Meet the UK's PRISM program

British police can access millions of UK mobile customers' data without a warrant.
Written by Zack Whittaker, Contributor

British police have access to an automated data demand system, which is regularly used to acquire data belonging to customers of three of the four major UK mobile networks.

According to a report first published on Friday by The Guardian, customer data is handed over "like a cash machine" to British police, in many cases automatically and without the phone companies' direct consent each time.

EE, the company behind T-Mobile and Orange, along with Vodafone and Three, give police "click of a mouse" access to tens of millions of UK mobile customers.

A fourth operator, O2, is the only major phone network requiring staff to review police requests, the newspaper cited the company as saying. 

Although the system "mirrors" the US PRISM program, the name of the UK program is not known.

For more than a decade, every single mobile, cellular, and landline operator in the UK has been obligated under British law, specifically the Regulation of Investigatory Powers Act (RIPA), to store communications data for up to two years. That includes calls made, when, for how long, and to whom. 

RIPA was introduced in 2000, pre-dating a mass surveillance effort in the US following the September 11 attacks a year later. It acts as the UK equivalent of the US Patriot Act and the Foreign Intelligence Surveillance Act (FISA), which can force a company to hand over data — often in secret — without public judicial oversight.

Such laws have been the basis of the modern-day UK-USA agreement, which has been used to conduct surveillance on a massive scale — not just on citizens but also governments, politicians, private companies, and journalists.

There is little oversight for RIPA, either. A senior police officer must give the authority to access the UK's PRISM system, but in many cases these requests can be conducted without any significant checks and balances from the British courts.

But to date, it's believed that not a single UK mobile operator has released figures showing how many data demands it is served each year under British surveillance laws, either through RIPA, or through warrants or court orders.

Vodafone, however, became the first UK operator to disclose that in some countries law enforcement has "direct access" to its networks. Thanks to the new report by The Guardian, that also includes the UK.

Earlier this year, the European Court of Justice struck down a crucial data retention law that forced phone networks to store communications data, ruling it unlawful. The data retention laws were critical for British police and intelligence agencies to acquire this data. It took a matter of weeks for the British parliament to create its own emergency data retention laws to allow the UK's PRISM program to continue.

"Without these capabilities we run the risk that murderers will not get caught, terrorist plots will go undetected, drug traffickers will go unchallenged, child abusers will not be stopped, and slave drivers will continue in the appalling trade in human beings," UK Home Secretary Theresa May said at the time.

One of the more recent concerns with US surveillance laws was the allegation that there were "two versions" of the Patriot Act: one that was written in the public law books, and a secret interpretation developed and used by the US Justice Department.

By contrast, RIPA is relatively straightforward and lays out much of what British police and intelligence agencies can do.

The UK has tried to expand its snooping powers during the Cameron-Clegg coalition administration, but has failed due to strong opposition. But in the Queen's Speech in 2013, the proposals to widen the tracking of people's internet and phone activities were rekindled.

These proposals, although still in Home Office development, remain largely under wraps.
