Britain’s spy agencies collected bulk data on UK citizens — including social media, medical and financial details — and shared it with foreign intelligence agencies and commercial partners without appropriate oversight, a tribunal has heard.
The harvesting and sharing of bulk personal data on UK citizens who are not specific targets of intelligence investigations is supposed to be subject to stringent oversight by independent judicial commissioners, including the newly appointed Investigatory Powers Commissioner’s Office.
But the Investigatory Powers Tribunal, sitting at Southwark Crown Court, heard that the IPCO’s predecessors were unaware of the situation until told by Privacy International, which is bringing a case against the intelligence services, alleging that they shared the data illegally.
Millie Graham Wood, a solicitor at Privacy International, said that the IPCO has now begun an investigation into the collection and sharing of bulk data.
“This is the first time on record we know bulk personal data sets contain social media data and sensitive medical records,” said Ms Graham Wood. “To know they have large-scale social media data on an untargeted basis is pretty shocking. We don’t know how long it’s been going on for, or whether it’s shared with foreign governments, industry and other departments like HMRC. If you think about how sensitive social media data are, it’s so dangerous if there is no oversight.”
In August and September this year, the IPCO conducted its first ever audit of bulk personal data held by the intelligence agencies, including MI5, MI6 and GCHQ, Britain’s electronic intelligence agency, according to documents revealed on Tuesday.
Specifically, it looked at what data may have been shared and why, and whether the sharing was a one-off or continuous process. It hasn’t yet looked into whom the data are being shared with.
“As overseers, we need reassurances about how that data are being used, because if a foreign country uses it unlawfully, then the UK agency who shares it becomes complicit, in a way,” an IPCO spokesperson said.
The audit revealed for the first time that the types of data being collected by the agencies included “sensitive medical data or financial details” as well as social media data.
Facebook and Twitter both said that if the bulk data did come from their platforms, it was without their knowledge. Twitter said: “We prohibit developers using [Twitter] data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period.” Facebook also said it did not provide any government with direct access to people’s data.
The IPCO specifically raised concerns about the role of private contractors, who are allowed “administrator” access to the information spy agencies collect.
The commissioner recommended that GCHQ in particular needed better systems to allow a “more thorough inspection . . . in particular, to assess what [bulk communications data] was accessed and the justifications as to why it was necessary and proportionate.”
“We have just started our audit process and will continue to do a series of inspections on whether [spy agencies’] practices are lawful or not,” the IPCO spokesperson said.
Although it remains unclear which foreign governments may be receiving bulk data relating to UK citizens, it is well-known that the UK belongs to the anglophone “five-eyes” intelligence-sharing alliance comprised of Australia, Canada, New Zealand, the UK and the US.
GCHQ and the Home Office did not immediately respond to a request for comment.