It has emerged that the British Security Service MI5 mistakenly told its staff it had been given an exemption from privacy safeguards when accessing databases with information on the British public’s phone, email, and web browsing records.
The revelation has come to light during the Investigatory Powers Tribunal (IPT) hearing brought by Privacy International which we reported on last week. They are challenging the UK Governments laws which allow the bulk collection of data and permit intelligence agencies to access it with only the most minimal of safeguards.
Home Office regulations, published in March 2015, make it clear that every time they wish to access data they must seek approval from independent staff members, who are referred to as designated persons.
Yet it seems MI5 thought they didn’t even have to comply with those. The court has seen a briefing note, dated 27th October 2015, which claimed MI5 had been made exempt from this requirement.
It said “MI5 uniquely and temporarily has an exemption granted by the home secretary from this requirement. [This has] been agreed with the relevant oversight body, IOCCO, and the interception of communications commissioner.”
However, unfortunately for MI5, a letter sent to the IPT by the Governments lawyers refutes this. The letter clearly states that this claim from MI5 was “not correct”.
In the Tribunal hearing, Privacy International have been using this incident, along with reams of other examples and written evidence, to show that MI5 has been actively trying to avoid additional oversight on these regulations for a long time.
However, it seems that MI5 has not been breaking the rules as such. The Government lawyers went on to show that a separate code of practice which was introduced in 2007 allowed MI5 to avoid using the designated person approval system “in relation to investigations in which they are directly involved in”.
In practice, this loophole has been used to avoid using designated persons altogether, and it seems this has been done with the approval of the interception commissioner, IOCCO, and the Government.
Director General’s Excuses
A series of letters between former Home Secretary Theresa May and the Director General of MI5, Andrew Parker, also showed the MI5 man going to great lengths to avoid implementing additional oversight.
He argues that it would disrupt investigations, reduce operational effectiveness, and use up valuable resources. There were also a variety of documents which indicates warnings and recommendations made to MI5 from its oversight bodies were regularly resisted or ignored.
Abuse of Powers
So with the independent oversight that is in place being routinely bypassed is there any evidence that MI5 has been abusing its powers? No surprise that the answer to that question is, yes.
Privacy International has presented information that MI5 agents have used the powers to undertake searches for at least 20 ‘high-profile people’ (celebrities). None of these were thought to have been approved, or to be justifiable in terms of genuine links to ongoing MI5 cases.
This will come as a shock if you are a celebrity, but even if you are not there is no reason to think that your data hasn’t been abused in the same way.
As things stand, MI5 agents have carte blanche to access the data of anyone they want with no credible oversight or redress if they abuse it. As we have seen with the Government’s RIPA legislation, if the powers are given, they will be abused, and as things stand there is no reason for any of us to feel that our data is safe from MI5.
This is the latest in a long line of revelations about the British Security Services mishandling of our data and should be causing as many shockwaves amongst the British public as the Edward Snowden revelations did in the USA.
It remains to be seen if there is any realistic hope of this situation changing anytime soon. And this means there never been a better time for the British public to be taking steps to ensure its own online privacy through the use of a VPN or other privacy tools.