We need only look at the Edward Snowden leaks in 2013 to know that the UK government’s surveillance of its citizens has gone far beyond what many people are comfortable with. The government, technology companies and ISPs are all threatening to take away your privacy. Most recently, the recent Online Safety Bill proposed that providers of secure messaging apps implement a way for Ofcom to access unencrypted messages. All of this leads to the following question: what does the UK government know about you?
A brief history of UK data collection
First of all, it’s important to understand how the UK came to be in this situation. The UK has an extensive history of mass data collection. During World War II, it was used in the form of signal intelligence and code breaking. The Government Code and Cypher School (GC&CS) was formed in 1919 and was responsible for breaking the German Enigma codes. However, it was in 1946 that it became the Government Communications Headquarters (GCHQ) as it’s known today.
In 1948, the UK and US signed the UKUSA agreement, a signals intelligence pact that included a no-spy commitment. This agreement was of huge significance to intelligence gathering and has been a factor in the close relationship between the UK and USA ever since. The countries worked together intercepting communications, breaking codes, and then sharing the results. It soon became a multilateral agreement with the addition of Australia, Canada and New Zealand. This intelligence alliance is known as Five Eyes.
UK’s involvement in Five Eyes
The most prominent intelligence agency in Five Eyes is the USA’s National Security Agency (NSA). However, other prominent intelligence agencies include:
- UK’s Government Communications Headquarters (GCHQ)
- Communications Security Establishment Canada (CSEC)
- Australian Signals Directorate (ASD)
- New Zealand’s Government Communications Security Bureau (GCSB)
In the decades that followed the founding of the Five Eyes alliance, surveillance has progressed at an alarming rate. Indeed, with the growth of the internet and the onset of the digital age, there’s now a great deal of emphasis on monitoring the web and your online activity. However, this has also led to some revelations regarding programs and techniques used by Five Eyes intelligence agencies, including the UK’s GCHQ.
While it was once thought that Five Eyes contributors gathered information on their own citizens and shared it with each other, former NSA contractor Edward Snowden’s leaks in 2013 showed that Five Eyes contributors had actually been spying on one another’s citizens in order to circumvent their own domestic regulations on citizen surveillance.
Government Communications Headquarters (GCHQ)
The GCHQ is the UK’s primary intelligence and security organisation. In 2013, the GCHQ faced considerable backlash when Edward Snowden leaked details of the Tempora programme. The programme allowed the GCHQ to collect vast amounts of internet data that, according to documents acquired by Snowden, was shared with the USA’s National Security Agency.
On GCHQ and whether it is worse than the NSA, Edward Snowden said the following:
“…citizens in the United Kingdom and citizens around the world who are targeted by the United Kingdom, by the UK government, by UK systems, by UK authorities, they’re at a much greater risk than they are in the United States.”
First tested in 2008 and introduced into operation in 2011, the Tempora programme gathered phone and internet traffic by tapping into fiber-optic cables. There was plenty of opportunity to do this since the UK is connected to 57 countries by fiber-optic cables (only the US, France and Portugal have more connections).
“Tempora is really proof … that GCHQ has much less strict legal restrictions than other western government intelligence,” said Edward Snowden in a 2014 Guardian interview.
So what information did the Tempora programme gather? It’s said to have included:
- Recordings of telephone calls
- Contents of email messages
- Facebook posts
- Internet history of users
The legality of mass surveillance
Intelligence services in the UK are overseen by the Investigatory Powers Tribunal. Any legal challenges against the security and intelligence agencies go through the Investigatory Powers Tribunal which, in its 15 years, has never found reason to oppose the agencies.
Many of the legal actions against GCHQ have been undertaken by Privacy International, a UK-based charity that fights for the right to privacy. While legal claims against the GCHQ have been limited in success, they were a factor in the creation of the Investigatory Powers Act 2016, which was written to improve the safeguards on the exercise of surveillance powers. Unfortunately, the Investigatory Powers Act also significantly expanded surveillance powers, reducing people’s privacy in the process.
