UK Spy Agencies Violated Privacy Laws For 17 Years, Court Rules

The UK Investigatory Powers Tribunal (IPT) found that UK spy agencies have violated the privacy protections in the European Convention on Human Rights. The agencies’ illegal programs were in effect from 1998 to 2015, when some new safeguards came into place. Privacy International attributes this result to Edward Snowden’s whistleblowing on spy agencies’ activities, without which they wouldn’t have been discovered by the public, the courts, or the Parliament.

Bulk Collection With No Privacy Protections

The illegal programs in question are the Bulk Communications Data (BCD) and Bulk Personal Datasets (BPD) initiatives, where, as the name implies, data of citizens is collected and analyzed in bulk. The programs were re-introduced in the Investigatory Powers Bill, which has yet to pass, although supposedly some privacy protections have been added this time.

However, multiple Parliamentary commissions have already warned that the privacy protections in the IP bill aren’t strong enough and that they have been added only as an afterthought after first defining the agencies’ surveillance powers. The commissions have argued that it should’ve been the other way around, with privacy protections defined for citizens by default, with certain specific exceptions given for various surveillance capabilities.

Reasons For Using Bulk Data Collection

The intelligence agencies wrote to the court concerning the reasons why they say bulk data collection such as BCD and BPD is so necessary.

One of the reasons is that bulk data such as personal financial transactions or communications, for instance, would be too laborious to analyze manually for each individual. Therefore, the agencies prefer to collect everyone’s data of this type and analyze it automatically.

Another reason given is that such analysis could sometimes uncover unknown suspects. The agencies’ argument here is that this sort of analysis could help uncover otherwise unknown plots or crimes before they actually happen, so that they could be prevented.

However, as security expert Bruce Schneier once showed, such data mining can be highly ineffective at preventing attacks, because the numbers simply work against it. Such analysis would almost always result in high numbers of false positives.

Bulk Data Abuses

The Investigatory Powers Tribunal concluded that such data can’t be collected without strict oversight. The Tribunal revealed that UK spy agencies’ staff was abusing the bulk data databases even to check up on other staff members, as well as acquaintances, family members, or public figures. That’s because there was no code of practice nor proper oversight to prevent such abuses.

The court also noted that it would’ve been difficult for the public to discover that the intelligence agencies were abusing their powers when the Parliament itself wasn’t made aware of the agencies’ full range of capabilities. Even the commissioners in charge of intelligence agency audits were limited in knowing how exactly the spies collected, stored, or destroyed data, and their audits weren’t especially detailed.

New Collection Still Possibly Illegal

The IPT court, which deals with surveillance cases, said it’s satisfied with the privacy protections that the agencies have now put in place and believes the agencies’ collection is now legal under the European Convention. However, Privacy International, which launched a lawsuit against the UK intelligence agencies over these issues, isn’t quite as content with the additional oversight measures.

According to the organization, the main issue remains that the bulk data collection requires no judicial or independent authorization, meaning the UK spy agencies are still mostly free to collect whatever data they want. Having a government ministry as the entity that can authorize bulk data collection requests means the government in power can easily abuse its intelligence capabilities. Courts have existed for this reason--as a check--but they seem to have been mostly taken out of the equation when it comes to UK intelligence data requests.

Privacy International also argued that victims of the bulk data collection have no way of knowing whether the government collected their data--not during an investigation, and possibly not ever. This can open up opportunities for abuse, because the agencies can collect and access anyone’s data without any repercussions.

The nonprofit also warned that the agencies can continue to share whole databases of collected bulk data with foreign intelligence agencies, “industry partners” such as contractors, and other local law enforcement agencies. The group believes the Tribunal should have better addressed the necessity and proportionality of collecting so much data about millions of innocent UK citizens.

“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale,” said Millie Graham Wood, Legal Officer at Privacy International. “There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed,” she added.

The Investigatory Powers Tribunal will revisit the case this December to review the legality of the UK agencies’ actions under European Union privacy regulations and the Charter of Fundamental Rights.

Even if the IPT continues to give a pass to UK intelligence agencies (which it seems to have done so far, despite finding their actions were illegal for many years), the case could still be taken to the European Court of Human Rights and the EU’s Court of Justice, which have a history of siding much more often with citizens’ privacy rights.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • HEXiT
    saw this 1 coming a mile off. ever since William Hague said oversight was key... just looking at the guy as he said it, you could see he was lying through his teeth.
    don't get me wrong. if the spy agencies need access to my data they can have it, but they must have good reason and do so with a warrant. this kind of data gathering is not that.

    I'm starting to wonder who exactly these spy agencies are working for and what their agenda is.
  • fixxxer113
    In other news, spy agencies are spying....
  • fixxxer113
    In other news, Spy agencies that were created for spying, are indeed spying!
    .... I'm shocked...
  • HEXiT
    it's not the fact they have been spying, it's the fact that they have been operating with impunity outside the law.

    The Tribunal revealed that UK spy agencies’ staff was abusing the bulk data databases even to check up on other staff members, as well as acquaintances, family members, or public figures.

    @fixxxer113 would you be happy if your wife/gf went through your search history then gave it to your friends and neighbours. even if you have nothing to hide?...
    so why should government agencies be allowed to do it without good reason or a warrant, especially when they have been shown to be abusing their power.
  • eriko
    Somebody now needs to see the INSIDE of a jail cell for this.

    It's been long established the government is breaking the law - I couldn't do it and roam free, why can they?
  • daglesj
    All western Intelligence Agencies are doing it. The 1% who run the show are afraid of the 99% waking up one morning and wanting it all back. They have run the numbers and need to avoid what happened in Eastern Europe in the early 90's. So they are monitoring looking out for future political dissent to nip it in the bud. Nothing to do with terrorism.
  • Kimonajane
    Same thing their American counterparts (fascist FED/NSA) in the USA have been doing. They also have willing volunteers (Facebook/Yahoo) who hand over people's info and other companies who they (Fascist FED) strong arm/blackmail into compliance with their wishes. Want real privacy, don't use electronic communication. One Time Pad maybe.
  • memadmax
    Nothing will come of this however...

    What are they gonna do? Throw very powerful Brits in jail?

  • 3ogdy
    Aaaaaaaaaand nobody gets hanged. Why would such an unreasonable thing ever happen in such cases of privacy invasion. Funny how people do the unthinkable and expect "thinkable" consequences. Funny to a point. And that certainly isn't a gunpoint.
  • hoofhearted
    Now that this news is mainstream, I wonder how many hacking organizations are eyeing up this one-stop shopping treasure trove? Maybe one of their disgruntled spies will leak it out.