The Home Office has unlawfully allowed MI5 to gather vast amounts of the public’s data by wrongly approving bulk surveillance warrants, Britain’s most secret court heard on 25 July 2022.
The human rights groups Liberty and Privacy International told the Investigatory Powers Tribunal that MI5 has provided false information to obtain warrants for bulk surveillance. The Home Office failed to investigate breaches by MI5, some of which date as far back as 2010, the court heard.
Liberty lawyer Megan Goulding said that the case showed that the UK’s surveillance laws are not fit for purpose and fail to offer adequate safeguards to protect the public from abuse.
“For 10 years, MI5 has been knowingly breaking the rules and failing to report it, and the government has failed to investigate clear red flags. There has been no proper investigation into MI5’s breaches by the Home Office despite having been put on notice by briefings,” she said.
“Instead, the home secretary continued to issue unlawful warrants, and MI5 kept information from authorities about how it mishandled our data,” she added.
The Security Service has admitted during the course of legal hearings that it stored the public’s data when it had no legal right to do so, and that it failed to disclose the problems either to the Home Office or to oversight bodies.
According to submissions presented to the Investigatory Powers Tribunal, MI5 broke key legal safeguards by unlawfully retaining and using individual’s private data gathered through covert surveillance.
In particular, MI5 breached safeguards governing how long it could lawfully retain data and who had access to it, according to legal submissions filed by the human rights groups.
The Security Service also failed to follow safeguards designed to protect legally privileged material which includes private correspondence between lawyers and their clients.
The tribunal was told today that the Home Office and successive home secretaries failed to investigate MI5’s failures despite having information that indicated MI5 was acting outside the law.
Home secretaries can only approve surveillance warrants if they are satisfied that MI5 is meeting safeguards to ensure that intercepted data is handled lawfully. But Privacy International and Liberty argue that the government has repeatedly ignored signs of MI5’s unlawful handling of data and that the Home Office continued to unlawfully sign-off on surveillance warrants.
The groups say in legal submissions that MI5 was aware of systematic compliance risks in its electronic surveillance operations as far back as 2010, but did not take steps to understand or fix the problems for a number of years.
The Security Service failed to report its non-compliance to the Home Office and regulators, and failed to disclose it to the Investigatory Powers Tribunal during relevant litigation for several years.
MI5 also gave false information about its legal compliance to the home secretary and the Investigatory Powers Commissioner’s Office (IPCO), which regulates surveillance, which led to further unlawful warrants being issued.
MI5 failed to disclose data handling failures
The tribunal heard today that MI5 had “extraordinary” and “unparalleled” access to “highly private” information, but there were “systematic failings” in MI5’s data handling practices, and it had failed in its duty to disclose the problems to the Home Office and regulators.
Tom De La Mare QC said: “What you have is a moving target of non-compliance and a series of counter measures taken [by MI5] against disclosures.”
That lasted over a period of three to four years, at least – although it’s likely to be as many as nine years, he said, adding: “The respondent suggests they [the problems under consideration] have been [addressed and fixed since they emerged] – we suggest they haven’t been.”
The tribunal heard that MI5 email correspondence dated just weeks before the hearing described the data-handling problems under consideration as “systemic”.
De La Mare said: “Having declared that the problem had been fixed around three years ago...it has become apparent that it is still ongoing.”
MI5 ‘lost control’ of its information management system
Ben Jaffey QC told the tribunal: “There is a mystery as to how MI5 officers applying for warrants felt able to give assurances to the secretary of state.”
Retaining data you no longer need constitutes a grave breach of privacy for any organisation, Jaffey added. “When you no longer need data, you have to get rid of it and you have to get rid of it promptly,” he said.
Jaffey told the tribunal that MI5 did not have a full sense or understanding of the data it held, in part due to its retention practices. This, he said, “is an indication that MI5 has lost control of its own information management system”.
The IPCO and home secretary were both “not told what was happening” with bulk data handling in 2018. That led to growing voices of concern within MI5, Jaffey told the tribunal.
