The UK's spy agency auditor has given public sector snoopers a clean bill of health – except for domestic surveillance specialists MI5, whose cloud data storage blunder is still under investigation.
In its annual report for 2018, published this week, the Investigatory Powers Commissioner's Office (IPCO) concluded once again that all is broadly well in the murky world of British state surveillance, where everyone from eavesdropping agency GCHQ to council binmen is legally allowed to spy on you.
Laying the report before Parliament on Thursday, Prime Minister Boris Johnson said in a written statement: "Overall, this report demonstrates that the security and intelligence agencies, law enforcement agencies and other relevant public authorities show extremely high levels of operational competence combined with respect for the law."
Security minister James Brokenshire chipped in to add: "I welcome the independent scrutiny from the Commissioner and am pleased that he recognises the exceptional dedication and professionalism demonstrated by our law enforcement and security agencies."
MI5, however, came in for pointed criticism from Lord Justice Fulford, the previous Investigatory Powers Commissioner, who wrote the agency's latest report. As reported last year, MI5 was being careless with the storage of data it had hoovered up. This week's IPCO report said:
The information initially supplied to IPCO suggested there were serious deficiencies in the way the relevant environment implemented important IPA safeguards, particularly the requirements that MI5 must limit to the minimum necessary the extent to which warranted data is copied and disclosed, and that warranted data must be destroyed as soon as there are no longer any relevant grounds for retaining it.
Moreover, MI5 hadn't locked down access to what appears to have been a cloud server; as IPCO put it, the domestic spy agency had an "inconsistent approach to controls around the extent to which users were able to copy data and place it into storage areas within the environment". The spies were warned they were subject to "ongoing, detailed scrutiny".
Departing MI5 chief: Break chat app crypto for us, kthxbaiREAD MORE
Otherwise, despite the introduction of the so-called "double lock," where a former judge signs off on spying warrants that were first rubber-stamped by a cabinet minister, IPCO broadly ruled all was well and most public sector organisations were abiding by the Snooper's Charter (aka the Investigatory Powers Act), the law that allows them to rifle through your digital dustbins more or less at will.
IPCO did publish how it carries out its audits, which includes snap inspections; targeted, in-depth audits of specific spying operations; close looks at the public sector body's justification for spying; and looking at internal documents. A rather thorough process judging by the report's detailed description, it certainly leaves the impression that the auditor's staff are dedicated to their task.
Under its customary "serious errors" section, the report also detailed how many police (and they were all police) blunders had led to innocents being arrested, their homes raided and missing people not found as a result of typos, time zone confusion and other human but inexcusable errors.
The Register has asked for clarification on one case where a suicidal person died before police found them, following a data oversight. IPCO said after investigating it had "notified the affected person of the fact of the serious error," which on the face of it could not have happened.
Hundreds of lawyers, journalists, doctors and MPs were targeted by the public sector for covert snooping, something that is perfectly legal in the UK. IPCO said that in some of these cases the spying was carried out for witness protection-style reasons.
Sir Brian Leveson, the retired senior judge who currently fills the post of Investigatory Powers Commissioner, said in a canned quote: "Overall, investigatory powers are used responsibly within the UK. However, our investigations have highlighted key areas where our oversight needs to keep pace with those we oversee, including how to approach the impact of new and evolving technology."
The full report can be read from the IPCO website [PDF]. ®