Your data handed over: no questions asked
Service providers have been accused of passing data to intelligence agencies on “gentlemen’s agreement”
Service providers have been accused of passing data from millions of Britons to intelligence agencies on a “gentlemen’s agreement”.
TELECOMS COMPANIES AND GCHQ have been criticised after a judicial tribunal ruled that the eavesdropping agency had wrongly been given unfettered access to data from millions of Britons for more than a decade.
According to Privacy International, which took the matter to the Investigatory Powers Tribunal that oversees intelligence bodies, telcos often handed over data without checking that there was a legal basis for doing so.
“The judgement highlighted that the telcos didn’t really ask for anything and were just given oral assurance, although it should be said the judges weren’t critical of the telcos, but instead the failures by GCHQ,” said Millie Graham Wood, a solicitor with Privacy International.
“It was kind of like a gentlemen’s agreement, that GCHQ would contact providers and say ‘we want this kind of communications data’ and without asking for any documentation or looking at any lawful authority they would just hand it over.”
The data gathered – from at least 2001 until 2016 – included bulk personal datasets and bulk communications data, which was demanded under laws such as section 45(2) of the Telecommunications Act 1983 and section 94(1) of the Telecommunications Act 1984.
Verbal agreement
The lax way in which orders for data were dealt with by service providers was also shown in case notes from the tribunal. Although any requirements should have been set out in writing, they were often communicated verbally – and the provider complied.
“In some cases, a letter was sent by GCHQ to the CSP [communications service provider] which specified the categories of communications in respect of which data was required by GCHQ. However in most of the relevant cases such letters cannot be found on the files of GCHQ or the CSP,” the case notes read.
“As was accepted by the GCHQ witness, the likelihood is that in such cases the requirement to provide communications data and the specification of such data was communicated only orally.”
The tribunal heard several examples of data requests where no letter was sent and details were handed over on the back of a conversation. “In a sense, the oral agreements were just an extension of something that appears to have been going on for many years prior to the use of section 94 of the Telecommunications Act, without the telcos asking for any legal documentation,” said Graham Wood, adding that the cosy relationship was different to what may be demanded by more recently established companies.
“The average person would expect that if GCHQ approached a telco or companies like Facebook or Google seeking vast quantities of data, the
It was impossible to know how the data had been used, or if it had been shared with other government bodies
companies would ask to see a warrant and evidence of legal basis,” she said.
“It would be shocking if GCHQ could just turn up, say ‘Hi, we want this data’ and the companies wouldn’t ask to see anything.”
In the ruling, the tribunal found that successive foreign secretaries up until 2016 delegated data request decisions to GCHQ, when any data requirements should have been overseen by the foreign secretary. (Oddly, GCHQ comes under the purview of the Foreign Office and not the Home Office.)
The government had previously argued that the Foreign Office had overseen all data requests, but was forced to change its position after new evidence came to light.
Because the data was collected without the required oversight, the tribunal found that “in relation to many directions made prior to October 2016 by the foreign secretary to communications service providers to provide data to GCHQ, they were not in accordance with law”.
Although very little has changed in the way that data is shared between service providers and GCHQ, such data requests are now deemed legal because they have proper oversight from the foreign secretary.
Fixed data deposit
Privacy International also expressed its concerns that GCHQ was allowed by a previous ruling to retain the data, and could share it with third parties and foreign agencies.
“Unfortunately the tribunal found that even though the regime was unlawful they weren’t going to provide any relief or say that GCHQ has to delete it,” said Graham Wood. “They effectively said, ‘Even though it’s unlawful we’ll just tell you off, but won’t impose any sanction on you’.”
According to Privacy International, it was impossible to know how the data had been used, or if it had been shared with other government bodies. “The data could have been shared with police, departments or foreign agencies,” said Graham Wood.
“However, the case looked at these types of sharing on a hypothetical basis and so we will not know the extent of this and whether there has been any misuse or abuse of vast amounts of personal data.”