GCHQ has told the Investigatory Powers Tribunal that external IT contractors who enjoy administrative and privileged access to systems owned by the organisation pose no security risk and are as safe as internal employees.
The statement is in response to a suit filed by Privacy International in the Investigatory Powers Tribunal (IPT) in which it alleged that external IT contractors who were not employed by GCHQ could abuse their powers and gain unauthorised access to to the organisation's legal, commercial, human resources, or financial dealings, but also data that had been obtained by GCHQ using its surveillance capabilities. Such data could include personally identifiable information of millions of citizens.
External IT contractors given privileged access
Earlier this month, GCHQ had admitted before the Investigatory Powers Tribunal that it did hire external IT contractors and gave them administrative and privileged access to systems owned by the organisation so that they could support IT-related issues faced by the organisation.
However, the statement was in contradiction to GCHQ's previous statement that it made before the court. Last year, a GCHQ witness had informed the IPT that external IT contractors were given administrative access only during the design, build and testing phase of a project. Once a project went live, such administrative rights were passed on GCHQ employees.
According to Computer Weekly, between 2011 and 2016, the combined spending of GCHQ, MI5 and MI6 on consultants and IT contractors grew from 20% to 30% of their overall budgets. GCHQ also spent £70m every year between 2006 and 2016 on contractors to fill staff vacancies.
Privacy International also told the court that a select group of researchers at the University of Bristol are also given access to bulk datasets that are stored by the GCHQ. These data sets include every conceivable sensitive information like internet usage logs, call logs, online file transfers and lists of websites visited by citizens.
It also alleged that GCHQ also shares bulk datasets with HM Revenue and Customs (HMRC). Once such datasets are shared with external agencies, control over them is lost. At the same time, such datasets can also be used by intelligence agencies for purposes that may not have official or legal sanction.
No difference between employees and IT contractors
Appearing before the Investigatory Powers Tribunal, GCHQ's legal counsel James Eadie said that the organisation did not differentiate between internal employees and external IT contractors and that both were subject to similar levels of access and went through same levels of vetting.
“Our position is there is no material difference between employees and contractors. We don’t accept that there is a greater risk from contractors as a basic factual proposition," he said.
In response, Privacy International said that GCHQ's claim that it does not differentiate between employees and contractors is astonishing if true. It added that GCHQ's statement is not in sync with the views of the Investigatory Powers Commissioner who believes that an IT contractor could abuse his privileges to access confidential data stored by the GCHQ.
Earlier this month, the Investigatory Powers Commissioner told Computer Weekly that it would investigate allegations that external contractors "could misuse their trusted status to access databases containing intercepted telephone, internet and email records of individuals, or other highly sensitive intelligence records".
“We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018,” said a spokesman from the Investigatory Powers Commissioner’s Office (IPCO).