Oops! GCHQ accidentally spied on its own staff too much

The UK government has today published a report by Sir Mark Waller, the Intelligence Services Commissioner, into the activities of British intelligence agencies (including GCHQ).

The annual report, which was presented to Prime Minister David Cameron, uncovers something which must have caused a few red faces in Cheltenham – the home of GCHQ.

Turns out that not only was GCHQ spying on its employees’ communications (to be fair, you would expect and can understand that), but that the internal monitoring of staff captured more information about employees’ communications than it was authorised to.

In short, GCHQ spied on its staff too much.



“In 2014, GCHQ reported one error to me which happened when an internal monitoring system of some staff communications was found to be capturing more information than it was authorised to. I followed up on this error during my May inspection and the team explained that because of a lack of understanding of the systems’ full capability more data than had been authorised had been collected.”

“It was clear to me that this was a technical error and not deliberate. Following the discovery of the error GCHQ deleted the captured data and reconfigured the system to ensure that it only collected the information that it was authorised to collect.”

I know, I know. Hard to believe that GCHQ would be found guilty of excessive surveillance.

As The Guardian reports, this over-exuberant snooping was one of 43 errors by intelligence services uncovered by the 2014 report.


Concerns documented in the report include two data breaches, where security service contractors carried out “unnecessary queries” of bulk personal datasets (BPD – the extensive and highly personal information held by intelligence agencies on named individuals). After an investigation, the individuals concerned had their contracts revoked, says the report.

More recently an SIS (aka MI6) officer was found using the BPD system, after moving to a role where he should no longer have had access:

“The access was for a legitimate work purpose but still unacceptable and a breach notice was issued. However, I informed SIS that the corporate failure which allowed the officer to retain access to the system was a more serious breach. BPD systems hold highly personal data and it is vital that staff only have access if they have a business need.”

Sir Mark Waller says that he has asked MI6 to investigate if any more staff have access to bulk data when they do not have a business need, and to inform him what has been done to ensure people are removed from the bulk data register when they change job role.

Yes, it seems that intelligence agencies might be as bad as regular corporations at keeping tabs on what systems staff should be allowed access to, and which they should be prevented from using.

Leave a comment if you like, telling us how comfortable that makes you feel about the amount of information which they collect about individuals.

By the way, don’t confuse GCHQ (Government Communications Headquarters) with GCHQ (Graham Cluley HQ’s newsletter – HQ might either stand for the newsletter coming from my house, or that it’s high quality. Your choice).

As some people seem to get the two GCHQs mixed up, I’m considering politely asking them to change their name to something simpler and friendlier like “Snoopsville” or “Britannia’s Big Brother”.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

8 comments on “Oops! GCHQ accidentally spied on its own staff too much”

  1. Matt Haitch

    Finally the answer to "Quis custodiet ipsos custodes?" is revealed as "notitia servi"

  2. Winston Smith

    I'm sad to say that my first response was, "Of course they did…", but that does not mean I am any less angry and worried.
    “Power is not a means; it is an end. One does not establish a dictatorship in order to safeguard a revolution; one makes the revolution in order to establish the dictatorship. The object of persecution is persecution. The object of torture is torture. The object of power is power.”
    Thanks for what you do, Graham.

  3. David N

    "error"? "deleted"? Funny how words have different meanings in different contexts ;)
    [Can they actually delete from their backups / business continuity protections? If so, aren’t they potentially tampering with evidence?]

  4. 0z_

    Official Statement from Government Communications Headquarters:
    "Yo dawg, we heard you like spying. So we spied on the spies who spy spies."

  5. Coyote

    "I know, I know. Hard to believe that GCHQ would be found guilty of excessive surveillance."

    Actually I think there is something else that is harder to believe than that. I find it harder to believe they aren't saying the opposite. Surely they really mean they aren't spying enough. Maybe they're actually trying to put on the act that you would expect of spies – misdirection, misleading and so on? I find it incredibly hard to believe they could think it possible to spy too much… you know, they might find a citizen, government official or even terrorist, trying to plan an attack! What is the difference? terrorist? government official? For that matter, what about a citizen? They could be working together! In the end they need to make sure they have as much knowledge as possible (which indeed means practically nothing…) so as to prevent attacks (not counting their own of course). So keep it up GCHQ, NSA and every other spying organisation! Despite it being an excuse for more power (not even power ^ +infinite is enough!), we know you need to do it and we're all OK with it because you're making us all safe. I don't need to tell you any of this, of course, because you see all… (at least we can be thankful not everything is visible)

  6. Austin

    This honestly does not surprise me at all. The GCHQ is about intelligence and I'm sure they want to ensure their employees are not leaking classified information. I'm confident the NSA here in the U.S. is guilty of the same.

    1. Coyote · in reply to Austin

      Of course they are (well, okay, I am not thinking of intelligence in the truest sense of the word). But the NSA has always been this way, haven't they? (Actually, for the NSA it is far better; see last paragraph). They did an amazing job with Snowden though, that is for sure. Great job at keeping secrets secret (the only true secrets, though, were the specific instances of spying technology, not that they spied on all… but ask yourself if you feel safe with them having your information). One wonders if they can prevent that next time. I think not; indeed, if you read this post entirely you'll see what I mean.

      As for the NSA, let's go to the issue of encryption: they had issues with encryption before 9/11 and that is why I have stated here (and to people in person and written elsewhere) that terrorism is just an excuse. Let me rephrase that. It is one reason of many (after all, it isn't like this isn't a centuries old thing; espionage is as old as mankind and excuses will be made for anything if it fits the entity and their purpose, espionage related or not). They had a hissy-fit before 9/11 it is just they had different excuses (ultimately leading to weaker encryption). The want is the same but the excuses change. There is a reason there exists export grade encryption (the concept).

      This all boils down to one thing: they will do whatever they are capable of and are allowed (or otherwise can get away with.. of course they love the fact laws have loopholes.. and they love how easy it is to spread and abuse fear/propaganda) to and that is how it always will be. That is why laws exist, I suppose; those with a moral compass will be fine anyway but laws exist to try to keep control over a situation. In the end some won't care whether something is legal or illegal; they'll do whatever they want. Those that do try to follow the law, however, can be somewhat tamed by the law (where otherwise they might not have a problem with whatever) so it comes down to the lawmakers which are often aligned with organisations like the NSA (if not the same).

      If you want a better idea, take a guess which organisation wanted export grade encryption (which results to 'weaker') for the US. If you guessed the NSA you guessed correctly. This was quite a long while before 9/11 or even the 2000s (and it was and is a legal issue you don't want to deal with). Not so ironically the NSA was affected by this brain-dead idea of theirs (see the FREAK issue earlier this year). A view on this can be found here: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html .. and is a good example of just how stupid backdoors/etc. are (which is to say that backdoors can be used by anyone). If it wasn't for it affecting others I would just agree that it serves them right for wanting to make everyone less safe in the first place.

  7. Mike Hulse

    Wonder if 'The GCHQ' are aware of how many of their current staff are openly published on LinkedIn and it's quite easy to search for Intelligence personnel (including personal photos) on there? Looks like GCHQ are out in the back garden looking for four leaf clovers whilst leaving the front door wide open. Not very intelligent.
