7 Jul, 2016 16:18

Exposed: MI5, GCHQ have 15 secret bulk data collection warrants in force

Fifteen “secret warrants” are in force to enable British intelligence services to collect bulk data about online and phone traffic, the Interception of Communications Commissioner’s Office (IOCCO) has revealed.

The number of orders imposed on telephone and internet companies under Section 94 of the Telecommunications Act has been published for the first time by the surveillance watchdog.

A further eight warrants are in place to provide for emergency services, civil contingencies and to protect security personnel.

The directions were acquired by the government’s electronic monitoring agency GCHQ and the national security service MI5.

The watchdog says all Section 94 directions are subject to secrecy restrictions, which severely limits what it is able to say about the directions and the actions taken as a result of them.

They are related to traffic data and do not include the content of calls or emails.

Parliament does not have to be notified of Section 94 directions. Until last year they were not subject to formal oversight from any watchdog.

Their operation will be recognized under the Investigatory Powers Bill, also known as the ‘snoopers’ charter,’ which is currently under review in the House of Lords.

Commissioner Sir Stanley Burnton says the IOCCO is pressing for stronger oversight of bulk communications data collection, and the review of Section 94 had been very challenging.

“Our report highlights clearly the difficulties when statutes are operated in secret and without codified statutory procedures,” he said in a statement.

“We make extensive recommendations that the intelligence and law enforcement agencies must implement to clarify and bring consistency to their procedures, to remedy the lack of record-keeping requirements and to ensure that we can oversee properly how Section 94 directions are given and used.”

The report recommends there be a clear and mandatory process for the application, authorization, review, modification and cancellation of any directions.

It says a lack of codified procedures made it challenging to piece together what Section 94 notes had been given, by whom and when, which ones had been modified and whether they were still extant.

Some service providers subject to bulk collection orders were worried about publicity and whether information would be shared with foreign intelligence, the report says.

In 2015, GCHQ “identified 141,251 communications addresses or identifiers of interest from communications data acquired in … pursuant to Section 94 directions, which directly contributed to an intelligence report.”

In the same year, MI5 made 20,042 applications to access communications data under the section.

Millie Graham Wood, a legal officer at campaign group Privacy International, told the Guardian the report was a “damning verdict” of the government and intelligence agencies’ use of vague powers as a justification for mass surveillance.

She says it is “shocking and unacceptable” there had never been a public or parliamentary debate about the use of powers.

“The agencies have used this vague power to demand our internet and telephone network providers hand over huge swaths of our personal data.

“The intelligence agencies tell us that they need this data to conduct large searches, however in 2015 GCHQ and MI5 searched bulk communications databases for 263,830 communication addresses or identifiers.

“This is hardly looking for the needle in the haystack. We need a robust oversight and a transparent authorisation process for access to data.”