MI5 admits to ‘unlawful’ spying on Privacy International

The UK's intelligence agencies acted unlawfully by intercepting communications data on NGO, Privacy International, the UK's most secret court ruled.

The security service MI5 acted unlawfully by intercepting and accessing private communications data belonging to the campaigning group Privacy International, Britain's most secret court has ruled.

MI5, admitted today (25 September 2018) that it had captured and read private communications data belonging to non-governmental organisation (NGO) Privacy International at a hearing of the Investigatory Powers Tribunal.

It emerged that the Secret Intelligence Service (SIS), or MI6, and GCHQ also unlawfully collected data on the activities of the pressure group, which has been campaigning for greater oversight of the security services.

The revelations came during a hearing today in a long-running legal challenge by Privacy International into the lawfulness of the intelligence agencies’ powers to collect bulk communications data (BCD) and bulk personal datasets (BPD) on citizens (see full details below).

Data collection was 'unlawful'

Tribunal chairman, Michael Burton, made a determination that MI5 had accessed and examined  bulk communications data and bulk personal data relating to Privacy International unlawfully. GCHQ and MI6 had also collected bulk communications data and bulk personal data about Privacy International unlawfully.

Caroline Wilson Palow, general counsel for Privacy International said the ruling had implications for the UK’ surveillance regime the Investigatory Powers Act 2016.

“Not only was Privacy International caught up in the surveillance dragnet, its data was examined by agents from the UK’s domestic-facing intelligence agency, MI5. We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us,” she said.

The disclosures raised important principles over the protection of the identity of sources who confidentially provide important information to Privacy International, and other NGOs, she said.

The Investigatory Powers Tribunal heard that MI5 had discovered that it had collected and examined communications data from the pressure group following an audit of its intelligence handling arrangements.

“We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us”
Caroline Wilson Palow, general counsel for Privacy International

Communications data can include the date and times of phone calls, details of their recipients, location data from mobile phones, websites visited, and the source and destination of emails.

The data was discovered in the “workings” area of MI5’s intelligence systems and had been viewed and analysed. But it fell outside the normal safeguards for handling data, because it had not been compiled into an intelligence report, the court heard.

The Security Service has reported the breach to surveillance regulator the Investigatory Powers Commissioner's Office (IPCO).

Representing Privacy International, Thomas De La Mare, told the court that MI5 did not have any policies on how long it could retain “working data”, or when it would be deleted - leaving open the prospect that it could be retained indefinitely. 

 “It suggests the way the product of these bulk databases is handled is defective," he said. "What has become apparent is the product of the use of these databases had fallen through the cracks. The handling safeguards have failed.”

Using a sofa as an analogy, De La Mare told the court:“They found a few cushions, but when they put their hand behind them they found a whole bunch of data”.

Andrew O’Connor, representing the government told the court that MI5 had identified a technical solution to manage the retention and deletion of data in the “workings area” in December 2017, but that it would take some time to implement.

“The solution that is required is not straightforward. It is not as simple as flicking a switch and deleting data. It needs to be an end-to-end process,” he said.

Following a protracted secret hearing - in closed session - O'Connor told the court that MI5 had deleted Privacy Internationals a day earlier on 24 September 2018.

De La Mare QC said that the destruction of the data "rather impedes" any potential investigation by the regulator, IPCO.

The IPT has previously ruled  that the intelligence services' bulk communications data regime was unlawful until 14 October 2016 and that the regime governing bulk personal datasets remained unlawful until the ‘handling arrangements’ were made public on 4 November 2015.

Tribunal chairman, Michael Burton, made a determination at the end of a half day hearing, that the intelligence services had collected bulk communications data, and bulk personal data relating to Privacy International before those dates - and therefore acted unlawfully.

GCHQ held bulk personal data and bulk communications data on the NGO, MI5 also held bulk personal data and bulk communications data on the NGO, and the Secret Intelligence Service (MI6), held bulk personal data on the NGO before the data collection regimes became lawful, he said.

