The Troubling Metadata Sharing Program That Was Just Revealed in the UK
Through MILKWHITE, low level agencies such as the Metropolitan Police can access metadata collected by GCHQ.
For years, and in secret, UK law enforcement agencies have had access to metadata collected by the country's powerful signals intelligence agency GCHQ.
The fact this power has only been revealed now raises serious questions around government transparency, especially while Home Secretary Theresa May and others are pushing a controversial surveillance law on the premise that law enforcement need greater visibility into criminals using the internet.
Through a program called MILKWHITE, revealed on Tuesday in Snowden documents published by The Intercept, the Metropolitan Police, Her Majesty's Revenue and Customs (HMRC) and more have been able to dig through GCHQ's intercepts for things such as IP addresses.
According to The Intercept, MILKWHITE stretches all the way back to September 2009, and may include information on British calls, emails and browsing data. (It's not totally clear what amount or exact type of data has been provided to law enforcement—The Intercept suggests it was collected by GCHQ's tapping of undersea cables).
A series of internal updates dating from 2009 to 2011 indicates that information on apps such as WhatsApp, protocols such as XMPP, and social media sites were part of the program.
MI5, the UK's domestic security service, is involved with MILKWHITE, but five law enforcement agencies also have access according to a 2011 document: the Serious Organised Crime Agency (SOCA) (now the National Crime Agency), HMRC, the Metropolitan Police Service, the Police Service of Northern Ireland, and the Scottish Recording Centre.
That access was facilitated by the SOCA hosted "Internet Data Unit" (iDU). According to the document, SOCA and HMRC also received information through "business as usual" channels.
These revelations come at time when the UK government is trying to pass the Investigatory Powers Bill, a piece of legislation that would force internet service providers to store browsing data for all customers, and would include information on when they use things such as WhatsApp.
Richard Tynan, technologist at Privacy International, described the powers as "mission creep."
"While cooperation between different law enforcement agencies on a case-by-case basis is certainly not new and can be beneficial, systemic and wholesale access to these mass surveillance systems is not something any politician has ever disclosed to the public," he said in a statement. "It is vital that truly independent authorisation and oversight is put in place."
Jim Killock, executive director of Open Rights Group said "That vast amounts of metadata were shared by MI5 with a wide number of agencies, such as the Met and HMRC, highlights the lack of transparency, safeguards and accountability."
The National Crime Agency would not say whether the agencies still had access to the MILKWHITE program. Update:A Metropolitan Police spokesperson told Motherboard in an email, "We work closely with various agencies to prevent and detect crime. We do not discuss where we do or don't get information from."