MI5's Uncontrolled Bulk Data Collection

Uploaded on 2016-06-13 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, GOVERNMENT-National, FREE TO VIEW

The watchdog that monitors interception of emails and phone calls by the intelligence services allowed MI5 to escape regular scrutiny of its bulk collection of communications data, according to newly released confidential correspondence.

A highly revealing exchange of letters from 2004 has been published by Privacy International (PI) before a parliamentary debate on the investigatory powers bill, sometimes called the snooper’s charter. 

The campaign group argues that the letters demonstrate the relationship between government agencies and the independent organisation that is supposed to oversee and regulate their activities has been too “cozy”.

The correspondence has been disclosed in the course of legal action between PI and the government at the investigatory powers tribunal (IPT) which is due to be heard in full this year. The IPT deals with complaints about the intelligence services and surveillance by public bodies. GCHQ is alleged to be illegally collecting “bulk personal datasets” from the phone and internet records of millions of people who have no ties to terrorism and are not suspected of any crime.

The letters were sent by Home Office legal advisers, GCHQ and Sir Swinton Thomas, who was the interception of communications commissioner. The organisation is now called the Interception of Communications Commissioner’s Office (IOCCO).

In May 2004, a Home Office legal adviser wrote to Thomas backing an MI5 proposal that collecting bulk data from communication service providers for its “database project” be authorised under section 94 of the 1984 Telecommunications Act because, at that stage, there were no human rights implications or breach of privacy concerns. Using that act would not require a notice to be put before parliament because it could be used secretively on the grounds that “disclosure of the direction would be against the interests of national security”. 

Thomas wrote back the following month, expressing reservations about such clandestine authorisation. He proposed that it would be better to use the more modern and exacting Regulation of Investigatory Powers Act 2000 (Ripa), which involves more open legal procedures and safeguards.

The Home Office responded, saying that, although Ripa might be engaged, it did not think that meant it must be used. The letter continued: “The only practical difference between the two sets of provisions is if [Ripa] were used, a new notice would need to be issued every month … involving a fresh consideration of the necessity and proportionality issues. This would not be the case under section 94 [of the Telecommunications Act].”

Thomas backed down, replying that, “on reconsideration”, use of Ripa was not mandatory. He added: “I am also impressed by the considerable and, if possible to be avoided, inconvenience in following the [Ripa] procedure in the database procedures.”

GCHQ wrote to Thomas in October that year after he had visited its Cheltenham headquarters. “Huges volumes of data are acquired (about 40m bits of data a day),” it informed him. “In the interests of security and commercial confidentiality, GCHQ prefers to keep all the telephony material together in one database … to disguise its source, as the origin of some of the material is extremely sensitive.”

GCHQ also asked whether access to communications data for its databases would be lawful under the Telecommunications Act rather than the more burdensome Ripa.

Thomas said it was not a straightforward problem but eventually acquiesced, saying: “I have, therefore, reached the conclusion, not without some difficulty, that the present system for retrieval [under the Telecommunications Act] is lawful. As you say, adhering to the spirit of the legislation is important.”

The debate goes some way to explain official thinking on the legal distinction between anonymised bulk data collection and a second stage of interception where material may be matched to individuals.

The latest revelation follows an earlier release of confidential documents by PI last month that showed how GCHQ, MI5 and MI6 obtain personal data from public and private organisations, including financial institutions, the NHS, electronic petitions record databases and others.

Guardian

« First LinkedIn, Now Twitter ... Hacked User IDs For Sale
Connected: The Mobile Police Station »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

SealPath

SealPath

SealPath enables companies to protect and control their documents wherever they are: In their PC, in their corporate network, on a partner’s network, in the cloud.

baramundi software

baramundi software

baramundi software AG provides companies and organizations with efficient, secure, and cross-platform management of workstation environments.

OneLogin

OneLogin

OneLogin simplifies identity management with secure, one-click access,for employees, customers and partners, through all device types, to all enterprise cloud and on-premise applications.

ControlCase

ControlCase

ControlCase provide solutions that address all aspects of IT-GRCM (Governance, Risk Management and Compliance Management).

AMETIC

AMETIC

AMETIC, is the Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies in Spain.

VMRay

VMRay

VMRay delivers advanced threat analysis and detection that combines a unique agentless hypervisor-based network sandbox with a real-time reputation engine.

IntaPeople

IntaPeople

IntaPeople are IT and engineering recruitment specialists. We have specialist teams for job sectors including Cybersecurity, IT infrastructure and DevOps.

CyVolve

CyVolve

Cyvolve is the next great leap forward in data security, ensuring constant encryption and pervasive control over all your data.

Neosecure

Neosecure

NeoSecure is a specialist Cybersecurity Solutions and Managed Services provider in Latin America.

Hunter Strategy

Hunter Strategy

Hunter Strategy focuses on delivering solutions that are concise, scalable, and target our customer’s complex technical challenges.

SubRosa Cyber Solutions

SubRosa Cyber Solutions

SubRosa Cyber Solutions solves its clients’ most tenacious information security, risk and compliance challenges through a multitude of information technology services and expertise.

Secret Intelligence Service (SIS - MI6)

Secret Intelligence Service (SIS - MI6)

The UK’s Secret Intelligence Service, also known as MI6, has three core aims: stopping terrorism, disrupting the activity of hostile states, and giving the UK a cyber advantage.

Punk Security

Punk Security

Punk Security are specialists in integrating security into DevOps pipelines, enabling rapid and secure development.

Focus Digitech

Focus Digitech

Focus Digitech helps you with your digital transformation journey with our main core offerings of Cloud, Cybersecurity, Analytics and DevOps.

Infodot Technologies

Infodot Technologies

Infodot Technologies specialize in a co-managed IT support and services approach, where businesses share their IT responsibilities with a skilled Managed IT Services Provider (MSP).

INTfinity Consulting

INTfinity Consulting

The INTfinity team brings together decades of professional experience in cybersecurity. We're here to apply that same experience and proficiency in defending your networks.