A whole heap of serious spying information has just landed: an ongoing court case filed back in 2015 by the UK’s Privacy International (PI) digital rights organization has finally borne redacted, PDF-based fruit.
Although the previously confidential documents published today outline the UK spying agencies’ policy to “neither confirm nor deny” the extent of bulk data collection and use of bulk personal datasets, the papers do confirm it, in rather spectacular detail.
That detail is found not least in the policies put in place in 2001 to try to stop spies from using these searchable databases for what could be called ‘life admin’:
An example of an inappropriate ‘self search’ would be to use the database to remind yourself where you have travelled so you can update your records. This is not a proportionate use of the system, as you could find this information by another means (i.e. check the stamps in your passport or keep a running record of your travel) that would avoid collateral intrusion into other people’s data.
We’ve seen a few instances recently of individual users crossing the line with their database use, looking up addresses in order to send birthday cards, checking passport details to organise personal travel, checking details of family members for personal reasons. Another area of concern is the use of the database as a ‘convenient’ way to check the personal details of colleagues when filling out service forms on their behalf.
More than 1,000 pages of documents outline the various laws – including one passed in 1984, before the Web was even invented – that GCHQ, MI5 and MI6 use to sanction the acquisition and use of bulk personal datasets.
These “hundreds of millions of records which may be linked together” include travel and financial information, as well as government health data and e-petition signatures. But no one has so far been able to account for just how many are held.
The documents also acknowledge that this spying is in no way limited to people who may represent a threat.
Indeed, in handing the documents over ahead of a court case where its use of personal data will be legally challenged, the intelligence service was already only too aware of the likely embarrassment it would cause in its own ranks.
Millie Graham Wood, Legal Officer at Privacy International, says:
This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals. The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny.
Privacy International will have its case heard at an Investigatory Powers Tribunal scheduled for July 2016.