“Let us assume that the algorithm is one that sweeps too widely, it has a tendency to produce information that is of low intelligence value, but tends to breach privacy. If such an algorithm exists, that is disproportionate, how is that to be dealt with?” he said.

Jaffey argued that the IPT should re-open its October 2016 judgment which found that UK intelligence services had been collecting bulk data on the population illegally until 2015.

Evidence disclosed in the case showed that the earliest point bulk data collection could have become legal was September 2017, when the Investigatory Powers Commissioner’s Office (IPCO) was set up as an oversight body under the Investigatory Powers Act, Privacy International told the court.

Secretary of state can delegate to GCHQ

James Eadie, representing the government and the intelligence services, told the court that it was not unlawful for the secretary of state to issue wide-ranging orders to telecoms and internet companies to disclose data and then allow GCHQ officers to decide what subset of that data they wanted.

Secretaries of state have authorised a breadth of data from communications service providers, and GCHQ has asked for a subset of that data. “What has the secretary of state authorised? The greater. It follows as a matter of authority, he also authorised the latter,” he said.

Privacy International said it would invite the tribunal to consider making a costs order against the government to reflect the multiple additional hearings the case has required as a result of the government’s conduct during earlier hearings.

Inspections reveal security breaches by contractors in intelligence agencies

There have been two serious breaches where contractors “had undertaken unnecessary queries of bulk data with no proper business justification”, a 2014 report by the intelligence services commissioner revealed.

A report by the commissioner the following year raised concerns that a contractor at MI5 had breached bulk person data – some of the most sensitive intelligence held by the agency – while other contractors were responsible for less serious abuses.

It recommended that “MI5 should make it plain to seconders and contractors that they are subject to MI5 rules of conduct regarding access to data and ensure all people working on MI5 premises know the consequences of misuse”.

GCHQ disclosed that a database containing bulk personal data had been accessed remotely by fewer than 20 individuals working for industry, but that it was unable to demonstrate what data had been accessed.

In another case, GCHQ transferred a telephony database containing at least some data obtained under Section 94 to a partner, using an encrypted laptop sent by secure courier service, but the agency said it had no record of what data was included in the transfer.

Read more on IT legislation and regulation

Data Center
Data Management