As the UK prepares for new surveillance laws, a court has ruled that prior bulk communication data collection was being conducted illegally between 1998 and 2015.
Rights group Privacy International has claimed a victory in a challenge it mounted against the UK government over the nation’s intelligence agencies’ unchecked use of bulk communications data.
The Investigatory Powers Tribunal ruled on Monday the agencies were illegally and secretly collecting data on UK residents without adequate oversight for over a decade.
The case centered on the bulk communications data (BCD) and the bulk personal datasets (BPD) regimes. BCD is the equivalent to Section 215 of the Patriot Act which a US court ruled illegal last year, following its disclosures in 2013 by former NSA contractor Edward Snowden over surveillance programs in the UK and US.
BCD contains mobile phone call metadata, such as location, subscriber and call information, and is retained by carriers for one year for access by GCHQ and MI5. BPD refers to combined large datasets about a person’s biography, commercial and financial activities, communications and travel. BPD can be searched by GCHQ, MI5 and MI6. As the complaint notes, most people in the the BPD system are unlikely to be of intelligence or security interest.
The tribunal ruled that neither regime complied with Article 8 of the European Convention of Human Rights until 2015 when the UK government added statutory oversight. Article 8 upholds the right to private life in the home and in correspondence.
While it was intended for fighting crime and terror, the case brought to light internal oversight failures “with highly sensitive databases treated like Facebook to check on birthdays, and very worryingly on family members for ‘personal reasons’”, said Privacy International.
“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale,” said Millie Graham Wood, legal officer at Privacy International.
“There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed,” said Wood.
"The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens," said the Home Office in a statement to BBC.
"We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.”
- As breach reports pile up, improving Australian cybersecurity needs better language, sharing: ACSC
- Business shut over fake Microsoft and Apple malware pop-up ads
- Police arrest man suspected of LinkedIn’s 2012 mega breach
- Securing the enterprise in the age of connecting things: How to keep your devices safe