Burton also noted that during the same time period, MI5 had accessed and examined both bulk communications data and bulk personal data about Privacy International.

Privacy International demands action and explanation

Privacy International said it would press MI5 to give a full explanation of the circumstances behind its surveillance of the NGO’s data.

In a letter to the home secretary, Sajid Javid MP, Privacy International said the database searches ordered by the tribunal showed that:

  • All three intelligence agencies held – or, in the case of GCHQ, most likely held – data relating to Privacy International in its BPDs, while the BPD regime was unlawful.
  • Both GCHQ and the Security Service held data relating to Privacy International in its BCD, while the BCD regime was unlawful.
  • The Security Service acquired and selected for analysis data relating to Privacy International as part of one or more investigations. This data was stored indefinitely, with no period for its review and deletion.

The data was not discovered in initial searches and the circumstances of its discovery have not been explained, the NGO wrote. “It demonstrates that the agencies are unable to identify accurately and in a timely fashion what data they should hold and where they should hold it, and give a comprehensive and accurate statement to the IPT as to what is held,” it said.

Privacy International is also pressing the home secretary for an explanation of how the government planned to change the Investigatory Powers Act, known as the snoopers’ charter, following a landmark ruling by the European Court of Human Rights on 13 September 2018.

The European Court found the UK government’s mass interception programme was incapable of keeping interference to individuals rights to that necessary in a democratic society, and violated the right to privacy enshrined in Article 8 of the European Convention on human rights.

“The Investigatory Powers Act does not address the court’s concerns,” it said. In particular, the government needs to strengthen the safeguards that govern how the secret intelligence agencies examine data gathered through surveillance.

Long-running legal battle exposed gaps in regulation

Privacy International started its legal action in June 2015 to challenge the UK’s use, retention, storage and deletion of databases containing highly sensitive information on the population, following revelations by Edward Snowden that the UK was engaged in mass surveillance on a huge scale.

The NGO’s legal action has led to the disclosure of previously secret information that reveals how the UK intelligence services collect databases of personal information about UK citizens from companies, public bodies, telecommunications companies and internet service providers (ISPs).

The case centres on bulk communications data (BCD) obtained by the intelligence agencies from telephone companies and ISPs, and databases containing sensitive personal details of the population, known as bulk personal datasets (BPDs).

BPDs hold personal and biographical details about individuals – the vast majority of which are unlikely to be of intelligence interest – including records of travel, financial transactions, social media activities and communications data, which may include legally and journalistically privileged communications.

BCDs include details of websites visited, email contacts, records of email traffic, the location of mobile phones and call data. Although they do not include the content of emails or phone calls, communications data can be used to build a detailed profile of an individual.

The NGO argues that communications data can be used to build up a “deep and comprehensive” picture of a person’s private life, including what they read online, where they shop, whether they access pornography, what dating sites they use, or whether they visit sites for people with HIV, other medical conditions or seek information on abortion.

Mobile telephone data records the user’s location, which can be used to generate a detailed picture of where the person was, his or her destination, and other intimate details such as whether they have visited a doctor, lawyer or attended a religious service.

Government bodies access communications data on a large scale. In 2017, for example, more than 700,000 applications for communications data were granted to local authorities and government agencies under the Regulation of Investigatory Powers Act (Ripa).

GCHQ unlawfully collected communications data for a decade

In its first judgment following Privacy International's legal challenge the Investigatory Powers Tribunal (IPT) ruled on 17 October 2016 that Britain’s intelligence agencies had secretly and unlawfully collected the population’s phone and internet data for more than a decade.

The collection of bulk communications data had been kept secret from Parliament and the public , the tribunal found, in effect making its practice unlawful under human rights law, particularly Article 8 of the European Convention of Human Rights.

The government missed several opportunities to publicly avow bulk data collection when codes of practice were being introduced or amended.

“It seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament,” the IPT ruled.

GCHQ had been collecting bulk communications data on the UK population since 1998, but with responsibility for oversight split between several regulators, there was no adequate oversight until the government publicly "avowed" the programme in November 2015.

