Now 16,318+ British Cops, Suits & Spooks Can See Every Website You Visit

Last Updated: March 25, 2017


The Investigatory Powers Act (IPA) is a new law that makes mass surveillance legal in the United Kingdom. All citizens’ mobile phone and internet use will now be logged, and the law also allows the government to secretly bypass encryption, among other things.

The Act specifies a number of job roles that have access to your Internet Connection Records (ICRs). Many people are concerned about just how many people in the government have access to them. And they should be!

In Summary: Who Has Access?

WhoIsHostingThis filed almost 100 Freedom of Information Requests to find out exactly who gets access to your data. We can now reveal that there are at least 16,318 employees in government and the public sector who have legal access to your ICRs. And this number only accounts for two-thirds of the organizations mentioned in the Act.

Our current total represents a lower bound — the minimum number of people who have access to what you do on your computer. Over time, we will doubtless learn more and revise this total. Here is the current breakdown:

Group                              Subtotal    Total
Police                                         10,578
  England and Wales                8,716
  Ministry of Defence              138
  Northern Ireland and Scotland    1,724
  Military                         ?
Intelligence Services                          ?
  MI5                              ?
  MI6                              ?
  GCHQ                             ?
HMRC                                           2,967
Emergency Services                             644
  Marine and Coastguard            11
  Fire and Ambulance               538
Miscellaneous                                  2,129
Total                                          16,318


How We Got These Numbers

Section 4 of the Investigatory Powers Act states the roles required for access to Internet Connection Records. There are two levels of access: Full, or Entities. Entities is a restricted view.

All roles in the Act are the minimum required to access Internet Connection Records. In our Freedom of Information Requests, we asked for the names of all roles senior to the minimum role required, as well as a headcount for each role. Not all organizations provided this, but many did.

Our Purpose

The aim of this article is not to “name and shame” the people with access to your data. After all, many of them never asked for access, may not want it, and may privately oppose the Investigatory Powers Act.

But it’s important to get to grips with the sheer scale of the issue. There are a dizzying number of people with access to your private data. They all have permission to see what you get up to on your laptop or phone. And, in some cases, it isn’t clear how their jobs have anything to do with the supposed reasons the IPA was passed in the first place.

For example, the Department for Work and Pensions and the Food Standards Agency don’t seem to have anything to do with terrorism or human trafficking.

The Numbers In Detail

The figures we present here come from our Freedom of Information Requests and information on the internet. Some organizations did not respond in the allotted time, some requested further information from us, and others are exempt from providing this information. For these reasons, and the complications around how job sharing is reported, these figures should be considered a minimum.

Number of Police With Access

The Investigatory Powers Act allows Police Inspectors to view a truncated version of your Internet Connection Records (including entities in your Internet Connection Records, and links between those entities). Because the data is opened up to senior roles, we know that Chief Inspectors will also get to see this entity data.

England and Wales

According to 2015 figures, there were 7,358 Inspectors and Chief Inspectors in the force in England and Wales.

Full Internet Connection Records can be accessed by anyone with the rank of Superintendent or Chief Superintendent, and any member of staff senior to those roles. Based on the 2015 data, that’s 7,358 officers at those ranks and 1,358 officers above. That makes 8,716 officers in the police force in England and Wales with access to ICRs.

Ministry of Defence

The Ministry of Defence (MoD) Police says that it has a total of 119 in the ranks of Inspector or Chief Inspector. There are 19 officers above that rank, for a total of 138 with ICR access.

At this point, it’s worth noting that at least one MoD policeman has been investigated and relieved of duties for misuse of data in recent years. He was suspended after searching police logs for personal information about the ex-footballer Paul “Gazza” Gascoigne, proving that misuse can and does happen.

Northern Ireland and Scotland

In the Northern Ireland police force, there are at least 436 staff with the role of Inspector or higher, and 21 at Superintendent or higher.

