Police, security services and other public bodies bungled nearly 1,000 requests for citizens' communications data in a year, a new report has revealed.
Communication service providers (CSPs, which include ISPs and telcos) were also blamed for some of the cock-ups: the study for 2011 found that two people were wrongly arrested as a result of typos on information interceptions.
"Unfortunately in two separate cases where a CSP disclosed the incorrect data, the mistakes were not realised and action was taken by the police forces on the data received," said Interception Communications Commissioner Sir Paul Kennedy, the report's author.
He continued: "Regrettably, these errors had very significant consequences for two members of the public who were wrongly detained / accused of crimes as a result of the errors."
Kennedy noted that in those instances, which both have investigations underway, it was the same unnamed CSP at fault and not the public authority that had requested the data.
The snooping-on-the-snoopers commissioner added that after being initially unhappy with the CSP's explanations about what went wrong, the company had since introduced "sensible measures" that - it is hoped - should prevent similar errors in the future.
However, while it was decided that a CSP was responsible for the two worst cases of communications data request errors last year, the commissioner's report actually showed that public authorities were largely to blame for admin cock-ups resulting in the wrong British citizens being spied on.
Sir Paul's report was published as parliamentarians scrutinised Home Secretary Theresa May's drafted internet surveillance law, aka the Communications Data Bill.
Requests in numbers
In 2011, a total of 494,078 requests were made by public authorities including local councils, the UK Border Agency, the police and spooks, during which time 895 errors were reported to Sir Paul's office.
He said that approximately 80 per cent of those failures to submit the correct information had been down to public authorities, while CSPs were to blame for the remaining 20 per cent of communications data request errors.
The same report also highlighted the incompetence of two local councils for acquiring communications data by relying on "approval" from an individual who lacked the necessary authority to grant such access.
"In total 52 requests were made by these two local authorities and regrettably this data was therefore not acquired in accordance with the law," Sir Paul said.
"It was also shocking to find that the same person had acted as the applicant, SPoC [single point of contact] and DP [designated person] in one of those local authorities," he said. "Not only does this represent non-compliance with the Code of Practice, it also means that the requests had a complete lack of scrutiny in the individual local authority as they were effectively self-authorised."
He added that there had been two instances in which local councils had requested traffic data from CSPs, even though they are restricted from doing so under the The Regulation of Investigatory Powers Act (RIPA).
The commissioner's inspectors also uncovered one incident where a local authority had acquired communications data that did not meet the "necessity criteria" under RIPA.
Sir Paul explained that the "application related to an allegation that a parent living outside the catchment area of a school provided an address within the catchment area in order to secure a school place."
However, communications data was requested without the council in question specifying any criminal offences to justify the probe.
The commissioner said that "communications data must only be acquired for the purpose of preventing or detecting crime and where there is an intention to gather evidence for use in legal proceedings".
Just last week, Paul Bettison of the Local Government Association - who appeared before MPs and peers scrutinising the Home Office's draft communications law - dismissed accusations that local authority officials had abused their RIPA powers and said he wanted to "dispel the myths that we've been frivolous in the past".
During that same confab, it was revealed that public bodies including councils could yet - via secondary legislation - be granted access to communications data under May's proposed new law.
The Home Secretary had offered a tiny concession to Lib Dem opponents of her bill earlier this year, by proclaiming that councils and other public bodies would be excluded from such access requests, even though the vast majority of applications to spy on British citizens comes from spooks and the police.
On Friday, Prime Minister David Cameron said in a ministerial statement responding to the commissioner's report:
There have, regrettably, been breaches and errors in the use of these powers. While these have been few in number relative to the overall number of applications, the government is not complacent; the causes of these breaches and errors will need to be addressed.
Sir Paul's report can be viewed here [PDF]. ®