MI5 still risks breaking the law on surveillance data through poor controls – years after it was first warned

Exclusive MI5's storage of personal data on espionage subjects is still facing "legal compliance risk" issues despite years of warnings from spy agency regulator IPCO, a Home Office report has revealed.

The sustained legal issues even triggered a Parliamentary statement by Home Secretary Priti Patel, revealing that the domestic spy agency did not have "a culture of individual accountability for legal compliance risk" until external oversight forced change upon the agency.

Answering the question of whether MI5's data holdings are "now legally compliant," a Home Office report, published on June 7, said MI5's "implementation of mitigations" for "identified risks" was still under way.

Government documents in the public domain about the spy agency's law-breaking deliberately omit references to which laws MI5 broke, preferring the euphemism "compliance", but the breaches appear to fall under Part 6 ("bulk warrants") and Part 7 ("bulk personal dataset warrants") of the Investigatory Powers Act 2016, the infamous Snoopers' Charter. References to "warranted data" in external compliance reports published by the government gave the game away.

The latest report, itself a report into an earlier review which made recommendations MI5 hasn't fully complied with, stems back to failures first identified in the mid-2010s.

Senior Conservative backbench MP David Davis told The Register: "When the Investigatory Powers Act was written, it was with major input from all the agencies, including MI6, GCHQ, and of course, MI5.

"Extraordinary powers were given to the agencies under this Act and therefore there is no excuse for non-compliance or inadequate compliance with those restrictions that were set in place."

A public summary of a report written by National Crime Agency non-exec director Mary Calam, quietly published earlier this month, revealed that "further work is needed to fully roll out and test new policies and to reduce reliance on manual processes" for legal compliance within MI5.

While the domestic surveillance agency had cleaned up its act from where it was a few years ago, implementing an internal compliance programme to address 14 formal recommendations made to it, it is still dragging its feet in key areas.

Reports over the years revealed an internal culture within MI5 that seemingly treated legal compliance as an unimportant formality, with spies caught using "boilerplate text in applications" for targeted surveillance warrants. Related allegations of law-breaking are the subject of an ongoing legal case by the Privacy International campaign group, which declined to comment for this article.

Exactly what happened?

Tight-lipped official sources would not say precisely what MI5's data storage blunder was but clues lie in the language used by both IPCO (the Investigatory Powers Commissioner's Office, which audits legal compliance by the spy agencies) and Home Secretaries over the years.

You can see mention of a specific data storage issue in IPCO's annual report [PDF] for 2017, published two years later, which noted: "There was one complex error reported by MI5 in relation to the retention of data on an area within their IT systems. MI5 is undertaking work to remedy this problem and delete data which has been retained erroneously."

• UK spy auditor gives state snoops a big pat on the back for job well done – except MI5
• MI5 slapped on the wrist for 'serious' surveillance data breach
• UK spy overseer: Snooper's Charter cockups are still getting innocents arrested
• MI5: Gosh, awkward. We looked down the sofa and, yeah, we *do* have intel on privacy bods

By 2018 [PDF], IPCO was asking for "demonstrations of MI5's complex IT infrastructure" and didn't like what it was seeing:

The Investigatory Powers Commissioner, Court of Appeal judge Sir Adrian Fulford, wasn't told about this legal compliance failure until February 2019, an issue IPCO branded "a matter of serious concern." This triggered a Parliamentary statement by the then Home Secretary, Sajid Javid, who would only admit "the compliance risks identified are limited to how material is treated after it has been obtained."

In other words, the risk begins once the collected data hits whatever environment or environments MI5 was using, raising concerns that there might be a configuration or access control issue. This appears to be at the heart of the agency's alleged failure to comply with its legal duties to keep surveillance data secure.

More detail emerged in 2019's IPCO report, which castigated MI5 for its "inconsistent approach to controls around the extent to which users were able to copy data and place it into storage areas within the environment". Precisely what the "environment" is was not specified either.

Yet more information about MI5's wrongdoing in the agency's internal Compliance Improvement Report was published in July of that year, containing 14 recommendations to bring MI5 into line with the law. It was this report which Calam was, in turn, reporting upon – and she found that recommendations 2, 3, 4 and 11 had not been met.

While MI5 is trying to improve compliance, the fact that major work is still necessary to achieve it, years after failures were first noted, is troubling.

Davis, the MP and civil liberties activist, thundered: "When MI5 was found not to be fully compliant, it should have taken extraordinary and immediate efforts to bring itself back inside the rules. It is a matter of serious concern that they have failed to do so now three years after this issue was highlighted. They must bring it under control immediately."

Home Office spokesman Ian Kennedy failed to answer The Register's questions about the Calam Report, saying only: "The Home Secretary has outlined her position in the Written Ministerial Statement. Nothing further to add to this."

An IPCO spokeswoman told The Register: "As the CIR [MI5's internal compliance project review] explains, the scale and complexity of the remedial work required have been greater than initially anticipated by the CIR. This has also been significantly compounded by the unprecedented challenges posed by the COVID-19 pandemic."

Compliance failure, meet legal action

IPCO's representative also said that part of the delays in compliance were caused by ongoing legal action from anti-surveillance campaigners: "Following a claim brought by Privacy International and Liberty against MI5 and the Home Office, the matter is now subject to litigation before the Investigatory Powers Tribunal. The litigation has necessitated a pause (by Order of the Tribunal) to some of the remedial work in order to ensure evidence is preserved for the purposes of the proceedings."

The Investigatory Powers Tribunal is a specialised court that hears cases brought against the spy agencies over illegal surveillance. Until a 2019 Supreme Court ruling, the IPT was a pale imitation of a real court.

Parliament's Security and Intelligence Committee did not respond to The Register's request for comment despite the Calam Report having been supplied to its members. The committee forms the main Parliamentary oversight for MI5, MI6, and GCHQ.

IPCO's spokeswoman concluded: "As outlined in IPCO's 2019 Annual Report, IPCO continues to oversee MI5's efforts to manage legal compliance risk regarding its technology environments within the parameters set by the Tribunal. Whilst there is still work to be done, the public can be assured that MI5's compliance approach has improved significantly."

She was echoed by Home Secretary Priti Patel, who told Parliament earlier this month: "I am very grateful to the Director-General of MI5 and his staff, as well as my own officials, for the immense progress that has been made since Sir Martin Donnelly completed his Compliance Improvement Review in June 2019."

It appears that Britain's spy agency overseer has grown teeth — and while the law may not be perfect, bringing MI5 into line with it is a victory for the Investigatory Powers Commissioner. ®