A watchdog has criticised MI5 for unlawfully storing and accessing data about people’s telephone and internet activities.
The Security Service failed to inform the Office of the Investigatory Powers Commissioner of serious “compliance risks” for at least a year after it became aware of them, a report the Investigatory Powers Commissioner reveals.
MI5 showed “serious deficiencies” in meeting legal requirements to limit sharing of intercepted phone, email and web browser data and to destroy it when it was no longer needed, the Investigatory Powers Commissioner said yesterday.
MI5 collects bulk data on the population’s phone calls, phone location, email and web browsing activities under warrants approved by the Home Secretary and independent judicial commissioners.
It also accesses databases, known as bulk personal datasets, which contain biographical data and records of the commercial and financial activities, travel and communications of people in the UK, the majority of whom are of no intelligence interest.
In a report published yesterday, Adrian Fulford, who stepped down as Investigatory Powers Commissioner in October 2019, said it was a matter of “serious concern” that MI5 did not bring compliance failures to his attention at an earlier stage.
MI5 was aware that the IT systems, known as “technology environments” used to store and analyse data, were at risk of breaching legally required privacy safeguards since at least 2018, and “probably considerably earlier”, he said in ICPO’s 2018 annual report.
MI5 should have considered whether it could legally continue to collect surveillance data on systems that failed to meet the legal safeguards laid down in the Investigatory Powers Act 2016, also known as the Snoopers’ Charter.
“We judge that, by January 2018 (indeed, most probably considerably earlier), MI5 had a clear understanding of the principle compliance risks associated with these technology environments, to the extent that they should have carefully considered the legality of continuing to store and exploit operational data on those systems,” Fulford wrote.
The report gives only a partial account of the problems discovered at MI5, however documents seen by Computer Weekly reveal that MI5 board was alerted to serious risks in the way it managed information as early as May 2003.
In early 2016, an MI5 lawyer warned that the service held data in “ungoverned spaces” and there was a considerable risk that MI5 would fail to meet its duty under the Security Services Act to hold data only for as long as necessary.
And in October that year, a paper produced for the directors of MI5 concluded “there is a significant risk around the absence of compliance with relevant legislation and codes of practice and handling arrangements”.
Fulford found that MI5 had provided assurances to the secretary of state and to the independent judicial commissioners responsible for approving surveillance warrants that were “wrong and never should have been made”, according to documents seen by Computer Weekly.
“Warrants have been granted and judicially approved on an incomplete understanding of the true factual position,” he said. “The failure to report these matters in a timely way is a matter of grave concern.”
Serious compliance problems
According to Fulford’s latest annual report, MI5 reported serious compliance problems with the computer systems used by MI5 officers to analyse information from a range of sources including surveillance data.
An investigation by IPCO found that MI5 had no review, retention and deletion policies to ensure that intelligence officers did not unlawfully retain private data when it was no longer necessary for intelligence purposes.
The Investigatory Powers Tribunal, which hears national security complaints, subsequently found that MI5 had unlawfully stored and analysed intercepted data after spying on the campaigning group Privacy International.
The Security Service deleted Privacy International’s data before it could be independently scrutinised. However, IPCO said it was able to review a documentary record of the data MI5 collected, and concluded there were no concerns about the necessity and proportionality of the actions taken.
IPCO began a detailed investigation into MI5’s IT systems, which identified serious deficiencies, including inconsistent controls over the way MI5 personnel could copy data from one area to another, after MI5 reported compliance risks in February 2019.
The Investigatory Powers Commissioner found that MI5 was capable of handling intercepted data in compliance with the safeguards under the Investigatory Powers Act in April 2019, after MI5 put in place measures to mitigate the problem.
But it said that MI5 would be subject to further detailed inspections as the security service has yet to fully implement mitigations to address its compliance failures.