UK oversight bodies 'were not aware' of spies' data-sharing

Privacy International has raised concerns that oversight bodies were not aware that GCHQ or MI5 were allegedly sharing people's social media data with foreign intelligence and law enforcement agencies.

The charity claims that GCHQ accessed this information by gaining access to private companies' databases. IT Pro understands that Facebook and Twitter do not provide governments with direct access to user data.

The Investigatory Powers Commissioner's Office (IPCO) now oversees the intelligence agencies' activities, after subsuming both the the Intelligence Services Commissioner's Office, and the Interception of Communications Commissioner. Both these latter bodies, the charity said, were unaware that UK intelligence agencies were sharing massive databases of people's information with foreign governments, law enforcement and industry - potentially for decades.

Inappropriate and uncontrollable sharing with industry third parties may still be ongoing without proper oversight, the privacy campaign group added, saying that there are contractors who have system access rights that could allow them to enter the intelligence agencies' systems, access and extract data and then cover their tracks.

The charity said it has since seen letters from the IPCO raising concerns about the role of private contractors who are given administrator access to the data. The body was worried that there were no systems in place to prevent the misuse of this data by the contractors.

A GCHQ spokesperson said to IT Pro: "We have always operated within the law, co-operated fully with oversight regimes, and all our activities are authorised, necessary and proportionate."

The information the agencies hold is stored in large databases but it remains unclear what data they have, with Privacy International's documents only revealing broad categories like "biographical details", "financial activities", "travel data" and "legally privileged communications".

The group revealed a tranche of documents detailing the data-sharing activities yesterday, and is in Southwark Crown Court until Thursday to uphold its challenge of the UK government's access to private company and/or organisation databases.

The case is a continuation of the charity's challenge to spy agencies' access to data, being heard by the Investigatory Powers Tribunal (IBT). The IBT previously made a landmark ruling that spy agencies had unlawfully collected communications data between 1998 and 2015 after Privacy International's challenge.

The UK government claims that there are effective safeguards in place around data sharing, which Privacy International disputes. Furthermore, the charity will question the government's evidence after the IPCO flagged that part of the government's evidence includes a misleading GCHQ witness statement. The statement details that the former commissioners were briefed about the agencies' use of information on private company and/or organisation databases. The IPCO stated the commissioners were never made aware of this.

Millie Graham Wood, solicitor at Privacy International, said: "The intelligence agencies' practices in relation to bulk data were previously found to be unlawful. After three years of litigation, just before the court hearing, we learn not only are safeguards for sharing our sensitive data non-existent, but the government has databases with our social media information and is potentially sharing access to this information with foreign governments.

"The risks associated with these activities are painfully obvious. We are pleased the IPCO is keen to look at these activities as a matter of urgency and the report is publicly available in the near future."

The IBT ruled last month that a case brought against the UK's spy agencies last month over the legality of mass surveillance should be taken to the European Court of Justice (ECJ). This means the ECJ will have the final say on whether the UK's collection of bulk communications data, granted under the Investigatory Powers Act, is legal.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.