Now 16,318+ British Cops, Suits & Spooks Can Now See Every Website You Visit

Last Updated: March 25, 2017

The Investigatory Powers Act (IPA) is a new law that makes mass surveillance legal in the United Kingdom. All citizens’ mobile phone and internet use will now be logged, and the law also allows the government to secretly bypass encryption, among other things.

The Act specifies a number of job roles that have access to your Internet Connection Records (ICRs). Many people are concerned about just how many people in the government have access to them. And they should be!

In Summary: Who Has Access?

WhoIsHostingThis filed almost 100 Freedom of Information Requests to find out exactly who gets access to your data. We can now reveal that there at least 16,318 employees in government and public sector who have legal access to your ICRs. And this number only accounts for two-thirds of the organizations mentioned in the Act.

Our current total represents a lower bound – the minimum number of people who have access to what you do on your computer. Over time, we will doubtless learn more and revise this total. Here is the current breakdown:

td {
padding-left: 1em;
padding-right: 1em;
}

If you wish, you can embed this table into your own webpage by copying the text in the following box. It links back to this page in case anyone wants to see the details.

How We Got These Numbers

Section 4 of the Investigatory Powers Act states the roles required for access to Internet Connection Records. There are two levels of access: Full, or Entities. Entities is a restricted view.

All roles in the Act are the minimum required to access Internet Connection Records. In our Freedom of Information Requests, we asked for the names of all roles senior to the minimum role required, as well as a headcount for each role. Not all organizations provided this, but many did.

Our Purpose

The aim of this article is not to “name and shame” the people with access to your data. After all, many of them never asked for access, may not want it, and may privately oppose the Investigatory Powers Act.

But it’s important to get to grips with the sheer scale of the issue. There are a dizzying number of people with access to your private data. They all have permission to see what you get up to on your laptop or phone. And, in some cases, it isn’t clear how their jobs have anything to do with the supposed reasons the IPA was passed in the first place.

For example, the Department for Work and Pensions and the Food Standards Agency don’t seem to have anything to do with terrorism or human trafficking.

The Numbers In Detail

The figures we present here come from our Freedom of Information Requests and information on the internet. Some organizations did not respond in the allotted time, some requested further information from us, and others are exempt from providing this information. For these reasons, and the complications around how job sharing is reported, these figures should be considered a minimum.

Number of Police With Access

The Investigatory Powers Act allows Police Inspectors to view a truncated version of your Internet Connection Records (including entities in your Internet Connection Records, and links between those entities). Because the data is opened up to senior roles, we know that Chief Inspectors will also get to see this entity data.

England and Wales

According to 2015 figures, there were 7,358 Inspectors and Chief Inspectors in the force in England and Wales.

Full Internet Connection records can be accessed by anyone with the rank of Superintendent or Chief Superintendent, and any member of staff senior to those roles. Based on the 2015 data, that’s 7,358 officers at those ranks and 1,358 officers above. That makes 8,716 officers in the police force in England and Wales with access to ICRs.

Ministry of Defence

The Ministry of Defence (MoD) Police says that it has a total of 119 in the ranks of Inspector or Chief Inspector. There are 19 officers above that rank, for a total of 138 with ICR access.

At this point, it’s worth noting that at least one MoD policeman has been investigated and relieved of duties for misuse of data in recent years. He was suspended after searching police logs for personal information about the ex-footballer Paul “Gazza” Gascoigne, proving that misuse can and does happen.

Northern Ireland and Scotland

In the Northern Ireland police force, there are at least 436 staff with the role of Inspector or higher, and 21 at Superintendent or higher.

Police Scotland confirmed the figures for its force after processing our Freedom of Information Request. There are 861 police inspectors, 240 inspectors, 117 superintendents, 38 Chief Superintendents, 7 Assistant Chief Constables, 3 Deputy Chief Constables, and 1 Chief Constable, adding 1,267 to the total.

