UK spy agencies illegally collected data for years, court rules

The UK's secret intelligence agencies breached European human rights legislation by secretly collecting communications and personal data in bulk

The U.K.'s spy agencies breached the European Convention on Human Rights for years by secretly collecting almost everything about British citizens' communications except their content, a U.K. court has ruled.

However, now that the U.K. government has admitted what it is doing, the collection is legal, the Investigatory Powers Tribunal ruled Monday.

It has yet to rule on the issue of proportionality, or whether the agencies' actions were reasonable given the threat they sought to counter.

Responding to a June 2015 complaint by campaign group Privacy International, the tribunal said the secret intelligence agencies had breached the ECHR for years because of the way they gathered bulk communications data (BCD) and bulk personal data (BPD).

The bulk communications data at issue included who contacted whom, when, where and with what equipment, who paid for the call, and how much they paid.

"Just about the only information not included is the content of communications," the tribunal said in its ruling. Legally collecting that content would have required an interception warrant.

In principle, the government may allow the intelligence agencies to collect communications data from network operators under a 1984 law, the tribunal ruled.

However, whether that collection was necessary and proportional is another matter: When the 1984 law was drafted, the tribunal noted, there were no mobile phones and no public internet. Subscriber information was for the most part published in printed directories, so all that network operators could have offered the Security Service and the then officially non-existent Government Communications Headquarters (GCHQ) was call records and subscriber information for unlisted numbers.

The agencies also gathered bulk personal data, including passport databases, telephone directories, and banking records -- even though, the spy agencies acknowledged in a court filing, the majority of the people affected are unlikely to be of intelligence interest.

Rules for collection of bulk personal data are not defined in legislation, the tribunal noted. The bulk data gathering remained secret until March 2015, while the collection of bulk communications data was only admitted by the U.K. government in November 2015.

While it remained a secret, the collection of both types of data was in breach of the ECHR. After the government admitted what it was doing, and set out oversight rules and a code of practice for the data collection, it became "foreseeable," and so legal, as the citizens being spied on could foresee the consequences of their actions, the tribunal ruled.

Following the ruling, Privacy International legal officer Millie Graham Wood said the use of bulk communications data poses huge risks.

"It is unacceptable that it is only through litigation by a charity that we have learned the extent of these powers and how they are used," she said. She called for public confirmation that unlawfully obtained personal data will be destroyed.
