MI5 “unlawfully” handled bulk surveillance data, Liberty litigation reveals

MI5 also failed to give senior judges accurate information about repeated breaches of its duty to delete bulk surveillance data, and has been criticised for mishandling sensitive legally privileged material.

The Investigatory Powers Act (IPA) – known as the Snoopers’ Charter – provides the security services with extremely broad powers, under warrants issued by ‘Judicial Commissioners’,  to hack computers and phones and intercept people’s communications. These powers allow the Government to carry out “bulk surveillance” on huge numbers of people who are of no intelligence interest. That information is then stored by the security services for potential investigations in the future.

The Investigatory Powers Commissioner’s Office (IPCO) is responsible for ensuring that privacy protections contained in the IPA are upheld, including that safeguards around storage and timely deletion of data are met.

Following the initial revelation last month that MI5 had breached IPA privacy safeguards, a series of 10 documents and letters from MI5 and IPCO – disclosed during the course of Liberty’s ongoing legal challenge to the IPA – have revealed more detail of those breaches, including that MI5 has failed to meet its legal duties for as long as the IPA has been law.

Despite heavy redaction by MI5, the documents reveal how a litany of failures and false assurances has led to what the Investigatory Powers Commissioner, Lord Justice Fulford, has concluded is the “undoubtedly unlawful” conduct of the UK’s leading security service.

The documents show:

• Illegal actions: The Commissioner concluded that the way MI5 was holding and handling people’s data was “undoubtedly unlawful”, setting out that: “Without seeking to be emotive, I consider that MI5’s use of warranted data… is currently, in effect, in ‘special measures’ and the historical lack of compliance… is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose'”.
• MI5 knew for three years before informing IPCO: MI5 failed to maintain key safeguards, such as the timely destruction of material and the protection of legally privileged material. This, says Lord Justice Fulford created “serious compliance gaps” in its legal duties. Shockingly, these gaps first became clear to MI5 staff in January 2016, and the MI5 board in January 2018, but were only brought to IPCO’s attention in February 2019. Even then Fulford accuses MI5 officials of continuing to use “misleading euphemism” when describing their failure.
• False assurances: Warrants for bulk surveillance were issued by senior judges (known as Judicial Commissioners) on the understanding that MI5’s data handling obligations under the IPA were being met – when they were not. The Commissioner has pointed out that warrants would not have been issued if breaches were known.  The Commissioner states that “it is impossible to sensibly reconcile the explanation of the handling of arrangements the Judicial Commissioners were given in briefings…with what MI5 knew over a protracted period of time was happening.”

In a remarkable admission to the Commissioner, a senior MI5 official acknowledges that personal data collected by MI5 is being stored in “ungoverned spaces”, while the MI5 legal team claims there is “a high likelihood [of material] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure”.

And in yet another example of the disrespect the Government has for transparency and the public’s right to know, it has applied for further details on MI5’s breaches to be provided to the Court through secret evidence and private hearings.

Megan Goulding, Liberty lawyer, said:

“These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history.

“It is unacceptable that the public is only learning now about these serious breaches after the Government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner, who oversees the Government’s surveillance regime.

“And, despite a light being shone on this deplorable violation of our rights, the Government is still trying to keep us in the dark over further examples of MI5 seriously breaching the law.”

BACKGROUND

Liberty revealed in May that MI5 had breached safeguards outlined in the IPA for handling the public’s data.

So serious was the breach that, when first notified, IPCO – the body responsible for overseeing government surveillance practices – sent a team of inspectors to MI5 for a week-long investigation.

In a statement quietly released by Home Secretary Sajid Javid, it was confirmed that MI5 had breached the IPA in their handling and retention of data belonging to the public. According to the statement, IPCO concluded those risks were “serious and required immediate mitigation”. Home Secretary Sajid Javid has said that he will now launch an independent review of this incident.

The IPA became law in late 2016. It was intended to introduce transparency to state surveillance following Edward Snowden’s revelations of unlawful mass monitoring of the public’s communications. However, it legalised the practices he exposed and introduced hugely intrusive new powers.

The IPA allows the state to collect the content of people’s digital communications and records about those communications created by our devices, and hack computers, phones and tablets on an industrial scale. It also allows the creation and linking of huge ‘bulk personal datasets’. The state can keep data on these databases even if it does not suspect individuals of a crime or other threat.

In September last year, Liberty, along with 13 other human rights and journalism groups and two individuals, won its challenge to the UK’s previous surveillance regime at the European Court of Human Rights. The European Court found that the UK’s previous regime for bulk interception of  data was unlawful.

The IPA replaced, replicated, and expanded the intrusive surveillance powers that the European Court found to breach our rights to privacy and free expression.

Liberty instructs Shamik Dutta at Bhatt Murphy Solicitors, Martin Chamberlain QC and David Heaton of Brick Court Chambers, and Ben Jaffey QC of Blackstone Chambers.