nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Court finds GCHQ and MI5 engaged in illegal bulk data collection

I don't believe it! The mad lads have only gone and won a legal case against the spooks!

By Alexander J Martin, 17 Oct 2016

A significant legal blow has been dealt to the British government over its secret mass surveillance activities.

The mysterious Investigatory Powers Tribunal, which oversees Blighty's snoops, has ruled that the bulk collection of personal data — conducted by GCHQ and MI5 between 1998 and 2015 — was illegal.

Responding to a claim brought by Privacy International, the 70-page judgment handed down this morning [PDF] found that the spooks' surveillance activities had been taking place without adequate safeguards or supervision for over a decade; and as such were in breach of Article 8 of the European Convention on Human Rights.

Due to litigation brought by the charity, the Tribunal ruled that there was not adequate oversight of the bulk communications data system by which GCHQ and MI5 secretly collected data from public electronic communications networks (PECNs) through secret directions given under section 94 of the Telecommunications Act 1984, until after July 2015.

Section 94 powers had long unsettled civil libertarians as they allowed secretaries of state to secretly order PECNs to interfere with public communications and withhold the fact that they had done so from Parliament if that was judged to be in the interest of national security.

However the use of section 94 powers were unconfirmed until the 4 November 2015, when Theresa May introduced the draft Investigatory Powers Bill and admitted that the collection had been taking place for years.

It was only through information contained in a book by BBC Security Correspondant Gordon Corera, and oblique references in the independent reviewer of terrorism legislation, David Anderson’s report into mass-surveillance which provided the first information in the public domain which even approached a hint of what was going on, Privacy International told The Register.

It is unacceptable that it is only through litigation by a charity that we have learnt the extent of this powers and how they are used. It is only because of the combined effect of reading an oblique passage contained in David Anderson QC’s report “A Question of Trust”, and a reference in Gordon Corera’s book ‘The Intercept’ that we guessed the intelligence agencies might be using section 94 of the Telecommunications Act 1984 to collect bulk communications data.

We amended our case in September 2015 to fold in bulk communications data and section 94, then again in January 2016 following the avowal. The avowal took place with the introduction of the Investigatory Powers Bill in November 2015, when the Government admitted it was using section 94 in exactly this way - to mandate the provision of bulk communications data.

Today, the Tribunal ruled it was “not satisfied that ... there can be said to have been an adequate oversight of the [bulk communications data] system, until after July 2015” as there were “no Codes of Practice relating to either [bulk communications data] or [bulk personal data] or anything approximating to them.”

As Privacy International noted: “There was no statutory oversight of bulk personal data prior to March 2015 and there has never been any statutory oversight of bulk communications data.”

The group continued to state: “The case exposed inadequate safeguards against abuse, including warnings to staff not to use the databases created to house these vast collections of data to search for and/or access information ‘about other members of staff, neighbours, friends, acquaintances, family members and public figures’. Internal oversight failed, with highly sensitive databases treated like Facebook to check on birthdays, and very worryingly on family members for ‘personal reasons’.

Millie Graham Wood, Legal Officer at Privacy International described the ruling as a “long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale.”

There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations' personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used.

The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.

A Government spokesperson said: "The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the Tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.

"Through the Investigatory Powers Bill, the Government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies." ®

The Register - Independent news and views for the tech community. Part of Situation Publishing