The intelligence agencies began collecting or bulk personal datasets on the population in 2016. But there was no statutory oversight until March 2015 when the government avowed the existence of bulk personal datasets.

“While each of these datasets in themselves may be innocuous, intelligence value is added in the interaction between multiple datasets. One consequence of this is that intrusion into privacy can increase,” the tribunal held.

Documents disclosed in Investigatory Powers Tribunal hearings shed light on secret state

  • MI5 used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information on sensitive databases holding highly intrusive records about the population.
  • Security service MI5 carried out a rear-guard attempt to avoid seeking independent approval for accessing the public’s internet, web, email and phone records.
  • Intelligence watchdog did not audit or inspect the way intelligence services share sensitive surveillance databases with industry partners.

Foreign secretaries gave GCHQ ‘unfettered discretion’

The Investigatory Powers Tribunal ruled in a second judgment on 23 July 2018 that successive foreign secretaries had unlawfully given GCHQ “unfettered discretion” to require internet and telephone companies to hand over bulk data about their customers.

Evidence disclosed during the case showed that GCHQ’s “Section 94 directions” requiring internet and phone companies to hand over their data were worded in such a way that they allowed the secretary of state to delegate the power to request communications data to the director of GCHQ, or any person authorised by him.

GCHQ often made requests orally to telephone and internet companies, leaving no written records of those requests and providing regulators with no practical means to review whether the data handed over was necessary and proportionate. In practice, GCHQ had “carte blanche”.

“It was entirely understandable that in the aftermath of the 9/11 attack on New York the directions made in November 2001 should have been drafted broadly so as to allow GCHQ to vary the data it sought as intelligence requirements rapidly developed,” the tribunal ruled. But the scope of those powers should have been reviewed, it said.

The tribunal found, in the light of new evidence, that the bulk communications data regime was in breach of article 8(2) of the European Convention on Human Rights, until 14 October 2016 – 11 months longer than it had determined in its first judgment.

GCHQ slammed for misleading evidence

The tribunal's second judgment also criticised GCHQ, for providing misleading evidence over directions issued by the foreign security under Section 94 of the Telecommunications Act 1984, which required internet and telecommunications companies to give the intelligence services access to their customers communications data.

Privacy International discovered five serious errors in written evidence given by a former senior director responsible for mission policy which later had to be corrected.

The director, who gave evidence from behind a screen in an open hearing, claimed that IT contractors may have systems administrator rights during the design, build and testing phase of a project, but that once it was complete those rights were passed to members of GCHQ staff.

After the hearing, he submitted a new witness statement retracting his evidence, stating that GCHQ did grant contractors systems administrator rights to live GCHQ IT systems.

“Following a change in policy a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the director said.

The tribunal said GCHQ had breached its duty of disclosure and raised concerns that it may have passed similarly inaccurate information to the independent commissioners responsible for overseeing its work.

“This will have meant the commissioners were not overseeing GCHQ on a complete and accurate picture of what it was actually doing. We are satisfied that the giving of the incorrect information constituted a breach of GCHQ’s duty to make disclosure to the tribunal under s68(6) of Ripa,” it said.

Sharing of bulk data with foreign spy agencies is lawful

The tribunal ruled the UK intelligence services were able to lawfully share sensitive data on UK citizens with overseas intelligence agencies, law enforcement and industry partners, rejecting arguments by Privacy International that the practices lacked adequate oversight.

According to its ruling on 23 July 2018, sharing sensitive data did not breach Article 8(2) of the European Convention on Human Rights which enshrines the right for individuals to privacy.

The tribunal also found that intelligence agencies’ use and collection of bulk personal data and bulk communications data complied with the European Convention.

European Court of Justice to rule lawfulness of bulk surveillance

The Investigatory Powers Tribunal asked the Court of Justice of the European Union (CJEU) to answer a series of questions over the lawfulness of the UK’s bulk communications regime, under European law, following a ruling on  8 September 2017.

