The security service MI5 acted unlawfully by intercepting and accessing private communications data belonging to the campaigning group Privacy International, Britain's most secret court has ruled.

MI5 admitted today (25 September 2018), at a hearing of the Investigatory Powers Tribunal, that it had captured and read private communications data belonging to non-governmental organisation (NGO) Privacy International.

It emerged that the Secret Intelligence Service (SIS), or MI6, and GCHQ also unlawfully collected data on the activities of the pressure group, which has been campaigning for greater oversight of the security services.

The revelations came during a hearing today in a long-running legal challenge by Privacy International into the lawfulness of the intelligence agencies’ powers to collect bulk communications data (BCD) and bulk personal datasets (BPD) on citizens (see full details below).

Data collection was 'unlawful'

Tribunal chairman Michael Burton made a determination that MI5 had accessed and examined bulk communications data and bulk personal data relating to Privacy International unlawfully. GCHQ and MI6 had also collected bulk communications data and bulk personal data about Privacy International unlawfully.

Caroline Wilson Palow, general counsel for Privacy International, said the ruling had implications for the UK’s surveillance regime, the Investigatory Powers Act 2016.

“Not only was Privacy International caught up in the surveillance dragnet, its data was examined by agents from the UK’s domestic-facing intelligence agency, MI5. We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us,” she said.

The disclosures raised important principles over the protection of the identity of sources who confidentially provide important information to Privacy International and other NGOs, she said.

The Investigatory Powers Tribunal heard that MI5 had discovered that it had collected and examined communications data from the pressure group following an audit of its intelligence handling arrangements.

Communications data can include the date and times of phone calls, details of their recipients, location data from mobile phones, websites visited, and the source and destination of emails.

The data was discovered in the “workings” area of MI5’s intelligence systems and had been viewed and analysed. But it fell outside the normal safeguards for handling data, because it had not been compiled into an intelligence report, the court heard.

The Security Service has reported the breach to surveillance regulator the Investigatory Powers Commissioner's Office (IPCO).
Representing Privacy International, Thomas De La Mare told the court that MI5 did not have any policies on how long it could retain “working data”, or when it would be deleted, leaving open the prospect that it could be retained indefinitely.

“It suggests the way the product of these bulk databases is handled is defective," he said. "What has become apparent is the product of the use of these databases had fallen through the cracks. The handling safeguards have failed.”

Using a sofa as an analogy, De La Mare told the court: “They found a few cushions, but when they put their hand behind them they found a whole bunch of data”.

Andrew O’Connor, representing the government, told the court that MI5 had identified a technical solution to manage the retention and deletion of data in the “workings area” in December 2017, but that it would take some time to implement.

“The solution that is required is not straightforward. It is not as simple as flicking a switch and deleting data. It needs to be an end-to-end process,” he said.

Following a protracted secret hearing in closed session, O'Connor told the court that MI5 had deleted Privacy International's data a day earlier, on 24 September 2018. De La Mare QC said that the destruction of the data "rather impedes" any potential investigation by the regulator, IPCO.

The IPT has previously ruled that the intelligence services' bulk communications data regime was unlawful until 14 October 2016 and that the regime governing bulk personal datasets remained unlawful until the ‘handling arrangements’ were made public on 4 November 2015.

Tribunal chairman Michael Burton made a determination at the end of a half-day hearing that the intelligence services had collected bulk communications data and bulk personal data relating to Privacy International before those dates, and therefore acted unlawfully.
GCHQ held bulk personal data and bulk communications data on the NGO, MI5 also held bulk personal data and bulk communications data on the NGO, and the Secret Intelligence Service (MI6) held bulk personal data on the NGO before the data collection regimes became lawful, he said. Burton also noted that during the same time period, MI5 had accessed and examined both bulk communications data and bulk personal data about Privacy International.

Privacy International demands action and explanation

Privacy International said it would press MI5 to give a full explanation of the circumstances behind its surveillance of the NGO’s data. In a letter to the home secretary, Sajid Javid MP, Privacy International said the database searches ordered by the tribunal showed that:

All three intelligence agencies held – or, in the case of GCHQ, most likely held – data relating to Privacy International in its BPDs, while the BPD regime was unlawful.

Both GCHQ and the Security Service held data relating to Privacy International in its BCD, while the BCD regime was unlawful.

The Security Service acquired and selected for analysis data relating to Privacy International as part of one or more investigations. This data was stored indefinitely, with no period for its review and deletion.

The data was not discovered in initial searches and the circumstances of its discovery have not been explained, the NGO wrote.

“It demonstrates that the agencies are unable to identify accurately and in a timely fashion what data they should hold and where they should hold it, and give a comprehensive and accurate statement to the IPT as to what is held,” it said.

Privacy International is also pressing the home secretary for an explanation of how the government planned to change the Investigatory Powers Act, known as the snoopers’ charter, following a landmark ruling by the European Court of Human Rights on 13 September 2018.

The European Court found the UK government’s mass interception programme was incapable of keeping interference to individuals' rights to that necessary in a democratic society, and violated the right to privacy enshrined in Article 8 of the European Convention on Human Rights.

“The Investigatory Powers Act does not address the court’s concerns,” it said. In particular, the government needs to strengthen the safeguards that govern how the secret intelligence agencies examine data gathered through surveillance.