That makes a total of 1,724 officers in Northern Ireland and Scotland with access to ICRs.

Army, Navy, Air Force

The Royal Air Force, Navy, and Army police did not reply to our Freedom of Information Request within the allowed time.

We found a 2013 report on (PDF) gov.uk that there are 5,294 personnel at the rank Commander (Royal Navy Police), Lieutenant Colonel (Royal Military Police), and Wing Commander (Royal Air Force Police). But this represents the entire military. At this time, we do not know how many military police officers have this rank. Just as important, we do not know if general military personnel above this rank will have access.

As a result, we cannot provide an estimate for this category at this time.

Policing Totals

Given all the people with access to all of this data, it is of some import that the Chief Constable of Police Scotland was criticized in August 2016 for failing to secure his own personal Facebook page. If the head of the Scottish police has trouble managing his own internet privacy, 58 million UK citizens should surely be concerned that he’s in charge of their data too.

Police total so far: 10,578. Remember: this is based on incomplete data, so it is a low estimate.

We Don’t Know About Access at MI5, MI6, and GCHQ

The intelligence agencies presented a particular problem for our investigation.

MI5

MI5 stands for Military Intelligence, Section 5, and is responsible for domestic counter-intelligence and security. Currently, it employs approximately 4,000 people.

The Act allows General Duties 3 staff (or more senior) to access full Internet Connection Records, and General Duties 4 access to Entities only. We asked MI5 for the number of staff in these roles, but they declined to provide any figures.

MI6

MI6 stands for Military Intelligence, Section 6, and is responsible for gathering intelligence from outside the UK to support certain UK government activities. Full ICRs will also be available to MI6 staff at Grade 6 or above. We do know that MI6 had 2,479 staff in March 2015 and plans to recruit 1,000 more by 2020. We don’t know how many are at Grade 6 or above, and MI6 did not respond to inquiries.

In 2016, MI6 and MI5 were found to have breached human rights law by collecting bulk communications data without consent. This is the kind of activity that the Investigatory Powers Act was designed to legalize.

GCHQ

GCHQ personnel who have a role of GC8 or above also have access to ICRs. But GCHQ has not responded to our inquiries.

As we have no confirmed numbers for this section, we have not added anything. But it is certain that MI5, MI6, and GCHQ would increase our total by a significant amount.

Number of People at HMRC With Access

We already know that Her Majesty’s Revenue and Customs (HMRC) scrapes social media accounts to find data about UK taxpayers. This data is fed into its analytics platform, Connect, and merged with information about UK residents’ wages, pensions, bank accounts, investments, and online shopping habits. Now that dataset will be augmented with the online activity of ordinary UK residents.

Full Internet Connection Records are visible to Senior Officers at HMRC, while entities are available to Higher Officers. In a 2016 summary of junior posts, there were 2,123 Senior Officers, and 844 Higher Officers. All of the people above these roles also have access, but HMRC did not classify exactly which roles would fall into those groups.

So far, this represents 2,967 HMRC employees, by our count, making our running total 13,545 people – which is a very conservative estimate.

Number of People in Emergency Services With Access

At the Marine and Coastguard Agency, 4 staff can see entity data, and 7 other staff have full access to Internet Connection Records. The Maritime Operations Commander is among them, as is the Head of Enforcement. The Marine and Coastguard Agency did not recognize some of the job roles in the wording of the Act, so this figure may be higher.

Even this relatively small figure should concern you. According to a 2016 Freedom of Information request, the Marine and Coastguard Agency’s IT security audit revealed 16 “significant” security risks. It did not, however, provide any information about the nature of those risks.

At fire brigade and ambulance services, Internet Connection Records are available to Watch Managers and Duty Managers in control rooms. These people are in charge of directing the response to incidents. All of the roles senior to these people also have full access to ICRs, including Brigade Managers, Area Managers, Operations Managers, and others.

We made Freedom of Information Requests to each individual fire or ambulance authority, and we confirmed at least 644 people with access across all of the fire and ambulance services that responded.

