Newly disclosed documents offer a rare insight into the secretive legal regime underpinning the British government’s controversial mass surveillance programs.
The London-based group Privacy International obtained the previously confidential files as part of an ongoing legal case challenging the scope of British spies’ covert collection of huge troves of private data.
Millie Graham Wood, legal officer at Privacy International, said in a statement Wednesday that the documents show “the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities.”
She added: “The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals.”
The documents, published online Wednesday, primarily relate to the opaque rules regulating British spy agencies’ use of so-called bulk personal data sets, which are obtained without any judicial authorization and contain “personal data about a wide range of individuals, the majority of whom are not of direct intelligence interest,” according to the agencies’ own definition of them.
The data sets could cover a wide variety of information, the documents suggest, potentially revealing details deemed particularly “sensitive,” such as people’s political opinions, religious beliefs, union affiliation, physical or mental health status, sexual preferences, biometric data, and financial records. They may also contain data revealing legally privileged information, journalists’ confidential sources, and “details about individuals who are dead,” one document says.
The documents include internal guidance codes for spies who have access to the surveillance systems. One memo, dated June 2014, warns employees of MI6, the U.K.’s equivalent of the CIA, against performing a “self-search” for data on themselves, offering a bizarre example that serves to illustrate the scope of what some of the repositories contain.
“An example of an inappropriate ‘self search’ would be to use the database to remind yourself where you have traveled so you can update your records,” the memo says. “This is not a proportionate use of the system, as you could find this information by another means (i.e. check the stamps in your passport or keep a running record of your travel) that would avoid collateral intrusion into other people’s data.”
Another document warns MI6’s employees that they must not trawl the surveillance databases “for information about other members of staff, neighbors, friends, acquaintances, family members and public figures.” That is, it adds, “unless it is necessary to do so as part of your official duties.” The agency says that it has monitoring systems in place to catch any abuses, but it is unclear whether the checks that are in place are sufficient. One 2010 policy paper from MI6 states there is “no external oversight” of it or its partners’ “bulk data operations,” though the paper adds that this was subject to review.
Elsewhere in the documents, eavesdropping agency Government Communications Headquarters (GCHQ) and domestic intelligence agency MI5 admit that they have obtained the bulk data sets on several occasions dating back more than a decade — GCHQ beginning in 1998, and MI5 in 2005 — under Section 94 of the 1984 Telecommunications Act. The agencies argue that the data has thwarted terror plots and is needed “to identify subjects of interest, or unknown individuals who surface in the course of investigations; to establish links between individuals and groups, or otherwise improve understanding of a target’s behavior and connections; to validate intelligence obtained through other sources; or to ensure the security of operations or staff.”
Last year, The Intercept exposed how GCHQ has in recent years attempted to create what it described as the world’s largest surveillance system, covertly harvesting in excess of 50 billion records every day about people’s emails, phone calls, and web browsing habits. In one program code-named KARMA POLICE, the agency said it was seeking to obtain “a web browsing profile for every visible user on the internet.”
Top photo: Inside GCHQ headquarters in Cheltenham, England.
This is new?
What part of “total information awareness” (or obliviousness, as it turns out) did we miss?
More than a decade ago they could follow me around from place to place, track my wife’s progress to and from work, get video from other cameras when my phone was dead, and do all sorts of ruinous things out of sheer spite, and they did. Someone could pick it up again at any time if I seemed to liven up in the future. This sort of stuff has been going on in the UK and the US and elsewhere for a long time. The threat of abuse is no threat. It is very real. Anyone with the keys to the surveillance machine can do enormous harm, and anyone with such access and hacking ability is a grave threat indeed.
Politicians are hamstrung by intelligence forces and their stream of disinformation, even when they have a sense of the danger they pose and the waste of resources their operations entail.
Use a VPN that does not collect logs and allows an open source client, like PIA. Use the Tor browser to access websites autonomously (providing a very common machine environment footprint. Boot your machine to a USB operating system like Tails, if you can take the time to work that out, which includes the Tor browser and many other open source encrypted apps.) Use websites that provide HTTPS. Don’t ever use your real name and email address (and don’t use the same fake name and fake email address across different websites – or even on the same website if they allow it – like here!) Don’t reference anything in your text that can be searched to correlate your posts on other websites. (This is a tough one – algorithms can tell, given enough seed data.) In this way, your content over the wire is as protected as it can get, especially if you’re communicating from your home.
This is no longer tinfoil hat stuff (God bless Snowden!) This is actually required if you expect reasonable (but not ensured) anonymity online. The problem is, all this is a major concern of the Security State authoritarians. What is happening is tens of hundreds of thousands of hacks are happening systematically on private machines in the home in order to harvest incriminating or corroborating evidence of a threat. Given the above precautions, it is much easier for governments to compromise the end-point device, so all of the above does not matter. (Hence, great idea to boot to a static image of an OS, like Tails.)
There are two key things:
1.) Don’t ever threaten anyone online even if you do think you are anonymous, or you may find yourself legitimately perused and monitored by federal agents. (Who also know if you own a gun, are unemployed, are in debt, diagnosed terminal, etc. etc.)
