Privacy rights group Privacy International says it has obtained evidence for the first time that UK spy agencies are collecting social media information on potentially millions of people.

It has also obtained letters it says show the intelligence agencies’ oversight body had not been informed that UK intelligence agencies had shared bulk databases of personal data with foreign governments, law enforcement and industry — raising concerns about effective oversight of the mass surveillance programs.

The documents have come out as a result of an ongoing legal challenge Privacy International has brought against UK intelligence agencies’ use of bulk personal data collection as an investigatory power. (The group also has various other active legal challenges, including to state hacking.)

It says now that the Investigatory Powers Commissioner’s Office (IPCO) oversight body “sought immediate inspection when secret practices came to light” as a result of its litigation.

The use by UK spooks of so-called bulk personal datasets (BPDs) — aka massive databases of personal information — was only publicly revealed in March 2015, via an Intelligence and Security Committee report, which also raised various concerns about their use.

Although the report revealed the existence of BPDs it was heavily redacted — for example scrubbing info on exactly how many BPDs are held by the different agencies. Nor was it clear where exactly agencies were sourcing the bulk data from.

It did specify that the stored and searchable data can include details such as an individual’s religion, racial or ethnic origin, political views, medical condition, sexual orientation, and legally privileged, journalistic or “otherwise confidential” information. It also specified that BPDs “vary in size from hundreds to millions of records”, and can be acquired by “overt and covert channels”.

A key concern of the committee at the time was that rules governing use of the datasets had not been defined in legislation (although the UK government has since passed a new investigatory powers framework that enshrines various state surveillance bulk powers in law).

But at the time of the report, privacy issues and other safeguards pertaining to BPDs had not been considered in public or parliament.

Access to BPD data, meanwhile, had been authorized internally without ministerial approval. There were also no legal penalties for misuse, and, perhaps unsurprisingly, the report revealed that all intelligence agencies had dealt with cases of inappropriate access to BPDs.

The documents obtained by Privacy International now put a little more meat on the bones of BPDs. “New disclosure reveals that the UK intelligence agencies hold databases of our social media data,” the group writes today. “This is the first confirmed concrete example of the type of information collected by the UK intelligence agencies and held in large databases.

“The social media database potentially includes information about millions of people,” it further writes, adding: “It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified such as ‘biographical details’, ‘commercial and financial activities’, ‘communications’, ‘travel data’, and ‘legally privileged communications’.”

In one of the new documents — a draft report from last month summarizing the findings of a 2017 audit of the operation of BPDs — the IPCO, which only took over oversight duties for UK investigatory powers last month, makes a stated reference (below) to “social media data” when discussing how agencies handle different BPD databases, indicating that content from consumer social networks such as Facebook and Twitter is indeed ending up within spy agencies’ bulk databases. (Though no services are mentioned by name.)

Additional documents in the new bundle obtained by Privacy International show the IPCO flagging the role of private contractors that are given ‘administrator’ access to the information UK intelligence agencies collect — and raising concerns that there are currently no safeguards in place to prevent misuse of the systems by third-party contractors.

Part of the UK government’s defense to the group’s legal challenge over intelligence agencies’ use of BPDs is that there are effective safeguards in place to prevent misuse. But Privacy International’s contention is that the new documents show otherwise — with the IPCO stating the Commissioner was never made aware of any practice of GCHQ sharing bulk data with industry.

Commenting in a statement, Privacy International solicitor Millie Graham Wood said: “The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.

“The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future.”

The six additional documents were disclosed on October 13 to Privacy International, which also notes it is back in court today for the BPDs litigation.

A full list of the disclosure and documents pertaining to its bulk personal datasets challenge can be found here.