The watchdog that inspects the intelligence services has revealed that there has never been an audit of the way security services share sensitive bulk databases of the population, including phone call, email and internet browsing records, with industry partners of the intelligence agencies.
Graham Webber, head of the Office of Interception of Communications and Intelligence Services Commissioners, admitted in a letter disclosed in court this week that there had never been an inspection of data-sharing.
He was responding to a request by the Investigatory Powers Tribunal for information on what “active oversight” the Intelligence Services Commission or the Interception of Communications Commssioner’s Office had over sharing bulk communications data (BCD) containing internet, email and phone records and bulk personal datasets (BPD), which can include financial, travel and other records of the population.
Webber’s letter was disclosed at a hearing of the Investigatory Powers Tribunal on Monday, during a legal challenge brought by Privacy International.
The non-governmental organisation is challenging the legality of the UK’s mass surveillance of the population, which gathers up highly sensitive communications data and BPD, irrespective of whether the people involved are suspected of crime, or pose a national security threat.
The privacy group argues that the government lacks sufficient oversight in the way people’s personal data is collected and used, particularly when the intelligence services share sensitive data with overseas intelligence services and industry partners.
GCHQ, for example, gave researchers at the University of Bristol access to its raw datasets containing highly sensitive data on individuals, including their internet use, telephone call data, websites visited and internet file transfers they had made.
Bristol’s researchers were also given access to GCHQ’s entire targeting database – an exceptionally sensitive dataset, documents released by Edward Snowden reveal.
In his letter, Webber declined to “confirm or deny whether any active oversight of the sharing of BCD had taken place, because to do so would reveal whether there has been sharing of BCD”.
The matter was disclosed during a four-day hearing into the case brought by Privacy International against the secretary of state for the Home Office and the Foreign Office as well as GCHQ, the Security Service and Security Intelligence Service (MI5 and MI6).
Data ‘no less sensitive than content’
Thomas de la Mare, QC for Privacy International, told the court that the “old-fashioned distinction between content and collected data traffic is no longer fit for purpose,” with 24-hour digital communication, and high mobile phone and internet use.
The boundary between the two, which may have worked in the past, was “unsafe”, he said, arguing that aggregated communications data is no less sensitive.
Gathering everyone’s data could show patterns that “mark out an individual as a potential terrorist suspect”, said de la Mare.
“Suppose you develop an algorithm looking at shopping patterns for a group or individual to see what they have been purchasing – items that are contained in home-made bombs,” he said.
“It can reveal places and travel patterns, related within terrorism. Or you can isolate patterns of phone or internet use or non-use.
“Someone who is security aware may have turned it [the phone] off, not take the phone with them or may have purchased a phone with a detachable battery [which may indicate suspicion].”
The weapons used in last weekend’s attack on London Bridge and Borough Market and the attack on Westminster Bridge were “low-tech weapons”, said de la Mare.
The implication – not voiced in the court hearing – was that the attacks were less likely to have been detected by electronic intelligence gathering.
“The lower-tech the attack, the less planning it might need,” he said.
Intelligence impact on privacy
Earlier, de la Mare told the tribunal that records gathered by the intelligence services had the potential to reveal details of innocent people’s private information.
“These patterns are only discernible if the available data of people is gathered,” he said. “The problem with this is that it may be used or stolen to discover other patterns.”
For example, a sequence of someone visiting medical sites, then their GP surgery’s site, then a medical insurance company and then a hospice “may reveal a person has terminal cancer”, said de la Mare.
He said “inferences” could also be drawn about visits to the website of a pay-by-the-hour hotel, a florist and chocolate company. If someone was looking at websites belonging to certain companies and law sites, that could indicate a takeover was about to happen.
“This type of data has massive importance and may be useful for the state and for theft, or a blackmailer may use it for material gain,” said de la Mare.
Section 94 orders ‘looked at’
Webber said in his letter that inspectors looked at GCHQ and MI5’s use of section 94 directions of the 1984 Telecommunications Act, which are used to acquire bulk communications data about the public from internet service and telecommunications providers.
Each case is discussed with senior managers, analysts and those responsible for internal audits, said Webber.
“The low number of section 94 directions means we have been able to consider everyone in this way,” he explained in the letter to the IPT.
Inspectors are given “direct access” to the system MI5 uses to “authorise and enable queries against the BCD”, said Webber. This means inspectors can look at a cross-section of applications of BCD and consider the necessity and proportionality of their use.
He added that GCHQ’s system did not currently allow a similar audit of its analysts’ use of BCD.
The case continues.
Read more on Business intelligence software
Investigatory Powers Tribunal finds UK spy agencies unlawfully collected personal data
MI5 accused of withholding surveillance compliance failures from cabinet minister
EU’s top court questions legality of UK phone and internet data surveillance
Neo4j 4.0 major update boosts graph database security, scalability