The tribunal is seeking to resolve whether a landmark judgment by the CJEU, following a legal claim brought by MP Tom Watson, applies to bulk communications data.

The court of justice found that European Union (EU) law did not permit member states to adopt legislation that allows general and indiscriminate retention of data.

According to the European Court's ruling, an independent body must authorise any access to data, only the data of those suspected of serious crimes could be accessed, and that those who had their data accessed must be notified.

“The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.” .

The question of the applicability of Watson judgment is complicated by the e-Privacy Directive (EPD) and Article 4 of the Treaty on European union (TEU), which states that national security is the sole responsibility of each member state – issues which the tribunal is waiting for the European Court of Justice to resolve.

This article was updated on 26 September 2018

Privacy International at the Investigatory Powers Tribunal

25 September 2018

Privacy International asks the Investigatory Powers Tribunal (IPT) to make a determination on unlawful behaviour by the intelligence services.

23 July 2018

The IPT rules that the government acted unlawfully by allowing intelligence agencies to gather data on UK citizens without proper oversight from the foreign secretary, following new powers after the 2001 attacks on the World Trade Centre. The tribunal criticises GCHQ for giving materially inaccurate evidence. It updates its first judgment in the case to say GCHQ had operated illegally until 14 October 2016, rather than 4 November 2015. It holds that the government had not breached the European Convention on Human Rights by sharing intercepted communications data with law enforcement or industry partners, and that collection and retention of bulk personal data was proportionate in law.

12-13 March 2018

The IPT hears evidence that the foreign secretary had unlawfully delegated authority for obtaining bulk communications data from telecoms internet companies to GCHQ staff, following disclosure of further evidence by intelligence agencies. Privacy International questions the legality of GCHQ giving systems administrator rights to sensitive databases, and the proportionality in law of mass collection of citizens’ personal data.

26 February 2018

A witness from GCHQ gives evidence in a public hearing of the IPT for the first time, from behind a screen. Much of the evidence focuses on the security issues surrounding GCHQ’s use of contractors with systems administrator rights to sensitive IT systems.

10 January 2018

Tribunal hears evidence from MI5, MI6 and GCHQ in a secret “closed” session.

1 December 2017

Privacy International asks the tribunal to reconsider its judgment in October 2016, following the disclosure of further evidence which challenges the adequacy of oversight of the intelligence agencies.

17-19 October 2017

Privacy International argues that the UK’s intelligence agencies are unlawfully sharing huge datasets containing sensitive information about the population with industry partners, government departments and overseas intelligence agencies, without adequate independent oversight. The government says there were sufficient safeguards in place.

It emerged during the hearings that the UK intelligence agencies hold a bulk database containing the records of potentially millions of people’s social media use; independent commissioners had been kept in the dark about the data sharing between the intelligence agencies and other organisations; GCHQ was given “amber” warning lights for non-compliance following a regulatory inspection; and GCHQ can legally repurpose information gathered for “national security reasons” for use for  “the prevention and detection of crime” and share it with other agencies.

8 September 2017

The IPT refers questions to the Court of Justice of the European Union, over the legal compliance of the intelligence services’ bulk communications data regime with EU law.

5-9 June 2017

Privacy International argues in a five-day hearing at the IPT that the government’s collection of electronic data on the population, including details of phone calls, emails, web browsing and databases of financial and travel records, are illegal and lack adequate safeguards. The intelligence watchdog discloses it had never audited intelligence agencies’ sharing of data with industry.

17 October 2016

The tribunal rules that the intelligence agencies illegally collected data on UK citizens in bulk personal datasets (BPD) and bulk communications datasets (BCD) for over a decade.

26-29 July 2016

The tribunal hears arguments over the legality of use by the intelligence services of Section 94 of the Telecommunications Act 1984 to harvest bulk communications data, in effect by passing the safeguards in the Regulation of Investigatory Powers Act 2000. The practice remained secret until November 2015. During the hearings, tribunal judges admit that they lack the technical understanding to assess the impact of state surveillance on the privacy of individuals.


Read more on Privacy and data protection

Data Center
Data Management