MI5 failed to disclose failings in handling intercepted data, court hears

MI5 failed to disclose serious failures in the way it handled intelligence data to the Investigatory Powers Tribunal, the surveillance regulator and ministers.

The UK’s most secret court has been asked to reopen a key ruling on the legality of electronic surveillance operations, in the wake of new evidence that the MI5 failed to disclose serious breaches in its handling of intercepted data.

The Investigatory Powers Tribunal (IPT) ruled in 2016 that the intelligence services had unlawfully collected bulk phone and internet data, and maintained sensitive bases of personal data on the population for 17 years between 1998 and 2015.

But in a legal challenge, campaign groups Liberty and Privacy International have asked the IPT to reopen the case. The claim follows disclosures in previously classified documents, that show MI5 failed to disclose serious compliance breaches to the court or the surveillance regulator.

Meg Goulding, lawyer at Liberty told Computer Weekly: “The documents show breaches from as early as 2010. These are core breaches – how you share and copy data and what you do with sensitive data around lawyers and their clients.”

Daniel Cashman, representing Liberty and Privacy International, told a case management hearing at the ITP yesterday that MI5 had failed in its duty of candour to the court. The campaign groups argue that the IPT should revisit its findings that bulk surveillance programmes were conducted lawfully after they were publicly avowed in 2015.

In a written claim, the groups allege that MI5 misled the IPT, and the investigatory powers commissioner, by failing to disclose serious failings in its handling of sensitive intercepted communications data, including legally privileged communications for years after they were first discovered.

According to the claim, MI5 gave inaccurate and materially misleading information to the IPT, which led it to conclude that MI5 had safeguards in place. The groups say new evidence from MI5 and the Investigatory Powers Commissioner’s Office (IPCO) “falsifies that conclusion”.

MI5 accused of misleading ministers

The non-governmental organisations (NGOs) also allege that MI5 has misled ministers and the Investigatory Powers Commissioner, which is responsible for overseeing the intelligence services, to grant surveillance warrants to MI5 on a “false basis” over an extended period.

The management board of MI5 were aware that the security service was in breach of both the requirements of UK law and the European Convention on Human Rights as early as May 2013, the NGOs claim. It did not report the matter to the investigatory powers commissioner until February 2019.

“The true nature of the problems was sufficiently serious that even MI5 itself did not understand the true scale and extent of the (systemic) problems,” the NGOs claim.

They allege that from as early as 2014, MI5 “persistently and knowingly” failed to comply with the safeguards of the Regulation of Investigatory Powers Act (RIPA) and the Investigatory Powers Act (IPA), known as the Snoopers’ Charter.

Read more about MI5 and surveillance

  • The security service, MI5, faces legal action to force it to disclose details of its “unlawful” access and retention of intercepted communications data.
  • The security service, MI5, unlawfully spied on the campaigning group Privacy International.
  • MI5 wrongly claimed it had been granted a unique exemption, by former home secretary Theresa May, from applying privacy safeguards to access databases containing data on the public’s private phone, email and web-browsing activities.
  • MI5 used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information on sensitive databases holding highly intrusive records about the population.

MI5 was unable to carry out proper searches of its databases to meet legal disclosure requirements for the IPT, and the UK’s regime for oversight of secret surveillance failed to identify serious systemic problems, even when raised at MI5 board level, it was claimed.

Adrian Fulford, the investigatory powers commissioner, responsible for overseeing surveillance, found that the management board of MI5 was clearly aware that there were problems with the way the agency stored data gathered from surveillance warrants by January 2018 – but the board failed to alert the watchdog.

“It seems to me that to have provided assurances to the secretary of state regarding safeguarding warranted data, that, in hindsight, did not comply with MI5s obligations…amounts to an error of notable gravity,” Fulford wrote in documents lodged in the court.

MI5 board warned of failures in ‘technical environment’

The failures were so serious in an area dubbed the “technology environment” that an MI5 board paper in October 2018 warned that they could lead to successful legal challenges, result in the loss of confidence of ministers and the independent judicial commissioners, restrictions on warrants and reputational damage.

“It is clear that for warranted material in the [technology environment], there has been an unquantifiable but serious failure to handle warranted data in compliance with the IPA for a considerable period of time,” Fulford wrote.

He said assurances were made to the secretary of state and to the independent judicial commissioners, responsible for approving surveillance warrants, that were “wrong and should never have been made”.

“Warrants have been granted and judicially approved on an incomplete understanding of the true factual position,” said Fulford. “The failure to report these matters in a timely way is a matter of grave concern.”

Fulford described the situation as serious and inherently fragile. “Without seeking to be emotive, I consider that MI5’s use of warranted data in the [technology environment] [requires] special measures.

“The historical lack of compliance with the law is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is fit for purpose.”

Court warns MI5 over deleting data

Cashman told the case management hearing yesterday that at a high level, the claim was about the duty of candour of MI5 to the court, the secretary of state and the surveillance regulator, IPCO.

He told tribunal chairman Lord Justice Singh that it would be “highly unfortunate” if there was a repeat of an incident in 2018, when MI5 told the tribunal it had deleted information relevant to the case the day before the hearing.

The court heard that MI5 could not guarantee to preserve all data that might be relevant to the hearing, without specific instructions on what data it should retain.

Andrew O’Connor, representing MI5, told the court that MI5 had existing processes in place that meant data was automatically deleted all the time.          

“That is not something that can simply be changed by making a phone call or sending an email,” he told the court. O’Connor said he would need to submit evidence in closed session that MI5 was unable to stop deletion of data.

Singh said MI5 had a duty of candour and warned that if the security service deleted data relevant to the case, “there would be consequences”.