Police Scotland confirmed the figures for its force after processing our Freedom of Information Request. There are 861 police inspectors, 240 inspectors, 117 superintendents, 38 Chief Superintendents, 7 Assistant Chief Constables, 3 Deputy Chief Constables, and 1 Chief Constable, adding 1,267 to the total.

That makes a total of 1,724 officers in Northern Ireland and Scotland with access to ICRs.

Army, Navy, Air Force

The Royal Air Force, Navy, and Army police did not reply to our Freedom of Information Request within the allowed time.

We found a 2013 report (PDF) on gov.uk stating that there are 5,294 personnel at the rank of Commander (Royal Navy Police), Lieutenant Colonel (Royal Military Police), and Wing Commander (Royal Air Force Police). But this represents the entire military. At this time, we do not know how many military police officers have this rank. Just as important, we do not know if general military personnel above this rank will have access.

As a result, we cannot provide an estimate for this category at this time.

Policing Totals

Given all the people with access to all of this data, it is of some import that the Chief Constable of Police Scotland was criticized in August 2016 for failing to secure his own personal Facebook page. If the head of the Scottish police has trouble managing his own internet privacy, 58 million UK citizens should surely be concerned that he’s in charge of their data too.

Police total so far: 10,578. Remember: this is based on incomplete data, so it is a low estimate.

We Don’t Know About Access at MI5, MI6, and GCHQ

The intelligence agencies presented a particular problem for our investigation.

MI5

MI5 stands for Military Intelligence, Section 5, and is responsible for domestic counter-intelligence and security. Currently, it employs approximately 4,000 people.

The Act allows General Duties 3 staff (or more senior) to access full Internet Connection Records, and General Duties 4 access to Entities only. We asked MI5 for the number of staff in these roles, but they declined to provide any figures.

MI6

MI6 stands for Military Intelligence, Section 6, and is responsible for gathering intelligence from outside the UK to support certain UK government activities. Full ICRs will also be available to MI6 staff at Grade 6 or above. We do know that MI6 had 2,479 staff in March 2015 and plans to recruit 1,000 more by 2020. We don’t know how many are at Grade 6 or above, and MI6 did not respond to inquiries.

In 2016, MI6 and MI5 were found to have breached human rights law by collecting bulk communications data without consent. This is the kind of activity that the Investigatory Powers Act was designed to legalize.

GCHQ

GCHQ personnel who have a role of GC8 or above also have access to ICRs. But GCHQ has not responded to our inquiries.

As we have no confirmed numbers for this section, we have not added anything. But it is certain that MI5, MI6, and GCHQ would increase our total by a significant amount.

Number of People at HMRC With Access

We already know that Her Majesty’s Revenue and Customs (HMRC) scrapes social media accounts to find data about UK taxpayers. This data is fed into its analytics platform, Connect, and merged with information about UK residents’ wages, pensions, bank accounts, investments, and online shopping habits. Now that dataset will be augmented with the online activity of ordinary UK residents.

Full Internet Connection Records are visible to Senior Officers at HMRC, while entities are available to Higher Officers. In a 2016 summary of junior posts, there were 2,123 Senior Officers, and 844 Higher Officers. All of the people above these roles also have access, but HMRC did not classify exactly which roles would fall into those groups.

So far, this represents 2,967 HMRC employees, by our count, making our running total 13,545 people — which is a very conservative estimate.

Number of People in Emergency Services With Access

At the Marine and Coastguard Agency, 4 staff can see entity data, and 7 other staff have full access to Internet Connection Records. The Maritime Operations Commander is among them, as is the Head of Enforcement. The Marine and Coastguard Agency did not recognize some of the job roles in the wording of the Act, so this figure may be higher.

Even this relatively small figure should concern you. According to a 2016 Freedom of Information request, the Marine and Coastguard Agency’s IT security audit revealed 16 “significant” security risks. It did not, however, provide any information about the nature of those risks.

