Greater clarity is needed over the mass collection of bulk data sets on innocent members of the UK public, Conservative MP David Davis (pictured) has told the Joint Select Committee set up to analyse the draft Investigatory Powers Bill proposals.
The mass collection of bulk personal data sets was revealed for the first time earlier this year by the Intelligence and Security Committee in a report titled Privacy and Security: A modern and accountable legal framework.
It was acknowledged that, with little oversight, the scooping up of bulk data sets by spy agencies including GCHQ has been going on for years without ministerial approval.
These data sets reportedly include medical, travel, financial and biometrics records of UK citizens who are not suspected of committing a crime.
Additionally, spy agencies are reportedly collecting credit references, membership records and information on loyalty card schemes, but no agency has yet provided a comprehensive list of the data they retain.
Given this extensive gathering of data Davis said it was vital more clarity was given on what is being collected and why.
"This is very intrusive information for a state to hold. We are pretty sure they have all the communications data, they have got flight data, they have almost certainly got financial data, and they may well have Automatic Number Plate Recognition data," said Davis.
"It's not for me to give the committee advice, but if I was going to point at something that needs to be looked at I would look very hard at [bulk personal data sets] because this has been explicitly disavowed as an approach by the Americans and others."
Indeed, the introduction of the USA Freedom Act this year signalled the curtailing of this form of mass surveillance by the National Security Agency (NSA).
The collection of these records on a mass scale by British intelligence, under the protection of ‘national security', is being subject to increasing scrutiny owing to the inclusion of the topic in the draft Investigatory Powers Bill.
The personal data sets are described in the text in surprisingly candid detail. "Bulk personal data sets are sets of personal information about a large number of individuals, the majority of whom will not be of any interest to the security and intelligence agencies," it states.
"The data sets are held on electronic systems for the purposes of analysis in the security and intelligence agencies. Examples of these data sets include the telephone directory or the electoral roll."
Alongside bulk equipment interference, mass data retention and communications interception, the latest spying bill aims to legitimise the powers that have been in use without parliamentary oversight by UK spies for years.
Davis told the committee that the backlash to bulk data set collection is reminiscent of the opposition to UK national identity cards.
"The primary argument about the identity card was not carrying a plastic card, it was the existence of a central national database of personal data of every citizen. And it seems to me as though we have had that since 2005 and possibly 2001," he said.
"We have been having arguments for about 10 years about whether or not we should have a central database for ID cards, whether or not we should have communications data and hence the stalling of the so-called Snoopers' Charter when in fact this has existed all through that."
The veteran Conservative MP, who has long been a vocal opponent of mass state surveillance, also told the committee about the sheer scale of information these data sets provide to spy agencies.
"One of the things I would hope the committee would come to a view on is what's in this, because there are arguments that there are hundreds of data sets here and that's hundreds of data sets per person and that's very serious," he said.
"Until [March] there was no oversight whatsoever. I am afraid in a democracy it is necessary to look at what you are doing and you can only do that by discussing it."
The draft Investigatory Powers Bill proposes a warrant system with increased oversight by the secretary of state and the judicial commissioner. "Warranting is good but, frankly, the extent to which much of this database should exist is very debatable," Davis argued.
Snooping on a mass scale
Davis is not alone in his concern regarding bulk personal data sets. Ross Anderson, professor of security engineering at the University of Cambridge, told V3: "The government already gives medical data to law enforcement wholesale, and I have experience while in the banking industry years ago of transaction data being collected, but I am not allowed to say any more.
"Quite apart from this, the government is creating four regional data centres for research, one for each constituent country of the UK, which have not just medical data but tax returns, welfare payments and other bulk personal data held by central government.
"This will even be available to university researchers with appropriate ethical clearance; it's simply unimaginable that the spooks don't have access to that too."
Anderson previously appeared before the scrutiny committee at the start of December alongside former GCHQ director Sir David Omand and Dr Paul Bernal, a lecturer in IT, intellectual property and media law at the University of East Anglia.
Following his appearance, Anderson told V3 that bulk personal data sets are an intrusive method of collecting information that can span every facet of daily life.
"A big question is whether [GCHQ] will have access to all our bank and credit card statements. Certainly they already have access to your credit reports and your Tesco Clubcard (as companies can just buy this access), and it's clear that the bill gives them the power to demand all your detailed bank statements too," he said.
"If they don't plan to take it, then let's have an amendment on the face of the bill saying they can't take it."
The draft Investigatory Powers Bill looks set to take the place of the current Data Retention and Investigatory Powers Act 2014 which expires in December 2016. The current proposals have met with opposition from a number of technology firms and privacy groups, many voicing strong opposition to the approaches on encryption, bulk surveillance and hacking.
Intel wants to get inside your car, despite missing out on mobile
'We'll keep fighting to fight to keep the web free and open,' claim EFF
Breached in March by the same attackers, claim 'insiders'
And all for less than £150, according to Keith