Privacy International are arguing in a secret hearing of the Investigatory Powers Tribunal (IPT) that UK intelligence services are actively sharing huge datasets with third parties, without “sufficient controls on how the data will be used.”

Following the number of concerns raised over big data profiling being used illicitly in both the Brexit vote and Trump elections, with access being granted to Russian Intelligence Services, it transpires GCHQ have been unaccountably sharing one of the world’s largest datasets with third parties, without an audit process.

The spies have been sharing their data with other agencies including HMRC, who were not only hacked but have also ‘lost’ data previously.

They have also been sharing their data with universities, who have also been consistently targeted with hacking operations aimed at data theft. Bristol University has full access to GCHQ’s systems data.

GCHQ work particularly closely with external third parties, including BAE Systems, who have previously seen scandal involving the sale of secrets arising from their dealings with the security services.

BAE have also been selling a surveillance system which looks very much like GCHQ’s own system to repressive regimes for profit.

Another third party known to work with the British defence services is controversial SCL Group, the parent of Cambridge Analytica – from 2010 they were paid £150,000 for the “Procurement of Target Audience Analysis” and training.

Since working for the Trump Administration they have been angling for Pentagon contracts. It is unknown if SCL or its affiliates have had direct access to GCHQ’s data, but due to the lack of audit trail and SCL’s links it is more than probable.

A further concern regarding third party access arises from the developing scandal around loss of NSA secrets by a contractor who had Kremlin monitoring software Kaspersky installed on his personal network.

MI6, our foreign security services arm dealing with threats outside of the UK, relies heavily on GCHQ’s bulk interception of communications and both MI6 and MI5 (the domestic security service) utilise GCHQ’s systems to obtain personal travel data.

UK Security Service data-sharing now extends well beyond Five Eyes too.

While mostly classified, it is known sharing now takes place with up to 40 foreign intelligence services and what happens once the data leaves the UK is completely unregulated.

This position has been officially confirmed in one 2015 report, with the Intelligence and Security Committee writing that controls “do not apply to overseas partners with whom the agencies may share datasets.”

In short, GCHQ have been sharing huge amounts of information, gathered illegally, with no security around what happens to that data afterwards domestically and internationally.

David Anderson, the man charged with an independent review of terrorism legislation, wrote in one report: “Bulk powers, by definition, involve potential access by the state to the data of large numbers of people whom there is not the slightest reason to suspect of threatening national security or engaging in serious crime. Any abuse of those powers could thus have particularly wide-ranging effects on the innocent.”

The Investigatory Powers Commissioner’s Office (IPCO) also raised the alarm over safeguards around the misuse of systems by private contractors. This centres around third parties who are granted “administrator” privileges to the information.

In fact, IPCO only found out about this through the Privacy International legal challenge to GCHQ.

“Neither ISCom [The Intelligence Services Commissioner’s Office] nor IOCCO [The Interception of Communications Commissioners Office] were previously informed by GCHQ that the sharing of BPD/BCD with industry partners, as described in the statement of the GCHQ witness…had occurred,” IPCO responded in writing during September 2017.

According to Computer Weekly, whose reporting of this case is second to none: “Privacy International said that the government had failed to provide evidence that there were sufficient safeguards in place to protect the use and security of sensitive data once it had been shared with others. A foreign government, for example, could use the data to support an unlawful detention or torture programme, or use it to identify the target for a lethal operation.”

Ben Jaffey, a lawyer for Privacy International, said: “once the data set is provided outside the agency then control has been lost. For example a foreign partner could hand it on to another foreign partner that the UK would not pass it to, or be used for operations for which the UK would not approve.”

Graham Wood of Privacy International added: “After three years of litigation, just before the court hearing we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments. The risks associated with these activities are painfully obvious.”

GCHQ has confirmed that it shares entire databases of “raw sigint” (signals intelligence) data with industry partners, “contracted to develop new systems and capabilities for GCHQ”.

In 2016, the Investigatory Powers Tribunal ruled UK intelligence agencies had been unlawfully collecting the population’s mobile phone and internet data for 17 years.