Documents show how MI5 unlawfully retained innocent people's data 'for years'

MI5 also accused of not telling judges about failing to delete bulk surveillance data

Intelligence agency MI5 has been accused of unlawfully retaining innocent people's data and providing false assurances to judges that it had deleted bulk surveillance data.

That's according to internal documents released in the High Court in London today as part of Liberty's case against the Home Office over what it claims is unlawful surveillance by the security services.

Computing's Cloud Excellence Awards return on the 19th September 2019, recognising the very best of cloud computing in the UK across end users, suppliers and products. Who is the Cloud Architect of the Year? What is the Best Cloud Development Platform? And who is the Cloud Entrepreneur of the Year. Entry is FREE - the deadline is Friday 28th June.

The documents include letters between MI5 and the Investigatory Powers Commissioner's Office (IPCO). IPCO is responsible for ensuring that the privacy protections of the Investigatory Powers Act (IPA) - better known as the Snooper's Charter - are upheld. These include supposed safeguards around the storage and deletion of data.

MI5's deputy director general acknowledged in the documents that personal data collected by MI5 was being stored in "ungoverned spaces", and the organisation's legal team admitted that there is "a high likelihood [of material] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure".

Last month, as a result of Liberty's legal challenge, the High Court found that MI5 had breached these safeguards. The ten documents released today provide more detail about the nature of the breaches, including the claim that MI5 has never complied fully with the IPA since it became law in 2016.

AI & Machine Learning Live is returning to London on 3rd July 2019. Hear from the Met Office's Charles Ewen, AutoTrader lead data scientist Dr David Hoyle and the BBC's Noriko Matsuoka, among many others. Attendance is free to qualifying IT leaders and senior IT pros, but places are limited, so reserve yours now.

According to Liberty, the documents show that the Commissioner of the IPCO believed that the way MI5 had been holding and handling people's data was "undoubtedly unlawful", and questioned whether it was even "fit for purpose".

MI5 failed to maintain key safeguards, such as the timely destruction of material and the protection of legally privileged material. This, according to Lord Justice Fulford, created "serious compliance gaps" in MI5's legal responsibilities. These were only brought to the IPCO's attention in February 2019.

Finally, the documents indicate that warrants for bulk surveillance were issued by the Judicial Commissioners - senior judges who handle such requests - in the belief that MI5 was meeting its obligations under the Investigatory Powers Act, when they were not. It is open to question whether warrants would have continued to be approved were MI5's lack of compliance known.

MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so

Liberty lawyer Megan Goulding said that the documents show "how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information - our calls and messages, our location data, our web browsing history".

She added that "the government is still trying to keep us in the dark over further examples of MI5 seriously breaching the law".

These breaches of the IPA were publicised by Liberty in May, and quietly acknowledged by Home Secretary Sajid Javid.

"The compliance risks identified are limited to how material is treated after it has been obtained. They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so," admitted Javid in a statement released at the time.

He continued: "The report of the Investigatory Powers Commissioner's Office into these risks concluded that they were serious and required immediate mitigation. The Commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner.

"In response to the Commissioner's report, MI5 have also taken immediate and substantial mitigating actions to address the concerns raised. Work to implement those mitigations is ongoing and is being treated as a matter of the highest priority, both by MI5 and the Home Office.

"This work is subject to review by the Investigatory Powers Commissioner to ensure that sufficient progress is being made."

Delta is a new market intelligence service from Computing to help CIOs and other IT decision makers make smarter purchasing decisions - decisions informed by the knowledge and experience of other CIOs and IT decision makers.

Delta is free from vendor sponsorship or influence of any kind, and is guided by a steering committee of well-known CIOs, such as Charles Ewen, Christina Scott, Steve Capper and Laura Meyer.

Ten crucial technology areas are already covered at launch, with more data appearing and more areas being covered every week. Sign-up here for your free trial of the Computing Delta website.