A tribunal has been told that UK spy agencies MI5 and MI6 may be breaking the law when they share data with foreign intelligence agencies and industry partners. One of the partners named is the University of Bristol.
Privacy International brought the legal challenge, currently before an Investigatory Powers Tribunal. The civil liberties organisation alleges that MI5 and MI6 have been sharing highly sensitive bulk data with industry partners and breaking the law.
Letters obtained by Privacy International reveal that the body tasked with overseeing intelligence agencies’ activities, the Investigatory Powers Commissioner’s Office (IPCO), was kept in the dark as UK intelligence agencies shared massive databases with foreign governments, law enforcement and industry, potentially for decades.
The tribunal heard that the University of Bristol is one example of an important industry partner for GCHQ that has received “entire raw unselected data-sets, including internet usage, telephone call logs, websites visited, online file transfers and others.”
The tribunal heard that researchers are also given daily access to Government Communications Headquarters’ (GCHQ) targeting database, providing exceptionally sensitive datasets. Inappropriate and uncontrolled/uncontrollable sharing with industry third parties currently remains without any proper oversight, according to Privacy International. The government is arguing that there are effective safeguards in place.
As the Cable reported back in February, mathematicians and computer scientists at the university are working with the GCHQ. Staff at the Heilbronn Institute for Mathematical Research, a national mathematics centre based at the university, are reported to spend as much as half of their time pursuing research directed by GCHQ.
A 2016 leak by the NSA whistleblower Edward Snowden revealed that the university’s Heilbronn Institute provided research findings to GCHQ and other intelligence agencies on bulk data analysis – data that describes and gives information about other data.
Privacy International has seen letters from the body that is tasked with overseeing this large-scale surveillance regime, the IPCO. The IPCO specifically raised concerns about the role of private contractors, who are given ‘administrator’ access to the information UK intelligence agencies’ collect. The investigatory powers commissioner raised concerns that there are currently no safeguards in place to prevent misuse of the systems by third party contractors.
New disclosures also reveal that the UK intelligence agencies hold databases of our social media data. This is the first confirmed concrete example of the type of information collected by the UK intelligence agencies and held in large databases. The social media database potentially includes information about millions of people.
It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified such as ‘biographical details’, ‘commercial and financial activities’, ‘communications’, ‘travel data’, and ‘legally privileged communications’.
Millie Graham Wood, a solicitor at Privacy International said:
“The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.
“The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future.”
The hearing continues at Southwark crown court.