Oversight of intelligence agencies’ data sharing has ‘failed’, court hears

UK’s intelligence services lack adequate oversight and written guidelines when sharing databases of sensitive information, Privacy International argues in secret court

The UK has failed to minimise the impact of intrusive gathering and sharing of highly sensitive data by the intelligence services, Britain’s most secret court has heard.

The UK, as the only European member of the Five Eyes intelligence-sharing network, has intelligence capabilities that are “a long way ahead” of other European countries, the Investigatory Powers Tribunal was told last week.

It uses pioneering techniques, such as automated decision-making and algorithms, to conduct wide-ranging broad sweeps to identify whether people might be of intelligence interest, said Ben Jaffey, representing Privacy International against the government and the UK’s intelligence services.

“There needs to be real care taken to minimise the privacy of these processes, and it simply hasn’t been done,” he told the hearing at Southwark Crown Court.

Jaffey was speaking on the third day of a legal challenge brought by Privacy International against the UK government and the intelligence services over the lawfulness of sharing huge databases containing highly sensitive data on the population with partner intelligence services, government departments, law enforcement and industry partners.

The data includes records of the population’s internet activity, data on emails, phone calls, their location and travel history, financial records and social media history.

The judicial commissioners responsible for overseeing the intelligence agencies’ use of bulk data have never looked into it, still less approved it, and the present commissioner does not yet have the technical resources to do so, he said.

“Oversight has failed because all of these issues could and should have been dealt with some years ago, and they were not,” said Jaffey.

‘Dog’s breakfast’

Jaffey said the government’s arguments were “a dog’s breakfast” that had been improved iteratively, step by step, during the legal proceedings up to the oral hearing at the tribunal.

The government’s claims about the safeguards in place for bulk communications data (BCD) and bulk personal data (BPD) sharing were not backed up by written handling arrangements or by statements from witnesses from the intelligence agencies, said Jaffey.

“It is still a bit of a mess as far as an officer of the agencies on the ground trying to work out what they can do with a bulk dataset, or not, is concerned,” he said.

The government’s policy of neither confirming nor denying whether the UK intelligence agencies share databases containing highly sensitive data on British citizens with overseas intelligence services was challenged by new evidence disclosed at the hearing.


A partially unredacted document, released on 18 October, reveals for the first time that the commissioners responsible for overseeing collection of bulk data appeared to be aware that UK intelligence services were sharing personal data with overseas intelligence agencies.

“There is material in the corporate record of ISCom [Intelligence Services Commissioner] and Iocco [Interception of Communications Commissioner’s Office] that ISCom and Iocco addressed whether any sharing had taken place,” the document said.

It has also emerged that Stanley Burton, the former Interception of Communications Commissioner, had begun a review into any sharing of BCD by GCHQ, which has yet to report.

Burton’s office was abolished under the Investigatory Powers Act, and it is not yet clear whether its successor, the Investigatory Powers Commissioner’s Office (IPCO), will continue with the review, the court heard.

“The fact that the commissioners were aware of foreign sharing comes as no surprise to us,” said Jaffey. “What is interesting and what is important and what remains redacted is whether or not the commissioners actually conducted any audit or oversight about this.”

Vital data needed for audit

The court heard that GCHQ had kept an audit database of the legal justifications recorded by its intelligence analysts when carrying out searches on bulk databases, and that this database was available to the commissioner, Iocco, to audit on demand.

But an inspection report dated April 2017 from Iocco showed that, in practice, the commissioner had not been made aware of the existence of the data and had never inspected it.

“The relevant point is that Iocco has never looked at any of the justifications for any searches that have taken place,” said Jaffey.

Neither the search terms used by analysts nor the results of their searches were routinely given to GCHQ’s internal auditors, GCHQ disclosed in written evidence, and they were therefore also unavailable to the independent auditor for checking, the court heard (see box: GCHQ’s safeguards on bulk data searches).

This still left the system open to abuse, said Jaffey. “So an officer searches for an illegitimate and improper purpose the auditor would not know… similarly, Iocco would not see that,” he said.

GCHQ’s safeguards on bulk data searches

A witness statement from GCHQ, disclosed during the hearing, said GCHQ analysts had to provide auditors with information to justify their use of bulk personal data.

Analysts must specify an authorised purpose, a cross-reference indicating an intelligence requirement, and a justification of necessity and proportionality.

“This justification must be sufficiently detailed to allow another analyst not directly involved in operational activity to determine whether it makes a sufficient necessity and proportionality case,” the anonymous official wrote.

All these elements are transferred to an internal audit system, which is made available to the judicial commissioner, Iocco, on demand, the witness said.

However, the search terms used by analysts were not routinely presented to GCHQ’s auditors.

“The specific search terms used in the query are also transferred to the auditing system,” the witness said. “At the time of the Iocco inspection, these were not routinely presented to the auditors, but were retained and could be accessed if necessary.”

GCHQ also disclosed that its own internal auditors did not have access to the data returned by analysts’ queries.

“The data returned by the query is not itself transferred to the audit system,” the witness said. “This is because GCHQ does not consider it proportionate routinely to retain such data for such a long period.”

Although the same information available to GCHQ’s internal auditors was available to the judicial commissioner for external review, in practice, Iocco has never asked for it.

