UK oversight bodies 'were not aware' of spies' data-sharing

Privacy International finds documents alleging widespread GCHQ data-sharing occurred without safeguards

Privacy International has raised concerns that oversight bodies were not aware that GCHQ or MI5 were allegedly sharing people's social media data with foreign intelligence and law enforcement agencies.

The charity claims that GCHQ accessed this information by gaining access to private companies' databases. IT Pro understands that Facebook and Twitter do not provide governments with direct access to user data.

The Investigatory Powers Commissioner's Office (IPCO) now oversees the intelligence agencies' activities, after subsuming both the Intelligence Services Commissioner's Office and the Interception of Communications Commissioner. Both these latter bodies, the charity said, were unaware that UK intelligence agencies were sharing massive databases of people's information with foreign governments, law enforcement and industry - potentially for decades.

Inappropriate and uncontrollable sharing with industry third parties may still be ongoing without proper oversight, the privacy campaign group added, saying that there are contractors who have system access rights that could allow them to enter the intelligence agencies' systems, access and extract data and then cover their tracks.

The charity said it has since seen letters from the IPCO raising concerns about the role of private contractors who are given administrator access to the data. The body was worried that there were no systems in place to prevent the misuse of this data by the contractors.

A GCHQ spokesperson said to IT Pro: "We have always operated within the law, co-operated fully with oversight regimes, and all our activities are authorised, necessary and proportionate."

The information the agencies hold is stored in large databases but it remains unclear what data they have, with Privacy International's documents only revealing broad categories like "biographical details", "financial activities", "travel data" and "legally privileged communications".

The group revealed a tranche of documents detailing the data-sharing activities yesterday, and is in Southwark Crown Court until Thursday to uphold its challenge of the UK government's access to private company and/or organisation databases.

The case is a continuation of the charity's challenge to spy agencies' access to data, being heard by the Investigatory Powers Tribunal (IPT). The IPT previously made a landmark ruling that spy agencies had unlawfully collected communications data between 1998 and 2015 after Privacy International's challenge.

The UK government claims that there are effective safeguards in place around data sharing, which Privacy International disputes. Furthermore, the charity will question the government's evidence after the IPCO flagged that part of the government's evidence includes a misleading GCHQ witness statement. The statement details that the former commissioners were briefed about the agencies' use of information on private company and/or organisation databases. The IPCO stated the commissioners were never made aware of this.

Millie Graham Wood, solicitor at Privacy International, said: "The intelligence agencies' practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing, we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.

"The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future."

The IPT ruled last month that a case brought against the UK's spy agencies over the legality of mass surveillance should be taken to the European Court of Justice (ECJ). This means the ECJ will have the final say on whether the UK's collection of bulk communications data, granted under the Investigatory Powers Act, is legal.
