Claire Cormack

MI5 staff repeatedly overrode data surveillance rules

Security service MI5 is responsible for 210 “clear contraventions” over five years for the way it accessed private internet and telephone data

MI5 staff failed to follow the agency’s rules for accessing details of the population’s email, web browsing and phone use on more than 200 occasions over five years.

Documents reveal that security service investigators requested and authorised access of its database of bulk communications data verbally rather than in writing, overriding the agency’s own code of practice.

MI5 reported the failure to the interception of communications commissioner, Stanley Burnton, in May 2016. He subsequently revealed there had been 210 “clear contraventions of the handling arrangements and the security service’s internal policies”.

According to evidence given by an anonymous deputy director of MI5, staff generally filled in a form later, but admitted: “In a very small number of cases there is no record of written authorisation.”

The evidence was disclosed at Privacy International’s hearing against the security and intelligence agencies at the investigatory powers tribunal in July 2016.

“This is yet another example of how oversight of the collection and use of bulk communication data has been frustrated,” said Privacy International lawyer Caroline Wilson Palow.

“Without written records of when such intrusive datasets are accessed, it’s impossible to know if safeguards were respected or if abuses occurred.”

On 5 August 2016, Privacy International and five comms providers applied to the European Court of Human Rights to challenge GCHQ’s use of bulk hacking outside the UK.

It also filed a high court judicial review of the tribunal’s earlier decision, which determined that the British government can issue general warrants to hack the electronic devices of broad classes of people both inside and outside the UK.

Datasets of the innocent

MI5 first set up a database of bulk communications data – information on the phone calls and internet use of a large group of people, most of whom will be innocent – in 2006, according to the unnamed deputy director’s statement.

Since 2008, the database has held information on communications that took place up to 12 months previously. Since September 2009, its continuing existence has been authorised twice a year by the home secretary.

To access the database records, MI5 investigators and analysts gain authorisation from a “designated person”. They are meant to do this through a form stating their opinion that access is necessary and proportional, and that they have considered the impact of collateral intrusion on innocent people.

On 3 May 2016, an MI5 officer new to the designated person role told its compliance investigations team that some requests had been made and approved verbally.

A day later, the agency reminded its designated persons of the need for advance written justifications. On 20 May, it formally reported the breach to the interception of communications commissioner.

Designated persons not independent

In his July 2016 report, the commissioner noted that MI5’s designated persons are generally not independent from investigations, raising questions about the oversight of access to communications data.

While in “a very small number of cases” there was an urgent requirement to access data without written process, for “the vast majority” this was not the case. He recommended improvements to training and guidance. MI5 was still carrying out a review when the report was published in July 2016.

Documents from the case have revealed that MI5 misled its own staff by saying it was “uniquely exempt” from having to seek independent approval to access communications data.

In 2007, the agency invited six judges from the tribunal to lunch, to persuade them not to reveal the extent of bulk personal data.

The 210 verbal requests, made over five years, represent a small proportion of the whole, given that MI5 made 20,042 applications for communications data in 2015 alone.

Burnton said he was satisfied that the data requested in the 210 cases were accessed for legitimate purposes and that retrospectively written applications met the necessity and proportionality tests.

Medical data not held

The recently released documents include a specific denial by all three intelligence agencies that they maintain databases of medical data.

In a witness statement, a senior leader of the Secret Intelligence Service (SIS or MI6) wrote: “SIS can confirm that it does not currently hold, and has never held, a bulk personal dataset of medical records, whether sourced from UK or overseas healthcare providers, including the NHS.”

However, the officer added that occasionally data on health or medical conditions appears in other datasets, such as “the requirement for a braille passport”.

SIS does not collect bulk communications data, although both GCHQ and MI5 do, according to the agencies’ submission to the tribunal hearing. The agencies’ lawyers refused to accept, but did not deny that the agencies’ retention of communications data covered all mobile telephones in the UK.

GCHQ travel data tool

A 2010 Cabinet Office review of agencies’ use of bulk personal data, released as part of the tribunal process, revealed that GCHQ held flight manifests gathered through interception.

In its witness statement to the tribunal, a GCHQ deputy director wrote that, since 2014, it has run “a new travel data tool that uses various different feeds of information to build a picture of the travel of individuals” that is accessible by analysts at MI5 and SIS.

The deputy director added that the agency introduced an upgraded “corporate tool” in spring 2016. This is so staff could search “target detection indicators”, including email addresses, computer hardware media access control (Mac) addresses, phone numbers and passport numbers. The tool replaced a similar system in use since 2012.

The GCHQ officer added that bulk personal datasets held by the intelligence services might also include the electoral register, phone directories, “financial data (such as data relating to suspicious financial activity)” and data from other intelligence and law enforcement agencies, “such as data about individuals with access to firearms”.

No haystack, no needle, says MI5

The agencies argue that the use of bulk data helps eliminate innocent people from enquiries without more intrusive invasions of privacy.

MI5’s deputy director wrote that in late 2004 and early 2005, a bulk dataset search for an Al-Qaeda operative planning a suicide operation in the UK initially threw up 27,000 potential candidates. Filters reduced this to 3,000, matching with another dataset cut it to 40, and a final check against passport data led to a single match.

“Holding the data in bulk (and holding data relating to persons not of intelligence interest) is an inevitable and necessary prerequisite to being able to use these types of dataset to make the right connections between disparate pieces of information,” he said. “Without the haystack, one cannot find the needle.”

Read more about UK government surveillance

  • Britain’s biggest web companies will be forced to build a national network of massive internet surveillance centres if MPs approve proposals the Home Office wants to rush through parliament.
  • Phone and internet service providers should keep records of customers’ phone calls, email and web browsing history only if it is necessary to tackle serious crime.
  • The UK’s top intelligence court has ordered Police Scotland to pay £10,000 to a former officer after finding that the force unlawfully obtained his communications data.

Read more on Telecoms networks and broadband communications

Data Center
Data Management