MI5, the UK’s domestic security and counter-intelligence agency, has “lost control” of mass data sets, with a government lawyer admitting to a court this week that MI5’s description of the problem as “compliance difficulties” was a “misleading euphemism”.

MI5 has the authority under the Investigatory Powers Act (IPA) – under warrants issued by “Judicial Commissioners” – to carry out “bulk surveillance”: effectively harvesting mass data sets, including browsing history, for potential investigations in the future.

The IPA stipulates certain data handling obligations. But in a remarkable admission to the Commissioner, a senior MI5 official acknowledged that personal data collected by MI5 is being stored in “ungoverned spaces”, while the MI5 legal team claimed there is “a high likelihood [of material] being discovered when it should have been deleted.”

The Investigatory Powers Commissioner, Lord Justice Fulford, concluded that the conduct of the UK’s leading security service is “undoubtedly unlawful”. Lord Fulford was first made aware of the compliance risks identified by MI5 at an oral briefing meeting on 27 February 2019. A team of his inspectors then spent a week in MI5 investigating the extent of the compliance risks that had been identified.

MI5 Data Storage Scandal: What is an “Ungoverned Space”? 

MI5 has not disclosed what it means by an “ungoverned space”.

Liberty, the civil liberties NGO, which has led a sustained legal challenge of the IPA, told Computer Business Review that the term was one used by MI5 and it could not offer further insight into precisely what MI5 meant by the term.

Some details of the IPA data guideline breaches were revealed in a series of 10 documents and letters from MI5 and the Investigatory Powers Commissioner’s Office (IPCO) during the course of Liberty’s ongoing legal challenge to the IPA.

Julian Milford, counsel for the Home Office and Foreign Office, told the high court on Tuesday: “We accept that this is material that discloses compliance risks with MI5.”

As the Guardian reports, he said: “Without seeking to be emotive, I consider that MI5’s use of warranted data … is currently, in effect, in ‘special measures’ and the historical lack of compliance … is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’.”

Home Secretary Sajid Javid said in a May 2019 written statement to Parliament: “A report of the Investigatory Powers Commissioner’s Office suggests that MI5 may not have had sufficient assurance of compliance with these [IPA] safeguards within one of its technology environments. The report… into these risks concluded that they were serious and required immediate mitigation. The Commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner.”

“In response to the Commissioner’s report, MI5 have also taken immediate and substantial mitigating actions to address the concerns raised. Work to implement those mitigations is ongoing and is being treated as a matter of the highest priority, both by MI5 and the Home Office. This work is subject to review by the Investigatory Powers Commissioner to ensure that sufficient progress is being made.”

The Home Secretary added: “It is of course paramount that UK intelligence agencies demonstrate full compliance with the law.”

Liberty: “Unacceptable” Revelations

Megan Goulding, Liberty lawyer, said: “These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history.

“It is unacceptable that the public is only learning now about these serious breaches after the Government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner, who oversees the Government’s surveillance regime.”

Etienne Greeff, CTO and co-founder at SecureData, told Computer Business Review: “What immediately occurs to me is the notion of ‘who will police the policemen?’ MI5 are in a position of power, but have evidently not been policed, or worse, ignored the policing that they are subject to. This demonstrates precisely why everyone needs to be incredibly careful when creating backdoors that provide a route to access data. How do we know that that backdoor won’t be used maliciously or illegally?”

He added: “It’s positive that MI5 voluntarily came forward to alert the right people about the data management issues they had. The bad news is that it was three years after they realised there were problems, and this is a major concern. If I could offer any advice to anyone that’s worried by this news, it would be that we must all realise that cybersecurity is not just the domain of a few techies – it’s everyone’s issue now. Collective action is needed not only to protect the individual, but society as a whole.”
