UK oversight bodies 'were not aware' of spies' data-sharing

Privacy International finds documents alleging widespread GCHQ data-sharing occurred without safeguards

Privacy International has raised concerns that oversight bodies were not aware that GCHQ or MI5 were allegedly sharing people's social media data with foreign intelligence and law enforcement agencies.

The charity claims that GCHQ accessed this information by gaining access to private companies' databases. IT Pro understands that Facebook and Twitter do not provide governments with direct access to user data.

The Investigatory Powers Commissioner's Office (IPCO) now oversees the intelligence agencies' activities, after subsuming both the the Intelligence Services Commissioner's Office, and the Interception of Communications Commissioner. Both these latter bodies, the charity said, were unaware that UK intelligence agencies were sharing massive databases of people's information with foreign governments, law enforcement and industry - potentially for decades.

Inappropriate and uncontrollable sharing with industry third parties may still be ongoing without proper oversight, the privacy campaign group added, saying that there are contractors who have system access rights that could allow them to enter the intelligence agencies' systems, access and extract data and then cover their tracks.

Advertisement
Advertisement - Article continues below

The charity said it has since seen letters from the IPCO raising concerns about the role of private contractors who are given administrator access to the data. The body was worried that there were no systems in place to prevent the misuse of this data by the contractors.

A GCHQ spokesperson said to IT Pro: "We have always operated within the law, co-operated fully with oversight regimes, and all our activities are authorised, necessary and proportionate."

The information the agencies hold is stored in large databases but it remains unclear what data they have, with Privacy International's documents only revealing broad categories like "biographical details", "financial activities", "travel data" and "legally privileged communications".

The group revealed a tranche of documents detailing the data-sharing activities yesterday, and is in Southwark Crown Court until Thursday to uphold its challenge of the UK government's access to private company and/or organisation databases.

The case is a continuation of the charity's challenge to spy agencies' access to data, being heard by the Investigatory Powers Tribunal (IBT). The IBT previously made a landmark ruling that spy agencies had unlawfully collected communications data between 1998 and 2015 after Privacy International's challenge.

The UK government claims that there are effective safeguards in place around data sharing, which Privacy International disputes. Furthermore, the charity will question the government's evidence after the IPCO flagged that part of the government's evidence includes a misleading GCHQ witness statement. The statement details that the former commissioners were briefed about the agencies' use of information on private company and/or organisation databases. The IPCO stated the commissioners were never made aware of this.

Millie Graham Wood, solicitor at Privacy International, said: "The intelligence agencies' practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing, we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.

"The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future."

The IBT ruled last month that a case brought against the UK's spy agencies last month over the legality of mass surveillance should be taken to the European Court of Justice (ECJ). This means the ECJ will have the final say on whether the UK's collection of bulk communications data, granted under the Investigatory Powers Act, is legal.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/policy-legislation/33407/what-is-the-investigatory-powers-act-2016
Policy & legislation

What is the Investigatory Powers Act 2016?

8 Aug 2019
Visit/server-storage/network-attached-storage-nas/354221/synology-dva3219-review-an-ideal-cctv-system
network attached storage (NAS)

Synology DVA3219 review: An ideal CCTV system

28 Nov 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019