Spooky! UK security services found guilty of data misuse. (So it’s not just the Americans!)

(Pixabay )

It’s been common in recent years, since the intervention of Edward Snowden, to accuse the US security services of being intrusive when it comes to data snooping and retention. It’s a fair accusation, even today, but it’s important to note that other nations who often take the moral high ground have dirty hands here too.

Yesterday the UK’s domestic security agency MI5 was found guilty of “serious failings” by an independent tribunal. The spooks have been found wanting when it comes to complying with safeguards relating to the possession and handling of personal data across a number of years.

The Investigatory Powers Tribunal (IPT), headed up by Judge Andrew Edis, issued a written judgement talking about “serious failings in compliance” under the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016, for a period between late 2014 to April 2019. It also picked out the UK Home Office as failing to make "adequate enquiries" while approving the bulk surveillance warrants between 2016 until April 2019.

The ruling followed legal challenges by charity Privacy International and Liberty, the human rights group, who said that the case was about MI5’s:

failures to follow surveillance safeguards and inform its oversight bodies about its law-breaking. The wrongdoing has happened for more than a decade, enabled by the weaknesses in the controversial Snoopers’ Charter. Successive Home Secretaries repeatedly ignored the signs and failed to investigate MI5’s unlawful handling of our data, and continued to sign off on surveillance warrants unlawfully.

The organizations alleged that MI5 unlawfully gave false information to its oversight bodies, so that it could keep getting surveillance warrants, and of storing the public’s data when it had no legal right to do so, failing  to disclose this to the Home Office and other oversight bodies.

In an explainer on the Liberty website, the groups said:

No matter who we are, or what we believe in, we all have basic rights to privacy and free expression. But under the Snoopers’ Charter – the Government has the power to spy on anyone. They can collect, store and examine our data when we’ve done nothing wrong. For years, Liberty has been saying that that the safeguards in the Snoopers’ Charter are insufficient to protect our rights. And we’ve been right – MI5 has been able to ignore surveillance safeguards, handle data however it wanted, and no one spotted what was going wrong…We need our surveillance laws to be targeted and suspicion-based, proportionate and heavily restricted to prevent abuse of power.

Conclusion

In the event, the IPT has backed this argument up to a point, ruling that MI5 did indeed hold large amounts of data, with at least one database lacking the appropriate safeguards around retention, review and deletion:

The holding and handling of data in those circumstances was unlawful on the basis that under the relevant provisions of RIPA and IPA satisfactory safeguards relating to RRD were not in place…We have made findings of serious failures by MI5 and the Secretary of State.

But although it cited what it called a “widespread corporate failure” and said that its findings would be sent to Prime Minister Rishi Sunak, the tribunal fell short of singling out any individual at MI5 or the Home Office for blame. It argued that there was no evidence to suggest that any MI5 officers sought to mislead ministers. So, no heads roll.

The tribunal also dismissed Liberty and Privacy International's wider challenge to the safeguards in place under the Investigatory Powers Act, or to quash any warrants that might have been unlawfully issued. It also failed to drive MI5 to delete any unlawfully retained data on the grounds that this would be “very damaging to national security”.

Liberty noted that the IPT stopped short of finding that the safeguards contained in the UK’s IPA 2016 are ineffective in practice:

We argued - and still argue - that the fact that oversight bodies such as the Investigatory Powers Commissioner and the Home Office did not find out about MI5’s compliance failures until 2019, after they had been ongoing since (at least) 2016, illustrates that existing safeguards for the protection of our rights are not adequate or effective. In our view, they are therefore not compatible with the fundamental right to privacy. In summary, the safeguards currently in place have systematically failed to provide effective oversight and restraint to prevent unlawful interferences with people’s fundamental rights.

We are also disappointed that the IPT refused to grant further relief including the quashing of warrants issued during the period of unlawful handling and the Home Office’s failed oversight, destruction of data, and damages. Effective oversight and accountability need to include concrete consequences when core safeguards are not followed. The government should take this into consideration during the ongoing Investigatory Powers Act 2016’s review.

The current Home Secretary Suella Braverman did concede in a written ministerial statement to Parliament that various of her predecessors had acted unlawfully:

The IPT judgment in this case has found that MI5 unlawfully held data within the relevant technology environment between late 2014 and April 2019, and that the relevant home secretaries acted unlawfully for the period from December 2016 to April 2019, by approving warrants.

I would also like to reassure you that while this case has outlined widespread corporate failings between the Home Office and MI5, these issues are historic and the Home Office has taken steps internally to increase collaboration with MI5 and ensure there is appropriate resourcing in place within the relevant Home Office teams responsible for investigatory powers.

Earlier this month Braverman appointed Lord David Anderson to carry out an independent review of the Investigatory Powers Act 2016. Section 260 of the Act requires that the Secretary of State prepares a report on the operation of the act during a 6 month period between May 2022 and November 2022. Lord Anderson’s review will be “entirely independent” from the Home Secretary’s statutory report and will assess the case for legislative change, now or in the future. The review will focus in particular on the effectiveness of the bulk personal dataset regime, criteria for obtaining internet connection records, the suitability of certain definitions within the act, and the resilience and agility of warranty processes and the oversight regime.

My take

I can’t imagine what Sir Harry Pierce from BBC’s Spooks would have made of it all. Will Anderson’s review have teeth? Or will the comfort blanket of ‘national security’ be wrapped around its conclusions to smothering effect? Time will tell…but I’d be willing to hazard a guess…