The UK government has today published a report by Sir Mark Waller, the Intelligence Services Commissioner, into the activities of British intelligence agencies (including GCHQ).
The annual report, which was presented to Prime Minister David Cameron, uncovers something which must have caused a few red faces in Cheltenham – the home of GCHQ.
Turns out that not only was GCHQ spying on its employees’ communications (to be fair, you would expect and can understand that), but that the internal monitoring of staff captured more information about employees’ communications than it was authorised to.
In short, GCHQ spied on its staff too much.
“In 2014, GCHQ reported one error to me which happened when an internal monitoring system of some staff communications was found to be capturing more information than it was authorised to. I followed up on this error during my May inspection and the team explained that because of a lack of understanding of the systems’ full capability more data than had been authorised had been collected.”
“It was clear to me that this was a technical error and not deliberate. Following the discovery of the error GCHQ deleted the captured data and reconfigured the system to ensure that it only collected the information that it was authorised to collect.”
I know, I know. Hard to believe that GCHQ would be found guilty of excessive surveillance.
As The Guardian reports, this over-exuberant snooping was one of 43 errors by intelligence services uncovered by the 2014 report.
Concerns documented in the report include two data breaches, where security service contractors carried out “unnecessary queries” of bulk personal datasets (BPD – the extensive and highly personal information held by intelligence agencies on named individuals). After an investigation, the individuals concerned had their contracts revoked, says the report.
More recently an SIS (aka MI6) officer was found using the BPD system, after moving to a role where he should no longer have had access:
“The access was for a legitimate work purpose but still unacceptable and a breach notice was issued. However, I informed SIS that the corporate failure which allowed the officer to retain access to the system was a more serious breach. BPD systems hold highly personal data and it is vital that staff only have access if they have a business need.”
Sir Mark Waller says that he has asked MI6 to investigate if any more staff have access to bulk data when they do not have a business need, and to inform him what has been done to ensure people are removed from the bulk data register when they change job role.
Yes, it seems that intelligence agencies might be as bad as regular corporations at keeping tabs on what systems staff should be allowed access to, and which they should be prevented from using.
Leave a comment if you like, telling us how comfortable that makes you feel about the amount of information which they collect about individuals.
By the way, don’t confuse GCHQ (Government Communications Headquarters) with GCHQ (Graham Cluley HQ’s newsletter – HQ might either stand for the newsletter coming from my house, or that it’s high quality. Your choice).
As some people seem to get the two GCHQs mixed up, I’m considering politely asking them to change their name to something simpler and friendlier like “Snoopsville” or “Britannia’s Big Brother”.