This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.theguardian.com/world/2016/oct/17/uk-security-agencies-unlawfully-collected-data-for-decade

The article has changed 5 times. There is an RSS feed of changes available.

Version 2 Version 3
UK security agencies unlawfully collected data for decade, court rules UK security agencies unlawfully collected data for 17 years, court rules
(35 minutes later)
British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, top judges have ruled.British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, top judges have ruled.
The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated secret regimes to collect vast amounts of personal communications data, tracking individual phone and web use and large datasets of confidential personal information, without adequate safeguards or supervision for more than 10 years.The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated secret regimes to collect vast amounts of personal communications data, tracking individual phone and web use and large datasets of confidential personal information, without adequate safeguards or supervision for more than 10 years.
The ruling said the regime governing the collection of bulk communications data – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public. The ruling said the regime governing the collection of bulk communications data (BCD) – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public.
It said the holding of bulk personal datasets (BPD) – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.It said the holding of bulk personal datasets (BPD) – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.
“The BPD regime failed to comply with the ECHR principles which we have above set out throughout the period prior to its avowal in March 2015. The BCD regime failed to comply with such principles in the period prior to its avowal in November 2015, and the institution of a more adequate system of supervision as at the same date,” the ruling concluded.“The BPD regime failed to comply with the ECHR principles which we have above set out throughout the period prior to its avowal in March 2015. The BCD regime failed to comply with such principles in the period prior to its avowal in November 2015, and the institution of a more adequate system of supervision as at the same date,” the ruling concluded.
The House of Lords is debating the final stages of the investigatory powers bill – the snooper’s charter – which will put mass digital surveillance activities on a clear legal footing for the first time since the disclosure by Edward Snowden of the extent of state surveillance in 2013.The House of Lords is debating the final stages of the investigatory powers bill – the snooper’s charter – which will put mass digital surveillance activities on a clear legal footing for the first time since the disclosure by Edward Snowden of the extent of state surveillance in 2013.
Chaired by Mr Justice Burton, the IPT ruling revealed that security agency staff had been sent internal warnings not to use the databases containing the vast collections of information to search for or access details “about other members of staff, neighbours, friends, acquaintances, family members and public figures”.Chaired by Mr Justice Burton, the IPT ruling revealed that security agency staff had been sent internal warnings not to use the databases containing the vast collections of information to search for or access details “about other members of staff, neighbours, friends, acquaintances, family members and public figures”.
It also revealed concerns within the security agencies about the secretive nature of their bulk data collection activities.It also revealed concerns within the security agencies about the secretive nature of their bulk data collection activities.
In February 2010, a Mr Hannigan, then of the Cabinet Office, wrote: “It is difficult to assess the extent to which the public is aware of agencies’ holding and exploiting in-house personal bulk datasets, including data on individuals of no intelligence interest … Although existing legislation allows companies and UK government departments to share personal data with the agencies if necessary in the interests of national security, the extent to which this sharing takes place may not be evident to the public.”In February 2010, a Mr Hannigan, then of the Cabinet Office, wrote: “It is difficult to assess the extent to which the public is aware of agencies’ holding and exploiting in-house personal bulk datasets, including data on individuals of no intelligence interest … Although existing legislation allows companies and UK government departments to share personal data with the agencies if necessary in the interests of national security, the extent to which this sharing takes place may not be evident to the public.”
The campaign group Privacy International said the ruling showed that despite this warning internal oversight failed to prevent the highly sensitive databases being treated like Facebook to check on birthdays, and “very worryingly” on family members for “personal reasons”.The campaign group Privacy International said the ruling showed that despite this warning internal oversight failed to prevent the highly sensitive databases being treated like Facebook to check on birthdays, and “very worryingly” on family members for “personal reasons”.
The IPT ruling included the disclosure from an unpublished 2010 MI5 policy statement that the “bulk personal datasets” included material on the nation’s personal financial activities. “The fact that the service holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it said. The IPT ruling included the disclosure from an unpublished 2010 MI5 policy statement that the BPDs included material on the nation’s personal financial activities. “The fact that the service holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it said.
The legal challenge centred on the acquisition, use, retention and disclosure by the security services of bulk communications data under section 94 of the Telecommunications Act 1984 and the use of bulk personal datasets under a variety of legal powers. The tribunal noted the highly secretive nature of the communications data regime, saying “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to parliament”. The legal challenge centred on the acquisition, use, retention and disclosure by the security services of BCD under section 94 of the Telecommunications Act 1984 and the use of BPDs under a variety of legal powers. The tribunal noted the highly secretive nature of the communications data regime, saying “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to parliament”.
Mark Scott, of Bhatt Murphy Solicitors, who was instructed by Privacy International in the legal challenge, said: “This judgment confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country have been spied upon.”Mark Scott, of Bhatt Murphy Solicitors, who was instructed by Privacy International in the legal challenge, said: “This judgment confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country have been spied upon.”
Millie Graham Wood, legal officer at Privacy International, said the ruling was “a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale”. Millie Graham Wood, legal officer at Privacy International, said: “[The ruling is] a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale.”
She said the use of bulk communications data carried huge risks. “It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. She said the use of BCD carried huge risks. “It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used.
“The public and parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”“The public and parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”
Privacy International said the judgment did not specify whether the unlawfully obtained, sensitive personal data would be deleted.Privacy International said the judgment did not specify whether the unlawfully obtained, sensitive personal data would be deleted.
A government spokesperson said in response to the ruling: “The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes. A government spokesperson said the ruling showed that the regimes used to hold and collect data since March and November 2015 respectively were legal.
“The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.
“Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies.”“Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies.”
A further hearing of the case is scheduled for December to consider a number of outstanding issues.A further hearing of the case is scheduled for December to consider a number of outstanding issues.
Alistair Carmichael, the Liberal Democrat home affairs spokesperson said the ruling showed “mass spying on the British people should be replaced with targeted surveillance of specific individuals suspected of wrongdoing”. Alistair Carmichael, the Liberal Democrat home affairs spokesman, said the ruling showed “mass spying on the British people should be replaced with targeted surveillance of specific individuals suspected of wrongdoing”.
“Allowing the state to collect endless amounts of personal data is not just a gross invasion of privacy, it is a waste of precious resources. Every pound the government spends monitoring people’s emails, text messages and calls is a pound taken away from community policing.” He added: “Allowing the state to collect endless amounts of personal data is not just a gross invasion of privacy, it is a waste of precious resources. Every pound the government spends monitoring people’s emails, text messages and calls is a pound taken away from community policing.”