The Investigatory Powers Act 2016
The Investigatory Powers Act 2016 expanded the electronic surveillance powers of the UK intelligence community and police. In particular, web and phone companies are required to store records of websites visited by customers for 12 months.
Infamously dubbed the “Snooper’s Charter”, the Investigatory Powers Act’s provisions include new powers for the bulk collection and interception of communications data. In particular, communication service providers are required to collect Internet connection records (ICRs) and the following information:
- IP address
- Device used to connect to the internet (computer, phone)
- List of websites visited
- List of services used
- Timestamps of connections to websites and services
Furthermore, authorities are allowed to access your Internet connection records without a warrant. These include the following authorities:
- Metropolitan Police Service
- British Transport Police
- Secret Intelligence Service
- Home Office
- National Crime Agency
- HM Revenue & Customs
- Food Standards Agency
- Gambling Commission
- Serious Fraud Office
However, ICRs will reportedly not allow anyone at those agencies to access the specific pages visited within websites or a user’s specific activity on them. In order for such records to be accessed, a person must be of a certain rank. For example, in the case of the police, that person must, at the very least, be an inspector or superintendent.
Regardless of this, many people are still concerned that this information being held by third parties (private companies) is vulnerable to being accessed by hackers. In April 2018, the UK High Court ruled that the Investigatory Powers Act violates EU law while the European Court of Justice (ECJ) ruled it was in violation of EU legislation regarding privacy.
In September 2018, the European Court of Human Rights ruled that the GCHQ had violated the European Convention on Human Rights in its bulk collection of telecom data. According to a court statement, it found there was “inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination…”
List of British intelligence agencies
The UK government operates one of the largest surveillance and data collection plans in the world. The three main agencies are MI5, MI6 and GCHQ. However, the full list is made up of the following intelligence agencies:
- Security Service (MI5)
- Office for Security and Counter-Terrorism (OSCT)
- National Domestic Extremism and Disorder Intelligence Unit (NDEDIU)
- National Crime Agency (NCA)
- National Ballistics Intelligence Service (NBIS)
- National Fraud Intelligence Bureau (NFIB)
- Secret Intelligence Service (SIS/MI6)
- Defence Intelligence (DI)
- Government Communications Headquarters (GCHQ)
- Joint Intelligence Organisation (JIO)
These agencies may be responsible for domestic or foreign intelligence, military intelligence or for espionage or counter-espionage.
Government departments with your personal information
While some of the above intelligence agencies will have information on normal citizens, the government also consists of many departments that require record keeping for operational purposes, be it social security or taxes.
Some of the government departments with your personal information may include:
- Department for Work and Pensions
- Home Office
- Cabinet Office
- Department of Health and Social Care
- Department for Transport
- Department for Education
- Ministry of Defence
- Ministry of Housing
- Ministry of Justice
- Gambling Commission
Generally speaking, government departments will at least hold basic information such as your name, date of birth and address. Beyond the basics, the details held can vary by department. Let’s take a look at what information the Home Office, the Department for Work and Pensions and HM Revenue and Customs might have about you:
The Home Office
The Home Office is responsible for, among other things, MI5, visas and immigration. The varied data it holds on you can include the following:
- Biometric data, such as facial images, fingerprints, and DNA.
- Name, email address, phone numbers, passport information.
- Employment information, such as where you work, what you do — both currently and historically
- Criminal offence data
Under data protection law, you have the right to ask the Home Office for copies of your personal data – as well as the right to ask it to erase, or restrict the processing of, your personal data. To make a request, contact: email@example.com.
Department for Work and Pensions
The Department for Work and Pensions has a database called Customer Information System (CIS). This is one of the government’s largest databases and contains information on tens of millions of people. The CIS has records for anyone who has registered and been issued with a National Insurance number. Under the Social Security Act 1948, all individuals working in the UK or accessing welfare services must have a National Insurance number.
