fresnel6 - Fotolia
British intelligence agencies secretly and unlawfully collected the population’s mobile phone and internet data for more than a decade, a ruling by the UK’s most secret court revealed.
The Investigatory Powers Tribunal ruled on 17 October 2016 that UK intelligence agencies have been collecting bulk data on the population without adequate safeguards or supervision for more than 10 years.
The ruling comes as the Investigatory Powers Bill (IPT), which gives sweeping surveillance powers for law enforcement and the intelligence services, is going through its final stages of approval in Parliament.
It follows a legal complaint by the human rights group, Privacy International, which is challenging the legality of the security agencies collection of bulk communications data and bulk personal datasets containing private and sensitive data on individuals.
“This judgement confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people have been spied on,” said Matt Scott of Bhatt Murphy solicitors, who represented Privacy International.
Bulk communications data includes details of websites visited, email contacts, records of email traffic, the location of mobile phones and call data. Although they do not include the content of emails or phone calls, communications data can be used to build a detailed profile of an individual.
GCHQ has been secretly collecting bulk communications data (BCD) on the UK population since 1998. But, with responsibility for oversight split between several regulators, there was no adequate oversight until 2015, the IPT ruling revealed.
“We are not satisfied that, particularly given the fragmented nature of the responsibility apparently shared between the commissioners, there can be said to have been an adequate oversight of the BCD system, until after July 2015,” according to the 70-page judgement.
There have been instances of non-compliance with internal procedures and safeguards in relation to access of BCD databases at GCHQ and MI5, it said.
Communications data collection kept secret from parliament
The collection of bulk communications data had been kept secret from Parliament and the public, the tribunal found, in effect making its practice unlawful under human rights law, particularly article 8 of the European Convention of Human Rights, which guarantees a right to privacy.
Robert Hannigan, then at the Cabinet Office, wrote in 2010: “It is difficult to assess the extent to which the public is aware of agencies holding and exploiting in-house personal bulk datasets, including data on individuals of no intelligence interest.”
According to a previously secret MI5 policy document, the fact that the security service held bulk financial data, even in an anonymised form, was “a high corporate risk’.
“Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it said.
The IPT judgement said: “It seems difficult to conclude that the use of BCD was foreseeable by the public, when it was not explained to Parliament.”
The government missed several opportunities to publicly avow bulk data collection when codes of practice were being introduced or amended, the judgement added.
Read more about bulk communications data
- Documents obtained by charity Privacy International reveal insights into GCHQ’s collection of sensitive bulk data, with analysts told to assume surveillance ‘bulk data’ is legal.
- Judges at the UK’s most secret court were persuaded not to disclose the existence of secret intrusive data on the population after briefings and lunch with MI5’s deputy director general.
- Former NSA technical director and whistleblower Bill Binney talks about the Investigatory Powers Bill and the UK government’s independent review of bulk surveillance powers.
Bulk personal datasets include personal and biographical details about individuals – the vast majority unlikely to be of intelligence interest – details of their travel and financial transactions, and communications records which may include legally and journalistically privileged communications.
“While each of these datasets in themselves may be innocuous, intelligence value is added in the interaction between multiple datasets. One consequence of this is that intrusion into privacy can increase,” the ruling said.
Intelligence agencies began collecting bulk personal data sets in 2006, but operated without statutory oversight until March 2015, according to the judgement.
“There was no statutory oversight of BPD’s by the intelligence services commissioner prior to the March 2015,” it said.
The tribunal found that the regimes for bulk communications data collection and bulk personal data sets are lawful, after the government publicly “avowed” the programmes in 2015.
Questions over Investigatory Powers Bill
Privacy International, however, said oversight is still lacking, with no requirement in the forthcoming Investigatory Powers Bill for judicial authorisation for warrants or procedures for notifying victims when their data has been misused.
The tribunal has not assessed the necessity and proportionality of gathering such intrusive data about UK residents in bulk, said Privacy International, nor has it specified whether illegally obtained sensitive personal data will be deleted.
David Anderson QC, the independent reviewer of terrorism legislation, concluded that there is a proven operational case for the use bulk communications data, and bulk personal datasets, including defending against cyber security, counter-espionage and counter-terrorism to child abuse and organised crime.
Millie Graham Wood, legal officer at Privacy International, said there were huge privacy risks with the use of bulk communications data.
“The public and Parliament deserve an explanation as to why everyone’s data was collected for more than a decade without oversight,” she said.
Bulk personal datasets failed to comply with human rights legislation under the European Court of Human Rights until it was publicly avowed in March 2015. Bulk communications data failed to comply until November 2015, according to the ruling.
A further hearing in December, will consider issues under European Union law, whether collection of communications data under Section 94 of the Telecommunications Act 1984, and the collection of bulk data sets, is proportionate.
The court has also invited further submissions on the sharing of bulk data with foreign partners and law enforcement agencies.
Bulk personal data
It includes “considerable volumes” of biographical data, data on commercial and financial activities, communications and travel, as well as communications data obtained under section 94 of the Telecommunications Act 1984 or by interception under a warrant.
Bulk personal data may be searched by security agencies to discover details about persons of intelligence interest. They are used to:
- help identify subjects of interest or unknown people that surface in the course of investigations;
- establish links between individuals and groups;
- improve understanding of targets’ behaviour and connections;
- verify information obtained through other sources.
BPD can contain sensitive personal data and information covered by legal professional privilege, journalistic material and financial data. The security services may share bulk personal data with foreign partners, or other parts of government.
The existence of bulk personal data sets remained secret until March 2015, when it was disclosed by the intelligence services commissioner.
Bulk communications data
GCHQ and MI5 obtain bulk communications data, under section 94 of the Telecommunications Act 1984.
GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception including, for example, bulk collection from internet cables.
Around 5% of GCHQ’s original intelligence is based on material gathered under section 94.
MI5 has collected communications data from telephone and internet companies since 2005. MI5 argues that the data is anonymous, as no subscriber details are included. The data is of significant intelligence and security value. It retains bulk communications data for one year.
The existence of bulk communications data collection remained secret until November 2015, when it was disclosed along with the introduction of the Investigatory Powers Bill.
Read more on Privacy and data protection
MI5 accused of withholding surveillance compliance failures from cabinet minister
EU’s top court questions legality of UK phone and internet data surveillance
MI5 slammed by watchdog for failing to delete intercepted phone and internet data
MI5 failed to disclose failings in handling intercepted data, court hears