That brings our total to 14,189 that are known.

Number of People With Access Elsewhere

Here are the responses to our FOI requests, along with the figures we were given:

• 279 people at the Competition and Markets Authority
• 326 at the Department of Health Medicines and Healthcare Products Regulatory Agency
• 10 at the Department of Health Anti-Fraud Unit
• 59 at the Department for Work and Pensions
• 3 at the Common Services Agency for the Scottish Health Service
• 13 at the Criminal Cases Review Commission
• 537 at the Department for Communities in Northern Ireland
• 5 at the Department for the Economy in Northern Ireland
• 11 at the Department of Justice in Northern Ireland
• 13 at the Financial Conduct Authority
• 45 at the Food Standards Agency
• 5 at Food Standards Scotland
• 56 at the Gambling Commission
• 45 at the Health and Safety Executive (HSE)
• 10 at the Independent Police Complaints Commission (IPCC)
• 75 at the Information Commissioner’s Office (ICO)
• 13 at the National Health Service Business Services Authority
• 3 at the Northern Ireland Health and Social Care Regional Business Services Organisation
• 548 people at the Office of Communications
• 16 at the Office of the Police Ombudsman for Northern Ireland
• 2 at the Police Investigations and Review Commissioner
• 49 at the Serious Fraud Office
• 6 at the Northern Ireland Fire and Rescue Board.

This makes for a total of 2,129 more people who have access to Internet Connection Records, bringing our total to 16,318.

There are doubtless many more – based just on the lack of information about MI5, MI6, and GCHQ. But there are potentially thousands more that remain uncounted.

Why This Matters

Again: this isn’t an attempt to shame people with access to your personal data. But it is an attempt to shock you into recognizing how wide-open the access is.

Small-scale data protection breaches happen all the time; large scale hacks aren’t that rare. And the UK government has a long track record of losing personal data accidentally, too.

UK councils also have a dubious record when it comes to misusing surveillance in the past. For example:

• RIPA, a similar, but less intrusive law from 2000, was allegedly misused for surveillance of citizens by 186 different councils in the UK according to a 2016 report. Some of its uses were allegedly as trivial as “spying on people walking dogs, feeding pigeons, and fly-tipping [illegal disposing of waste].”
• A previous report from 2010 cites RIPA being used in surveillance, including by local councils spying on their own employees.
• Some local councils in Scotland have been criticized for having a “dangerously lax attitude” towards civil liberties.

Some misuse may be intentional, while some may be the result of simple ignorance. At least one of the organizations that we approached did not provide an answer to our questions because the respondent did not know what Internet Connection Records are, even after we provided a link to the Act.

The more people that can access the data, the more potential there is for that data to be accessed illegally, or used unethically. And that can compromise your safety and your liberty.

Appendix

Upwards of one hundred FOI requests were filed for this article. Of these, 76 were completed and used in the final version of this article. As we gather more data, we will add to this article. Here are PDFs containing each FOI document we have used:

