For nearly a decade MI5 knowingly mishandled data collected through surveillance in violation of statutory safeguards. The service also failed to inform the UK government watchdog IPCO of these unlawful errors. The safeguards and oversight system contained in the Investigatory Powers Act of 2016 is thereby little more than window dressing.

It was revealed last year that the UK Security Service (MI5) has knowingly failed to comply for years with statutory safeguards over surveillance. Among other errors, MI5 has neglected to implement both serious mechanisms for the review, retention, and destruction of retained data and effective safeguards relating to lawyer-client communications. These shocking revelations, which emerged through Liberty’s long-running litigation, prove the UK’s Investigatory Powers Act 2016 (IPA) is not fit for purpose.

The IPA — known as the Snoopers’ Charter — provides UK state agencies with the most extensive surveillance powers of any democracy, allowing them to hack and intercept in bulk and store our data. The UK Government reassures us this is fine. It says that spying on ordinary people is acceptable because people are protected by the safeguards and oversight system contained in the IPA.

Although Liberty objects to suspicionless spying as a matter of principle — no matter how ‘strong’ the safeguards — the revelations of last year have emphatically and objectively settled the question of whether we can rely on the IPA’s safeguards and oversight system to keep us safe.

The answer is no. We have learnt that UK state agencies can collect and store our data in blatant disregard of the rules. We have learnt that because of our woefully inadequate system of oversight, this unlawfulness can go unnoticed for many years. Indeed, we have learnt that the oversight system is so inadequate that agencies can give false information to the Investigatory Powers Commissioner’s Office (IPCO) — the surveillance watchdog — and continue to be granted surveillance warrants.

Our rights will never be properly protected under a mass surveillance system. But the risks are even higher under a system where meaningless safeguards can be ignored and surveillance on ordinary people is unfettered.

Even in the UK Government’s own logic, this cannot be lawful.



What happened

MI5’s longstanding and serious failings emerged during Liberty’s legal challenge to the IPA heard last year. Liberty is a UK human rights campaigning organisation with a long history of holding the UK State to account over surveillance.

Because of the UK Government’s ‘duty of candour’ (i.e. obligation to inform the Court of relevant matters), the Government revealed that MI5 has for years knowingly failed to comply with statutory safeguards governing how it handles people’s data collected through surveillance.

The Government disclosed a series of redacted documents including: letters between MI5 and IPCO; a letter from MI5 to the Home Secretary; IPCO inspection reports; an IPCO ‘decision’ on safeguards; a section of an MI5 handbook; and a summary of an independent review into MI5’s failings.

These documents tell an appalling story of unlawful behaviour by MI5 and cover-up.

In sum, the documents reveal that:

From as early as 2010, MI5 has persistently and knowingly failed to comply with the safeguards in the Regulation of Investigatory Powers Act 2000 and later with equivalent IPA provisions.

The UK’s regime for oversight of surveillance failed to identify these serious systemic problems, even once raised at MI5 Board level in January 2018. MI5 finally informed IPCO in February 2019, almost a decade after its lawbreaking began.



IPCO ‘decision’

One of the documents disclosed was a ‘decision’ on safeguards issued by the then Investigatory Powers Commissioner (IPCr), Sir Adrian Fulford, on 5 April 2019. In this decision, Fulford considered whether he would continue to grant MI5 warrants under the IPA in light of the serious and systemic issues that had been discovered.

Fulford found that “MI5 has inadequate control over where data is stored; [REDACTED]; and the deletion processes which applied to it.” He identified specific errors including the absence of proper mechanisms for review, retention, and destruction of retained data and an absence of effective safeguards relating to lawyer-client communications. Fulford referred to “the undoubted unlawful manner in which data has been held and handled”.

Other errors include “Copying of Data” and “Access Controls”. This appears to refer to non-compliance with safeguards that require MI5 to minimise the extent of copying of material obtained, the number of persons to whom and extent to which material is disclosed, and to store such material securely.

Fulford concluded: “I consider that MI5’s use of warranted data…is currently, in effect, in ‘special measures’ and the historical lack of compliance with the law is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’”.



Letter from MI5 director to IPCO

A letter of 11 March 2019 from an MI5 director to IPCO reveals that an MI5 compliance team identified in January 2016 that “data might be being held in ungoverned spaces in contravention of our policies”. The existence of what MI5 itself calls ‘ungoverned spaces’, in which it holds and uses large volumes of data, is a serious failure of governance and oversight, especially when mass collection of ordinary people’s data is concerned.



MI5 handbook

Another document disclosed was an attachment to MI5’s Handbook for Judicial Commissioners (JCs) (those at IPCO who review the authorisation of warrants) issued on 1 April 2019. This document gives more information on MI5’s non-compliance around legally privileged material. It explains that some of MI5’s systems are unable to flag such material. It also explains that as MI5 only has a manual system for deleting privileged material, “there can be very little assurance” that conditions imposed by JCs on the retention of privileged material have been complied with.



