Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

MI5 'broke law' with serious breaches of safeguards for intercepted data

Home secretary launches independent review as campaigners hit out at 'snooper's charter'

Lizzie Dearden
Security Correspondent
Tuesday 14 May 2019 11:32 EDT
Comments
'UK intelligence agencies treat protection of personal information seriously,' Sajid Javid says
'UK intelligence agencies treat protection of personal information seriously,' Sajid Javid says (Reuters)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

MI5 broke the law by breaching surveillance safeguards that are meant to limit how spies use, share and retain intercepted material, it has emerged.

Home secretary Sajid Javid has launched an independent review to consider “what lessons can be learned” after a watchdog identified serious risks that the intelligence agency did not report quickly enough.

He said MI5 breached parts of the Investigatory Powers Act that regulates the processing of material obtained under a warrant, including intercepted data.

In a written ministerial statement, Mr Javid said the law requires spies to “ensure certain processing is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained”.

He added: “A report of the Investigatory Powers Commissioner’s Office (Ipco) suggests that MI5 may not have had sufficient assurance of compliance with these safeguards within one of its technology environments. The report of the Ipco into these risks concluded that they were serious and required immediate mitigation.

“The Commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner.”

Data accessed under the Investigatory Powers Act can include private messages, browsing history and location information.

The human rights group Liberty condemned authorities for refusing to disclose details of the breach, what information had been put at risk and how long for.

One of their lawyers, Megan Goulding, said the case was deeply concerning and showed how “fatally flawed the oversight system for security services is”.

She added: “This is a clear cut example of how the supposed safeguarding and oversight system is failing to protect us from the excessive and unwarranted surveillance and data retention powers created under the snooper’s charter. It is possible, from what is known, that millions of innocent people’s data is being shared widely with foreign governments. If the government has its way, we will never know if this is the case.

“If the UK’s surveillance regime is to have a semblance of legitimacy, the public needs to know what happened, and how badly our privacy and the security of our information were put at risk.”

Mr Javid said he could not give further information for national security reasons but further details would be included in Ipco’s annual report.

Edward Snowden on reforming surveillance

“The work MI5 do is absolutely critical, at a time when the threat from terrorism persists and continues to diversify,” he added. “It is of course paramount that UK intelligence agencies demonstrate full compliance with the law. In that context, the interchange between the commissioner and MI5 on this issue demonstrates that the world leading system of oversight established by the Act is working as it should.”

The Investigatory Powers Commissioner, Lord Justice Fulford, said he was first notified at a meeting in February and immediately requested written information that was received in March.

“I then asked a team of inspectors from my office to spend a week in MI5 investigating the extent of the compliance risks that had been identified,” he added.

“I am reassured that MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5’s handling arrangements within the particular area of concern are now satisfactory as regards warranted material.”

Ipco has carried out a follow-up inspection and will conduct regular reviews.

The home secretary said MI5 had taken “immediate and substantial mitigating actions” in response to the Ipco report and that implementation was being monitored.

“The compliance risks identified are limited to how material is treated after it has been obtained,” he said.

“They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so,” he added.

“All UK intelligence agencies treat protection of personal information seriously.”

It came as Liberty mounts a wider legal challenge to the Investigatory Powers Act, which will be heard at the High Court next month.

Campaigners are to argue that bulk surveillance that captures messages, browsing history and other large datasets without suspicion “dangerously undermines privacy and free expression”.

Last year, the High Court found the power to order private companies to store communications data, including internet history, so that state agencies can access it breached the right to privacy.

In September, the European Court of Human Rights found that the UK’s previous regime for bulk interception of communications data was unlawful before it was replaced by the 2016 Investigatory Powers Act

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in