Long-running legal battle exposed gaps in regulation

Privacy International started its legal action in June 2015 to challenge the UK’s use, retention, storage and deletion of databases containing highly sensitive information on the population, following revelations by Edward Snowden that the UK was engaged in mass surveillance on a huge scale.

The NGO’s legal action has led to the disclosure of previously secret information that reveals how the UK intelligence services collect databases of personal information about UK citizens from companies, public bodies, telecommunications companies and internet service providers (ISPs).

The case centres on bulk communications data (BCD) obtained by the intelligence agencies from telephone companies and ISPs, and databases containing sensitive personal details of the population, known as bulk personal datasets (BPDs).

BPDs hold personal and biographical details about individuals – the vast majority of which are unlikely to be of intelligence interest – including records of travel, financial transactions, social media activities and communications data, which may include legally and journalistically privileged communications.

BCDs include details of websites visited, email contacts, records of email traffic, the location of mobile phones and call data. Although they do not include the content of emails or phone calls, communications data can be used to build a detailed profile of an individual.

The NGO argues that communications data can be used to build up a “deep and comprehensive” picture of a person’s private life, including what they read online, where they shop, whether they access pornography, what dating sites they use, or whether they visit sites for people with HIV, other medical conditions or seek information on abortion.
Mobile telephone data records the user’s location, which can be used to generate a detailed picture of where the person was, his or her destination, and other intimate details such as whether they have visited a doctor, lawyer or attended a religious service. Government bodies access communications data on a large scale. In 2017, for example, more than 700,000 applications for communications data were granted to local authorities and government agencies under the Regulation of Investigatory Powers Act (Ripa).

GCHQ unlawfully collected communications data for a decade

In its first judgment following Privacy International's legal challenge, the Investigatory Powers Tribunal (IPT) ruled on 17 October 2016 that Britain’s intelligence agencies had secretly and unlawfully collected the population’s phone and internet data for more than a decade.

The collection of bulk communications data had been kept secret from Parliament and the public, the tribunal found, in effect making its practice unlawful under human rights law, particularly Article 8 of the European Convention on Human Rights.

The government missed several opportunities to publicly avow bulk data collection when codes of practice were being introduced or amended. “It seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament,” the IPT ruled.

GCHQ had been collecting bulk communications data on the UK population since 1998, but with responsibility for oversight split between several regulators, there was no adequate oversight until the government publicly "avowed" the programme in November 2015.

The intelligence agencies began collecting bulk personal datasets on the population in 2016. But there was no statutory oversight until March 2015, when the government avowed the existence of bulk personal datasets.

“While each of these datasets in themselves may be innocuous, intelligence value is added in the interaction between multiple datasets. One consequence of this is that intrusion into privacy can increase,” the tribunal held.

Documents disclosed in Investigatory Powers Tribunal hearings shed light on secret state

MI5 used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information on sensitive databases holding highly intrusive records about the population.

Security service MI5 carried out a rear-guard attempt to avoid seeking independent approval for accessing the public’s internet, web, email and phone records.

Intelligence watchdog did not audit or inspect the way intelligence services share sensitive surveillance databases with industry partners.

Foreign secretaries gave GCHQ ‘unfettered discretion’

The Investigatory Powers Tribunal ruled in a second judgment on 23 July 2018 that successive foreign secretaries had unlawfully given GCHQ “unfettered discretion” to require internet and telephone companies to hand over bulk data about their customers.

Evidence disclosed during the case showed that GCHQ’s “Section 94 directions” requiring internet and phone companies to hand over their data were worded in such a way that they allowed the secretary of state to delegate the power to request communications data to the director of GCHQ, or any person authorised by him.

GCHQ often made requests orally to telephone and internet companies, leaving no written records of those requests and providing regulators with no practical means to review whether the data handed over was necessary and proportionate. In practice, GCHQ had “carte blanche”.

“It was entirely understandable that in the aftermath of the 9/11 attack on New York the directions made in November 2001 should have been drafted broadly so as to allow GCHQ to vary the data it sought as intelligence requirements rapidly developed,” the tribunal ruled. But the scope of those powers should have been reviewed, it said.

The tribunal found, in the light of new evidence, that the bulk communications data regime was in breach of article 8(2) of the European Convention on Human Rights, until 14 October 2016 – 11 months longer than it had determined in its first judgment.

GCHQ slammed for misleading evidence

The tribunal's second judgment also criticised GCHQ for providing misleading evidence over directions issued by the foreign secretary under Section 94 of the Telecommunications Act 1984, which required internet and telecommunications companies to give the intelligence services access to their customers' communications data.

Privacy International discovered five serious errors in written evidence given by a former senior director responsible for mission policy, which later had to be corrected.

The director, who gave evidence from behind a screen in an open hearing, claimed that IT contractors may have systems administrator rights during the design, build and testing phase of a project, but that once it was complete those rights were passed to members of GCHQ staff.

After the hearing, he submitted a new witness statement retracting his evidence, stating that GCHQ did grant contractors systems administrator rights to live GCHQ IT systems.

“Following a change in policy a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the director said.

The tribunal said GCHQ had breached its duty of disclosure and raised concerns that it may have passed similarly inaccurate information to the independent commissioners responsible for overseeing its work.

“This will have meant the commissioners were not overseeing GCHQ on a complete and accurate picture of what it was actually doing. We are satisfied that the giving of the incorrect information constituted a breach of GCHQ’s duty to make disclosure to the tribunal under s68(6) of Ripa,” it said.