GCHQ Collects Mass Social Media Data on Millions in UK—Report

British intelligence agency Government Communications Headquarters (GCHQ) may have been collecting mass amounts of social-media data on millions of UK residents for decades—and sharing it with foreign intelligence and other law enforcement agencies.

Privacy International (PI), a privacy watchdog, claims to have documents that show that the spy agency collected and continues to access social-media information from private companies’ databases. It also has mounted litigation to expose the practice, challenging the right of the UK government to have such access.

PI said that it has obtained letters that confirm that “inappropriate and uncontrolled/uncontrollable sharing with industry third parties” is ongoing, without any proper oversight. It also alleges that government contractors have system access rights which could allow them to enter an agency’s system, extract data and then cover their tracks.

“It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified, such as ‘biographical details’, ‘commercial and financial activities’, ‘communications’, ‘travel data’, and ‘legally privileged communications’,” PI added.

"This is the first time on record we know bulk personal data sets contain social media data and sensitive medical records," Millie Graham Wood, a solicitor at PI, told the International Business Times. "To know they have large-scale social media data on an untargeted basis is pretty shocking. We don't know how long it's been going on for, or whether it's shared with foreign governments, industry and other departments like HMRC [Revenue and Customs]. If you think about how sensitive social media data are, it's so dangerous if there is no oversight."

PI also said that the Investigatory Powers Commissioner was unaware of the collection activities until PI brought it to light in the lawsuit, and that it has sought immediate inspection.

"We have just started our audit process and will continue to do a series of inspections on whether [intelligence agencies'] practices are lawful or not," an IPCO spokesperson told the IBT.

As for the validity of the accusations, Lee Munson, security researcher at Comparitech.com, said that they seem feasible.

"If GCHQ has collected a massive amount of information on every man, woman and child in the United Kingdom I do not think anyone can really be surprised,” he said, via email. “After all, we have known for many years that former Home Secretary, and now Prime Minister, Teresa May was keen for the security services to have access to as much data as possible, via the Investigatory Powers Act 2016.”

That act, aka the “Snoopers Charter”, has been highly controversial. It requires service providers to store the browsing history of the entire populace—as well as their emails, phone call and text records—for a year. They can then be handed over to the authorities for analysis at will. It also gives the government broad powers to read communications and listen in on calls without requiring suspicion of criminal activity; and bulk personal datasets, which allows agencies to acquire mass databases held by public or private sector bodies, which could contain highly personal details on things like religion, ethnic origin, sexuality, political leanings and health problems.

Muson added, “The fact that the legislation explicitly mentions bulk communications data acquisition would, I suspect, make any collection of social media, financial or health data at this time quite legal, even without any kind of court warrant being required,” Munson added. “Of course, the legality of any such bulk data swipes prior to 2016 are questionable, as is the collection of information from private databases, if true, but the fact remains that GCHQ almost certainly has far more information at its finger tips than many people realize.”

Social networking sites, especially, are a goldmine.

“The moral of this story is for people to think twice about the information they share willingly with their actual or virtual friends online because, one day, whether or not they have something to hide will be irrelevant as they will have voluntarily given up all of their privacy rights anyway,” Munson said.

This is of course not the first time a government has been found collecting social media data and other information on its citizens. Famously, Edward Snowden revealed the extent to which the NSA surreptitiously gathered information on US citizens.  

What’s Hot on Infosecurity Magazine?