The UK’s intelligence services have unlawfully engaged in mass surveillance of the populous for over a decade, hiding their activity from the public, a top court has ruled.
The Investigatory Powers Tribunal – a special court set up to deal with complaints against MI5, MI6 and GCHQ – ruled that the secret and illegal collection of bulk data was done without adequate safeguards or supervision.
Collection of Bulk Communications Data (BCD) – the "who, where, when and what" of phone and online communications – and Bulk Personal Datasets (BPD), which may include other details such as medical and tax records, failed to comply with the European Convention on Human Rights (ECHR).
The Tribunal ruled: "we are not satisfied that ... there can be said to have been an adequate oversight of the BCD system, until after July 2015" with "no Codes of Practice relating to either BCD or BPD or anything approximating to them."
It added that “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to parliament".
The judgement concluded:
“The BPD regime failed to comply with the ECHR principles which we have above set out throughout the period prior to its avowal in March 2015. The BCD regime failed to comply with such principles in the period prior to its avowal in November 2015.”
Safeguards and internal oversight were deemed insufficient to prevent staff using these vast databases of citizens’ private information to search for info about other members of staff, neighbours, friends, acquaintances, family members and public figures.
“There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations' personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used,” argued Privacy International legal officer Millie Graham Wood.
“The public and parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed."
The news comes as the House of Lords debates the controversial Investigatory Powers Bill or “Snoopers’ Charter,” which seeks to enshrine powers of mass surveillance in law for the first time.
Rafael Laguna, CEO of Open-Xchange, argued the bulk data collection powers slammed by the Investigatory Powers Tribunal are “the tools of a dictatorship.”
“There’s no telling how or why government staff accessed these databases. Unfortunately, much the same applies to the upcoming IP Bill which shows equal disregard for democratic oversight,” he added.
Jacob Ginsberg, senior director at encryption firm Echoworx, argued that there are security implications associated with storing metadata.
“The analysis of metadata is just as intrusive as the analysis of content from web pages or social media. It may appear innocuous but it has the potential to expose the life histories of individuals over time, both personally and professionally,” he explained.
“Another issue is the inevitability that data will leak. What happens when this treasure-trove of metadata is made publicly available by a malicious attacker? We need to think longer and harder about the implications of unavoidable outcomes and the impacts they will have on people’s lives, whether its discrimination over an insurance policy or an outright attack on privacy.”