The GCHQ and its allied intelligence agencies MI5 and MI6 could be harvesting and sharing more sensitive information belonging to citizens than previously believed or officially disclosed.
Privacy International has moved the IPT claiming that GCHQ, MI5, and MI6 are accessing citizens’ data without obtaining legal sanction.
Earlier this year, a survey conducted by Unisys revealed that almost half of all U.K. citizens were concerned that domestic intelligence services ‘can, and will, listen to or watch them via their smart televisions and other smart devices’.
The survey also revealed that security-related concerns of U.K. citizens registered a 40 percent increase compared to 2014 levels. Concerns over the safety of personal data rose by as much as 50 percent.
It now appears that their concerns were legitimate. The investigatory powers tribunal (IPT) is now hearing arguments on how domestic intelligence agencies like the MI5 and MI6 have been processing bulk data belonging to citizens and sharing it with others without following legal safeguards.
Representing Privacy International, Ben Jaffey QC told the IPT that the process of overseeing data collection and processing by intelligence agencies by a team of independent commissioners has been a ‘blatant failure’. He added that legal protections are avoided and intelligence agencies regularly circumvent legal regimes while analysing data belonging to citizens.
Privacy International alleges that bulk personal datasets collected and monitored by MI5 and MI6 contain highly sensitive concent about citizens. These include their activities on social media sites, online dating sites and leave almost nothing to the agencies’ imagination.
“Such datasets are very intrusive. They contain information that goes right to the core of an individual’s private life,” Jaffey contended.
In March 2015, the existence of bulk personal datasets (BPDs) was acknowledged by intelligence agencies. Later that year, they also acknowledged the existence of bulk communications data (BCDs), and that both types of datasets were being monitored routinely by them.
In October of last year, ruling on a case brought by Privacy International against the Foreign Secretary, the Home Secretary and the GCHQ, MI5 and MI6, the Investigatory Powers Tribunal held that ‘that the Intelligence Agencies had breached Article 8(2) of the European Convention of Human Rights in respect of both the BPD and BCD regimes from their commencement until their public avowal in 2015.’
‘The Tribunal held that, during this period, there was not sufficient foreseeability or accessibility of the existence of the BPD and BCD regimes, nor of the nature of controls over them; in consequence, the regimes could not be said to be “in accordance with law”,’ according to Blackstone Chambers who are representing Privacy International.
The IPT has been told that a select group of researchers at the University of Bristol are also given access to bulk datasets that are stored by the GCHQ. These data sets include every conceivable sensitive information like internet usage logs, call logs, online file transfers and lists of websites visited by citizens.
At the same time, GCHQ also shares bulk datasets with HM Revenue and Customs (HMRC). According to the petitioners, once such datasets are shared with external agencies, control over them is lost. At the same time, such datasets can also be used by intelligence agencies for purposes that may not have official or legal sanction.
‘It could be deployed in support of an unlawful detention or torture programme, in the violent interrogation of a suspect, or used to identify a target for a lethal operation.
‘It may be (overtly or covertly) passed on to another country, even though the UK would be unwilling to share directly with that state. There is no evidence that the control principle is operated or respected by the partners with whom data is shared,’ they argued.
‘The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data nonexistent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments,’ said Millie Graham Wood, a solicitor at Privacy International to The Guardian.
‘The risks associated with these activities are painfully obvious. We are pleased the Investigatory Powers Commissioner’s Office is keen to look at these activities as a matter of urgency and the report is publicly available in the near future,’ she added.
‘It is neither confirmed nor denied whether the [agencies] share or have agreed to share bulk personal data and bulk communications data with foreign partners and [other agencies] or (in the case of [MI6] and MI5) with industry partners. However, were they to do so such sharing would be lawful,’ said James Eadie QC, the counsel representing the intelligence agencies.