MI5 wrongly told staff it was exempt from privacy safeguards

Security service MI5 carried out a rearguard attempt to avoid requirements to seek independent approval for accessing the public’s internet, web, email and phone records

MI5 wrongly claimed it had been granted a unique exemption, by former home secretary Theresa May, from applying privacy safeguards to access databases containing data on the public’s private phone, email and web browsing activities.

Secret documents released during a court hearing at the end of July 2016 show that the security service misleadingly claimed to its own staff that it was “uniquely exempt” from seeking independent approval for accessing private communications data (CD).  

The documents came to light at a hearing at the Investigatory Powers Tribunal (IPT), brought by the charity Privacy International to challenge the legality and lack of safeguards over intelligence services’ use of bulk personal datasets.

Bulk personal datasets held by MI5, MI6 and GCHQ contain highly sensitive information about the population, including location and travel history, internet and mobile phone use, and financial information.

The intelligence agencies match the data with other databases to find targets of interest. The Home Office published an updated version of its Code of Practice for the Acquisition and Disclosure of Communications Data in March 2015, requiring the intelligence services to seek approval from independent members of staff, known as designated persons (DPs), before accessing private communications data during all investigations.

MI5 wrongly told staff Theresa May had exempted it from code of conduct

But a secret briefing note issued by MI5, dated 27 October 2015, informed employees that the security service had been granted special exemption from seeking independent approval by the home secretary and two regulatory bodies.

“MI5 uniquely and temporarily has an exemption granted by the home secretary from this requirement. This exemption is based on the national security exemption provided for in the code. This approach has also been agreed with the relevant oversight body, IOCCO, and the interception of communications commissioner,” it said.

The document revealed that this meant investigative and operational managers could “remain lead authorisers for requests made by officers in their own teams”, effectively overriding government demands for independent scrutiny of applications to access sensitive communications data.

Government solicitors acknowledge claims were untrue

But in an embarrassing U-turn, treasury solicitors acting for the government wrote to the tribunal, saying guidelines for staff claiming that MI5 had an exemption from Theresa May, and that its approach had been approved by the Interception of Communications Commissioner’s Office (IOCCO), were untrue.

“We are instructed to say that it was not correct to say, as of October 2015, that: the home secretary granted an exemption (indeed neither the current code, or its predecessor, provides the home secretary with the power to “grant an exemption”); or the approach described above had been agreed with the IOCCO or the interception of communications commissioner.”

According to the letter, the Security Service instead relied on a provision in the code that said having ongoing operations or investigations immediately affecting national security issues “could” constitute circumstances where it was not necessary to seek independent approval. “In practice this is the case for all Security Service investigations.”

How MI5 fought a rearguard action against greater oversight

The disclosure is part of a tranche of documents released during the four-day hearing that show the intelligence services have been fighting a rearguard action for years against greater oversight of their access to communications data.

On 28 July, Computer Weekly revealed how MI5 used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information on sensitive databases holding highly intrusive records about the population.

The Security Service was able to skirt requirements to seek independent approval for accessing communications data under a code of practice introduced in 2007, the letter from the Treasury Solicitors revealed.

MI5 relied on a provision in the code that designated persons “should” not be responsible for granting authorisations in relation to investigations in which they are directly involved. In practice, that allowed MI5 to avoid the requirement entirely.

“The interception commissioner and IOCCO were made aware that this was the case in all Security Service’s investigations at their inspections, and were satisfied that this practice was not in contravention of the code,” the letter stated.

MI5 resisted pressure from Theresa May for independent oversight

Even as late as last year, Andrew Parker, the director general of MI5, had been resisting pressure from the then home secretary, Theresa May, to move away from the practice of allowing investigators to authorise their own access to communications data (see How MI5 resisted pressure for greater scrutiny from Theresa May, below).

In March 2015, he warned May that the appointment of independent designated persons to approve more than 100,000 data requests issued by MI5 each year would cause “significant disruption, reduce our effectiveness and introduce inconsistencies that will have the opposite effect to what is intended”.

“Furthermore, there does not appear to be a pressing litigation or reputational requirement to commit to make these changes now, and we can therefore see no obvious gain in doing so,” he said.

In April, he wrote again to May, warning that MI5 would not meet her deadline to put independent approval in place for investigations into sensitive professions, which included medical doctors, journalists and religious ministers.

Two months later, he warned May that her proposals would require MI5 to extend independent approval more generally, would require more staff, and would pose significant problems. “Implementing operationally independent authorisation for all of our CD requests would be a substantially greater ask.” 

And in December 2015, he wrote to dissuade May from including these safeguarding measures in the forthcoming Investigatory Powers Bill, which will give new rights to law enforcement agencies for suspicionless surveillance.

“I continue to have strong reservations about agreeing now to more widespread changes for targeted CD requests,” he told her. The move, he said, would divert effort from front-line investigations, without any clear benefit.

“Widening access to these would, in my opinion, introduce significant operational risk by extending the knowledge of our most sensitive operations beyond those with a legitimate requirement to know the details,” he said.

Anthony May raised concerns with MI5 in 2014

The Interception of Communications Commissioner’s Office, which oversees surveillance by the security services, did not raise the question of independent oversight with MI5 until 2014, according to previously secret documents.

In December that year, the IOCCO, run by Anthony May, carried out an inspection of the security service’s compliance with the Human Rights Act, the Regulation of Investigatory Powers Act (Ripa) and its Code of Practice. The heavily redacted inspection report found that, contrary to expected good practice, the designated persons responsible for approving communications requests were aware of the investigations they were being asked to sign off.

It reported that many were not recording the reasons for their decisions. “It is recommended that MI5 reviews this area of the process and implementation measures,” said the report.

