And if it’s happening there, you know it's happening……here

[kscarbel2]

UK security agencies unlawfully collected data for decade

The Guardian  /  October 17, 2016

Investigatory powers tribunal says agencies operated secret regimes to collect vast amounts of communications data for 10 years

The UK’s security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on British citizens for more than a decade, top judges have ruled.

The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, has ruled that the security services operated secret regimes to collect vast amounts of personal communications data tracking individual phone and web use and large datasets of confidential personal information without adequate safeguards or supervision for more than 10 years.

The IPT ruling includes the disclosure from an unpublished 2010 MI5 policy statement that the “bulk personal datasets” include material on the nation’s personal financial activities. “The fact that the service holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it says.

The ruling comes as the House of Lords debates the final stages of the investigatory powers bill – the snooper’s charter – which will put mass digital surveillance activities on a clear legal footing for the first time since the disclosure by Edward Snowden of the extent of state surveillance in 2013.

The tribunal, chaired by Mr Justice Burton, also reveals internal warnings to the staff of security agencies not to use the databases created to house these vast collections of data to search for or access information “about other members of staff, neighbours, friends, acquaintances, family members and public figures”.

It also reveal concerns within the security agencies themselves about the secretive nature of their bulk data collection activities.

The campaign group Privacy International said despite this warning the ruling showed that internal oversight failed to prevent these highly sensitive databases being treated like Facebook to check on birthdays, and “very worryingly” on family members for “personal reasons”.

In February 2010, a Mr Hannigan, then of the Cabinet Office, wrote of the agencies’ handling of these massive volumes of personal data: “It is difficult to assess the extent to which the public is aware of agencies’ holding and exploiting in-house personal bulk datasets, including data on individuals of no intelligence interest ... Although existing legislation allows companies and UK government departments to share personal data with the agencies if necessary in the interests of national security, the extent to which this sharing takes place may not be evident to the public.”

The ruling says that the regime governing the collection of bulk communications data – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was finally made public.

The ruling says that the holding of bulk personal datasets (BPD) – which might include medical records, tax records, individual biographical details, commercial and financial activities, communications and travel also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.

In the words of the ruling: “The BPD regime failed to comply with the ECHR principles which we have above set out throughout the period prior to its avowal in March 2015. The BCD regime failed to comply with such principles in the period prior to its avowal in November 2015, and the institution of a more adequate system of supervision as at the same date,” it concludes.

The legal challenge centred on the acquisition, use, retention, and disclosure by the security services of bulk communications data under section 94 of the Telecommunications Act 1984 and the use of bulk personal datasets under a variety of legal powers. The tribunal noted the highly secretive nature of the communications data regime, saying “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to parliament”.

Mark Scott of Bhatt Murphy Solicitors, instructed by Privacy International in the legal challenge, said: “This judgment confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country have been spied upon.”

Millie Graham Wood, legal officer at Privacy International, added: “Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale.

“There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used.

“The public and parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”

Privacy International added that the judgment did not specify whether the unlawfully obtained, sensitive personal data would now be deleted.

A government spokesperson responded to the ruling, saying:” The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.

“Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies.”

A further hearing in the case is scheduled for December to consider a number of outstanding issues.

Alistair Carmichael, Liberal Democrat home affairs spokesperson said the ruling showed: “Mass spying on the British people should be replaced with targeted surveillance of specific individuals suspected of wrongdoing.”

“Allowing the state to collect endless amounts of personal data is not just a gross invasion of a privacy, it is a waste of precious resources. Every pound the government spends monitoring people’s emails, text messages and calls is a pound taken away from community policing,” he added.