Millions of Facebook and Twitter accounts may have been analysed by UK intelligence agencies and personal data shared with foreign governments and corporations, according to privacy campaigners.
Official letters obtained by Privacy International also reveal that the body tasked with overseeing the activities of MI5 and MI6 – the Investigatory Powers Commissioner – was kept in the dark as intelligence agencies allegedly shared the data.
The revelations have been branded “alarming” and “deeply worrying” amid calls for greater transparency over the data the government collects and better safeguards to protect people’s privacy from state intrusion.
GCHQ collects and accesses information by gaining access to private companies’ databases.
It is the first confirmed example of the type of “bulk” information collected by the UK intelligence agencies, says Privacy International.
The databases in which social media data is held by GCHQ are called Bulk Personal Databases (BPDs). They vary in size but could potentially include information about millions of people.
The use by UK spooks of BPDs was only publicly revealed in March 2015, via an Intelligence and Security Committee report, which also raised various concerns about their use.
Privacy International – a charity that campaigns on privacy issues – has been in court this week as it continues to challenge the UK government’s access to private company databases.
The Investigatory Powers Tribunal (IPT) is sitting at Southwark Crown Court to hear claims by Privacy International regarding the legality of government surveillance and the charity’s complaints against the intelligence services.
The challenge brought by Privacy International alleges that data-sharing regimes and the legal oversight system are illegal. The case has been running for three years.
The evidence uncovered by Privacy International demonstrates the alarming scale of government surveillance Nik Williams, Scottish Pen
Privacy International has seen letters from the body that is tasked with overseeing the surveillance regime, the Investigatory Powers Commissioner’s Office (IPCO).
The IPCO raised concerns about the role of private contractors who are given ‘administrator’ access to the information that UK intelligence agencies collect.
The commissioner also raised concerns that there are currently no safeguards in place to prevent misuse of the systems by third party contractors.
Court documents reveal that bulk communications data is obtained by GCHQ in the same manner as communications data is obtained under RIPA warrants, issued under Part I of the Regulation of Investigatory Powers Act 2000 (RIPA).
One document says: “GCHQ stores the data together in the same database, regardless of the statutory regime under which it was obtained.”
Millie Graham Wood, solicitor at Privacy International pointed out that the intelligence agencies’ practices in relation to bulk data were previously found to be unlawful.
She said: “After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.”
The risks associated with these activities are “painfully obvious”, she argued. “We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future.”
Scottish Liberal Democrat chief whip Alistair Carmichael MP also voiced concerns. The revelations would “shock the public”, he said.
“What’s more, the fact that the Investigatory Powers Commissioner was kept in the dark for so long over the sharing of intelligence agency databases with foreign governments, law enforcement and industry is a deeply worrying way for intelligence agencies in a democracy to behave.”
He added: “This is a system that is ripe for abuse and raises big questions over the role of the UK intelligence services and third party contractors in allowing these processes to continue for so long.”
It is neither confirmed nor denied whether the [agencies] share or have agreed to share bulk personal data and bulk communications data with foreign partners James Eadie QC, representing the UK Government
Carmichael called for full transparency about how much information the government is collecting and how it is shared. Safeguards needed to be established to prevent abuse of the system, he said.
Nik Williams, of Scottish PEN – an organisation campaigning for freedom of expression – said that the use of bulk personal datasets to capture social media data by the intelligence agencies was “alarming”.
This was due to the “intrusive nature” of these powers and the “inadequacy of all safeguards employed” to govern their use, he said.
“The evidence uncovered by Privacy International demonstrates the alarming scale of government surveillance and the reluctance of the agencies to be transparent and forthcoming with the data they hold and the bodies they share this data with,” Williams continued.
“Without robust oversight, or moves to ignore established oversight mechanisms, we have no way of knowing whether powers are being misused or abused and this is unjustifiable in a modern democracy.”
According to a report by The Guardian, the IPT at Southwark heard this week that the University of Bristol is a partner of GCHQ.
The report said that documents revealed by Edward Snowden, the US whistleblower, indicate that researchers at the University are given access to GCHQ’s entire datasets.
These include internet usage, telephone call logs, websites visited and online file transfers, among others.
Researchers are also given access to GCHQ’s targeting database, supposedly delivered at least once a day, the tribunal was told.
Another partner GCHQ shares data with is HMRC, the tax collection agency, which has access to a datastream called Milkwhite Enrichment Service.
Bulk communications data and personal datasets are shared by sending out information on disks or by allowing outside organisations to access the agency’s databases remotely.
However, the government is arguing that there are effective safeguards in place. James Eadie QC, who represents the Foreign Office, Home Office and intelligence agencies, denied in written submissions to the IPT that any data-sharing was illegal.
He wrote: “It is neither confirmed nor denied whether the [agencies] share or have agreed to share bulk personal data and bulk communications data with foreign partners and [other agencies] or (in the case of [MI6] and MI5) with industry partners.
“However, were they to do so such sharing would be lawful.”
The UK faces serious security and terrorist threats, Eadie added, with the use of bulk data becoming more important.
Cover image: Kevin Krejci | CC | https://flic.kr/p/dQKrGH