1. Avon Fire and Rescue Service
2. Bedfordshire and Luton Fire and Rescue Service
3. Buckinghamshire Fire and Rescue Service
4. Cambridgeshire Fire and Rescue Service
5. Cheshire Fire and Rescue
6. Cleveland Fire Brigade
7. Common Services Agency for the Scottish Health Service
8. Competition and Markets Authority
9. Cornwall Fire and Rescue Service
10. County Durham and Darlington Fire and Rescue Service
11. Criminal Cases Review Commission
12. Department for Communities Northern Ireland
13. Department for the Economy in NI
14. Department for Work and Pensions
15. Department of Health Anti-Fraud Unit
16. Derbyshire Fire and Rescue Service
17. Dorset and Wiltshire Fire and Rescue Service
18. East Midlands Ambulance Service NHS Trust
19. East of England Ambulance Service NHS Trust
20. East Sussex Fire and Rescue Service
21. Essex County Fire and Rescue Service
22. Financial Conduct Authority
23. Food Standards Scotland
24. Gambling Commission
25. Gloucestershire Fire and Rescue Service
26. Hampshire Fire and Rescue Service
27. Health and Safety Executive
28. HMRC
29. Independent Police Complaints Commission
30. Information Commissioner
31. Isle of Wight Fire and Rescue Service
32. Isles of Scilly Fire and Rescue Service
33. Kent Fire and Rescue Service
34. Lancashire Fire and Rescue Service
35. Leicestershire Fire and Rescue Service
36. Lincolnshire Fire and Rescue Service
37. London Ambulance Service NHS Trust
38. London Fire Brigade
39. Maritime and Coastguard Agency
40. Medicines and Healthcare Products Regulatory Agency
41. Merseyside Fire and Rescue Service
42. MI5
43. Ministry of Defence Police
44. National Health Service Business Services Authority
45. Norfolk Fire and Rescue Service
46. Northamptonshire County Council Fire and Rescue Service
47. North East Ambulance Service NHS Foundation Trust
48. Northern Ireland Ambulance Service
49. Northern Ireland Health and Social Care Regional Business Services Organisation
50. Northern Ireland Prison Service
51. Northumberland Fire and Rescue Service
52. North West Ambulance Service NHS Trust
53. North Yorkshire Fire and Rescue Authority
54. Nottinghamshire Fire and Rescue Service
55. Office of Communications OFCOM
56. Oxfordshire Fire and Rescue
57. Police Investigations and Review Commissioner
58. Police Ombudsman of Northern Ireland
59. Royal Berkshire Fire and Rescue Service
60. Scottish Ambulance Service
61. Scottish Criminal Cases Review Commission
62. Serious Fraud Office
63. Shropshire Fire and Rescue Service
64. South Central Ambulance Service
65. South East Coast Ambulance Service NHS Foundation Trust
66. South Western Ambulance Service NHS Foundation Trust
67. Operational Structure
68. Staffordshire Fire and Rescue Service
69. Suffolk Fire and Rescue Services
70. Surrey Fire and Rescue
71. Tyne and Wear Fire and Rescue Service
72. Warwickshire Fire and Rescue Service
73. Welsh Ambulance Services NHS Trust
74. West Midlands Ambulance Service NHS Foundation Trust
75. West Sussex Fire and Rescue
76. West Yorkshire Fire and Rescue Service
77. Yorkshire Ambulance Service
78. Norther Ireland Fire and Rescue
79. Greater Manchester Fire and Rescue
80. Hertfordshire Fire and Rescue
81. Police Scotland

Organizations that Did Not Reply

A number of organizations failed to provide the information we asked for by the legal deadline. Note that there are any number of reasons why this may be – it is not necessarily the fault of the organization in question. We will continue to work on getting data from these organizations:

81. Cumbria Fire and Rescue Service
82. Gangmasters and Labour Abuse Authority
83. GCHQ
84. Home Office
85. Humberside Fire and Rescue Service
86. MI6
87. Ministry of Justice
88. National Crime Agency
89. Police Service of Scotland
90. Royal Air Force Police
91. Royal Military Police
92. Royal Navy Police
93. Scottish Criminal Cases Review Commission
94. West Midlands Fire Service

In addition to these, the Ministry of Defence did respond to our inquiry (PDF) via traditional mail. As a result, we received it only shortly before publication. More important, it did not provide information, but rather asked for additional details. We will continue to pursue this matter.

Update (March 25, 2017)

We eliminated our total for the military police because we cannot confirm the number from public records and have received no responses from the Royal Air Force, Navy, and Army. We have increased our numbers because of late arriving FOI responses. We increased the numbers for Police Scotland up to 1,267, Greater Manchester Fire and Rescue to 83, Hertfordshire Fire and Rescue to 12, and Northern Ireland Fire and Rescue to 6.