UK intelligence agency MI5 admits “unlawfully spying” on Privacy International

Thames House in London: the home of MI5 (Photo Credit: Wikimedia Commons)

Thames House in London: the home of MI5 (Photo Credit: Wikimedia Commons)

The UK’s domestic-facing intelligence agency MI5 – the Security Service – has admitted that it captured and read registered charity Privacy International’s private data as part of its Bulk Communications Data (BCD) and Bulk Personal Datasets (BPD) programmes, which hoover up massive amounts of the public’s data. In further startling legal disclosures, all three of the UK’s primary intelligence agencies – namely MI5, MI6 and GCHQ – also admitted that they unlawfully gathered data about Privacy International or its staff.

According to Privacy International, the intelligence agencies have repeatedly denied that their BPD and BCD programmes are tantamount to mass surveillance of people not suspected of any wrongdoing. Documents published today, however, demonstrate that Privacy International, an international NGO, has been caught up in MI5’s investigations because its data was part of the UK intelligence agencies’ own vast databases.

These revelations came during the course of Privacy International’s challenge to the BPD and BCD powers, which is currently pending before the Investigatory Powers Tribunal (IPT), a court which is set up to hear claims against the UK’s intelligence services. The IPT is required to inquire into any unlawful activity by the UK intelligence agencies, and to provide a summary of such activity to any claimant that comes before it.

Judgement by the ECHR

Today’s news comes in the wake of last week’s judgement by the European Court of Human Rights (ECHR), as reported by Risk Xtra, which found another of the UK’s mass surveillance programmes – the mass interception of Internet communications – to be unlawful. A major aspect of the ECHR’s criticism of the mass interception programmes was the lack of oversight and safeguards surrounding how the data is collected, searched and accessed. The new revelations highlight the danger that can arise from such a lack of safeguards, the absence of which has allowed an intelligence agency to extract data about a Human Rights charity from that massive trove.

As a result, Privacy International has written to the Home Secretary, Sajid Javid, to request that urgent action is taken. In particular, Privacy International is asking that Javid confirms what changes will be made to the Investigatory Powers Act (more commonly known as the Snoopers’ Charter) provisions as a result of last week’s ECHR judgement. Privacy International is also calling on MI5 to provide a full explanation of the circumstances behind its surveillance of the organisation.

Troubling revelations

Caroline Wilson Palow, General Counsel for Privacy International, said: “Today’s revelations are troubling for a whole host of reasons. The UK intelligence agencies’ bulk collection of communications data and personal data has been shown to be as vast we have always imagined. It sweeps in almost everyone, including Human Rights organisations like Privacy International. Not only was Privacy International caught up in the surveillance dragnet, but its data was actually examined by agents from the UK’s domestic-facing intelligence agency MI5. We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us.”

Wilson Palow continued: “Should a domestic intelligence agency charged with protecting national security be spying on a Human Rights organisation based in London? Shouldn’t such spying, if permitted at all, be subject to the strictest of safeguards? In an era when Human Rights and democracy are under threat all over the world, the UK should demonstrate leadership by protecting its defenders.”

In conclusion, Wilson Calow stated: “Privacy International urges the Government to critically examine its mass surveillance powers as enshrined in the Investigatory Powers Act 2016. They have now been called into question twice in two weeks, by today’s revelations and by last week’s judgement at the European Court. The UK should be a beacon of light in a world where democracy is under threat. Its refusal to curtail the mass surveillance powers of its intelligence agencies casts a shadow over us all.”

Background to the case

The challenge to the acquisition, use, retention, disclosure, storage and deletion of ‘Bulk Personal Datasets’ (BPDs) and Bulk Communications Data (BCDs) by the UK intelligence agencies was commenced by Privacy International on 8 June 2015 (https://privacyinternational.org/sites/default/files/2018-03/A1.%20Claimant%27s%20re-amended%20statement%20of%20grounds.pdf).

The existence of the BPD and BCD regimes was initially secret. The BPD regime was first publicly acknowledged in March 2015, and the BCD regime in November 2015. Until this case, there was very little public knowledge that GCHQ was gathering information about all citizens through a wide range of databases requisitioned from a wide range of telecommunications operators, companies and public bodies.

In October 2016, the Investigatory Powers Tribunal held that the intelligence agencies had breached the right to privacy enshrined in Article 8(2) of the European Convention of Human Rights in respect of both the BPD and BCD regimes, from their commencement over a decade earlier until their public avowal in 2015. The Tribunal held that, during this period, there was not sufficient foreseeability’ or accessibility of the existence of the BPD and BCD regimes, nor of the nature of controls over them. In consequence, the regimes could not be said to be “in accordance with the law.” (https://privacyinternational.org/sites/default/files/2018-03/Privacy%20International%20v%20Secretary%20of%20State%20for%20Foreign%20And%20Commonwealth%20Affairs%20%26%20Ors%20%28Rev%202%29%20%5B2016%5D_0.pdf)

Outstanding issues to be addressed

A number of outstanding issues remained to be addressed at subsequent hearings between June 2017 and July 2018. The June 2017 hearing (https://privacyinternational.org/sites/default/files/2018-03/IPT%20BULK%20DATA%20ORDER%20FOR%20REFERENCE%20TO%20CJEU.pdf) concerned whether the regimes were in compliance with EU law. On this matter, on 8 September last year, the Investigatory Powers Tribunal decided to refer questions to the Court of Justice of the European Union concerning the collection of BCD by the security intelligence agencies from mobile network operators (https://privacyinternational.org/feature/1695/bpdbcd-reference-cjeu-october-2017).

In the course of proceedings, it was revealed that a GCHQ witness statement contained serious errors. As a result, Privacy International had the unprecedented opportunity to cross-examine a GCHQ witness in open court (https://privacyinternational.org/press-release/1641/press-notice-unprecedented-opportunity-pi-cross-examine-gchq-open-court).

Unfettered discretion

On 23 July this year, the Investigatory Powers Tribunal held that successive Foreign Secretaries wrongly gave GCHQ unfettered discretion to collect vast quantities of BCD from telecommunications companies and, as a result, the BCD regime was not ‘in accordance with the law’ as required under Article 8(2) ECHR until 14 October 2016 (https://www.ipt-uk.com/judgments.asp?id=45).

Whether and what determination the Investigatory Powers Tribunal will make in relation to the intelligence agencies’ holdings of Privacy International’s data is the subject of the current hearing.

*All disclosures and documents can be found at https://privacyinternational.org/legal-action/bulk-personal-datasets-bulk-communications-data-challenge

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts