UK government has been illegally collecting data for almost a decade

"The BPD regime failed to comply with the ECHR principles," Investigatory Powers Tribunal's ruling says.

The UK government has been collecting data about UK citizens in bulk for almost a decade now, and it has done it – illegally. This was ruled by the Investigatory Powers Tribunal (IPT). Under Article 8 of the European Convention of Human Rights (ECHR), what the UK government did between 1998, and November 2015 was not legal. 

“The BPD regime failed to comply with the ECHR principles which we have above set out throughout the period prior to its avowal in March 2015,” the ruling, which you can read in full here, states. “The BCD regime failed to comply with such principles in the period prior to its avowal in November 2015, and the institution of a more adequate system of supervision as at the same date.” In March 2015, the government started the process of legalising the practice. The ruling also said the government never informed the Parliament on its actions, making scrutiny basically impossible. 

“It seems difficult to conclude that the use of BCD was foreseeable by the public, when it was not explained to Parliament; and several opportunities arose when legislation or codes of practice were being introduced or amended (and particularly in 2000 when s.80 of RIPA was passed), when the government of the day did not avow the use of section 94 [which governs communications intercepts]," said the IPT.  

The fate of the data gathered is left unclear – it is not known if it will be deleted or not. We do know that the process is now legal – something the IPT disagrees with.

 Jacob Ginsberg, Senior Director at Echoworx commented: “The analysis of metadata is just as intrusive as the analysis of content from web pages or social media. It may appear innocuous but it has the potential to expose the life histories of individuals over time, both personally and professionally. Party politics aside, this is an invasion of people’s privacy.

"For businesses, this is cause for concern and will encourage them to think about jurisdictional shopping, and storing their data in countries that this bill cannot influence. Another issue is the inevitability that data will leak. What happens when this treasure-trove of metadata is made publically available by a malicious attacker?

"We need to think longer and harder about the implications of unavoidable outcomes and the impacts they will have on people’s lives, whether its discrimination over an insurance policy or an outright attack on privacy.”

Image source: Shutterstock/alexskopje