Privacy International's Legal Challenge Against MI6, MI5, And GCHQ's Secret Surveillance Practices That Go Beyond The Edward Snowden Revelations
Tomorrow, on 26 July, the main hearing will begin in Privacy International's legal challenge against MI6, MI5, and GCHQ's collection of bulk communications data and bulk personal datasets. Previously secret documents will be made public at the hearing, and Privacy International will brief attending journalists about the significance of the disclosed documents.
The hearing will include references to important documents detailing the collection of data on every citizen in the UK including: location information, numbers dialed by the telephone and calls received, duration of calls, time and date calls made and received, operating system, browsing history, billing information, IP addresses, instant messaging data, and physical mail data. The documents will demonstrate the far reaching nature of secret government surveillance of UK citizens that go beyond the Edward Snowden revelations.
Camilla Graham-Wood, Legal Officer at Privacy International, will be able to brief journalists about the significance of this previously secret material at the start of the hearing, as part of our challenge to key planks of the Government's mass surveillance apparatus.
Date: Tuesday 26 July 2016
Location: Rolls Building, 7 Rolls Buildings, Fetter Lane, London EC4A 1NL
Press inquiries: Call 020 3422 4321 and ask to speak to Camilla Graham-Wood
Notes to editor
The intelligence and security agencies obtain bulk communications data (BCD) using section 94 of the Telecommunications Act 1984. This broad law allows the Secretary of State to require telecommunications companies 'to do or not to do a particular thing' in the interests of national security or government relations. It has been used to request regular feeds of communications data from telecommunications companies. Communications data includes, among other things:
- locations from which communications are initiated or received,
- numbers dialed,
- call or communication duration,
- browsing history,
- billing information,
- operating system used,
- and IP addresses.
Bulk personal data-sets (BPDs) are large databases containing personal information about a wide range of people, the majority of whom are not of intelligence interest. Current BPDs are admitted to include flight manifests, bulk travel data, bulk untargeted communications metadata, anonymised records of financial transactions, bulk databases obtained by computer hacking and internet network management data logs. Multiple data-sets are joined together to enable profiling.
As a result of the litigation Privacy International has learned that:
- Prior to the publication of the Investigatory Powers Bill, the use of s.94 to collect BCD was kept secret
- BCD contains large amounts of data, most of which relates to individuals who are unlikely to be of any intelligence interest.
- GCHQ & MI5 collect and holds BCD
- GCHQ & MI5 rely on s.94 Telecommunications Act 1984 as its legal basis for collecting BCD
- MI5 generally retains BCD for one year
- BCD contains communications data in the form of 'traffic data' and 'service use information' or the 'who, where, when and how of a communication.' BCD may contain subscriber information.
- BCD may include locational data from mobile and fixed line telephones and internet devices
- GCHQ's BCD collection includes bulk internet communications data
- Bulk Internet Communications Data includes the 'who, where, when and how' of any communication on the internet, including automated communications between machines.'
- BCD may be disclosed to persons outside the agency holding the BCD.
- The existence of section 94 directions was not disclosed in the two Strasbourg cases of Liberty v UK, Kennedy v UK or the Davis & Watson proceedings in the Court of Appeal
- BCD Handling Arrangements that came into force on 4 November 2015 have not been approved by the Intelligence Services Commissioner or the Interception of Communications Commissioner.
- There have been instances of non-compliance with internal procedures and safeguards in relation to access of BCD databases at GCHQ and MI5
- GCHQ & MI5 & MI6 collect and holds BPDs
- BPDs are held (or acquired for holding) on the analytical systems of the intelligence agencies
- BPDs consist of large amounts of personal data
- The majority of individuals whose personal data is contained in a BPD will be of no intelligence interest
- Multiple BPDs are analysed together to obtain search results
- BPD may be acquired through overt and covert channels
- GCHQ holds BPDs in the following categories:
- commercial; communications; financial; identity; and travel
- SIS holds BPDs in the following categories:
- Biographical; Communications; Financial; and Travel
- MI5 holds BPDs in the following categories:
- LEA/Intelligence; Travel; Communications; Finance; Population; and Commercial
- BPDs can contain sensitive personal data as defined under section 2 of the DPA 1998
- BPDs can contain information covered by legal professional privilege, journalistic material, financial data.
- GCHQ, MI5 and SIS share BPDs
- BPDs may be shared with the agencies foreign partners
- MI5, GCHQ and SIS each acquire BPDs from other Government Departments
- BPDs may be disclosed to persons outside the agencies
- Medical data may appear in BPDs
- BPD Handling Arrangements that came into force on 4 November 2015 have not been approved by the Intelligence Services Commissioner or the Interception of Communications Commissioner.
- There have been instances of non-compliance with BPD safeguards at GCHQ, MI5 and SIS
- There are no publicly available rules governing the international transfer of data-sets
- There was no statutory oversight of BPDs by the Intelligence Services Commissioner prior to the ISC report
- Prior to the publication of the ISC report, the holding of BPDs was kept secret. There was no public or parliamentary consideration of them.
- There is no procedure to notify victims of any misuse of BPD so that they can seek a remedy before the Tribunal.