Letters from MI5’s “Oversight and Errors Team” to IPCO

In a letter of 3 May 2019 to IPCO, MI5’s “Oversight and Errors Team” noted that MI5 was in the early stages of identifying further “issues” associated with “[other areas]” and “[two areas of another technology environment…]”. More information on these further “issues” has not been disclosed. It is apparent from this letter, however, that there is still not a lawful system of retention, use and destruction by MI5.

In a subsequent letter of 15 May 2019, the “Oversight and Errors Team” admitted that MI5 did not even know what data is held in the other technology environment nor the associated “working practices”. If those within MI5 responsible for compliance — let alone the IPCr/IPCO — do not know what data MI5 stores or the relevant practices, there cannot be proper oversight or an effective system of control.



Independent review summary report

Also disclosed was the June 2019 summary of the independent review into MI5’s failings that was ordered by the Home Secretary. The summary strongly criticises MI5 for its ingrained culture of accepting non-compliance and sets out a series of recommendations to engender a “compliance culture”. Strikingly, the report notes that the issues have not been resolved and it sets a seemingly random date of June 2020 for MI5 to ensure compliance.



MI5 dishonesty

Another astonishing feature of last year’s revelations is the fact that MI5 knew of its lawbreaking and yet kept it secret for years.

The summary of the independent review notes that compliance risks were first identified at MI5 in 2010; however, IPCO’s inspection reports from last year, disclosed in Liberty’s litigation, mention 2014 as the earliest that MI5 was aware of problems. This suggests that MI5 has still not been candid with IPCO about the extent of its historical knowledge of its failings.

Either way, 2010 or 2014, MI5 was aware of its non-compliance for years before it informed IPCO. IPCO’s first inspection report of 29 March 2019 sets out the development of MI5’s knowledge: in January 2016, a senior lawyer identified the problems; in October 2017, a paper for directors acknowledged that MI5 “continue[d] to build some [systems] without” the capability to review, retain and destroy data properly; by January 2018, MI5’s Management Board had seen a paper which meant, according to IPCO, that MI5 had “a clear view of some of the compliance risks… to the extent that they should have carefully considered the legality of continuing to store and exploit operational data”.

Not only did MI5 fail to report to IPCO when it should have done, MI5 also gave JCs false information and warrants were therefore issued on a basis that MI5 knew to be incorrect. Fulford sets this out in his 5 April ‘decision’.

In his ‘decision’, Fulford also recognises the severe limitations of IPCO in supervising MI5: “…we are dependent on staff being trusted to act in a lawful manner and the role of the inspectors is to ensure ex post facto that their approach is in accordance with the law”.



Liberty’s concerns

Violation of our rights

MI5’s systemic and serious failings expose the fallacy of the UK Government’s position that our rights are protected by IPA safeguards and oversight. Given MI5 (and other UK state agencies) can collect and store our data without suspicion, it could be any one of us whose data has been unlawfully retained, accessed, copied, or whose conversations with lawyers have not been properly marked as privileged.

Our data should never have been collected in the first place. To intercept our private communications, hack into our devices, or otherwise collect our sensitive data without suspicion is a violation of our fundamental rights to privacy and free expression. To then store it for longer than is lawful and copy or grant access to it unlawfully is scandalous.

Our rights will not be protected until we achieve a truly targeted, suspicion-based surveillance system, in which ordinary people’s data is not scooped up, stored and treated with disdain. Our data reveals the most intimate details about us — our politics, our sexuality, our health, our religion, our innermost thoughts and feelings. No state should have such intrusive powers to access and then abuse that information.

Further, warrants cannot be lawfully granted under the IPA unless certain safeguards are in place. It follows that all the warrants issued to MI5 while it was in breach of these safeguards were unlawful and void.



Toothless oversight system

IPCO failed to spot serious lawlessness that went on for almost a decade. As Fulford himself admitted in his 5 April ‘decision’, the IPCr and IPCO rely on trust to supervise MI5 (and other UK state agencies). That is not a robust system, especially when MI5 has proven itself untrustworthy.

Also, the whistleblower provisions in the IPA clearly provide inadequate protections for whistleblowers; in addition to an absence of reporting by management, no MI5 employee felt able to report to IPCO either.



Public in the dark

MI5’s lawbreaking emerged because of Liberty’s IPA litigation. It was the UK Government’s ‘duty of candour’ which obliged it to inform the Court — and thus the public — of what it knew. It was only after pressure from Liberty that further details were revealed and some original redactions in the disclosed documents were removed.

Even now, many of the facts remain unknown and the documents are heavily redacted. We do not know whose or how much data has been unlawfully retained, whose or how much data has been unlawfully copied or shared, and with whom, and which lawyer-client communications have not been flagged and have been unlawfully kept.

If we cannot learn the full facts of such an egregious tale of lawlessness and cover-up, how can we trust we will be informed about other breaches of the IPA in the future?



Conclusion

Liberty, together with Privacy International, have within the last month launched legal action against MI5 in respect of its breaches. We will be calling on the Court to declare MI5’s actions unlawful, order the destruction of unlawfully retained data, and quash warrants issued to MI5.

But while this case will hopefully deal with past breaches, the only way to ensure our data is safe and our fundamental rights are protected moving forwards is to tear up the Snoopers’ Charter.