Documents Reveal Inner-Workings of UK's Spying Databases

The UK government has kept so-called Bulk Personal Datasets (BPDs)—large collections of personal information, the majority of which relates to people not of any interest to intelligence agencies—a closely guarded secret. In January, for example, the Home Secretary Theresa May refused to say whether the country's spies access medical records.

Now, a large cache of internal GCHQ documents obtained by campaign group Privacy International provides more information about how these datasets are obtained, what they potentially contain, and how they are handled by intelligence agencies.

"Although bulk personal datasets constitute only a tiny proportion of the data GCHQ obtains, its retention and use of such datasets represent a significant interference with many people's right to privacy under the European Convention on Human Rights (ECHR)," reads one document. "This interference must be justified in terms of its necessity and proportionality."

Generally, BPDs are collections of data that relate to a wide group of people, "the majority of whom are unlikely to be of intelligence interest," another document reads.

The documents have been released in response to a legal challenge filed by Privacy International in June 2015 to the Investigatory Powers Tribunal, the court tasked with handling complaints around the use of covert techniques by public authorities. The UK government has published some documents related to BPDs in the past, but this newly released collection includes internal policies and procedures from June 2005 to May 2015 for GCHQ and other intelligence agencies.

Broadly, GCHQ acquires BPDs that fall into five different categories: biographical, travel, financial, communications, and commercial, according to one document called "GCHQ Bulk Personal Datasets Closed Handling Arrangements."

Another document, entitled "Bulk Personal Data Acquisition Retention (BPDAR) form January 2016 to present," shows what sort of information analysts have to explicitly flag when filling out the appropriate paper work to obtain a dataset.

"Does this dataset contain any of the following personal information?" the form asks, followed by date of birth, nationality, address, phone number, email address, passport, identity card numbers, bank account, credit card details, financial transaction details, or "other."

Another question marks certain types of information as "sensitive," and includes political opinions, religious beliefs, membership of a trade union, sexual life, legal proceedings and their outcomes, and more.

The cache also hints at where Bulk Personal Datasets may be obtained from. They may come via agreements with third-party voluntary suppliers, by "other non-cover access methods," or by the exercise of statutory powers. The majority of BPDs held by GCHQ are "acquired by means other than interception," according to a document.

Another section reads that Foreign Secretaries have given directions to providers of public electronic communications networks to provide GCHQ "with various sets of bulk communications data in the interest of national security."

"Ideally, authorisation will be sought and granted before GCHQ acquires (or creates) a dataset," one document reads, but adds that authorisation must be obtained before the dataset is actually used.

How various oversight mechanisms work around these BPDs is also detailed in the documents. The ongoing retention of every BPD is reviewed at least every 24 months by the Bulk Personal Data Retention Review Panel, and staff, the same document notes, can be dismissed or otherwise disciplined for inappropriately accessing data.

The term Bulk Personal Dataset was used publicly for the first time last year, in an Intelligence and Security Committee (ISC) report.

"Even the ISC, the Parliamentary Committee that oversees the work of the intelligence
agencies and has full security clearance, was unaware of the use of BPDs until recently," Privacy International said in a statement. "The papers released today act as proof of, and show the sheer scale of, British intelligence agency surveillance of our personal data."

GCHQ did not respond to a request to name any specific BPDs that it has acquired.

A Home Office spokesperson told Motherboard in an email that, "Bulk powers have been essential to the security and intelligence agencies over the last decade and will be increasingly important in the future. Terrorists and criminals have embraced modern communication networks to plan, coordinate and increasingly to execute their attacks, reducing the ability of conventional and targeted intelligence approaches alone to tackle these challenges."

"The acquisition and use of bulk provides vital and unique intelligence that the security and intelligence agencies cannot obtain by any other means," the spokesperson continued. "The security and intelligence agencies use the same techniques that modern businesses increasingly rely on to analyse data in order to overcome the most significant national security challenges."