Mass collection of data on population ‘illegal’, UK court told

Investigatory Powers Tribunal hearing challenges GCHQ over legality of mass surveillance, as government plans moves to control encryption

The government’s collection of electronic data on the population, including details of phone calls, emails, web browsing, and databases of financial and travel records, is illegal and lacks adequate safeguards to protect individuals’ privacy, a court will hear today.

Privacy International, a non-governmental organisation (NGO), claims that the GCHQ, MI5 and MI6 intelligence services’ mass, suspicionless collection of personal data, which can be shared with other government departments, researchers and foreign governments, breaches European law and lacks legally required safeguards.

The case, to be heard by the Investigatory Powers Tribunal – Britain’s most secret court – comes as prime minister Theresa May signalled her intention to require companies to weaken encrypted communication applications, and to require communications companies to disclose the contents of encrypted messages, following the London and Manchester terror attacks.

The pressure group accuses the government of failing to implement a European Court of Justice ruling last year, following a case brought by Labour MP Tom Watson, which ruled that the UK’s collection of phone and internet data cannot be justified in a democratic society.

“One of the key issues is that the government is arguing that the safeguards that come from the Watson judgment and other cases don’t apply, which is very worrying because they are very basic measures,” said Millie Graham Wood, legal officer at Privacy International.

The intelligence services argue that they would be unable to carry out complex and fast-moving investigations, for example to identify members of a terrorist group, if they had to rely on targeted surveillance on suspects, rather than mass collection of data.

The action, heard in the Royal Courts of Justice, follows an earlier challenge by Privacy International at the Interception of Communications Tribunal, which ruled in October 2016 that the intelligence services had collected communications data unlawfully and without adequate checks and balances for 14 years.

Vast scale of data collection

GCHQ collects data on the UK population’s email and internet use and, it has been revealed, stores the location data and phone call history of every mobile phone for one year using powers under section 94 of the Telecommunications Act 1984.

GCHQ, MI5 and MI6 also acquire databases on the population – known as bulk personal datasets (BPDs) – from the private sector, government departments, and covertly through computer hacking.

These contain “considerable volumes” of biographical data, data on commercial and financial activities and travel, as well as communications data.

Intelligence agencies can combine bulk communications data with BPDs to create highly detailed profiles of individuals, containing highly sensitive information, including details of religious beliefs, medical conditions and political views, deduced from individuals’ web browsing and their networks of friends and contacts.

Both types of collection lack sufficient legal safeguards and represent a “disproportionate interference” with the right to privacy under the EU Charter of Fundamental Rights and the European Convention on Human Rights, Privacy International claims in court documents.

Once the intelligence services have collected data for “national security” reasons, the data can then be repurposed for other uses that fall far short of national security, and be shared with other government departments, overseas intelligence agencies and the private sector, it claims.

Secret intelligence shared

The pressure group argues that there “appear to be no adequate safeguards” to protect intercepted personal data when the UK intelligence services share it with UK law enforcement, commercial companies or partner intelligence agencies.

Government departments in the UK, such as HM Revenue and Customs, can access GCHQ’s data through a programme codenamed Milkwhite, it says.

GCHQ also frequently releases databases of raw “sig-int data” to industry partners that have been hired to develop new capabilities for GCHQ, but there appears to be no requirement for partners to justify each search of the database in writing, and security clearance is only required “whenever possible”, Privacy International claims.

Documents released by former CIA employee Edward Snowden show that GCHQ gave researchers at the University of Bristol access to its raw datasets, including internet use, telephone call data, websites visited and internet file transfers. They were also given access to GCHQ’s entire targeting database – an exceptionally sensitive dataset.

In one case, a communication service provider asked GCHQ for assurances that its data was not being shared with another jurisdiction, and in other cases, companies said they would be concerned if data was shared with other jurisdictions without their knowledge, according to a report by the interception of communications commissioner.

Five eyes

Privacy International also claims there is inadequate protection for data that the UK intelligence services share with the partner intelligence services that make up the “five eyes” – the UK, Australia, New Zealand, the US and Canada.

GCHQ documents show that the agency shares bulk data with partner intelligence services directly and also provides access to databases through web interfaces.

The only requirement for intelligence analysts at the US National Security Agency to access GCHQ’s data is to tick a box on a website confirming they have the relevant training.

Bulk communications data

  • GCHQ and MI5 obtain bulk communications data under section 94 of the Telecommunications Act 1984.
  • GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception, including, for example, bulk collection from internet cables.
  • About 5% of GCHQ’s original intelligence is based on material gathered under section 94.
  • MI5 has collected communications data from telephone and internet companies since 2005.
  • The existence of bulk communications data collection remained secret until November 2015, when it was disclosed along with the introduction of the Investigatory Powers Bill.

In one case, NSA documents show that, ahead of a visit to the US agency by the former director of GCHQ, Sir Iain Lobban, the agency’s director was briefed that Lobban was likely to ask whether UK-sourced data might be given by the NSA to the Israeli government to conduct “lethal operations”.

Privacy International argues that once data has been handed over to a third party, it could be used to support unlawful detention, torture or the violent detention of a suspect, or to identify a target for a lethal operation. It may also be passed on to another country, even though the UK would not pass on information directly, it says.

