GCHQ could 'grab' UK shopping data, committee told
Proposed new surveillance laws are so broad they could allow spies to monitor people's banking and shopping habits, MPs and peers have been told.
The draft Investigatory Powers Bill includes plans to store the online activity of everyone in the UK.
But a lesser-known clause would let the security services download personal details from "bulk" databases.
Internet privacy campaigner Jim Killock claimed it could even include things like the Tesco Clubcard scheme.
It was revealed earlier this year that GCHQ is downloading large amounts of personal data, known as "bulk personal datasets", under old pieces of legislation.
The Home Office wants to put the practice on a firmer legal footing and has promised tougher safeguards - including six month warrants issued by the home secretary - and judicial oversight.
But Open Rights Group director Jim Killock, giving evidence to the Parliamentary committee examining the draft bill, said it appeared to suggest mass surveillance.
"What is a bulk data set? Which have been accessed and grabbed by GCHQ so far? Who might that apply to?
"Just about every business in the country operates a database with personal information in it.
"This could be Tesco Clubcard information. It could be Experian's data around people's financial transactions, it could be banking details, it could certainly be any government database that you care to mention.
"It's kind of hard to see where surveillance ends with bulk data sets."
'Join the dots'
The draft bill says investigators need to be able to collect information about "a large number of individuals, the majority of whom will not be of any interest to the security and intelligence agencies".
The information from these "bulk personal data sets" is then analysed to enable officers "to join the dots in an investigation and to focus their attention on individuals or organisations that threaten our national security".
The Home Office cites the example of cross-checking people who have access to firearms with records of known terrorists.
The draft bill would also force internet service providers to keep a record of websites visited by everyone in the UK for 12 months.
The Home Office insists the records, which will be searchable by law enforcement officers, will only include domain names and not individual web pages visited.
But civil liberties campaigners and internet experts told the committee it may prove difficult to exclude private details about web activity from searches.
They also warned that holding vast quantities of data on web browsing increased the risk of a Talk Talk-style hacking attack.
The draft bill would also give legal cover to the security services to carry out bulk internet traffic surveillance of the kind uncovered by US whistleblower Edward Snowden.
Shami Chakrabarti, of Liberty, urged the Home Office to come up with a "new bill" to protect the public that did not have such sweeping powers.
She told the committee: "I think my fundamental objection is too much of this is about sanctioning mass surveillance of entire populations and departing from traditional democratic norms of targeted, suspicion-based surveillance for limited purposes, and there are insufficient safeguards against abuse."