Petrovich12 - Fotolia
Innocent people have been questioned by police, had computer equipment confiscated and faced arrest when suspected of serious crimes following errors made by internet service providers (ISPs), telecoms companies, police and other public bodies in gathering intelligence through electronic surveillance.
Police and other government agencies have reported 24 serious errors in accessing the public’s email, web browsing and phone history from telephone and internet providers.
The errors have had potentially “grave” repercussions for people wrongly suspected of crimes and their families, according to investigatory powers commissioner Adrian Fulford.
Police wrongly arrested 19 people and visited the work or home addresses of another innocent 10 people, and welfare checks on six vulnerable people were delayed following errors by public bodies accessing private internet, phone and email data, the Investigatory Powers Commissioner’s Office (IPCO) revealed.
The commissioner’s first report, covering the year 2017, warned that surveillance errors could have serious consequences for the individuals affected.
“This is particularly evident when homes or offices are searched and the nature of the investigation is revealed to members of the individual’s family and his or her neighbours or employer,” Fulford wrote in his annual report to the prime minister.
“Children are at risk of being taken into care, and individuals in notifiable, and other, occupations may be suspended or dismissed. Strict bail conditions can result in a suspect having to leave his or her home.”
Wrongly accused people can be left without access to their computers, tablets and telephones while they are subject to protracted forensic analysis, said Fulford.
Adrian Fulford, IPCO
“Often, it is only when investigators find nothing of suspicion that consideration is given to the possibility that authorities may have made an error transcribing the information which links an address or a device to communications data gathered through electronic surveillance,” he wrote.
IPCO formerly took over as watchdog for electronic surveillance and the intelligence services in September 2017, replacing three earlier oversight bodies, following the introduction of the Investigatory Powers Act 2016, known as the snoopers’ charter.
The number of errors, which are self-reported by police forces and other public bodies to the Investigatory Powers Commissioners Office (IPCO), are small compared with the total volume of communications data – some 750,000 items in 2017 collected by government bodies each year.
But the consequences for individuals who are wrongly investigated because of mistakes made in accessing their data can be highly damaging.
Read more about the Investigatory Powers Commissioner’s Office
- Home Office refuses academic and privacy campaigner Eric King security clearance for a senior role at the intelligence services watchdog, despite high-level backing from officials.
- IPCO signals to government that it will take a tough line when scrutinising surveillance warrants under the controversial Investigatory Powers Act.
- Investigatory powers commissioner reviews security arrangements for IT contractors with access to live computer systems at GCHQ holding highly sensitive records on the UK population.
Innocent people arrested
In one case, police investigating the sexual exploitation of two children raided the home of an innocent family and seized computer equipment were found to have misinterpreted subscriber information linked to two IP addresses.
In another case, police investigating peer-to-peer sharing of indecent images of children searched and seized equipment from eight innocent households, after making mistakes identifying the IP addresses of the suspects. The case is still under investigation.
Police also arrested and interviewed an innocent person after government officials misinterpreted incoming call data, after receiving a call from someone reporting where a body had been left.
Public bodies self-report errors
IPCO’s report revealed that public authorities reported 926 errors in 2017, of which 33 were considered serious enough to demand further investigation.
Many of the surveillance errors were due to typing errors, the IPCO report revealed, because much of the information required to order the disclosure of internet or phone records has to be typed into computer systems manually from crime or intelligence reports.
“The error can be as simple as getting one digit of a telephone or IP address wrong, which can result in erroneous data being returned,” Fulford wrote in the report.
“If the identifying information is not entered exactly, wholly innocent people can be suspected of crimes they did not commit (such as sharing indecent images of children) with dire consequences.”
Hundreds of government bodies have access to public’s data
More than 500 public bodies have access to the public’s telephone and internet data under the Regulation of Investigatory Powers Act. In addition to the intelligence services, they include local authorities, the Communications and Markets Authority, HM Revenue and Customs, and other bodies.
They are empowered to compel internet service providers and phone companies to disclose data about the public’s web browsing history, emails or phone calls. They can also order libraries, businesses, hotels, restaurants, or airport lounges that provide Wi-Fi services to disclose data.
In 2017, public authorities retrieved more than 750,000 items of data – a figure in line with 2016 and 2015 – the vast majority of which was acquired by law enforcement for preventing and detecting crime, particularly drugs and sexual violence.
The UK intelligence services, which have their own sophisticated technology for intercepting and collecting the public’s communications, requested more than 49,000 items of data from communications service providers, just 6.5% of the total.
Aside from the Metropolitan Police, the largest consumers of the public’s internet, phone and email data include the West Midlands Police, the National Crime Agency, and the police forces in Merseyside and West Yorkshire, the report revealed.
The mistakes that led to innocent people receiving visits from the police
An innocent man was arrested and interviewed by police investigating sexualised chats on social media with a young child, after police mistyped the suspect’s online username while accessing his subscriber information.
Misidentification on social medial
A government body obtained IP log-on and access history to track down a vulnerable missing person from a social media account. Police visited the premises to find that the person shared the same name but had no connection with the person they were looking for.
IPCO’s analysis revealed that the introduction of the internet protocol IPv6 could also cause problems for investigating authorities. In one case, police investigating online harassment visited the home of an innocent family after investigators used a corrupt and out-of-date macro to convert IPv6 internet addresses to a different format.
Wrong time codes
Two innocent people were arrested and interviewed by police investigating sexualised chat over the internet with a child. The investigators made errors ascribing the time of the activity when making a request for communications information under the Regulation of Investigatory Powers Act (Ripa). The investigation began in 2015, but the error was not reported to IPCO until 2017.
Police investigating a suspect alleged to have been grooming a young female through social media made transposition errors which led to them identifying incorrect IP addresses. As a result, they visited two families unconnected with the investigation and took statements from them.
Crossed telephone wires
Police made three visits to the home of an innocent family, seized equipment and instituted safeguarding procedures during an investigation into peer-to-peer sharing of illegal images. It later emerged that the communications service provider had crossed two wires in its street cabinet, leading to the wrong household being identified.
ISP gets the time wrong
An internet service provider changed the format of how it recorded time in its records from a 24-hour clock to a 12-hour clock, without notifying public authorities. When the matter came to light, an investigation revealed 173 surveillance incidents, including three reportable errors. It resulted in a search warrant being issued against an innocent person.
ISP held wrong address data
A communications service provider discovered that it had inaccurate address data on its billing database. Police investigating peer-to-peer sharing of indecent images arrested and searched the home of an innocent person, after acting on the data, and welfare visits to vulnerable people were delayed.
ISP makes clerical blunder
Investigators looking into the uploading of illegal images contacted the chairman of a company that had no involvement in the crime after an ISP confused two companies with similar names.
ISP uses wrong time zone
A communications service provider reset the time zone used to record its Wi-Fi usage data, resulting in its records being an hour out. It identified 19 potential errors in access requests made by 14 public bodies. The errors resulted in a search warrant being executed against an innocent person and their devices seized.
Read more on Managing IT and business issues
EncroChat: Top lawyer warned CPS of risk that phone hacking warrants could be unlawful
Dutch accuse UK of ‘damaging confidence’ by disclosing details of EncroChat police collaboration
Surveillance expert ‘unfairly’ refused job at intelligence regulator after MI5 intervened
MI5 accused of withholding surveillance compliance failures from cabinet minister