Rights group Privacy International has unearthed documents that show UK intelligence services collect data on millions of UK citizens via popular social media platforms such as Facebook and Twitter, and share harvested information with foreign governments and private businesses, without ministerial permission or official oversight.
The exposure represents the first concrete confirmation of the type of information collected and held by UK intelligence agencies, although it remains unclear what aspects of communications they hold and other types of information government agencies are collecting, beyond broad unspecific categories such as biographical details, commercial and financial activities, communications, travel data, and legally privileged communications.
Other documents obtained by Privacy International reveal the Investigatory Powers Commissioner's Office (IPCO), the body tasked with overseeing intelligence agencies' activities, was kept in the dark about intelligence services' sharing of massive databases with foreign governments, law enforcement and industry, potentially for decades — and these activities remain without proper oversight.
This abject lack of supervision comes despite the IPCO specifically raising concerns about the role of private contractors (who are given "administrator" access to such collected information), particularly over the lack of safeguards in place to prevent misuse of systems by third party contractors.
One of the documents — a draft report, summarizing the findings of a 2017 audit of the operation of bulk personal datasets (BPDs), the massive databases of personal information harvested by intelligence services- the IPCO makes a stated reference to "social media data" when discussing how agencies handle different BPD databases, indicating content from consumer social networks such as Facebook and Twitter is indeed ending up within spy agencies' bulk databases.
The UK government has consistently claimed there are effective safeguards in place to prevent misuse, but Privacy International contends the documents show otherwise, with the IPCO stating the Commissioner was never made aware of any practice of GCHQ sharing bulk data with industry.
The use by BPDs by spying agencies was only publicly revealed in March 2015, via an Intelligence and Security Committee report, which raised numerous concerns about the practice. Nonetheless, the report was heavily redacted, with info on exactly how many BPDs are held by different agencies, and where agencies were sourcing the bulk data from, censored from public view.
Privacy International is to challenge of the UK government's collection of data from private company and/or organization databases, and will raise questions about the reliability of government evidence.
The IPCO itself has noted part of the government evidence includes a misleading GCHQ witness statement, which refers to briefing the former Commissioner on the agencies' use of information from private company and organization database — IPCO claim the Commissioner was never made aware of any practice of GCHQ sharing bulk data with industry.
"Intelligence agencies' practices in relation to bulk data were previously found to be unlawful. After three years of litigation, we learn not only are safeguards for sharing sensitive data non-existent, but the government has databases with social media information and is potentially sharing access to this information with foreign governments. The risks associated with these activities are painfully obvious," said Millie Graham Wood, Solicitor at Privacy International.
Privacy International declined Sputnik's invitation to comment further on the story.