Secret UK surveillance policies leaked online

UK spy agencies routinely slurp data from what could be thousands of public and private firms, NHS records and the details of those who sign online petitions.
Written by Charlie Osborne, Contributing Writer

GCHQ in Cheltenham.


We are not heading towards Orwell's 1984 -- it seems we've been there for some time already, with the UK's own version of Big Brother gathering what could be every scrap of recorded information about us.

On Thursday, privacy advocate Privacy International released a cache of previously confidential documents which show just how deep-rooted and ingrained surveillance and spying in the United Kingdom has become over the past 15 years.

The documents, obtained by Privacy International in an ongoing case concerning 'Bulk Personal Datasets' and the Telecommunications Act (.PDF) -- ironically established in 1984 -- show that UK intelligence groups, the GCHQ, M15 and M16 "routinely requisition personal data from potentially thousands of public and private organisations," according to the agency.

"This includes data held by financial institutions and may also include anything from confidential NHS records to databases of people who have signed electronic petitions," the London-based firm says.

The Bulk Personal Datasets (BPDs), which only came to light thanks to a Intelligence & Security Committee (ISC) report (.PDF) in 2015, contain vast amounts of data on individuals -- many of which are "unlikely to be of interest" to UK intelligence, according to one of GCHQ's own leaked internal documents (.PDF).

The BPDs include sensitive information on these individuals, including race, origin, religious and political beliefs, trade union memberships, "sexual life," and criminal records.

A dataset on you may even contain details of physical and mental health -- which suggests UK spies have access to records held by the UK's National Health Service (NHS).

In addition, the BPDs are not limited to the living, as one document admits datasets may be based on those who have shuffled off the mortal coil.

The sheer scale of the collected data is immense, potentially including everything from blood group to eye colour, internet and phone feeds, government records, travel activities and information concerning any commercial activities the individual is involved in.

According to the separate Bulk Personal Data Policy (.PDF), biometric data, information relating to journalists or members of parliament and financial data may also be included in the datasets.

When it comes to usage, searching and sharing of the data, the documents claim stringent checks are in place -- and agents are advised (.PDF) not to check-up on themselves, family members or public figures unless there is a true reason to do so. However, the reports are vague on just how the system and any potential abuse is monitored.

The document reads:

"Although we brief the Home Secretary on MI5's use of these techniques. independent oversight by the Intelligence Services Commissioner provides a third party view of the arrangements that have been agreed. It also affords an independent view on our judgements that provides assurance to both MI5, the Home Secretary and the Prime Minister.

The Home Secretary is informed annually of BPD use within MI5 via the Operational Policies document."

Privacy International says that even the ISC -- which oversees intelligence agencies in the UK -- was unaware of the use of BPDs until recently, which does not bode well for how our government operates if agencies are secretly granting themselves such powers without informing their overseers.

Millie Graham Wood, Legal Officer at Privacy International said:

"The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities.
This data is integrated into databases that could be used to build detailed profiles about all of us."

The documents give us a rare glimpse into how widespread surveillance is -- but how are UK spy agencies able to get away with such mass data collection? The answer lies in the 1984 Telecommunications Act, which despite being established pre-internet, is now being used to uphold mass information gathering.

"This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals," Wood added. "The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny."

A Home Office spokesperson told Motherboard that bulk powers have become "essential" to spy agencies in the last decade, and will "be increasingly important in the future."

Even if you say the reason is national security, it does seem the modern-day government's thirst for data is unquenchable -- even if innocent people are caught in the crossfire.

See also: UK surveillance bill will force tech companies to disclose new products before they launch

Earlier this week, reports highlighted a new draft code of practice included as part of the UK government's overhaul of its surveillance systems. The document stipulates that internet, phone and technology firms will be required by law to inform the UK government of new products and services ahead of public launch -- especially if major alterations prevent UK spies from intercepting communication or accessing data within devices.

10 steps to erase your digital footprint

Read on: Top picks

Editorial standards