Britain’s intelligence agencies are sharing highly sensitive data about the population with foreign intelligence services, industry and other UK government agencies, without adequate protections in place, the UK’s most secret court will hear this week.

Campaigning group Privacy International will argue in a hearing at the Investigatory Powers Tribunal (IPT) that intelligence services are sharing huge datasets about largely innocent people with third parties without sufficient controls on how the data will be used.

The case is expected to shed light on the way in which GCHQ, MI5 and MI6 share sensitive information, originally collected for national security purposes, with partner intelligence services in the Five Eyes network, law enforcement and government departments, including HMRC, and with private sector partners and universities.

It emerged during a hearing at Southwark Crown Court on 17 October 2017 that the UK intelligence agencies hold a bulk database containing the records of potentially millions of people’s social media use.

Further disclosures reveal that intelligence watchdog, the Investigatory Powers Commissioner’s Office (IPCO), has raised particular concerns about a lack of safeguards in place to prevent the misuse of systems by private contractors, who are given “administrator” access to the information collected by UK intelligence agencies.

The watch dog only became aware of the intelligence community’s practice of sharing data with industry and UK law enforcement, as a result of Privacy International’s legal challenge, and subsequently ordered an immediate inspection, it emerged today.

Lack of safeguards Privacy International said that the government had failed to provide evidence that there were sufficient safeguards in place to protect the use and security of sensitive data once it had been shared with others. A foreign government, for example, could use the data to support an unlawful detention or torture programme, or use it to identify the target for a lethal operation. Ben Jaffey, representing the campaign group told the tribunal that: "once the data set is provided outside the agency then control has been lost. For example a foreign partner could hand it on to another foreign partner that the UK would not pass it to, or be used for operations for which the UK would not approve." There is no adequate audit of bulk data gathered by analysts at GCHQ, he told the hearing. The Investigatory Powers Tribunal ruled last year that UK intelligence agencies had been unlawfully collecting the population’s mobile phone and internet data for 17 years, without adequate safeguards or supervision. Bulk communications data GCHQ and MI5 obtain bulk communications data, under section 94 of the Telecommunications Act 1984.

GCHQ collects data on email and telecommunications traffic from telephone and internet service providers, which is merged into data obtained from other forms of interception including, for example, bulk collection from internet cables.

Around 5% of GCHQ’s original intelligence is based on material gathered under section 94.

MI5 has collected communications data from telephone and internet companies since 2005. MI5 argues that the data is anonymous, as no subscriber details are included. The data is of significant intelligence and security value. It retains bulk communications data for one year.

The existence of bulk communications data collection remained secret until November 2015, when it was disclosed along with the introduction of the Investigatory Powers Bill. The three-day hearing centres the on the lawfulness of GCHQ and MI5 sharing vast intelligence databases, containing highly sensitive details of the individuals, with industry, universities, other government departments, and foreign intelligence agencies. They include bulk communications data (BCD), which records the populations internet, telephone and location histories, and bulk personal datasets (BPDs), which contain “considerable volumes” of biographical information on individuals’ financial and commercial activities, and travel patterns. The case comes days after home secretary Amber Rudd called on technology companies to provide the government with back-door access to widely used, encrypted applications, such as What’sApp, despite a later admission that she did not understand encryption.

Watchdog raises concerns over sharing intelligence with private sector partners GCHQ has confirmed that it shares entire databases of “raw sigint” (signals intelligence) data with industry partners, “contracted to develop new systems and capabilities for GCHQ”. They may access databases by visiting GCHQ’s premises, interrogate databases through remote access to GCHQ’s networks, or have the data transferred to their own premises. The Investigatory Powers Commissioner’s Office (IPCO), has raised particular concerns about the role of private contractors given “administrator” access to the information UK intelligence agencies collect. It said it was concerned that there were currently no safeguards in place to prevent misuse of the systems by third party contractors, in a statement which raises questions over the accuracy of statements by GCHQ. “Neither ISCom [The Intelligence Services Commissioner’s Office] nor IOCCO [The Interception of Communications Commissioners Office] were previously informed by GCHQ that the sharing of BPD/BCD with industry partners, as described in the statement of the GCHQ witness…had occurred,” the IPCO said in a letter dated 19 September 2017. Bulk personal data Bulk personal data is acquired by GCHQ, MI5 and MI6, both overtly, covertly and through computer hacking. It includes “considerable volumes” of biographical data, data on commercial and financial activities, communications and travel, as well as communications data obtained under section 94 of the Telecommunications Act 1984 or by interception under a warrant. Bulk personal data may be searched by security agencies to discover details about persons of intelligence interest. They are used to: help identify subjects of interest or unknown people that surface in the course of investigations;

establish links between individuals and groups;