At the start of that year, MI5 highlighted shortfalls in its procedures for retaining, deleting and destroying confidential material, particularly relating to legal professional privilege, according to internal documents.
In December 2018, five to seven months after the Investigatory Powers Act came into force, MI5’s information policy director prepared a note recommending that MI5 brief the Home Office and the IPCO over MI5’s compliance failures.
“Failure to report in a timely fashion, would, if discovered by IPCO or by the Investigatory Powers Tribunal, be considered a significant breach of trust and is likely to lead to public censure, damage to reputation and calls to curb our powers,” the note said.
The report said that MI5 could choose not to report compliance issues, but there was a risk that if IPCO or the ICO learned of the issues “through a whistleblower, a data loss, forced disclosure in an IPT hearing, the failure to report would significantly undermine the trust we have built up with IPCO and would be likely to lead to public criticism and censure.”
“If we report voluntarily, rather than appear to have the information forced from us, IPCO may be less likely to take a hard-line response,” the note said.
The internal communications showed that the risk of regulators learning of MI5’s compliance issues was considered as an argument to notify oversight bodies such as the IPCO in 2018 – but, crucially, this did not happen.
Suggestion that MI5 misled Parliament
There is a suggestion that MI5 failed in its “full and frank disclosure” duty and even misled Parliament when the Investigatory Powers Bill was being debated and developed, De La Mare told the tribunal.
This raises questions as to whether the legislation was therefore underpinned by an incomplete, if not “misleading”, picture of MI5’s data-handling practices and alleged overreach, he said.
MI5 had recognised the importance of the deletion of files and intercepted bulk data before Edward Snowden’s disclosure of US and UK’s interception capabilities in 2013, the tribunal heard.
Ben Jaffey QC argued said that this shows “the idea that MI5 were not aware of this before 2014 or 2015” is non-credible.
He pointed to an MI5 letter asking for a “full account” of retention, storage and destruction practices and policies, given that Snowden’s disclosures had caused considerable “public concern”.
Instead of addressing data-handling failures, MI5’s approach at this point was to “accept the risks” of its approach and to downplay their implications and consequences by recasting them in “euphemistic language”.
Liberty’s legal challenge
Details of MI5’s failure to comply with legal safeguards for a period of 10 years first emerged in 2019 as part of a legal challenge by Liberty into the Investigatory Powers Act (IPA) 2016, also known as the Snooper’s Charter.
The government disclosed documents, including correspondence between MI5, IPCO and the Home Office, along with IPCO inspection reports.
They revealed that MI5 unlawfully held surveillance data in “ungoverned spaces” in its IT systems, while IPCO’s reports found that MI5 stored and handled data in an “undoubted unlawful manner”.
Although no information has been disclosed on whose data has been mishandled, the human rights groups believe it is likely to include data on many people who are not suspected of wrong-doing.
Under the Investigatory Powers Act 2016, MI5 and other state bodies are allowed to collect and store wide-ranging data on any member of the public.
The human rights groups are calling for the court to quash all unlawfully issued surveillance warrants and to destroy all unlawfully obtained data. They also argue that the Investigatory Powers Act should be found unlawful.
Privacy International’s legal director Caroline Wilson Palow said that MI5’s persistent failure to follow the law is inexcusable.
“For years, they have ignored safeguards put in place to protect us from abuse. These safeguards are a fundamental check on the vast power intelligence agencies can wield over all of us, especially when they engage in mass surveillance,” she said.
Privacy International campaigned against the Investigatory Powers Act in 2015 when the human rights group raised concerns that the safeguards against abuse were not strong enough.
“Here we are, seven years later, with the rules that are enshrined in law being ignored in practice. Those rules need a radical overhaul,” said Wilson Palow
The case continues.
Read more on Regulatory compliance and standard requirements
MI5 unlawfully collected and held millions of people’s data
Secret court asked to quash a decade of MI5 surveillance warrants following ‘systemic breaches’
Spy agencies need ‘independent authorisation’ to access telecoms data, say judges
Investigatory Powers Tribunal finds UK spy agencies unlawfully collected personal data