The UK’s most secret court has been asked to reopen a key ruling on the legality of electronic surveillance operations, in the wake of new evidence that the MI5 failed to disclose serious breaches in its handling of intercepted data.
The Investigatory Powers Tribunal (IPT) ruled in 2016 that the intelligence services had unlawfully collected bulk phone and internet data, and maintained sensitive bases of personal data on the population for 17 years between 1998 and 2015.
But in a legal challenge, campaign groups Liberty and Privacy International have asked the IPT to reopen the case. The claim follows disclosures in previously classified documents, that show MI5 failed to disclose serious compliance breaches to the court or the surveillance regulator.
Meg Goulding, lawyer at Liberty told Computer Weekly: “The documents show breaches from as early as 2010. These are core breaches – how you share and copy data and what you do with sensitive data around lawyers and their clients.”
Daniel Cashman, representing Liberty and Privacy International, told a case management hearing at the ITP yesterday that MI5 had failed in its duty of candour to the court. The campaign groups argue that the IPT should revisit its findings that bulk surveillance programmes were conducted lawfully after they were publicly avowed in 2015.
In a written claim, the groups allege that MI5 misled the IPT, and the investigatory powers commissioner, by failing to disclose serious failings in its handling of sensitive intercepted communications data, including legally privileged communications for years after they were first discovered.
According to the claim, MI5 gave inaccurate and materially misleading information to the IPT, which led it to conclude that MI5 had safeguards in place. The groups say new evidence from MI5 and the Investigatory Powers Commissioner’s Office (IPCO) “falsifies that conclusion”.
MI5 accused of misleading ministers
The non-governmental organisations (NGOs) also allege that MI5 has misled ministers and the Investigatory Powers Commissioner, which is responsible for overseeing the intelligence services, to grant surveillance warrants to MI5 on a “false basis” over an extended period.
The management board of MI5 were aware that the security service was in breach of both the requirements of UK law and the European Convention on Human Rights as early as May 2013, the NGOs claim. It did not report the matter to the investigatory powers commissioner until February 2019.
“The true nature of the problems was sufficiently serious that even MI5 itself did not understand the true scale and extent of the (systemic) problems,” the NGOs claim.
They allege that from as early as 2014, MI5 “persistently and knowingly” failed to comply with the safeguards of the Regulation of Investigatory Powers Act (RIPA) and the Investigatory Powers Act (IPA), known as the Snoopers’ Charter.
MI5 was unable to carry out proper searches of its databases to meet legal disclosure requirements for the IPT, and the UK’s regime for oversight of secret surveillance failed to identify serious systemic problems, even when raised at MI5 board level, it was claimed.
Adrian Fulford, the investigatory powers commissioner, responsible for overseeing surveillance, found that the management board of MI5 was clearly aware that there were problems with the way the agency stored data gathered from surveillance warrants by January 2018 – but the board failed to alert the watchdog.
“It seems to me that to have provided assurances to the secretary of state regarding safeguarding warranted data, that, in hindsight, did not comply with MI5s obligations…amounts to an error of notable gravity,” Fulford wrote in documents lodged in the court.
MI5 board warned of failures in ‘technical environment’
The failures were so serious in an area dubbed the “technology environment” that an MI5 board paper in October 2018 warned that they could lead to successful legal challenges, result in the loss of confidence of ministers and the independent judicial commissioners, restrictions on warrants and reputational damage.
“It is clear that for warranted material in the [technology environment], there has been an unquantifiable but serious failure to handle warranted data in compliance with the IPA for a considerable period of time,” Fulford wrote.
He said assurances were made to the secretary of state and to the independent judicial commissioners, responsible for approving surveillance warrants, that were “wrong and should never have been made”.
“Warrants have been granted and judicially approved on an incomplete understanding of the true factual position,” said Fulford. “The failure to report these matters in a timely way is a matter of grave concern.”
Fulford described the situation as serious and inherently fragile. “Without seeking to be emotive, I consider that MI5’s use of warranted data in the [technology environment] [requires] special measures.
“The historical lack of compliance with the law is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is fit for purpose.”
Court warns MI5 over deleting data
Cashman told the case management hearing yesterday that at a high level, the claim was about the duty of candour of MI5 to the court, the secretary of state and the surveillance regulator, IPCO.
He told tribunal chairman Lord Justice Singh that it would be “highly unfortunate” if there was a repeat of an incident in 2018, when MI5 told the tribunal it had deleted information relevant to the case the day before the hearing.
The court heard that MI5 could not guarantee to preserve all data that might be relevant to the hearing, without specific instructions on what data it should retain.
Andrew O’Connor, representing MI5, told the court that MI5 had existing processes in place that meant data was automatically deleted all the time.
“That is not something that can simply be changed by making a phone call or sending an email,” he told the court. O’Connor said he would need to submit evidence in closed session that MI5 was unable to stop deletion of data.
Singh said MI5 had a duty of candour and warned that if the security service deleted data relevant to the case, “there would be consequences”.
Culture of ‘permitting unlawful conduct’
The NGOs claim in legal submissions that there is an ingrained institutional culture of accepting and permitting unlawful conduct in MI5. Compliance with the IPA “never became a mission-critical priority for the senior leadership, nor therefore for MI5 staff”, they said.
According to a summary of a compliance review, MI5 was told “it must ensure that all its data can be shown to be held in accordance with legal compliance requirements by June 2020”.
O’Connor told the tribunal that MI5’s legal team was served with the claim at 6.30pm on 31 January and had had only five days to consider it.
“We have not had an opportunity to think carefully about this claim and to sit down and make the proper analysis, simply because we have had it for such a short period of time,” he said.
The case continues.