The Home Secretary has admitted that MI5 breached surveillance safeguards so severely that its failure to comply has been described as ‘serious’ and requiring ‘immediate mitigation’. In a written statement issued last week, Sajid Javid notified Parliament of compliance risks identified in relation to MI5 and surveillance safeguards under the Investigatory Powers Act 2016.
The Act, nicknamed by critics as the ‘snooper’s charter’, allows public authorities including the intelligence services to apply for ‘interception warrants’ which, in turn, allow those with approved warrants to lawfully intercept data. Designed to limit how information obtained under a warrant is used and shared, the safeguards provided in the Act purportedly require intercepting authorities (in this instance, MI5) to limit the disclosure and retention of data obtained to a minimum.
Javid writes that, by law, authorities issuing warrants are required to ‘ensure certain processing is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained’.
The risks discussed were identified in a report by the intelligence services’ watchdog, the Investigatory Powers Commissioner’s Office (IPCO). Chaired by Court of Appeal judge, Lord Justice Fulford, IPCO provides independent oversight of the use of investigatory powers by intelligence services as well as other public authorities.
The Home Secretary has now launched an independent review in an effort to consider ‘what lessons can be learned for the future’. Data accessible under the Act includes private messages, digital browsing history, and location information, but it is unlikely that details of the material involved in this case will be disclosed.
In his statement, Javid writes: ‘A report of the Investigatory Powers Commissioner’s Office suggests that MI5 may not have had sufficient assurance of compliance with these safeguards within one of its technology environments… . The report of the IPCO into these risks concluded that they were serious and required immediate mitigation.’
He adds: ‘The Commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner.’
The breach was reportedly so severe that IPCO sent a team of inspectors to MI5 for a week to investigate, according to human rights organization Liberty. In a series of tweets this morning, the organisation criticized the government for failing to disclose further details of the breach, and called into question the effectiveness of IPCO as an oversight body.
Megan Goulding, one of the lawyers at Liberty said it was ‘a clear-cut example of how the supposed safeguarding and oversight system is failing to protect us from the excessive and unwarranted surveillance and data retention powers created under the snooper’s charter’. ‘It is possible, from what is known, that millions of innocent people’s data is being shared widely with foreign governments,’ she said. ‘If the government has its way, we will never know if this is the case.’
The Home Secretary’s statement comes as Liberty mounts a separate and broader legal challenge pertaining to the Investigatory Powers Act, which is scheduled to be heard at the High Court next month.