There appears to be little, if any, oversight by intelligence regulators over data shared with other intelligence agencies, and it is unclear whether they are able to audit GCHQ’s activities, the NGO says.

“They have not given us any information on what controls do apply and how they control the data,” said Wood. “Particularly if it goes to foreign governments, it is going to be much harder to control.”

Questions on oversight

Under the Telecommunications Act 1984, the secretary of state can issue “section 94 directions” to phone and internet companies to require them to disclose communications data to intelligence services.

Privacy International argues that the few directions that have been made public to date do not contain any of the safeguards required by the Watson judgment and the EU’s electronic privacy directive introduced in October 2003. As a result, all directions issued since then have been unlawful, it says.

The section 94 directions comprised three paragraphs on one sheet of A4 paper instructing an internet or phone provider to release specified categories of communications data, “to protect the UK from terrorist threat in the interests of national security”.

The directions were amended last year to a five-paragraph notice that gives more detail about the data required, and references the relevant sections of the Regulation of Investigatory Powers Act, but does not explicitly list privacy safeguards.

“The forms raise questions over how much oversight the secretary of state has,” said Wood. “If the form is so limited, is there a complete lack of oversight?”

O2 ordered to vet staff

One notice issued to mobile phone company O2 in 2004 required it to carry out security vetting on employees with access to sensitive government information.

It reveals that the company set up a “committee on national security”, headed by company chairman David Varney, to consult with the government on section 94 directions and to keep its deliberations secret from the rest of the company and any board members who did not sit on the committee.

The government and intelligence agencies claim that the European Data Protection Directive and the e-Privacy Directive do not extend to member states on matters of national security.

The safeguards in the Watson judgment “cannot be sensibly applied” to the acquisition of communications data and bulk personal datasets, the government argues in documents lodged with the court.

“To do so would significantly undermine the ability of SIAs [security intelligence agencies] to protect the public by protecting the UK’s national security,” it says.

How GCHQ shared sensitive data with researchers at the University of Bristol

Databases marked “top secret” shared with researchers at the University of Bristol include:

Salamanca: Telephone call record data collected from a wide variety of sources, covering multiple countries. Includes in-country phone call data. As of September 2011, it was collecting 5,000 events per second.

Target Selectors: A dictionary of GCHQ’s targets for surveillance, including phone numbers, email addresses and other “selectors”.

Five Alive: A searchable database of records of internet connections, IP address to IP address, including time, computer port and protocol.

HRMap: Database of HTTP requests, showing websites requested by internet users, and the referring website, when available. Runs on a Hadoop cluster at GCHQ in Bude, Cornwall. As of September 2011, it was collecting 20,000 events per second.

Signature Knowledge Base: System for tracking file transfers across the internet. Identifies files by their format and a “hash” of their content.

Squeal hits: A signature-based system for detecting electronic attacks. Each hit contains the source and destination IPs and ports, the timestamp, hit details and geolocation for the IP addresses.

Websites of interest: A manually created list of radical and extremist websites.

The agencies claim that the increasing use of encryption makes the collection of communications data and bulk personal datasets more important.

For example, communications data allows GCHQ to “tip off” MI5 when a subject of interest arrives in the UK. Bulk personal data has been used to identify an Al-Qaida suspect by reducing the number of candidates identified by fragmentary information from 27,000 to one.

According to a witness from MI5, “in complex and fast-moving investigations, having access to a database of [bulk communications data] would enable MI5 to carry out more sophisticated and timely analysis”. This would not be possible if the service had to make individual requests to phone and internet companies, the witness said.

GCHQ said in documents that it had used communications data to identify a terrorist group and to understand the links between its members, in a way that would not be possible if it used targeted surveillance rather than bulk collection of data.

Controls on intelligence sharing

GCHQ has refused to confirm or deny whether it shares data with overseas intelligence partners, but in an anonymous witness statement, a GCHQ official said that if it did, it would follow the handling arrangements and could seek assurances that data would be handled in accordance with safeguards under the Regulation of Investigatory Powers Act.

“Any data shared with other organisations would be shared on the basis that it must not be shared beyond the recipient organisation unless explicitly agreed in advance,” the official said.

Industry partners are required to specify the controls they intend to apply for retention, examination and destruction of data, and to have them approved by GCHQ before data is shared, the official said. Where possible, data would be kept on the premises of GCHQ, and data believed to be confidential would not be shared.

“Any sharing would be of the minimum volume of data necessary to develop or test a system. In all cases, the data would be the least intrusive data that can serve the purpose,” the official said.

MI5 failed to follow own rules

Privacy International began its legal action in August 2014 when it filed a complaint with the Investigatory Powers Tribunal challenging the legality of the UK’s acquisition, use, storage and deletion of bulk communications data and bulk personal datasets.

Documents disclosed during the case revealed that MI5 had used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information about the existence of its bulk personal datasets that held highly intrusive records about the population.

The documents show that MI5 staff failed to follow the agency’s own rules for accessing details of the population’s email, web browsing and phone use on more than 200 occasions over five years, by requesting communications data verbally rather than in writing, overriding the agency’s own code of practice.

Other documents reveal that GCHQ staff working with bulk personal datasets were told to assume that all data they analysed had been obtained legally and had been correctly targeted.

The case continues this week.
