GCHQ told analysts to assume surveillance 'bulk data' is legal

Analysts told to assume all data is legal

A compliance guide which has been in operation since 2014, released as part of the cache, shows that GCHQ analysts have been told to assume that the data collected by GCHQ is legal.

“You can assume the data you analyse has been legally obtained, as long as policies on collection and targeting have been properly followed,” it claims.

Analysts are told to abide by three key tenets when searching datasets held on individuals – that their searches be authorised; necessary for the purposes of national security, the economic well-being of the UK, or the prevention of serious crime; and proportionate.

The documents disclosed to Privacy International show that the UK government’s intelligence services – GCHQ, MI5, and MI6 – routinely requisition personal data from potentially thousands of public and private organisations.

This includes data held by financial institutions and may also include anything from confidential NHS records to databases of people who have signed electronic petitions, the organisation said.

“The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data and commercial activities,” said Millie Graham Wood, legal officer at Privacy International.

“This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime,” she said.

Intelligence agencies have been collecting the data sets secretly for the past 15 years and are now trying to quietly put the powers on the statute book, through the Investigatory Powers Bill, for the first time, the pressure group said.

Legal profession alarmed by lack of oversight

The revelations have raised concerns among the legal professionals who claim state surveillance is undermining the legal professional privilege between lawyers and their clients, potentially undermining the right to a fair trial.

Jonathan Smithers, president of the law society, told Computer Weekly: “Legal professional privilege is vital to the administration of justice. It protects a client’s fundamental right to be candid and confidential with their legal adviser without fear that someone is listening in.

“It is essential that the Investigatory Powers Bill, currently before Parliament, contains stronger safeguards for legal professional privilege,” he said.

Evidence given by the Bar Council claimed that safeguards to protect lawyer-client privilege only covered some of the extensive surveillance powers introduced by the draft legislation, and those that exist are inadequate.

Journalists and members of Parliament have raised concerns that the Investigatory Powers Bill will make it impossible for whistleblowers to reveal wrong-doing or corruption to the press without risk of reprisals.

“The investigatory powers bill contains extremely intrusive and unnecessary surveillance powers that trample over the very principles of journalism, the bill will be a death knell for whistle-blowers of the future,” said Michelle Stanistreet, general secretary of the National Union of Journalists.

Bulk data sets criticised by Intelligence and Security Committee

The existence of BPDs was first revealed in an Intelligence and Security Committee (ISC) report, published in March 2015.

The report acknowledged that their collection and search “may be highly intrusive” and “impacts on large number of people.”

There has been minimal oversight and no clear legal regime governing the use of BPDs, and that GCHQ, MI5 and SIS had abused BPDs in the course of their work, the ISC said.

Subsequently, it emerged that the security services had used section 94 of the 1984 Telecommunications Act to force communications services providers to give bulk access to communications data.

Revealed: GCHQ guidelines for sensitive professions

The GCHQ compliance guide sets out cases where GCHQ’s surveillance targets have a higher expectation of privacy, notably when GCHQ gathers information that could affect fair trials, freedom of the press and freedom of religion.

Analysts are required to obtain a Combined Policy Authorisation (Copa), ratified by a senior government official before being signed off in GCHQ, the document reveals. Material subject to legal privilege must not be shared or acted on without GCHQ itself taking legal advice.

Each query-based system that makes data available to GCHQ analysts requires a justification under the Human Rights Act and must be logged for future audit, the document claims.

Privacy International aims to obtain declarations that both the use of BPDs and the use of section 94 powers are illegal, and is seeking orders against the government to discontinue their use.