News has emerged that the British intelligence agency, GCHQ, may be analyzing people’s Facebook and Twitter accounts. According to previously unseen government documents acquired by Privacy International, British spies appear to have been collecting data from millions of social media accounts. Shockingly, the UK has been sharing those databases with law enforcement, foreign government agencies, and even “industry partners” with absolutely no oversight.
The documents came to light during an ongoing court case involving Privacy International. They reveal that GCHQ has collected people’s social media data by allegedly intercepting private databases belonging to social media sites. In addition, Privacy International has managed to get its hands on letters that reveal that the UK’s Investigatory Powers Commission - the body tasked with overseeing GCHQ - was kept in the dark about the intelligence agency’s activities.
Although Facebook and Twitter aren’t specifically mentioned by name in the documents, Millie Graham Wood, an attorney working for Privacy International, told me,
“Given it is social media data what do you suggest it could otherwise be? In the context of the size and stated complexity of these datasets, we should be concerned not only the intrusive data they hold on many people, which is a honeypot for cybercriminals, but also that this is being shared without any oversight at all.”
I contacted Facebook to ask the social media giant if it had any direct involvement in granting database access to GCHQ. Facebook told me that it only ever complied with specific requests for data when it was ordered to do so with a warrant. Facebook states that it has never granted any intelligence agency backdoor access to its databases.
With that in mind, it would appear that British intelligence has been sharing Bulk Personal Datasets (BPDs) - which include information taken from social media data - without the knowledge of the social media sites themselves. In addition to social media data, GCHQ has allegedly been sharing sensitive medical data, financial details, biographical details, commercial activities, communications, travel data, and legally privileged communications with its strategic partners.
According to the skeleton arguments for the ongoing court hearing, GCHQ shared access to these vast repositories of information about people not only with foreign governments and law enforcement agencies, but also with “industry partners.”
Yesterday, the Investigatory Powers Tribunal (IPT) heard that one of those partners, Bristol University, was granted access to the BPDs during the course of academic research. As such, even students have been analyzing datasets that relate to UK citizens who are not of “legitimate intelligence interest.”
Privacy International believes those activities may have included sharing massive databases of social media data with foreign governments and law enforcement, presumably as part of the Five Eyes agreement. Most shocking of all is that British intelligence has been using social media data to spy on citizens “potentially for decades.”
What’s more, Privacy International submitted evidence that suggests GCHQ has been using algorithmic data analysis techniques on those data sets. Privacy International told ProPrivacy.com:
“The existence of Bulk Personal Datasets only came to light in 2015 yet were used in secret for nearly a decade (and in relation to Bulk Communications Data since 1998). In a previous judgment, the court found that the BPD regime was unlawful until March 2015 when its existence was publicised.
"The previous court hearing exposed inadequate safeguards against abuse, in relation to the collection and retention of bulk data, including warnings to staff not to use the databases created to house these vast collections of data to search for and/or access information ‘about other members of staff, neighbours, friends, acquaintances, family members and public figures.’”
Back in Court
The current hearing focuses on the sharing of this bulk data with industry, foreign governments, and other government departments, such as HMRC and law enforcement. GCHQ contends that all of its partners uphold similarly high processing standards when accessing the bulk datasets. However, Ben Jaffey QC, for Privacy International, told the IPT that sharing with foreign regimes could mean that local protections are avoided:
“The effect will be the circumvention of the UK legal regimes.”
The manner in which the data is shared raises questions about the security and privacy of the data. A statement made by a GCHQ witness during the case concedes that datasets are shared with partners in one of three ways:
“The circumstances in which and the means by which industry partners access GCHQ data may be divided into three categories. First, industry partners access GCHQ data whilst using GCHQ equipment on GCHQ premises – i.e. in the same way that GCHQ staff access such data. Second, industry partners can be given remote access to GCHQ networks from their own premises. Third, data can be transferred to industry partners’ premises for them to use at those premises.”
This rings some pretty major alarm bells in terms of privacy and cybersecurity. Firstly, because remote access to the database raises concerns about possible hacking at the hands of cybercriminals. Secondly, because the transfer of the datasets to secondary locations further increases the chances of datasets being compromised by cybercriminal groups or even hackers acting on behalf of foreign states.
For now, the case goes on, but it would appear that massively invasive databases about the British general public exist, are being shared, and are likely circumventing British legal restrictions by being processed by strategic partners in the Five Eyes global surveillance agreement.
Opinions are the writer's own.
Title image credit: Privacy International logo.
Image credits: Gil C/Shutterstock.com, ESB Professiona/Shutterstock.com