The UK has failed to minimise the impact of intrusive gathering and sharing of highly sensitive data by the intelligence services, Britain’s most secret court has heard.
The UK, as the only European member of the Five Eyes intelligence-sharing network, has intelligence capabilities that are “a long way ahead” of other European countries, the Investigatory Powers Tribunal was told last week.
It uses pioneering techniques, such as automated decision-making and algorithms, to conduct wide-ranging broad sweeps to identify whether people might be of intelligence interest, said Ben Jaffey, representing Privacy International against the government and the UK’s intelligence services.
“There needs to be real care taken to minimise the privacy of these processes, and it simply hasn’t been done,” he told the hearing at Southwark Crown Court.
Jaffey was speaking on the third day of a legal challenge brought by Privacy International against the UK government and the intelligence services over the lawfulness of sharing huge databases containing highly sensitive data on the population with partner intelligence services, government departments, law enforcement and industry partners.
The data includes records of the population’s internet activity, data on emails, phone calls, their location and travel history, financial records and social media history.
The judicial commissioners responsible for overseeing the intelligence agencies’ use of bulk data have never looked into it, still less approved it, and the present commissioner does not yet have the technical resources to do so, he said.
“Oversight has failed because all of these issues could and should have been dealt with some years ago, and they were not,” said Jaffey.
Jaffey said the government’s arguments were “a dog’s breakfast” that have been iteratively improved, step by step, during the legal proceedings until the oral hearing at the tribunal.
The government’s claims about the safeguards in place for bulk communications data (BCD) and bulk personal data (BPD) sharing were not backed up by written handling arrangements or by statements from witnesses from the intelligence agencies, said Jaffey.
“It is still a bit of a mess as far as an officer of the agencies on the ground trying to work out what they can do with a bulk dataset, or not, is concerned,” he said.
The government’s policy of neither confirming nor denying whether the UK intelligence agencies share databases containing highly sensitive data on British citizens with overseas intelligence services was challenged by new evidence disclosed at the hearing.
A partially unredacted document, released on 18 October, reveals for the first time that the commissioners responsible for overseeing collection of bulk data appeared to be aware that UK intelligence services were sharing personal data with overseas intelligence agencies.
“There is material in the corporate record of ISCom [Intelligence Services Commissioner] and Iocco [Interception of Communications Commissioner’s Office] that Iscom and Iocco addressed whether any sharing had taken place,” the document said.
Burton’s office was abolished under the Investigatory Powers Act, and it is not yet clear whether IPCO will continue with the review, the court heard.
“The fact that the commissioners were aware of foreign sharing comes as no surprise to us,” said Jaffey. “What is interesting and what is important and what remains redacted is whether or not the commissioners actually conducted any audit or oversight about this.”
Vital data needed for audit
The court heard that GCHQ had kept an audit database of the legal justifications used by its intelligence analysts to carry out searches on bulk databases that was available to the commissioner, Iocco, to audit on demand.
But an inspection report dated April 2017 from Iocco showed that, in practice, the commissioner had not been made aware of the existence of the data and had never inspected it.
“The relevant point is that Iocco has never looked at any of the justifications for any searches that have taken place,” said Jaffey.
Neither the search terms used by analysts nor the results of their searches were routinely given to GCHQ’s internal auditors, GCHQ disclosed in written evidence – and were therefore unavailable to the independent auditor for checking, the court heard (see GCHQ box).
This still left the system open to abuse, said Jaffey. “So an officer searches for an illegitimate and improper purpose the auditor would not know… similarly, Iocco would not see that,” he said.
In these circumstances, it was not possible to conduct a meaningful audit – it was an audit in name only, said Jaffey.
Neither the Intelligence Services Commissioner nor the Interception of Communications Commissioner had carried out any inspections of bulk data sharing between the intelligence community and law enforcement, according to a letter from the Investigatory Powers Commissioner’s Office to the tribunal, dated 19 September.
“It certainly should have been the subject of consideration by at least one of the commissioners – but it wasn’t,” said Jaffey.
Questions were also raised over whether GCHQ had adequately briefed the foreign secretary on data sharing and whether there was adequate ministerial oversight in this area.
Concerns over GCHQ compliance
The Investigatory Powers Commissioner’s Office (IPCo), which became the sole commissioner responsible for oversight in September 2017, raised separate concerns about the access to databases by staff outside the UK intelligence services, including contractors, industry partners and academics.
GCHQ told IPCo that it does not give contractors or academics access to bulk personal datasets for running queries, and they would not have access to the search interface.
As far as possible, dummy data is used for testing BPD systems, but in some cases, contractors may have systems administrator rights, the intelligence agency said.
IPCo warned: “This would not preclude a contractor with system access rights going into the system, extracting data and then covering their tracks,” a redacted draft report from IPCO dated 15 September 2017 disclosed at the hearing reveals.
Jaffey questioned the government’s argument that GCHQ shared only a minimal amount of bulk data with industry. That was based on an assertion by GCHQ that databases containing bulk signals intelligence are not bulk datasets.
“It is common ground that bulk Sigint data was shared on a substantial basis with industries,” he said.
The court heard that the requirement for third parties to demonstrate “equivalence” in security and privacy practices before GCHQ will share bulk datasets with them was put forward in oral hearings, but does not appear in GCHQ’s written guidelines.
“The problem that GCHQ have is they never wrote it down until they produced a witness statement in this case,” said Jaffey. “And until they write it down, there is no prospect whatsoever of GCHQ officers knowing about it and, therefore, complying with it.”
Similarly, the court heard that MI5 and MI6 required “substantial equivalence” in oversight before sharing data with a third party, but the requirement is not recorded in writing and staff of the agencies would not have been aware of it.
“The oral submissions are markedly different from either the unwritten policies or the written policies,” said Jaffey. “It is plainly not good enough and it doesn’t pass either with the Strasbourg [European Court of Human Rights] or the EU law tests.”
Section 94 orders questioned
Thomas De La Mare, representing Privacy International, challenged the legality of orders GCHQ gave to telecoms and internet companies requiring them to hand over vast databases of data under Section 94 of the Telecommunications Act 1984.
The law requires the orders to come from the secretary of state. But sample orders disclosed by GCHQ require communications companies to hand over their data “if requested to do so by GCHQ, acting through the director of GCHQ, or any person authorised by him”.
GCHQ had to attach a letter or list of instructions to the order to make it clear what data had to be disclosed, implying that GCHQ, rather than the secretary of state, was behind the authorisation, the court heard.
GCHQ also faced difficulties minimising intrusion into people’s privacy when sharing unstructured databases such as records of activities on social media, because they did not contain defined database fields that could easily be removed, said Jaffey.
“If you have a social media database, which is the example given by IPCo, you can’t simply say you have a field for a name, you have a field for an address, you have a field for an ethnic origin – so how are you going to minimise that type of complex dataset?” he said.
The court plans a closed hearing in November to consider classified evidence and submissions.