
MI5 slapped on the wrist for 'serious' surveillance data breach

Auditors poked around for a week after too many Peeping Toms had a trawl


Home Secretary Sajid Javid has confessed to Parliament that MI5 bungled the security of "certain technology environments used to store and analyse data," including that of ordinary Britons spied on by the agency.

In a lengthy Parliamentary statement made last week, Javid obliquely admitted that the agency had allowed more people to help themselves to its treasure troves of data on British citizens than the law permitted.

The Home Secretary's statement referred to how "certain [data] processing" by MI5 and other spy agencies "is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained."

Even by the standards of UK law, which is notoriously lax when it comes to letting state employees trawl through whatever personal data they fancy with few meaningful prior permissions required (known in the jargon as "lawful interception"), Lord Justice Fulford, the Investigatory Powers Commissioner and head of audit agency IPCO, characterised the breach as "serious" and requiring "immediate mitigation".

Javid, however, hid behind an ongoing legal case brought by the Liberty pressure group, aimed at getting the Investigatory Powers Act toughened up, as an excuse for not giving full details to Parliament. He only told MPs that "the compliance risks identified are limited to how material is treated after it has been obtained. They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so."

MI5's use of the data that Britain's dragnet surveillance operations hoover up is audited after the event by the Investigatory Powers Commissioner's Office (IPCO). In its annual report for 2017/18, the last it has published, IPCO criticised MI5 for using "boilerplate text" in internal applications to spy on particular people and groups, suggesting that the spies weren't taking even the existing permissive laws seriously.

Lord Justice Fulford said in a statement: "I first became aware of the compliance risks identified by MI5 at an oral briefing meeting on 27 February 2019, and I immediately requested a comprehensive written description of all the matters that had then been outlined. This was provided on 11 March 2019."

He continued: "I am reassured that MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5's handling arrangements within the particular area of concern are now satisfactory as regards warranted material."

A team of IPCO investigators was sent into MI5 for a week to investigate the breach. Nothing in IPCO's statement or Javid's suggested that anyone was identified, caught, disciplined or charged with an offence as a result.

A lawyer for Liberty, Megan Goulding, said in a statement: "The breach in itself is deeply concerning but on top of that the way this has unfolded – with IPCO only finding out because MI5 reported it, and the wider public only knowing apparently because of our legal case – shows how fatally flawed the oversight system for security services is." ®

Bootnote

In pop culture, the answer to threats from a police worker is to say "get a warrant!" Taking this at face value, the UK merely has the Home and Foreign Secretaries (as the ministers responsible for domestic spy agency MI5, and for GCHQ and foreign spy agency MI6, respectively) sign so-called "thematic" warrants that authorise almost anything the spy agencies fancy doing, on a blanket, non-specific basis.

They've got a warrant. It's just not the type you wanted it to be.