Culture of ‘permitting unlawful conduct’

The NGOs claim in legal submissions that there is an ingrained institutional culture of accepting and permitting unlawful conduct in MI5. Compliance with the IPA “never became a mission-critical priority for the senior leadership, nor therefore for MI5 staff”, they said.

According to a summary of a compliance review, MI5 was told “it must ensure that all its data can be shown to be held in accordance with legal compliance requirements by June 2020”.

O’Connor told the tribunal that MI5’s legal team was served with the claim at 6.30pm on 31 January and had had only five days to consider it.

“We have not had an opportunity to think carefully about this claim and to sit down and make the proper analysis, simply because we have had it for such a short period of time,” he said.

The case continues.

Court documents reveal MI5 was aware of legal compliance risks from 2010

2010: MI5’s management board is made aware of compliance failure risks.

2011: A compliance review recommends mandatory training for users and the implementation of a retention and deletion policy.

May 2013: MI5 management board discusses a paper setting out serious information management risks. It notes that the work was under-resourced given the scale of the problem, and lacked urgency.

2014: MI5 identifies that it is at risk of substantial “legal or oversight” failure when gathering information for legal discovery.

January 2016: An MI5 lawyer warns there is legal risk that the security service held data in “ungoverned places”. The paper said there was a considerable risk that MI5 would fail to meet its duty under the Security Service Act to hold data only for as long as necessary.

15 January 2016: MI5 reports six instances of non-compliance with the bulk personal dataset (BPD) handling arrangements and 47 instances of non-compliance with bulk communications data (BCD) handling arrangements between 1 June 2014 and 9 February 2016.

October 2016: MI5 concludes that there is a high likelihood that material that should be disclosed under legal discovery process would not be discovered, or that it would be discovered when it should have been deleted, “leading to substantial legal or oversight failure”. MI5 had been aware of the problem since 2014.

July 2016: An MI5 officer states in a witness statement to the Investigatory Powers Tribunal that there was adequate oversight and handling arrangements for BCD and BPDs, which collect sensitive data on the population.

October 2016: A paper produced for the directors of MI5 and others concludes: “There is a significant risk around the absence of compliance with relevant legislation, codes of practice and handling arrangements.”

March 2017: An MI5 report on the “technology environment” identifies significant risks that it did not comply with relevant legislation and codes of practice and handling arrangements.

6 October 2017: MI5 reports that, contrary to its disclosure in February 2017, it held BCD on Privacy International in the “workings” area used by intelligence analysts, which had been collected unlawfully.

October 2017: A paper warning that there remains a legal risk in MI5 failing to find relevant information required for discovery in the “technology environment” is presented to four directors of MI5. It notes that MI5 continues to build some systems that do not have the capability to review, retain and destroy data properly.

January 2018: By now, the MI5 management board knew about serious problems with the way MI5 held data obtained through surveillance warrants in the “technology environment”, including failures to safeguard legal professionally privileged communications. The investigatory powers commissioner, Adrian Fulford, writes that MI5 should have reported the matter to him, and should have considered the legality of continuing to store operational data.

October 2018: An MI5 executive board paper identifies compliance risks in the “technology environment”. This could lead to successful legal challenges, the loss of confidence of ministers, restrictions on warrants and reputational damage. It says MI5 is unable to provide “robust assurances” to oversight bodies.

4 February 2019: A deputy director of MI5 responsible for managing the legal and compliance teams says in a witness statement to the IPT that he is satisfied that MI5’s data-handling requirements are in compliance with RIPA.

27 February 2019: MI5 partially discloses compliance breaches first discovered in January 2016, in an oral briefing to the investigatory powers commissioner Adrian Fulford. IPCO inspectors had not identified the problems during earlier audits.

11 March 2019: MI5 provides a written briefing on its compliance breaches to IPCO. ICPO subsequently orders an audit of MI5 systems.

18- 22 March 2019: IPCO carries out its first inspections of MI5’s “technology environment”.

29 March 2019: IPCO’s first inspection report finds that MI5 had a manual system in place for deleting material covered by legal professional privilege (LLP). However, MI5 can give little assurance that it has complied with any conditions imposed on the use and retention of the material. Some systems within the “technology environment” did not allow LLP material to be highlighted at all, and it was possible that flags marking material as LLP would not be carried over in “file shares”.

1 April 2019: MI5 updates its Handbook for judicial commissioners to highlight “mitigations” that would allow warrants to continue to be issued lawfully.

15-16 April 2019: IPCO carries out further inspections of the “technology environment”.

26 April 2019: IPCO’s second inspection report gives two red warnings – which, if left unfixed, would impact compliance – and three amber warnings on MI5’s “technology environment”.

3 May 2019: MI5 identifies compliance problems in “other areas”, including areas it called “technology environment 2, area 1 and area 2”, associated with bulk data collection. It reports that the area is challenging to investigate and that it has only been able to scan some of the files. MI5 was aware of some of the risks in 2016.

8 May 2019: Investigatory powers commissioner Adrian Fulford says MI5 appears to have been aware of a compliance risks in “technology areas 1 and 2” since 2016. Fulford, who had not been told of the breaches, asks MI5 for an immediate briefing, including whether MI5 had been in breach of the Investigatory Powers Act.

9 May 2019: Home secretary issues a written statement on compliance issues at MI5.

15 May 2019: MI5 discloses to Fulford that it did not know what information was held in “technology environment 2”, nor the associated “working practices” under which data is processed.

June 2019: A compliance improvement review concludes that “MI5 must ensure that all its data can be shown to be held in accordance with legal compliance requirements by June 2020”.

Read more on IT governance

Data Center
Data Management