Liberty investigation reveals MI5 “unlawfully” handled bulk surveillance data

According to an investigation by Human Rights campaign group Liberty, MI5 has been “unlawfully” retaining innocent people’s data for years. Apparently, and again according to Liberty, the British Security Service has also failed to give senior Judges accurate information about repeated breaches of its duty to delete bulk surveillance data. In addition, MI5 has been criticised for “mishandling” sensitive legally privileged material.

The Investigatory Powers Act (IPA) – known in certain circles as The Snoopers’ Charter – provides the security services with extremely broad powers under warrants issued by ‘Judicial Commissioners’, allowing them to hack computers and phones and intercept people’s communications. These powers permit the Government to carry out what’s known as ‘bulk surveillance’ on huge numbers of individuals who are of no intelligence interest. That information is then stored by the security services for potential investigations in the future.

The Investigatory Powers Commissioner’s Office (IPCO) is responsible for ensuring that privacy protections contained in the IPA are upheld. The IPCO is also there to uphold safeguards around the storage of data and ensure that guidelines for the timely deletion of data are met.

Following the initial revelation last month that MI5 had breached IPA privacy safeguards, a series of ten documents and letters from MI5 and the IPCO, disclosed during the course of Liberty’s ongoing legal challenge to the IPA, have revealed more detail of those breaches, including the finding that MI5 has failed to meet its legal duties “for as long as the IPA has been law”.

Despite heavy redaction by MI5, the documents reveal how “a litany of failures and false assurances” has led to what the Investigatory Powers Commissioner, Lord Justice Fulford, has concluded to be the “undoubtedly unlawful” conduct of the UK’s leading Security Service.

The documents show:

Illegal actions: The Commissioner concluded that the way MI5 was holding and handling people’s data was “undoubtedly unlawful”, stating that: “Without seeking to be emotive, I consider that MI5’s use of warranted data is currently, in effect, in ‘special measures’ and the historical lack of compliance is of such gravity that the IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’.”

MI5 knew for three years before informing the IPCO: MI5 failed to maintain key safeguards, such as the timely destruction of material and the protection of legally privileged material. This, says Lord Justice Fulford, created “serious compliance gaps” in its legal duties. Shockingly, these gaps first became clear to MI5 staff in January 2016 and the MI5 Board in January 2018, but were only brought to the IPCO’s attention in February this year. Even then, Fulford accuses MI5 officials of continuing to use “misleading euphemism” when describing their failure.

False assurances: Warrants for bulk surveillance were issued by senior Judges (known as Judicial Commissioners) on the understanding that MI5’s data handling obligations under the IPA were being met when they were not. The Commissioner has pointed out that warrants would not have been issued if breaches were known. The Commissioner has stated that “it’s impossible to sensibly reconcile the explanation of the handling of arrangements the Judicial Commissioners were given in briefings with what MI5 knew over a protracted period of time was happening.”

In a remarkable admission to the Commissioner, MI5’s deputy director general acknowledges that personal data collected by MI5 is being stored in “ungoverned spaces”, while the MI5 legal team claims that there’s “a high likelihood [of material] being discovered when it should have been deleted in a disclosure exercise leading to substantial legal or oversight failure.”

Liberty commented: “In another example of the disrespect the Government has for transparency and the public’s right to know, it has applied for further details on MI5’s breaches to be provided to the Court through secret evidence and private hearings.”

Liberty lawyer Megan Goulding informed Risk Xtra: “These shocking revelations expose how MI5 has been illegally mishandling our data for years and storing it when it has no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data and our web browsing history. It’s unacceptable that the public is only now learning about these serious breaches after the Government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner who oversees the Government’s surveillance regime. Despite a light being shone on this deplorable violation of our rights, the Government is still trying to keep us in the dark over further examples of MI5 seriously breaching the law.”

Breach of safeguards

Liberty revealed back in May that MI5 had breached safeguards outlined in the IPA for handling the public’s data. So serious was the breach that, when first notified, the IPCO sent a team of inspectors to MI5 for a week-long investigation.

In a statement issued by Home Secretary Sajid Javid, it was confirmed that MI5 had breached the IPA in its handling and retention of data belonging to the public. According to the statement, the IPCO concluded those risks were “serious and required immediate mitigation”. Javid has said that he will launch an independent review of this incident.

The IPA became law in late 2016. It was intended to introduce transparency to state surveillance following Edward Snowden’s revelations of unlawful mass monitoring of the public’s communications. However, it legalised the practices he exposed and introduced what Liberty believes to be hugely intrusive new powers.

The IPA allows the state to collect the content of people’s digital communications and records about those communications created on devices and to hack computers, phones and tablets on an industrial scale. It also allows the creation and linking of huge ‘bulk personal data sets’. The state can keep data on these databases even if it doesn’t suspect individuals of a crime or other threat.

Challenging the surveillance regime

In September last year, Liberty – along with 13 other Human Rights and journalism groups and two individuals – won its challenge to the UK’s previous surveillance regime at the European Court of Human Rights. The European Court found that the UK’s previous regime for bulk interception of data was unlawful.

The IPA replaced, replicated and expanded the intrusive surveillance powers that the European Court found to breach rights to privacy and free expression.

Jon Baines, data protection advisor at Mishcon de Reya, observed: “The IPCO has apparently placed MI5 in ‘special measures’ over its use of data gathered under warrants. This may be significant, not just for the current court case, but also because, as Brexit negotiations continue, this could negatively affect any assessment as to the adequacy of the UK’s data protection laws. If the UK cannot guarantee the security and privacy of people’s data, the European Commission is unlikely to agree to measures regarding the transfer of personal data between the EU and a post-Brexit UK. This might then exert a hugely adverse impact on trade and commerce.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)
