Secret court asked to quash a decade of MI5 surveillance warrants following ‘systemic breaches’

The culture at MI5 was to ‘prioritise’ missions ‘over everything else’, including compliance with safeguards designed to protect the public, the UK’s most secret court heard yesterday

Warrants for bulk surveillance of UK citizens have, for more than a decade, been obtained illegally and should be quashed, a tribunal has heard.

Human rights organisations Liberty and Privacy International are seeking through a joint claim to nullify the MI5 data capture warrants signed off by a series of home secretaries.

The warrants, which allowed MI5 to intercept vast amounts of private and sensitive information, had been “obtained as a result of material non-disclosures”, according to Tom De La Mare QC, acting for the two human rights groups.

The Investigatory Powers Tribunal, the UK’s most secret court, heard that MI5 had unlawfully gathered vast amounts of information that may have extended to millions of citizens, including lawyers and journalists.

De La Mare told the tribunal that the warrants should therefore be quashed, since full and frank disclosure – on which there had been a “conscious failure” to engage within MI5 – would have revealed that they were unlawful.

The tribunal heard that not acting to quash the warrants would reward “systemic” wrongdoing among intelligence agencies.

“Leaving the warrants in place” will have “wide remedial consequences”, said De La Mare, preventing many future claims from being brought against those responsible for the alleged overreach and data retention failures since 2010.

MI5’s data handling systems have been in a “parlous state” during this time, the tribunal heard, with one “technical environment” used to store intercept material described as “akin to the Wild West”, in an internal MI5 document.

Culture of ‘systemic’ non-compliance

The tribunal was told that “systemic” breaches in the obtaining, storage and retention of the public’s data were embedded and widespread practices within MI5.

This, Liberty and Privacy International’s legal representatives argued, was due to a series of deep-rooted cultural factors “baked into” the organisation.

The culture at MI5 was to “prioritise” missions “over everything else”, according to the transcript of an internal interview submitted to the court.

“Staff are hugely motivated. The challenge can be that the mission is prioritised over everything else. Compliance can often be at conflict at times. The organisation is more used to considering security issues and this trumping the mission. Compliance is not yet seen in the same way in the organisation,” the document reads.

In one case, when an MI5 team raised a compliance issue, those at “the top of the office” were clear that it needed fixing immediately, the transcript read. “Perhaps the priority [of compliance] is not understood at the lower levels where the mission is seen as the top priority.”

“It is still [MI5’s] case that there has been no breach of full and frank disclosures. There’s no evidence they understand or hold any insight into their legal liabilities”
Ben Jaffey QC

According to Ben Jaffey QC, there was “a very strong desire in MI5 to do everything they could to withhold information” from oversight bodies and from the court process.

He said there was “a high level of knowledge” of the breaches and other failures “within MI5”.

“It is still the respondents’ case that there has been no breach of full and frank disclosures,” he told the court. “There’s no evidence they understand or hold any insight into their legal liabilities.”

However, the court heard that widespread breaches had been noted within MI5 as recently as 2022. De La Mare pointed to internal communications dated earlier this year, which indicated that such problems were still “systemic” within the agency.

The Security Service reported its “failure to adhere to safeguards” to the Investigatory Powers Commissioner in June 2020, after discovering that it had retained authorised information in the “technical environment” when there were no longer any grounds to keep it.

“We therefore assess that this case may be symptomatic of a more systemic issue, that there is likely to be further warranted or authorised material that has been stored in [the technical environment] for longer than is necessary and proportionate,” MI5 wrote in its report to the regulator.

“The failure to enforce the necessary safeguards is likely to have resulted in the occurrence of further breaches,” it added.

The landmark case brought by Liberty and Privacy International seeks to challenge the sweeping powers granted to intelligence services bodies by the 2016 Investigatory Powers Act (or Snoopers’ Charter).

The full extent of data interceptions is not known, but is believed to cover millions of citizens’ communications – including sensitive material shared with journalists and confidential, privileged legal correspondence.

‘Heads would roll’

“Heads would roll” if similar failures had occurred in a police force, De La Mare told the tribunal. “Or, if there’d been a cover-up [of similar scale and seriousness] at a firm like Google, there would be huge fines.”

“If any of this happened in a criminal context, in the seeking of criminal warrants by the police…there’d be a tsunami of judicial reviews and of civil cases.”

De La Mare argued that the “weighty responsibilities” of national security concerns had led MI5 to disregard its legal responsibilities in an apparently consequence-free manner.

The organisation, once it became aware of the legal breaches, failed to notify its oversight body, the Investigatory Powers Commissioner’s Office (IPCO) and the Investigatory Powers Tribunal (IPT), as well as seeking to play down the gravity of the breaches by recasting them in “euphemistic language”.

De La Mare said, however, that “these are matters of the gravest importance”.

He told the tribunal that there was “conscious non-disclosure” of this legal non-compliance “at the highest levels of MI5” from at least 2018 onwards, if not earlier. One of the consequences of such practices was that MI5 may have misled the Secretary of State and Parliament, he added, when the Investigatory Powers Act bill was being debated by lawmakers.

At the beginning of 2018, MI5 highlighted shortfalls in its procedures for retaining, deleting and destroying confidential material, particularly relating to legal professional privilege, according to internal Security Service documents.

De La Mare spoke of “conscious data breaches for more than a year and a half…concerning data of this ilk and sensitivity. And not a single person has yet been disciplined”.

He added: “This catalogue of failings, in any other area of public service, would lead to huge fines.”

‘Discrete’ area of operations

Legal representatives acting for the state bodies argued that the problems highlighted with MI5’s electronic surveillance operations were not as critical or as deeply embedded within the organisation as had been suggested to the court.

Acting for the government and for MI5, James Eadie QC told the tribunal that the issues under consideration related only to “discrete” areas of MI5 operations and that the claims of a non-compliance culture at the agency were contradicted by evidence submitted to the tribunal.

“The problems were, of course, serious, but relate to a discrete area of MI5’s operations,” he said, referring to the ‘technical environment’ in MI5, an area that was found not to be compliant with required data safeguards.

Eadie told the tribunal that no evidence submitted to the court suggested that highly confidential information had been at risk of exposure to “hostile actors”, arguing “the outer perimeter was safe”.

Citing a review undertaken by Sir Martin Donnelly, a former permanent secretary, and views expressed by the IPCO regulator, he also said: “The assertions of cultural non-compliance run directly contrary to the opinions of others who have considered these precise issues.”

Eadie, however, conceded there had been unlawful practice in MI5’s data handling practices. There were, he said, therefore “obvious remediation issues that needed to be grappled with”.

The tribunal had heard during the first day of evidence submissions that home secretaries had simply taken MI5 at its word when approving data capture warrants. Successive secretaries of state at the Home Office also failed to investigate MI5 even after they had received indications the intelligence agency was acting outside of the law.

Eadie said of the home secretary’s role: “Of course the secretary of state can’t completely abandon her responsibility and just rely on MI5 oversight…but the point is that the secretary of state is entitled to rely on the expertise and mastery of MI5.”

The rest of the case will be heard during three days of secret “closed” hearings, which will consider further legal arguments and testimony from unidentified witnesses.

The case continues.

Read more about MI5

Read more on IT legislation and regulation

Data Center
Data Management