According to Alexander J Martin reporting on The Register, more than 760,000 “items of communication” were obtained by British spooks and others in 2015, according to the Interception of Communications Commissioner’s Office (IOCCO) annual report.
|Much of the data related to mobile phones|
The report, which was published today and covers the annual year 2015, revealed for the first time an accurate scale of communications slurped by public Authorities in the UK.
Previous figures reported by IOCCO weren’t able to show how much surveillance was taking place in the nation as only the number of notices given to ISPs were recorded, not the amount of communications data which the notices covered.
As shown in today’s 92-page publication [PDF], 761,702 items of communications data were acquired by public authorities during 2015. An item of data is a request for data on a single identifier or other descriptor. IOCCO offers the example of 30 days of incoming and outgoing call data for a mobile phone as a single item of data.
145 public authorities acquired data in 2015, and most of these requests came from the UK’s police forces and law enforcement agencies. Law enforcement officers acquired 93.7 per cent of all data requested by public authorities in 2015. Only 5.7 per cent of data was acquired by the intelligence agencies, and a mere 0.6 by public authorities such as the Financial Conduct Authority, which have the statutory ability to investigate criminal offences.
0.1 per cent of requests came from local authorities such as councils.
IOCCO conducted 72 inspections in 2015, looking at approximately 15,000 randomly selected applications for communications data in detail, with a further 117,000 applications being subjected to query-based examinations; IOCCO has an internally-developed query method on the records of applications to allow the office to “identify trends, patterns and compliance issues across large volumes of applications.”
In November last year, IOCCO said it wanted to be given full access to public authorities’ technical systems as it needed to “develop our technical audits on the interception side of the business, particularly where the collection of material and data is at scale and in order to do so we need explicit provision to access systems.”
This audit ability has not yet been granted.
A whopping 1,199 errors were reported in 2015, a 20 per cent increase year-on-year. IOCCO reported:
The main causes for the overall rise are a larger number of incorrect identifiers being submitted by applicants on their applications or, both applications and [Single Points of Contact] acquiring data over the incorrect date or time period. Once again we highlight that a significant number of these errors relate to Internet Protocol addresses being incorrectly resolves to subscribers, which can have serious consequences.
23 of these errors were considered “serious” in 2015; nine of them caused by technical system errors and 14 were attributed to human error. The nine technical system errors resulted in “multiple consequences and a large number of erroneous disclosures (2036)” while the human errors were not dissimilar to those reported by IOCCO last year, in which a typo led to a police force raiding the wrong house.
There were 17 search warrants executed at the wrong premises in 2015, which resulted in 13 arrests, although IOCCO did not give any more details on the circumstances of those. Six of those serious consequences involved people unconnected to the investigations being “visited” by police, and on seven occasions—as happened last year—welfare checks on vulnerable people, including children, were delayed.
Joanna Cavan, the head of IOCCO who has just a few weeks left at the oversight body before joining GCHQ's tech help desk, informed The Register that the most frequent error was caused by transposing the days and months when accommodating the American format of presenting the time.
Still surveilling journalists? Yup
Back in February last year IOCCO published an inquiry report [PDF] into police forces acquiring journalists’ communications data to identify and determine journalistic sources. The law was subsequently changed to revise a code of practice to include a provision designed to protect the public interest in the confidentiality of journalistic sources by forcing the cops to seek judicial approval instead of signing off on them themselves.
The revised code of practice—which requires the police to seek judicial approval before attempting to identify journalists’ sources—came into effect back in March 2015. However, IOCCO discovered it had been breached during four investigations, and in one case the commissioner, Sir Stanley Burton, determined that the conduct was serious and reckless.
IOCCO informed the four victims of Police Scotland’s unlawful surveillance of their targeting by the force and ability to bring their complaint to the Investigatory Powers Tribunal. In August, the Investigatory Powers Tribunal refused to award damages to the sources who had blown the whistle on a bungled murder investigation.
What kinda of data?
IOCCO’s report records only the collection of communications data, or metadata, by public authorities. Of all of the data which was collected by public authorities, a full half of it was subscriber information. This is data held, or obtained, by a communications service provider about a customer and can include the recorded name and address of the subscriber, a telephone number or the account holder of an email address.
48 per cent regarded traffic information, such as email headers, which is the metadata of a communication which identifies the sender and recipient, as well as the location and time at which it may have been sent.
Only two per cent of requests regarded service use information, which IOCCO defines as “data relating to the use made by any person of a communication service and may be the kind of information that biannually used to appear on a CSP’s itemised billing document to customers.”
The vast majority of the data collected, 82.6 per cent, related to telephony identifiers. Only 14.1 per cent of the data regarded internet identifiers, including email addresses and internet protocol addresses, with the remaining data relating to postal addresses, bank account, or credit card numbers.
The commissioner stated:
There is significant public debate not only about the privacy implications of the public authorities’ use of these intrusive powers, but also about the capabilities that the public authorities might require, the adequacy of the safeguards in the proposed legislation and, the effectiveness of the proposed oversight mechanisms.
We shall continue to work with Parliament and the Government to ensure that the UK has legislation governing interception and communications data techniques that provides sufficient clarity, foreseeability and transparency, which contains adequate human rights protections and safeguards, and which provides effective oversight and remedy mechanisms.