MI5 faces court ruling over unlawful surveillance warrants

Unlawful handling of surveillance data

The latest legal challenge follows revelations that the intelligence agency handled surveillance data in an “undoubtedly unlawful manner”, and failed to inform surveillance watchdog the Investigatory Powers Commissioner’s Office (IPCO) of serious failures.

Privacy International’s legal director, Caroline Wilson Palow, said that the government had promised robust safeguards under the Investigatory Powers Act – known as the Snooper’s Charter – to ensure that people’s confidential data was not misused, but had failed to deliver them.

“For more than a decade, MI5 has been building massive datasets by systematically collecting our personal information. Such practices are a serious interference with our right to privacy and threaten democratic values. We were promised that robust safeguards were in place so that such data would never be abused, yet it turns out that those safeguards were in some cases illusory,” she said.

MI5’s breaches were revealed in a series of heavily redacted documents, including correspondence between IPCO and the security service, the home secretary, and reports of inspections carried out by IPCO disclosed in court in 2019.

They revealed that senior judges, known as judicial commissioners, issued warrants for bulk surveillance after MI5 wrongly briefed them that it was meeting the data-handling obligations required under the Investigatory Powers Act.

The then Investigatory Powers Commissioner, Adrian Fulford, said it was impossible to reconcile MI5’s explanations of the handling arrangements to the judges “with what MI5 knew over a protracted period of time what was happening”.

The documents revealed that MI5 failed to protect legally privileged material and other key safeguards, resulting in “serious compliance gaps”, said Fulford.

A senior MI5 official told Fulford that personal data collected by MI5 might be stored in “ungoverned spaces”, and a review in 2016 found a “high likelihood” of discovering surveillance material when it should have been deleted. Fulford said that MI5 officials has used “misleading euphemism” to describe the failures.

MI5’s historical lack of compliance was of “such gravity” that the IPCO “will need to be satisfied to a greater degree than usual that it is fit for purpose”, Fulford wrote.

MI5 delayed reporting breaches

The documents show that MI5 delayed reporting failures to the IPCO.

Staff at MI5 first discovered the agency was failing to meet compliance gaps in January 2016. MI5’s board did not become aware of the issue in January 2018 and did not report it to the IPCO until February 2019.

“Without seeking to be emotive, I consider that MI5’s use of warranted data... is currently, in effect, in ‘special measures’,” Fulford wrote. ICPO sent a team of inspectors to MI5 for a week-long investigation after discovering the breaches.

The then home secretary, Sajid Javid, first confirmed that MI5 had breached the Investigatory Powers Act in its handling and retention of data belonging to the public in a statement to Parliament in May 2019.

Javid said the IPCO had concluded that there were serious compliance risks which required mitigation. “The commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner,” he wrote.

The IPCO was due to give a response in its annual report. It has published an annual report for 2017, but has yet to publish reports for 2018 or 2019.

Javid has commissioned an independent review to report back on what lessons could be learned for the future.

Compliance failures

MI5 has a history of compliance failures, and has actively lobbied against independent scrutiny, previously classified documents reported on by Computer Weekly reveal.

In September 2018, the Investigatory Powers Tribunal found that MI5 had unlawfully intercepted and accessed private communications from Privacy International.

MI5 said an audit had discovered data from the pressure group in the “workings” areas of MI5’s intelligence systems and that it had been viewed and analysed. But it had fallen outside the normal safeguards for handling data because it had not been compiled into an intelligence report.

In 2016, it emerged that MI5 had wrongly told its staff that it a “unique exemption” granted by the then home secretary, Teresa May, to access bulk databases on the public’s private phone email and web browsing activities without seeking approval.

Andrew Parker, the former director general of MI5, pushed back on pressure from May for independent scrutiny of data requests, arguing it would cause “significant disruption, reduce our effectiveness and introduce inconsistencies”.

Classified documents revealed that, in 2007, Parker used a lunch meeting to persuade judges at the Investigatory Powers Tribunal to keep the existence of data the agency had on bulk personal data sets secret from people who filed complaints to the tribunal.

Liberty lawyer Megan Goulding said that it was clear the public needed to how the extent of MI5’s unlawful use of interception data.

“It’s clear that the so-called safeguards in our surveillance laws are totally ineffective in protecting our rights. The Snoopers’ Charter needs to be torn up and the government must create a targeted surveillance regime that protects us while respecting our rights and freedoms,” she said.