British spy agencies have collected and shared huge databases of personal and social media information on millions of individuals, and effectively circumvented the investigatory body tasked with surveillance oversight, according to documents newly obtained by Privacy International, a London-based consumer advocacy group.
In the latest episode of a years-long legal challenge, Privacy International told the United Kingdom’s Investigatory Powers Tribunal (IPT) on Tuesday that, for several years, bulk datasets containing a wealth of personal information, including social media data, have been shared with foreign governments, law enforcement agencies, and industry partners.
According to letters disclosed to the group in court, these transfers have taken place behind the backs of the solicitors appointed specifically to hold the intelligence community accountable.
Social media data collected by the Government Communications Headquarters, the British signals intelligence agency, was shared with nation’s security and foreign intelligence services, MI5 and MI6, respectively, the IPT heard Tuesday. The data was also shared among industry partners as well as foreign intelligence agencies.
A leading industry partner identified at the hearing is the University of Bristol, researchers at which, according to classified US documents leaked by Edward Snowden, have been given access to personal and communication datasets amassed by GCHQ. Submissions also showed that GCHQ had shared material with Her Majesty’s Revenue and Customs (HMRC), the British tax collection agency.
The “bulk personal datasets” (BPD) are said to potentially include information on millions of individuals who hold no “legitimate intelligence interest,” according to The Guardian. When GCHQ’s analysts search bulk datasets, they’re supposed to record their rationale, a solicitor for Privacy International told the IPT, yet the court’s commissioners have not been provided those records.
In a statement, Privacy International said that the newly disclosed documents represent the first concrete example of social media information being collected and held in large databases controlled by UK intelligence agencies.
The full nature of the datasets remains unclear; however, Privacy International said it has previously identified categories including “biographical details,” “commercial and financial activities,” “communications,” “travel data,” and “legally privileged communications.” In a draft report summarizing an audit of the BDPs conducted this year, the Investigatory Powers Commissioner’s Office noted not only the collection “social media data,” but of “sensitive medical data” and “financial details” as well.
It was not immediately clear which foreign governments may have been granted access to the data, which was shared on disks or via remote access. The UK, however, is one of five nations—in addition to Australia, Canada, New Zealand, and the United States—party to the UKUSA Agreement, a treaty for joint cooperation in signals intelligence gathering, an intelligence ring colloquially known as “The Five Eyes.”
One fear is that the data, once shared, may be used in operations involving unlawful detention or torture, or to identify targets for extrajudicial killings. “It may be (overtly or covertly) passed on to another country, even though the UK would be unwilling to share directly with that state,” the solicitors argued. “There is no evidence that the control principle is operated or respected by the partners with whom data is shared.”
“The intelligence agencies’ practices in relation to bulk data were previously found to be unlawful,” Privacy International solicitor Millie Graham Wood said in a statement. “After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.”
Earlier this month, Privacy International challenged the GCHQ’s use of non-specific warrants to authorize the bulk hacking of domestic cellphones, computers, and networks—a complaint before the IPT originally based Snowden’s trove of NSA documents.