MI5's Uncontrolled Bulk Data Collection

The watchdog that monitors interception of emails and phone calls by the intelligence services allowed MI5 to escape regular scrutiny of its bulk collection of communications data, according to newly released confidential correspondence.

A highly revealing exchange of letters from 2004 has been published by Privacy International (PI) before a parliamentary debate on the investigatory powers bill, sometimes called the snooper’s charter. 

The campaign group argues that the letters demonstrate the relationship between government agencies and the independent organisation that is supposed to oversee and regulate their activities has been too “cozy”.

The correspondence has been disclosed in the course of legal action between PI and the government at the investigatory powers tribunal (IPT) which is due to be heard in full this year. The IPT deals with complaints about the intelligence services and surveillance by public bodies. GCHQ is alleged to be illegally collecting “bulk personal datasets” from the phone and internet records of millions of people who have no ties to terrorism and are not suspected of any crime.

The letters were sent by Home Office legal advisers, GCHQ and Sir Swinton Thomas, who was the interception of communications commissioner. The organisation is now called the Interception of Communications Commissioner’s Office (IOCCO).

In May 2004, a Home Office legal adviser wrote to Thomas backing an MI5 proposal that collecting bulk data from communication service providers for its “database project” be authorised under section 94 of the 1984 Telecommunications Act because, at that stage, there were no human rights implications or breach of privacy concerns. Using that act would not require a notice to be put before parliament because it could be used secretively on the grounds that “disclosure of the direction would be against the interests of national security”. 

Thomas wrote back the following month, expressing reservations about such clandestine authorisation. He proposed that it would be better to use the more modern and exacting Regulation of Investigatory Powers Act 2000 (Ripa), which involves more open legal procedures and safeguards.

The Home Office responded, saying that, although Ripa might be engaged, it did not think that meant it must be used. The letter continued: “The only practical difference between the two sets of provisions is if [Ripa] were used, a new notice would need to be issued every month … involving a fresh consideration of the necessity and proportionality issues. This would not be the case under section 94 [of the Telecommunications Act].”

Thomas backed down, replying that, “on reconsideration”, use of Ripa was not mandatory. He added: “I am also impressed by the considerable and, if possible to be avoided, inconvenience in following the [Ripa] procedure in the database procedures.”

GCHQ wrote to Thomas in October that year after he had visited its Cheltenham headquarters. “Huges volumes of data are acquired (about 40m bits of data a day),” it informed him. “In the interests of security and commercial confidentiality, GCHQ prefers to keep all the telephony material together in one database … to disguise its source, as the origin of some of the material is extremely sensitive.”

GCHQ also asked whether access to communications data for its databases would be lawful under the Telecommunications Act rather than the more burdensome Ripa.

Thomas said it was not a straightforward problem but eventually acquiesced, saying: “I have, therefore, reached the conclusion, not without some difficulty, that the present system for retrieval [under the Telecommunications Act] is lawful. As you say, adhering to the spirit of the legislation is important.”

The debate goes some way to explain official thinking on the legal distinction between anonymised bulk data collection and a second stage of interception where material may be matched to individuals.

The latest revelation follows an earlier release of confidential documents by PI last month that showed how GCHQ, MI5 and MI6 obtain personal data from public and private organisations, including financial institutions, the NHS, electronic petitions record databases and others.

Guardian

« First LinkedIn, Now Twitter ... Hacked User IDs For Sale
Connected: The Mobile Police Station »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CynergisTek

CynergisTek

CynergisTek is a top-ranked cybersecurity and information management consulting firm dedicated to serving the healthcare industry.

Cyscale

Cyscale

Cyscale is a consultancy and development agency helping Enterprises adopt and migrate to the Cloud by providing an Automated Cloud Security Platform.

Crashtest Security

Crashtest Security

Crashtest Security is a cyber security company that helps digital companies to continuously create secure software with the help of automated vulnerability assessments.

AU10TIX

AU10TIX

AU10TIX’s smart forensic-level ID authentication technology links physical and digital identities, meets compliance mandates, and ensures your customers know their trust and safety come first.

Stratus Cyber

Stratus Cyber

Stratus Cyber is a premier Cyber Security company specializing in Managed Security Services. Our services include Blockchain Security, Pentesting, and Compliance Assessments.

Quantum Generation

Quantum Generation

Quantum Cyber Security for a new age of communications. We are developing the largest decentralized orbital, and ground quantum mesh network based on blockchain technology.

Kasm Technologies

Kasm Technologies

Kasm Browser Isolation - Protect your organization from malware, ransomware and phishing by using zero-trust containerized browsers.

HunCERT

HunCERT

HunCERT's mission is to assist Hungarian Internet Service Providers in applying appropriate procedures to address the risks of computer network incidents and to respond to such incidents.

Profian

Profian

Profian’s hardware-based solutions maintain your data's confidentiality and integrity in use, providing true confidential computing to meet regulatory and audit requirements.

iVision

iVision

iVision is a technology integration and management firm that engineers success for clients through objective recommendations, process and technology expertise and best-of-breed guidance.

Trustmarque

Trustmarque

Trustmarque delivers customer-centric IT solutions that enable better outcomes. We combine the technology, expertise and services to release value at every stage of the IT lifecycle.

Three Wire Systems

Three Wire Systems

Three Wire is a leader in innovative and efficient technology solutions for government agencies and large enterprise corporations.

Cenobe Cyber Security

Cenobe Cyber Security

Cenobe provides customized solutions to keep you ahead of potential threats and ensure the security of your organization's systems and data.

Miggo Security

Miggo Security

Miggo is the first Application Detection and Response (ADR) platform on a mission to stop application breaches.

Barquin Solutions

Barquin Solutions

Barquin Solutions is a full-service information technology consulting firm focused on supporting U.S. federal government agencies and their partners.

CorePLUS Technologies

CorePLUS Technologies

CorePlus solutions are designed to empower organizations with the tools they need to ensure the utmost protection for their assets, people, and information.