A year later, IOCCO warned in its 2015 inspection report that the situation had become even more critical. “The Security Service must devise a strategy and implement procedures to ensure that DPs are independent from operations,” it insisted.

MI5 claimed it was acting in line with code of conduct

MI5 argued that its processes were in line with the code of conduct – “which has been agreed by your office and the Home Office for several years” – according to a letter from the deputy director, interception and digital intelligence, in March 2015.

The code, he said, “allows for public authorities which have ongoing operations or investigations immediately impacting on national security issues to not need to call upon a designated person who is independent from their operations and investigations”.

According to evidence at the July tribunal, MI5 was reminded of the need for checks and balances on its use of communications data in 2010, when Robert Hannigan, now the director of GCHQ, published a report advocating greater safeguards.

Criticism over MI5’s use of the Telecommunications Act 1984 to gather personal data

Privacy International’s legal action has shed light on the use made by MI5 and GCHQ of the Telecommunications Act 1984 to obtain bulk data on the population, rather than the Regulation of Investigatory Powers Act 2000, which requires stronger privacy safeguards.

The practice was acknowledged publicly for the first time by May as home secretary in November 2015. According to evidence presented at the tribunal, “bulk communications data…involves large amounts of data, most of which relates to individuals who are unlikely to be of any intelligence interest”.

The interception of communications commissioner, Swinton Thomas, expressed reservations about the practice as early as 2004 in a long chain of letters with GCHQ.

Swinton finally acquiesced, telling GCHQ in November that year: “I have … reached the conclusion, not without some difficulty, that the present system for retrieval of data pursuant to a Section 94 direction is lawful.

“The requirement of a Ripa…authorisation would cause real difficulties which could not have been envisaged by Parliament when Ripa was enacted. I am, therefore, content that you should proceed as proposed,” he said.

MI5 admits staff looked up records of 20 celebrities

But does the lack of independent approval for searches of bulk personal data matter? Evidence presented at the tribunal suggests it does.

According to the government, intelligence agents in MI5 have used bulk databases to carry out searches of 20 celebrities, which were not operationally justifiable.

Between 2009 and 2012, three different users carried out searches of high-profile individuals, without authorisation.

And there were 17 searches of high-profile individuals between 2009 and 2011, which may not have been operationally justifiable. However, the Secret Intelligence Service has no formal records of conversations with their line managers to be able to confirm one way or another.


How MI5 resisted pressure for greater scrutiny from Theresa May

19 March 2015

Andrew Parker, director general of MI5, wrote to the then home secretary, Theresa May, raising concerns about proposals to require intelligence agencies to seek independent authorisation for accessing communications data, with a report from David Anderson due in only a few weeks’ time.

“My chief concern is that apparently small changes made to the way we do our business, and particularly how we authorise and oversee it, can – if they are not considered in the round and managed carefully – cause significant disruption, reduce our effectiveness and introduce inconsistencies that will have the opposite effect to what is intended,” he said.

Parker revealed that the Security Service makes more than 100,000 requests for communications data a year. The suggestion that the Security Service reorganises its structures to ensure those signing off requests to access communications data are more independent from the investigation “would add additional bureaucracy to investigators’ jobs and would increase the processing time for requests because those taking the decisions would not be familiar with the relevant investigative context”.

“Furthermore, there does not appear to be a pressing litigation or reputational requirement to commit to make these changes now, and we can therefore see no obvious gain in doing so,” he said.

27 March 2015

In a letter to Parker, May emphasised the importance of strengthening independent oversight for access to communications data.

She asked Parker to appoint designated persons to approve requests to access the data of professions with duties of confidentiality, such as lawyers and journalists, by April 2015. She also asked him to give careful consideration to how independent authorisation could be introduced more generally.

21 April 2015

Parker wrote to May, informing her that he was taking steps to change MI5’s business model and IT systems to introduce independent authorisation for collecting communications data of professionals in sensitive areas.

“We are making good progress, but will not hit your deadline,” he said.

3 June 2015

May wrote to ask Parker to update her on the Security Service’s plans to introduce independent authorisation to access communications data, which includes telephone calls, email conversations and web browsing activity.

30 June 2015

Parker confirmed that MI5 had put procedures in place for independent authorisation of the collection of communications data from members of sensitive professions. “We cannot yet estimate the impact but our instinct is that the number of requests will be small and manageable,” he said.

But he warned May that “implementing operationally independent authorisation for all of our CD requests would be a substantially greater ask.” The additional burden, he said, would necessitate that MI5 added an undisclosed number of additional people to the task. “Given current operational pressures, re-allocating their time for independent authorisation work would have a significant impact…Taken together with the additional system and process changes which would be necessary and the uncertainty of the shape of the Investigatory Powers Act, we think there are significant risks from implementing independence from all CD authorisations at this point.”

18 December 2015

Parker wrote to May again, objecting to proposals for independent approval for accessing communications data, particularly in the forthcoming Investigatory Powers Bill.

“I continue to have strong reservations about agreeing now to more widespread changes for targeted CD requests,” he told her. “We submitted a total of more than 100,000 individual requests for CD in 2014, through 40,000 applications. If we were to switch to an arrangement where each of these had to be authorised by someone within MI5 who is unfamiliar with the case…we would be adding a non-trivial amount of administrative burden,” he wrote.

The impact, he said, would be to divert effort from frontline investigations, without any clear benefit.

“Our main priority would be to protect security around the most sensitive cases. Widening access to these would, in my opinion, introduce significant operational risk by extending the knowledge of our most sensitive operations beyond those with a legitimate requirement to know the details,” wrote Parker.