According to a document published by the Department for Work and Pensions, “CIS is a computer system used by the Department for Work and Pensions (DWP) to store basic identifying information about you such as your name, address, date of birth, National Insurance number and so on.”
CIS details a wide range of information including the following:
- Date of birth
- Marital status
- National Insurance number
- Immigration status
HM Revenue and Customs (HMRC)
The HRMC is in possession of various personal and financial information of members of the public as well as businesses, customers and clients, employees, offenders and more. Such information is collected in a variety of ways such as when you submit your Income Tax and other tax returns or when you register for one of HMRC’s services, for example.
However, your personal information may also be collected from third parties such as your employer, bank or via another government department. Data collected by the HMRC can be shared with third parties such as service providers, law enforcement agencies and debt collection agencies. Data collected by the HMRC includes the following:
- Telephone number
- Email address
- Marital status
- National Insurance number
- Bank account details
- Information about income
- Information about employment
Third parties with your personal information
Beyond government departments and intelligence organisations, third parties often have a wealth of information about you. Some of these are independent bodies that work closely with the government.
For example, the Electoral Commission was created to independently regulate party and election finance, as well as setting standards for how elections should be run. It holds the voting information of millions of UK residents.
However, most third-party organisations are private for-profit entities. These may be subject to government requests for consumer information. For example, in a six-month period in 2022, the UK government made 9,994 requests for data to Facebook (Meta). This is excluding any requests made under the Investigatory Powers Act from the UK pursuant to the US-UK Data Access Agreement.
Tech companies are particularly concerning as they can collect personal data on far large scale that the UK government.
“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about,” said Eric Schmidt, former Executive of Google in 2010 in an interview with The Atlantic. Such a statement may seem an exaggeration but on closer examination, there’s some truth to Schmidt’s comment.
Google offers many different apps, products and services, all of which gather some aspect of your personal information. For example, Google Maps may be a handy tool to have, but it provides Google with information on where you’re going, when you’re going and how you might be getting there.
Gmail and Hangouts have access to your contacts and conversations and Google Calendar knows your appointments. Add all of this together and Google may even know where you’re going, who you’re meeting and what you’ll be talking about. This is particularly worrying when you consider the risk of this private data being accessed by the UK government or even being stolen by hackers and sold to the highest bidder.
From everything you’ve searched online, the websites you’ve most frequently visited, to your very likes, dislikes and beliefs, Google is able to build up a profile about you. All of this is before we even consider the facial recognition in Google Photos and voice recognition in Android devices and Google Home. Thanks to these, Google even knows what you look and sound like.
To give you an idea of what the UK government can find out if they gain access to Google’s records, here’s a list of some examples:
- Search history
- Websites visited
- Emails (sent and received)
- Plans and appointments
- Locations visited
- Your appearance
- Your voice
- Videos watched
- News stories read
- Books read
- Products searched
National databases in the UK
One of the many ways in which the UK government can know more about you is through national databases. There are many national databases in the UK maintained by various government bodies. These databases are controlled and restricted under the Protection of Freedoms Act 2012. Two of the largest national databases in the UK include the National DNA Database (NDNAD) and that of the National ANPR Data Center (NADC).
First introduced in 1995, the UK’s National DNA Database (NDNAD) is one of the largest DNA databases in the world. According to National DNA Database statistics, as of September 2018, the database holds DNA records of 5.4 million people – some 8% of the UK’s population.
The database consists largely of samples recovered from crime scenes or taken from police suspects. Data for those not charged of an offence or found not guilty is then deleted from the database. It’s worth noting that recordable offences include begging and taking part in an illegal demonstration.
Automatic Number Plate Recognition (ANPR) technology is used in the UK. It records and tracks road vehicle movements through a network of approximately 13,000 cameras which automatically read vehicle number plates. This network allows for the capture of somewhere in the region of 60 million records on a daily basis.
According to UK police, ANPR is “used to help detect, deter and disrupt criminality at a local, force, regional and national level, including tackling travelling criminals, Organised Crime Groups and terrorists.” Records are stored for up to two years in the National ANPR Data Centre (NADC). This database can be accessed and used as evidence in investigations by UK law enforcement agencies.
The UK has one of the largest CCTV networks in the world. While figures vary, there are several million CCTV cameras in the UK, the majority of which are operated by companies or private individuals. However, tens of thousands are operated by UK government bodies. A report from the British Security Industry Association (BSIA) estimated that there’s between 4 million and 5.9 million CCTV cameras in the UK.
The Surveillance Camera Code of Practice was published by the Home Office in 2013, under the Protection of Freedoms Act 2012. This controls and restricts the collection, storage and use of CCTV footage by local governments and police forces.
5 ways to protect your privacy in the UK
Snowden’s 2013 leaks did change some things for the better with services such as Facebook, Skype and Whatsapp now offering end-to-end encryption as a security feature — though this is currently under threat by the UK government’s proposed Online Safety Bill. More than anything, Snowden’s leaks served to raise public awareness when it comes to surveillance and online data.
However, many would argue that little has changed in surveillance practices, particularly when you consider the introduction of laws such as the Investigatory Powers Act. This only served to expand government surveillance powers. Yet there are things you can do in order to protect your privacy and maintain your online anonymity:
One of the most essential things you can do in order to protect your data is to encrypt it. By using encryption, you can protect your data from unwelcome parties. When data is encrypted, only the person holding the keys can unlock it. You can encrypt your email, cloud storage files, messages and even your devices such as your laptop and mobile phone. Even if your data was requested by the UK government or hacked, it would remain unreadable.
Related: Common types of encryption explained
Short for virtual private network, a VPN redirects your internet connection through a VPN provider’s server. This serves to hide your IP address and your location. A quality VPN allows you to browse the internet anonymously and should feature 256-bit encryption, DNS leak protection and a kill switch. Be sure to choose a VPN that’s based in a country outside of Five Eyes and isn’t subject to data retention requests. Keep in mind that the safest VPNs don’t keep any logs of your activity.
3. Privacy browser
Popular web browsers such as Google Chrome are known to collect vast amounts of your data which is sold to third party advertisers. For this reason, privacy-focused browsers have grown in popularity in recent years. Privacy browsers include plenty of security features including forced HTTPS and ad-blockers. Combined with a privacy search engine that doesn’t track everything you do online, a privacy browser can help keep your data private.
4. Anonymous email
Google has admitted that it reads your emails in order to provide more accurate, targeted advertising. Needless to say, this has caused some concern. However, an anonymous email should have no identifiable connection to you and offer end-to-end encryption which means only the sender and recipient can read a message. A good anonymous email provider won’t keep any IP logs and should also be open source.
Read more: How to encrypt your email
Even if you’re using an anonymous browser and encrypting your data, you may need to make a payment or donation online. The problem with credit cards and third party services such as PayPal is that they often involve excessive fees and are obviously not anonymous. While cryptocurrency is still in its infancy, an increasing number of merchants are accepting the likes of Bitcoin (you can pay anonymously in bitcoin by using a mixing service beforehand) and other cryptocurrencies such as Monero – a popular privacy coin.
The UK government may know more about you than you thought
If you’re a UK citizen or resident, the UK government knows a lot about you. From basic information such as your name, date of birth and address to more detailed information such as your online browsing history, the UK’s involvement in Five Eyes and legislation such as the Investigatory Powers Act reduces your level of privacy.
It’s not just the government either. Third parties also gather plenty of your personal information and sell it to advertisers or even pass this information on to the UK government when requested. However, by taking measures such as encrypting your online data and using a secure VPN as well as an anonymous browser, you can take back a level of control and regain your privacy.