2.) Teach your children that anything they post (or even read) online can be attributed to them in perpetuity.
It’s like the drug conversation. “Look honey: if you smoke some weed in high school you’ll probably be fine, but if you ever do cocaine once – and I mean once – you preclude yourself from tens of thousands of jobs and entire careers for life, because they will have lie detector examinations. As a young adult you’re going to be free to do what you want, but you need to understand the true repercussions. Repeat back to me how you understand this. Now let’s talk about what you read and post online. Let’s talk about letting your friends use your devices.” Etc.
I believe it is probable that if your 14yo kid spends the afternoon on SuperGnarRacist dot com or whatever for a laugh, it will actually show up in a report as tangible and real evidence of potential terrorism.
I believe that datamining children is absolutely essential for the American Stasi to do their jobs correctly, and identify any form of dissent early. All sub rosa.
@Boatswain…
I think you have good info, but I would have NO idea about using a VPN or PIA. It’s frustrating to me that unless you’re some major techie, it’s hard to get even minimal privacy…
Sad to say, I think you have a point about datamining children. There have been several stories of kids toys that record conversations. Scary stuff.
Riding the Internet bareback is a bad idea. Fixing that is actually pretty easy-peasy, but the VPN will cost you a few bucks a month though:
– https://www.privateinternetaccess.com/
– https://www.torproject.org/projects/torbrowser.html.en
Ask questions and understand. Do not be an uninformed victim. Dig in!:
– https://tor.stackexchange.com/
I’m sure it’s been pointed out before, but how friggin’ PERFECT is that?
JTRIG Fan Club Members
Here is the discussion board link to our Anglo compatriots regarding this significant disclosure by Privacy International. If you read the actual documents you’ll find many clear unique and clear descriptions of their generally unenforceable “standards and practices” vis a vis the targeting of innocent civilians by this or similar agencies worldwide.
http://forums.theregister.co.uk/forum/2/2016/04/21/bulk_personal_datasets/
http://www.theregister.co.uk/2016/04/21/press_freedom_index/
In the case of the UK, its rather disappointing showing is explained thus:
Terrorist attacks have led to the adoption of draconian security legislation. The government reacted to the London public transport bombings in 2005 with a Terrorism Act the following year that restricts freedom of expression. The Regulation of Investigatory Powers Act (RIPA) adopted in 2000 allows the authorities to obtain the phone records of journalists in cases of threats to national security. Worse still, despite a law protecting the confidentiality of sources, the police have since 1984 been able to ask the courts to order media outlets to hand over unpublished journalistic source material “in the interests of justice”.
The US, meanwhile, comes in a tad behind the UK – in 41st place. RSF notes:
US media freedom, enshrined in the First Amendment to the 1787 constitution, has encountered a major obstacle – the government’s war on whistleblowers who leak information about its surveillance activities, spying and foreign operations, especially those linked to counter-terrorism. Furthermore, US journalists are still not protected by a federal “shield law” guaranteeing their right not to reveal their sources and other confidential work-related information.
I’m sorry, but I think Reporters Without Borders is totally nuts on this one. The “war on whistleblowers” may be bad for career reporters who like an easy exclusive, and it is a burden to some high-placed state officials who had promised to keep their mouths shut. But in terms of freedom of speech you can’t compare the U.S. unfavorably to a country with mandatory film rating, that now prohibits video of female ejaculation because it’s “dangerous”, that has a terrible track record of Official Secrets Act absurdities, terrible libel laws, mandatory BAE black boxes surveilling people’s internet usage, prohibitions on “hate speech”, and threats to prosecute people for viewing “extremist” web sites. We have trouble all over, but the U.S. shouldn’t forget that it has some hard-won freedoms left that are worth protecting!
I think the volume of comments here shows just how outraged the public is by these revelations.
@S –
Yeah, I’m a) surprised that more TI’ers haven’t commented on this, especially any from the UK,
and b) that there really doesn’t seem to be the real level of outrage that there should be, nowhere near a tipping point that might lead to some REAL pushback.
I wonder sometimes if folks get tired of one outrage and move on to the next: surveillance was hot for a while; the Panama Papers seem to grab hold for a moment, but I wonder how long even interest in that will last. There was a GREAT article (I’ll find the link if anyone really wants to read it) – called “The Crisis of the Now.” How one problem seems to pop up and we forget whatever we were railing about before. I confess, there are So many outrages that it’s exhausting trying to keep up with news on all of them; let alone really advocate AGAINST them.
Anyway, we’d all better start raising our voices; it’s getting LATE!!!
Maybe people, and in particular people from the UK don’t want to comment as they know whatever they write will be tracked, logged, added to their burgeoning profile.
GCHQ is Edgar J. Hoover on steroids.
“The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime”
@a1a –
Ya know what you say is a real possibility. And yes, most of this surveillance is of innocents, but try to get that across to some people.