improve understanding of targets’ behaviour and connections;

verify information obtained through other sources. BPD can contain sensitive personal data and information covered by legal professional privilege, journalistic material and financial data. The security services may share bulk personal data with foreign partners, or other parts of government. The existence of bulk personal data sets remained secret until March 2015, when the intelligence services commissioner disclosed it. The Investigatory Powers commissioner has confirmed that sharing of bulk personal datasets “with industry partners” was not audited, nor were there records of any inspection visits. In one case, a database containing telephone records was transferred from GCHQ Benhall, Cheltenham, to a partner’s premises through a secure courier service. GCHQ confirmed that it did not log the queries made on the data, and that its use has not been examined by an independent commissioner. GHCQ also confirmed in a witness statement that one database of bulk personal data had been accessed by a small number of people – less than 20 – working for industry partners, but that it had no record of what information they accessed. The University of Bristol is one of GCHQ’s most important industry partners. Researchers were given access to GCHQ’s entire datasets, covering people’s internet use, telephone call data and the websites they visited. They also had access to GCHQ’s entire targeting database – a highly sensitive database – that was delivered to the university at least once a day, documents released by National Security Agency (NSA) whistleblower Edward Snowden revealed. “After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments. The risks associated with these activities are painfully obvious,” said Graham Wood of Privacy International.

UKUSA and data sharing between the Five Eyes The UK and US agreed to share intelligence data in a now declassified agreement known as UKUSA, which was first signed in March 1946. The document forms the basis of the reciprocal intelligence sharing principles between the Five Eyes, intelligence agencies, Britain, US, Canada, Australian and New Zealand. The agreements have since been updated but remain highly classified, while the number of intelligence agencies that share information – with varying degrees of cooperation – has grown from 5 to more than 40. The UK government has refused to confirm or deny whether the UK intelligence agencies share BPDs and BCD with overseas intelligence agencies – a position that Privacy International claims is untenable. “You would expect governments to be conducting some form of sharing with foreign governments. So to neither confirm nor deny it is a bit ludicrous, because everyone would expect it – the average person would expect it, a criminal would expect it, a terrorist would expect it,” said Graham Wood. The Intelligence and Security Committee said in a report in March 2015 that while controls over how data is used, stored, retained and disclosed apply within the secret intelligence agencies, they “do not apply to overseas partners with whom the agencies may share datasets”. Data may be passed to another country, even though the UK would be unwilling to share the data directly with that state, the non-govermental organisation (NGO) argued, while permitting remote access allows third parties to quickly search vast quantities of data, without having to process the data itself. Documents leaked by Snowden show that the only requirement at the NSA to access GCHQ’s data is that analysts click a box to show that they have the relevant training. The director of the NSA was briefed that the former director of GCHQ, Iain Lobban, was likely to ask whether UK-source data might be given by the NSA to the Israeli government to conduct “lethal operations” during a visit to the US agency, one leak revealed. Telephone and internet service providers (ISPs) have raised concerns with intelligence agencies about the sharing of their data overseas. In one case, a communications company asked an intelligence agency not to share their data outside the UK. In other cases, communication companies said they “would be very concerned if data was shared with other jurisdictions without their knowledge,” according to a report by the Interception of Communications commissioner, Stanley Burnton.

Repurposing data collected for national security Once the intelligence data has been collected for purposes of national security, it can then be repurposed for uses which fall far short of national security – such as checking up on people’s tax status. Under one programme, codenamed Milkwhite, GCHQ made huge volumes of data about people’s online activities available to MI5, the Metropolitan Police, the then Serious Organised Crime Agency, the Police Service of Northern Ireland, the Scottish Recording Centre, and Her Majesty’s Revenue and Customs (HMRC) on a “business as usual” basis. GCHQ has been collecting BCD on the UK population’s internet, email and phone use since 1998, under the Telecommunications Act 1984. The practice remained secret until November 2015, when the government “avowed” the practice with the introduction of the Investigatory Powers Bill. Under the Telecommunications Act 1984, the secretary of state can issue “section 94” directions to phone and internet companies to require them to disclose communications data to the intelligence services. But evidence disclosed in earlier hearings suggest that GCHQ’s section 94 directions are worded in such a way that allows the power to request BCD to be delegated to the director of GCHQ, or any person authorised by him. Graham Wood said while the secretary of state is supposed to have independent oversight of requests for BCD, in reality, ministers have little control over how the power is used. “It means that no one is checking how this power is being used or the extent to which it is being used. In fact, a minister isn’t fully aware of what is going on when they should be,” she said. This makes the directions unlawful under UK domestic and EU law and is in breach of Article 8 of the European Convention on Human Rights, which guarantees the right of privacy, the NGO argues.