In June, GCHQ’s policy changed, and search terms have since been routinely made available to GCHQ’s internal auditors.

In these circumstances, it was not possible to conduct a meaningful audit – it was an audit in name only, said Jaffey.

Neither the Intelligence Services Commissioner nor the Interception of Communications Commissioner had carried out any inspections of bulk data sharing between the intelligence community and law enforcement, according to a letter from the Investigatory Powers Commissioner's Office to the tribunal, dated 19 September.

“It certainly should have been the subject of consideration by at least one of the commissioners – but it wasn’t,” said Jaffey.

Questions were also raised over whether GCHQ had adequately briefed the foreign secretary on data sharing and whether there was adequate ministerial oversight in this area.

Concerns over GCHQ compliance

The Investigatory Powers Commissioner’s Office (IPCO), which became solely responsible for oversight of the agencies in September 2017, raised separate concerns about access to databases by staff outside the UK intelligence services, including contractors, industry partners and academics.

GCHQ told IPCO that it does not give contractors or academics access to bulk personal datasets for running queries, and that they would not have access to the search interface.

As far as possible, dummy data is used for testing BPD systems, but in some cases contractors may have systems administrator rights, the intelligence agency said.

“This would not preclude a contractor with system access rights going into the system, extracting data and then covering their tracks,” warned a redacted draft report from IPCO, dated 15 September 2017 and disclosed at the hearing.

Inspector gives MI5 and MI6 clean bill of health

IPCO carried out the first stage of an audit of bulk personal data held by MI5, MI6 and GCHQ in August and September 2017.

It aimed to discover what data may have been shared, and for what purpose; whether sharing was carried out in a way that minimised intrusion into privacy; whether there was adequate oversight of handling arrangements; and whether there was adequate security in place.

Another aim was to check whether bulk communications data or bulk personal data shared with non-UK intelligence community partners was deleted when no longer needed.

A letter from IPCO to the Investigatory Powers Tribunal, dated 15 September 2017, reports that the commissioner found no issues with MI5.

The Secret Intelligence Service, MI6, showed a “thorough and thoughtful process” for sharing bulk personal data, it said, and went on: “SIS’s compliance process demonstrated that clear steps were in place to monitor the continued necessity and proportionality of sharing, as well as adherence to the handling instruction and any MoU [memorandum of understanding].”

The draft report raises the point that GCHQ had not demonstrated that any sharing that might take place would be necessary and proportionate, or that it would be in accordance with the legislation and GCHQ’s handling arrangements.

In particular, it said that “when questioned, staff were not considering steps to minimise the level of intrusion from any sharing” and “there was some question whether the foreign secretary has provided ministerial oversight”.

GCHQ has responded, saying the report did not reflect IPCO’s discussions with GCHQ’s intelligence analysts. “Inspectors asked about processes for managing what data might be shared and were told that any files would be formatted before sharing, and would only contain agreed fields,” it said.

GCHQ also said it did not need to seek the foreign secretary’s approval for difficult cases: “It is not really surprising that we have had less engagement with current or previous secretaries of state.”

Jaffey questioned the government’s argument that GCHQ shared only a minimal amount of bulk data with industry. That argument rested on an assertion by GCHQ that databases containing bulk signals intelligence are not bulk datasets.

“It is common ground that bulk Sigint data was shared on a substantial basis with industries,” he said.

The court heard that the requirement for third parties to demonstrate “equivalence” in security and privacy practices before GCHQ will share bulk datasets with them was put forward in oral hearings, but does not appear in GCHQ’s written guidelines.

“The problem that GCHQ have is they never wrote it down until they produced a witness statement in this case,” said Jaffey. “And until they write it down, there is no prospect whatsoever of GCHQ officers knowing about it and, therefore, complying with it.”

Similarly, the court heard that MI5 and MI6 required “substantial equivalence” in oversight before sharing data with a third party, but the requirement is not recorded in writing and staff of the agencies would not have been aware of it.

“The oral submissions are markedly different from either the unwritten policies or the written policies,” said Jaffey. “It is plainly not good enough and it doesn’t pass either with the Strasbourg [European Court of Human Rights] or the EU law tests.”

Section 94 orders questioned

Thomas De La Mare, representing Privacy International, challenged the legality of orders GCHQ gave to telecoms and internet companies requiring them to hand over vast databases of data under Section 94 of the Telecommunications Act 1984.

The law requires the orders to come from the secretary of state. But sample orders disclosed by GCHQ require communications companies to hand over their data “if requested to do so by GCHQ, acting through the director of GCHQ, or any person authorised by him”.

GCHQ had to attach a letter or list of instructions to each order to make clear what data had to be disclosed, implying that GCHQ, rather than the secretary of state, was in practice behind the authorisation, the court heard.

GCHQ also faced difficulties minimising intrusion into people’s privacy when sharing unstructured databases such as records of activities on social media, because they did not contain defined database fields that could easily be removed, said Jaffey.

“If you have a social media database, which is the example given by IPCo, you can’t simply say you have a field for a name, you have a field for an address, you have a field for an ethnic origin – so how are you going to minimise that type of complex dataset?” he said.

The court plans a closed hearing in November to consider classified evidence and submissions.
