The Investigatory Powers Commissioner is investigating several security arrangements that GCHQ entered into with private IT contractors, enabling the latter to enjoy administrative access over databases that contained sensitive details of millions of citizens.
GCHQ recently admitted in court that many private IT contractors have been given privileged user access to several sensitive databases, thereby giving rise to concerns that such contractors could misuse their access to leak citizens’ details.
Appearing before the Investigatory Powers Tribunal (IPT) in a suit filed by Privacy International, a GCHQ witness recently confirmed that external IT contractors contracted by GCHQ are given administrative and privileged access to systems owned by the organisation so that they can support IT-related issues faced by the systems.
“Following a change in policy introduced a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the witness said.
This statement was in contradiction to previous submissions made by GCHQ before the court. Last year, the GCHQ witness had informed the IPT that external IT contractors were given administrative access only during the design, build and testing phase of a project. Once a project went live, such administrative rights were passed on GCHQ employees.
Privileged access to sensitive databases owned by GCHQ could enable an IT contractor to not only access documents related to the organisation’s legal, commercial, human resources, or financial dealings, but also data that had been obtained by GCHQ using its surveillance capabilities. Such data could include personally identifiable information of millions of citizens.
The fact that an IT contractor could abuse his privileges to access such confidential data has not escaped the attention of the Investigatory Powers Commissioner, who told Computer Weekly that it would investigate allegations that external contractors “could misuse their trusted status to access databases containing intercepted telephone, internet and email records of individuals, or other highly sensitive intelligence records”.
“We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018,” said a spokesman from the Investigatory Powers Commissioner’s Office (IPCO).
According to Computer Weekly, between 2011 and 2016, the combined spending of GCHQ, MI5 and MI6 on consultants and IT contractors grew from 20% to 30% of their overall budgets. GCHQ also spent £70m every year between 2006 and 2016 on contractors to fill staff vacancies.
“This case is all about safeguards of highly sensitive bulk data. The main witness for GCHQ did not give accurate information to courts. Our contention is the regulators are not being given the correct information. How can they conduct their role as an oversight body without the right information?” said Solicitor Millie Graham Wood who is representing Privacy International.
In October 2016, ruling on a case brought by Privacy International against the Foreign Secretary, the Home Secretary and the GCHQ, MI5 and MI6, the Investigatory Powers Tribunal held that ‘that the Intelligence Agencies had breached Article 8(2) of the European Convention of Human Rights in respect of both the BPD and BCD regimes from their commencement until their public avowal in 2015.’
‘The Tribunal held that, during this period, there was not sufficient foreseeability or accessibility of the existence of the BPD and BCD regimes, nor of the nature of controls over them; in consequence, the regimes could not be said to be “in accordance with law”,’ according to Blackstone Chambers who are representing Privacy International.
The IPT has been told that a select group of researchers at the University of Bristol are also given access to bulk datasets that are stored by the GCHQ. These data sets include every conceivable sensitive information like internet usage logs, call logs, online file transfers and lists of websites visited by citizens.
At the same time, GCHQ also shares bulk datasets with HM Revenue and Customs (HMRC). According to the petitioners, once such datasets are shared with external agencies, control over them is lost. At the same time, such datasets can also be used by intelligence agencies for purposes that may not have official or legal sanction.