So I think there’s no single reason, then, but several issues which need to be addressed to get a tipping point going. I hope a) people wake up and b) really do start raising their voices.
The volume of comments here illustrates the chilling effects of mass surveillance.
How many comments on this story did you see at the New York Times and Washington Post?
http://www.theguardian.com/world/2016/apr/21/uk-spy-agencies-collected-bulk-personal-data-since-1990s
I’d say that it’s more that this website isn’t frequented by Joe Public.
I’ve tried to spread the word to as many of my fellow John Q’s as possible, but sadly, most have never heard of the site. Honestly, I only discovered it because different NPR programs have given some of the journalists a platform to spread their stories.
When I explain the TI origin story, the reaction is almost exclusively a semi-interested “ohhh.” A rare few have even suggested Mr. Greenwald and Mr. Snowden are CIA plants.
If I’m being honest, some of the regular commenters can be a little intimidating to an average Joe. There are some exceptionally bright people that contribute here. Often, I feel that I personally have nothing of any real substance to add to the conversation because whatever thoughts or sentiments the piece elicited have usually been expressed by someone demonstrably smarter than myself.
Reaction: For me the Snowden revelations had a chilling effect. Whether paranoid delusions or legitimate concerns, I was a little scared, especially after the interview with Brian Williams. I think I only posted maybe five or ten comments in the three years that followed the Snowden revelations after being a prolific and provocative commenter on various Yahoo articles. I am just starting to feel somewhat safe again expressing my opinions but it seems it was too soon. I think I’ll end my plan with Verizon and scuttle my Droid Mini, but then I’d be giving up TI which has become an invaluable resource to provide balance to the larger media narrative.
@JeremyS –
I hope you do continue to find ways to let your voice be heard, as much as you feel comfortable doing. And please don’t feel intimidated to post here. Just post away; you never know who might really need to read something you have in mind.
“Even what petitions you have signed”?
I would scarcely expect the government to miss open sources on the internet. Hell, the real question there is what businesses collect the list of your petition signatures, and what they do with them. (Indeed, it need not even be sinister, as for example if sold to a primary political campaign to recruit volunteers. But … nowadays, who knows?)
@Wnt –
Ah, I’m sure you’re aware; it’s not businesses that can arrest you or someday pass laws that might criminalize something you do or have done.
It’s not businesses that can use your data (such as fitbit data –this was mentioned in a Trevor Timm column) against you in court.
Now if you want to be concerned, what about business sharing your data with gov’t and LE?
What about Google et al. and their subsidiaries selling background checks? Viewed the wrong forum 12 years ago? Don’t get a job. Insurance not granted. Home loan denied. Etc.
The threat of business abusing big data is just as real and pernicious as a government. They don’t have the nominal controls we’d like to think we have over our governments (snickering as I write that.)
@Boatswain…
Forgive me the truncation as I’m a terrible typist.
Good point. Of course I think the gov’t is the most potentially abusive, things like what you describe are certainly problematic. With all the third party software and cookies and whatnot, yes, it’s very possible abuses can/will occur.
I’d almost forgotten about folks getting in trouble with employers over social media posts, sometimes done at home/on own time.
We should think about getting some safeguards in this respect as well as safeguards against gov’t abuses.
And why do folks have to buy the next, more intrusive gadget anyway?
The real crime in my mind is that all this mass of information exists and yet the Government can’t seem to track down tax dodgers, armament dealers, drug barons or other criminals.
Ryan, why does the media never ask this question?
Why is a Panama Papers style leak required when every financial transaction is electronic and therefore captured by these spy agencies and yet no journalist seems to recognise this missed opportunity to pursue real crime.
How can it be that no journalist sees this opportunity and pursues it? In fact, I have never even seen it mentioned in the dozens of articles I’ve read about the spying by Governments, including this current article.
Please explain the media’s blindness to this opportunity? Thanks.
“The real crime in my mind is that all this mass of information exists and yet the Government can’t seem to track down tax dodgers, armament dealers, drug barons or other criminals”
Perhaps because “they” (MI5, GCHQ, whoever) don’t want to explicitly reveal the extent to which “their” collection methods are effective ?
Or in other words, only at such time as the “guilt of the offender” can be established without recourse to “secretive collection methods” will such prosecution follow ?
Who knows, perhaps there already is a database of “Financial Transactions” for when the time is right …
the enemy is YOU
…meanwhile the sheeple are deep in denial.
Thanks for the report, Ryan G. You and the other reporters need to keep highlighting these threats to, well, whatever privacy we have left.
Him – Hello dear, would you like to go out for dinner tonite?
Her – sure. That would be very nice.
Him – ok. I have a nice place i want to try but before we go, let me alert the “people-watchers” that we are about to depart.
Her – oh dont bother. They have a monitor in our vehicle and will record our entire trip. Best we dont speak while in the car.
Him – ok. Lucky for us the place accepts cash.
This is not a world for human beings.
And while they are out, the U.S. Stasi may do a quick “sneak and peek”…and just for fun may vandalize, steal, gaslight…