MI5 withheld critical information from the home secretary when it applied for warrants to gather telephone and internet data, Britain’s most secret court has heard.
The security service is accused of failing to report details of serious legal compliance concerns over the storage and deletion of surveillance data stored on its IT systems.
Lawyers representing the campaign groups Privacy International and Liberty argued that MI5 had “failed in its duty of full and frank disclosure” to the Home Office.
They claimed that the then home secretary, Amber Rudd, also failed in her duty to investigate MI5’s compliance failures when the agency belatedly alerted her in 2016.
That effectively made surveillance warrants issued by the Home Office unlawful, the Investigatory Powers Tribunal heard during a two-day case management hearing last week.
MI5 first disclosed compliance failures in “ungoverned spaces” during legal action brought by Privacy International in 2015 to challenge the legality of bulk surveillance by the security and intelligence agencies.
Documents later disclosed by MI5 during a case brought by Liberty showed that MI5 had sought and obtained bulk interception warrants on the basis of misleading statements.
Speaking after the hearing, Ilia Siatitsa, programme director and legal officer at Privacy International, said: “There appears to be systematic failure by MI5 to comply with human rights standards.
“For more than a decade, MI5 has been collecting vast troves of our personal information while documents today reveal that they knew that there were serious risks of compliance.”
Because of Covid restrictions, lawyers, journalists and observers joined the case through a telephone conference line, but had difficulties hearing the full proceedings.
MI5 had compliance problem from at least 2014
Documents disclosed in court showed that MI5’s management board was aware of compliance risks in what it called the “technical environment (TE)” from at least 2014.
Summarised minutes of a management board meeting from that year showed that MI5’s record, retain and delete (RRD) policy had not been applied to much of MI5’s data and that the agency kept a “vast amount of data” that was not needed.
A year later, an internal report warned that MI5 was holding data unlawfully and that it had “undoubtedly” retained material that “should have removed from the [IT] estate”.
MI5 had put in place a plan to remedy information management risks “inherent in the system”, following a major compliance failure in the agency’s technical environment by October 2016, according to a previously secret report.
The plan led to partial mitigations of some key areas of risk on its completion, but the report warned that not enough had been done to ensure this “legacy risk doesn’t increase” in the future.
“In the context of information management, our limited understanding of what is on the system means we are unable to apply effective review, deletion and discovery techniques,” it said.
Thomas de la Mare QC told the court that although MI5 was required to make “full and frank disclosure” to the secretary of state when requesting surveillance warrants, it had failed to do so until February 2019 at the earliest.
“MI5 made two mistakes by saying that everything was tickety-boo and that there were no facts the secretary of state should be made aware of,” he said.
The security service also failed to fully report its compliance problems to its regulator, the Investigatory Powers Commissioner (IPC), de la Mare told the court.
“Notwithstanding knowledge at the highest level at MI5, MI5 did not report the issue, and when it reported the issue to the IPC, it was not full and frank,” he said.
“There does appear to be a conscious or reckless decision within MI5 not to disclose the totality of the compliance problems they had.”
Under the Regulation of Investigatory Powers Act, that failure meant all warrants were invalid, said de la Mare.
“MI5 had a compliance problem, they knew they had a compliance problem, they told no one at all – or no one adequately – about the compliance problem and they obtained warrants without disclosing a compliance problem,” he said.
MI5 did not warn home secretary of risks
The NGOs argued that then home secretary Rudd failed in her duty to make proper enquiries after the spy agency informed her that there were serious risks that it may not be compliant with legislation in 2016.
MI5 wrote to Rudd in December that year, warning that there was a “relatively longstanding” risk that MI5 was not compliant with the “relevant legislation” on information handling. It rated the risk as “red” – the highest risk category.
The then director general of MI5, Andrew Parker, apologised to Rudd for the errors following a meeting with her on 23 January 2017, according to previously classified documents.
Parker told Rudd that the agency had started a programme to strengthen MI5’s processes and to prepare for the introduction of the Investigatory Powers Act 2016.
In March, MI5’s deputy head wrote to the home secretary, again reporting that there was a “very high” risk that MI5 was not complaint with its statutory obligations, particularly on information handling, and that there was a risk of “substantial legal/reputational damage”.
By October, the Home Office was aware that MI5’s timetable for reducing the risk from red (very high) to orange (high) has slipped from late 2017 to mid-2018.
In December, MI5 again alerted the home secretary to the “red” risk that MI5 did not comply with statutory obligations. It said the rating reflected the long-term challenge of ensuring compliance with legal and other obligations.
De la Mare told the court that MI5 had also failed in its “duty of candour” by failing to disclose relevant information on its compliance to the Investigatory Powers Tribunal (IPT) during earlier litigation brought by Privacy International and Liberty.
Tribunal not a ‘state trial’
Privacy International and Liberty argued that they should be allowed to amend their legal pleas following MI5’s disclosure of a significant number of documents at short notice before last week’s hearing.
The move was opposed by the government, which argued that the tribunal was not meant to police the system – that job belonged to the IPC – and that the court should not engage in a “state trial”.
Sir James Eadie QC for the government argued that allowing the NGOs to change their pleas to introduce “full and frank disclosure” as a full-blown argument would delay the proceedings.
“It is a pretty serious allegation and one that would need to be responded to accordingly,” he said.
Eadie said that the secretary of state and those responsible for issuing warrants had already acknowledged that they had issued warrants without knowledge of the facts. “That is an admission of unlawfulness,” he said.
“This is not a state trial. This is not an exercise in the tribunal being invited in an open way to investigate all technology failures.”
Eadie said the IPT was not the “policeman of the system” – that job belonged to the IPC.
Speaking after the case, Siatitsa said MI5 had told the IPT in 2015 that it had robust procedures in place to protect data collected about the population.
“MI5 guaranteed that robust safeguards were in place so that such data would be safe and protected,” she said. “Yet it turns out that those safeguards were in some cases illusory and MI5 has known that for a very long time.”
The trial is now expected to be held in May or June 2021.
The case continues.