At fire brigade and ambulance services, Internet Connection Records are available to Watch Managers and Duty Managers in control rooms. These people are in charge of directing the response to incidents. All of the roles senior to these people also have full access to ICRs, including Brigade Managers, Area Managers, Operations Managers, and others.

We made Freedom of Information Requests to each individual fire or ambulance authority, and we confirmed at least 644 people with access across all of the fire and ambulance services that responded.

That brings our known total to 14,189.

Number of People With Access Elsewhere

Here are the responses to our FOI requests, along with the figures we were given:

  • 279 people at the Competition and Markets Authority
  • 326 at the Department of Health Medicines and Healthcare Products Regulatory Agency
  • 10 at the Department of Health Anti-Fraud Unit
  • 59 at the Department for Work and Pensions
  • 3 at the Common Services Agency for the Scottish Health Service
  • 13 at the Criminal Cases Review Commission
  • 537 at the Department for Communities in Northern Ireland
  • 5 at the Department for the Economy in Northern Ireland
  • 11 at the Department of Justice in Northern Ireland
  • 13 at the Financial Conduct Authority
  • 45 at the Food Standards Agency
  • 5 at Food Standards Scotland
  • 56 at the Gambling Commission
  • 45 at the Health and Safety Executive (HSE)
  • 10 at the Independent Police Complaints Commission (IPCC)
  • 75 at the Information Commissioner’s Office (ICO)
  • 13 at the National Health Service Business Services Authority
  • 3 at the Northern Ireland Health and Social Care Regional Business Services Organisation
  • 548 people at the Office of Communications
  • 16 at the Office of the Police Ombudsman for Northern Ireland
  • 2 at the Police Investigations and Review Commissioner
  • 49 at the Serious Fraud Office
  • 6 at the Northern Ireland Fire and Rescue Board.

This makes for a total of 2,129 more people who have access to Internet Connection Records, bringing our total to 16,318.

There are doubtless many more, given the lack of information about MI5, MI6, and GCHQ alone. Potentially thousands more remain uncounted.

Why This Matters

Again: this isn’t an attempt to shame people with access to your personal data. But it is an attempt to shock you into recognizing how wide-open the access is.

Small-scale data protection breaches happen all the time; large scale hacks aren’t that rare. And the UK government has a long track record of losing personal data accidentally, too.

UK councils also have a dubious record when it comes to misusing surveillance in the past. For example:

Some misuse may be intentional, while some may be the result of simple ignorance. At least one of the organizations that we approached did not provide an answer to our questions because the respondent did not know what Internet Connection Records are, even after we provided a link to the Act.

The more people that can access the data, the more potential there is for that data to be accessed illegally, or used unethically. And that can compromise your safety and your liberty.

Appendix

Upwards of one hundred FOI requests were filed for this article. Of these, 76 were completed and used in the final version of this article. As we gather more data, we will add to this article. Here are PDFs containing each FOI document we have used:

  1. Avon Fire and Rescue Service
  2. Bedfordshire and Luton Fire and Rescue Service
  3. Buckinghamshire Fire and Rescue Service
  4. Cambridgeshire Fire and Rescue Service
  5. Cheshire Fire and Rescue
  6. Cleveland Fire Brigade
  7. Common Services Agency for the Scottish Health Service
  8. Competition and Markets Authority
  9. Cornwall Fire and Rescue Service
  10. County Durham and Darlington Fire and Rescue Service
  11. Criminal Cases Review Commission
  12. Department for Communities Northern Ireland
  13. Department for the Economy in NI
  14. Department for Work and Pensions
  15. Department of Health Anti-Fraud Unit
  16. Derbyshire Fire and Rescue Service
  17. Dorset and Wiltshire Fire and Rescue Service
  18. East Midlands Ambulance Service NHS Trust
  19. East of England Ambulance Service NHS Trust
  20. East Sussex Fire and Rescue Service
  21. Essex County Fire and Rescue Service
  22. Financial Conduct Authority
  23. Food Standards Scotland
  24. Gambling Commission
  25. Gloucestershire Fire and Rescue Service
  26. Hampshire Fire and Rescue Service
  27. Health and Safety Executive
  28. HMRC
  29. Independent Police Complaints Commission
  30. Information Commissioner
  31. Isle of Wight Fire and Rescue Service
  32. Isles of Scilly Fire and Rescue Service
  33. Kent Fire and Rescue Service
  34. Lancashire Fire and Rescue Service
  35. Leicestershire Fire and Rescue Service
  36. Lincolnshire Fire and Rescue Service
  37. London Ambulance Service NHS Trust
  38. London Fire Brigade
  39. Maritime and Coastguard Agency
  40. Medicines and Healthcare Products Regulatory Agency
  41. Merseyside Fire and Rescue Service
  42. MI5
  43. Ministry of Defence Police
  44. National Health Service Business Services Authority
  45. Norfolk Fire and Rescue Service
  46. Northamptonshire County Council Fire and Rescue Service
  47. North East Ambulance Service NHS Foundation Trust
  48. Northern Ireland Ambulance Service
  49. Northern Ireland Health and Social Care Regional Business Services Organisation
  50. Northern Ireland Prison Service
  51. Northumberland Fire and Rescue Service
  52. North West Ambulance Service NHS Trust
  53. North Yorkshire Fire and Rescue Authority
  54. Nottinghamshire Fire and Rescue Service
  55. Office of Communications OFCOM
  56. Oxfordshire Fire and Rescue
  57. Police Investigations and Review Commissioner
  58. Police Ombudsman of Northern Ireland
  59. Royal Berkshire Fire and Rescue Service
  60. Scottish Ambulance Service
  61. Scottish Criminal Cases Review Commission
  62. Serious Fraud Office
  63. Shropshire Fire and Rescue Service
  64. South Central Ambulance Service
  65. South East Coast Ambulance Service NHS Foundation Trust
  66. South Western Ambulance Service NHS Foundation Trust
  67. Staffordshire Fire and Rescue Service
  68. Suffolk Fire and Rescue Services
  69. Surrey Fire and Rescue
  70. Tyne and Wear Fire and Rescue Service
  71. Warwickshire Fire and Rescue Service
  72. Welsh Ambulance Services NHS Trust
  73. West Midlands Ambulance Service NHS Foundation Trust
  74. West Sussex Fire and Rescue
  75. West Yorkshire Fire and Rescue Service
  76. Yorkshire Ambulance Service
  77. Northern Ireland Fire and Rescue
  78. Greater Manchester Fire and Rescue
  79. Hertfordshire Fire and Rescue
  80. Police Scotland

Organizations that Did Not Reply

A number of organizations failed to provide the information we asked for by the legal deadline. Note that there are any number of reasons why this may be — it is not necessarily the fault of the organization in question. We will continue to work on getting data from these organizations:

  1. Cumbria Fire and Rescue Service
  2. Gangmasters and Labour Abuse Authority
  3. GCHQ
  4. Home Office
  5. Humberside Fire and Rescue Service
  6. MI6
  7. Ministry of Justice
  8. National Crime Agency
  9. Police Service of Scotland
  10. Royal Air Force Police
  11. Royal Military Police
  12. Royal Navy Police
  13. Scottish Criminal Cases Review Commission
  14. West Midlands Fire Service

In addition to these, the Ministry of Defence did respond to our inquiry (PDF) via traditional mail. As a result, we received it only shortly before publication. More important, it did not provide information, but rather asked for additional details. We will continue to pursue this matter.

Update (March 25, 2017)

We eliminated our total for the military police because we cannot confirm the number from public records and have received no responses from the Royal Air Force, Navy, and Army. We have increased our numbers because of late arriving FOI responses. We increased the numbers for Police Scotland up to 1,267, Greater Manchester Fire and Rescue to 83, Hertfordshire Fire and Rescue to 12, and Northern Ireland Fire and Rescue to 6.
