MI5 unlawfully tapped Privacy International's communications, and was unable to accurately identify or locate all the information it held on the NGO, the Investigatory Powers Tribunal (IPT) has heard.
The campaign group was today in court as part of its long-running case against the British intelligence agency's mass slurping of comms and personal data, at a hearing in front of the shadowy body that oversees Blighty's snoops and spies.
The hearing was the latest in a long-running legal battle brought by Privacy International, and focused on MI5's admissions that it had initially failed to identify the data it held on the charity.
The case was first lodged in 2015, and relates to the government's collection of bulk personal datasets (BPD) and bulk communications data (BCD) – which the state first copped to in March and November 2015 respectively.
In October 2016, the IPT ruled that neither regime was lawful until this avowal, and recently extended this decision in relation to GCHQ, saying that agency's regime wasn't lawful until 14 October 2016.
As part of the case, the spooks were asked if they held data relating to Privacy International while the regimes were unlawful.
All three agencies – MI5, MI6, and GCHQ – were today determined to have held BPD, BCD or both in the period deemed unlawful, while MI5 had also accessed or examined BPD and BCD pre-avowal.
MI5 failed to show its 'Workings'
MI5's admission was the focus of today's proceedings because it had initially said it held no such data on the charity pre-avowal – but last year amended its position.
Moreover, the discovery of that data has exposed a previously unknown cache of information that officers have amassed while working on cases – and one that MI5 admitted lacked the safeguards that exist for other regimes.
In court, Privacy International's counsel, Thomas De la Mare, equated the situation to an "MI5 sofa".
The agency initially "had a look under the cushions" and found nothing, he said, but when it later poked down the back it dug up "a whole bunch of data" about his clients.
The area in which the information was found was referred to as "Workings" in documents released today as part of the case (published by Privacy International here) – and it is thought that this is the first time its existence has been publicly discussed in detail.
The data in this area is generated from searches of BCD or BPD held by the agencies – which is thought to be why Privacy International's info is there – but it is also likely to contain data from other sources.
In an amended statement submitted to the court, the government described it thus:
It was established that, in an area known as ["Workings"], officers could (if they needed to do so) save the results of their analysis (arising from a particular investigation) and that these saved "workings" could include (amongst other things) the results from searches that they had undertaken, including the results of searches of MI5's BPD holdings and MI5's BCD database.
De la Mare told the court that, not only was it clear that the processes for the initial search were "inadequate" – in that they didn't turn up this extra info – there were also major questions raised about the way this dataset was managed.
"This does reveal that something has fallen between the cracks," he said, adding that the implication was that some information held by the government has "some kind of intermediary status".
This, he said, was information that hadn't yet reached the stage of being "finished intelligence" - at which point there would be safeguards in place - but was not part of the bulk datasets.
MI5 has admitted that there is no review, retention and deletion (RRD) period prescribed for the data that officers saved in "workings" – as is required for other regimes.
IPT chairman Michael Burton summarised the situation:
"We've now discovered that there's a working platform into which products, not only from BCD and BPD, but also searches and other warrants... is at any rate stored or replaced that doesn't have an adequate retention period."
But we told IPCO – and we've deleted your data...
The government stressed it had reported itself to the Investigatory Powers Commissioner's Office (IPCO) – which oversees the snoops' work – over its failure to disclose the data.
Burton noted that IPCO would now have to look at the "workings" area and see if it can continue to exist without proper retention and deletion periods, and how it can be brought into compliance with information handling regulations.
Andrew O'Connor, counsel for the government, said he could only say in open proceedings that a solution had been agreed internally last year, but that implementation was expected "in the near future". He said the solution was not a straightforward case of "flicking the switch and deleting data".
However, the government later revealed the data relating to Privacy International was deleted from the "Workings" area yesterday.
Not only is this likely to be cold comfort to other groups or individuals whose data may be in the "Workings" area, but De la Mare also expressed concern about whether this meant IPCO didn't have a copy of the material to use in its probe.
"[It] rather impedes a potential investigation if the material improperly obtained is improperly discharged," he observed.
The government promised to draw up a witness statement within 14 days to confirm the deletion.
'A serious oversight'
Privacy International had also called for the government to publish a witness statement about how MI5 was able to erroneously claim it held no BPD or BCD data about Privacy International when it did.
But Burton rejected this request. Although he said it was "a serious oversight by MI5 which is not to be forgiven and indeed must be condemned" – he added there was "no point in raking over the coals" now that the information had been disclosed.
Meanwhile, Privacy International has used the opportunity to write an open letter to the home secretary Sajid Javid slamming the agencies' collection – and in MI5's case, examination – of data on the charity.
"We are writing to express our grave concern and to request your urgent action following today's disclosures regarding the interception of data by the Security and Intelligence Agencies," the letter (PDF) stated.
As well as outlining the points in this case, the charity also argued that the UK's Investigatory Powers Act did not fall in line with this month's ruling from the European Court of Human Rights that the UK's snooping regime broke human rights rules.
"We are therefore writing to ask that you confirm what changes you will make to the IPA as a result of last week's ECHR judgment," it said. ®