back to article MI5 still risks breaking the law on surveillance data through poor controls – years after it was first warned

MI5's storage of personal data on espionage subjects is still facing "legal compliance risk" issues despite years of warnings from spy agency regulator IPCO, a Home Office report has revealed. The sustained legal issues even triggered a Parliamentary statement by Home Secretary Priti Patel, revealing that the domestic spy …

  1. Chris G Silver badge

    Storage areas within the environment

    Sounds like a printout in an unlocked desk drawer, not even a basement filing cabinet or leopard notices.

    I hope they don't employ cleaners with funny accents.

    The way they drag their feet on implementation of 'compliance' rules is a clear sign they regard them as an unnecessary imposition.

    1. Graham Cobb Silver badge

      Re: Storage areas within the environment

      Personal-use PCs, departmental servers, shadow-IT, project shared network drives, uncontrolled sharepoints. All, probably, completely secure with the required user access controls, but no monitoring, auditing or timely deletion of the data stashed there.

      Sound familiar to anyone?

      1. low_resolution_foxxes Silver badge

        Re: Storage areas within the environment

        You mean it's like every engineering department in the world?

  2. Anonymous Coward
    Anonymous Coward

    Move along....nothing to see here......

    .....and that's only three many do I need? How many "government reports" do I need?

  3. Anonymous Coward
    Anonymous Coward

    Excel-lent ?

    It's got to be hasn't it? They're storing all their secret data in Excel. Probably a very old version at that.

  4. not.known@this.address Silver badge

    Is that it?

    If that list of "Recommendations MI5 hasn't complied with" is it, then what the problem? Unless I'm missing something, that little lot boils down to "MI5 can't prove everyone has had all the most recent legal training" (points 2 and 3), "MI5 haven't thrown a bucketload of money at the lawyers" (point 4) and "MI5 haven't handed information to the civil service that could be used to identify sources when (not if) someone flaps their gums because they disagree with something Box or the Government did and want to embarrass them without giving a damn about giving away secrets" (point 11).

    If that really is the sum of the things that have got the pencil-pushers at the Home Office in such a tailspin then they should be ashamed of themselves - which is more important, trying to keep the streets safe for everyone or proving that James Bond can quote Section 3, Subsection 4, Paragraph 5, points 3-17 of the Terrorist Protection Bill and knows not to copy-and-paste from one warrant request to another (and just how many ways are there to say "We know this person is up to no good but we need to prove it before the do-gooders set them free on a technicality - and the blighter goes off and does something a tad unpleasant")?

    Besides, since when did completing the paperwork prove anything? Last I heard, civil servants were supposed to be bound by all sorts of confidentiality and secrecy legislation but that doesn't stop them gobbing off when someone says something they don't like...

    1. Graham Cobb Silver badge

      Re: Is that it?

      The point of the training is to make sure everyone understands that the law does not give them unlimited access to data! Data must be restricted in who can access it, and must be provably deleted in a timely fashion, not saved in case it is useful in the future.

    2. low_resolution_foxxes Silver badge

      Re: Is that it?

      I can imagine an environment that rewards individuals for quick actions and information.

      The law says that only suitable qualified and trained staff, can access certain data, with appropriate safeguards. It's not a trivial environment, multiple early staff were caught stalking their partners, ex-partners and ex-partners new partners.

      The whole point of training and oversight, was to ensure that those accessing secret information, were doing so for a valid reason, within valid timelines and responsibly deleting that information after. No training = less likely to achieve prosecution later on (if you haven't done the training, you cannot be held to the same legal standard, since it hasn't been spelled out to you)

      If you cannot demonstrate this, then you cannot continue to practice.

      Whether they really need more legal help, I cringe at throwing more money at lawyers, as I am sure that the internal compliance teams and engineers are more than capable of doing their jobs properly, it is probably more about whether they really have the desire to do so.

      PS I laughed at "using boiler plate language", but surely that's the point? You use legal templates for such things?

  5. Anonymous Coward
    Anonymous Coward

    Get a grip....the authorities are breaking the law.....and not keeping us safe either.....

    To: not.known@this.address

    Quote: "...which is more important, trying to keep the streets safe for everyone..."

    Last time I looked EVERY RECENT OUTRAGE was done by someone "already known to the authorities".

    What was that you said about "streets safe"? Even when a known, convicted terrorist is released from jail, under license, the "authorities" pay no attention and three people are harmed!!!!! your point, the "authorities" are breaking the law and not keeping us "safe" either!!!!! Fantastic value for taxpayers!!!!!

    1. elsergiovolador Silver badge

      Re: Get a grip....the authorities are breaking the law.....and not keeping us safe either.....

      And as you read deeper you learn that the perpetrators didn't even use encryption to communicate...

    2. not.known@this.address Silver badge

      Re: Get a grip....the authorities are breaking the law.....and not keeping us safe either.....

      AC, "EVERY RECENT OUTRAGE" was also committed by someone who claimed to be committing their crimes because of their religion. Are you suggesting that the people who say the authorities should not be allowed to monitor people who follow certain religions might be wrong? (Note: yesterday, literally billions of Muslims did NOT commit atrocities. What does that say about those who use their religion as an excuse?)

      And which is why I said "...TRYING to keep the streets safe..." - the Security Services don't have access to 'Minority Report'-style precognitives so have to rely on the limited resources they have available. Diverting more people and (taxpayer, as you pointed out) money to box-ticking and away from the reason they exist in the first place (protecting us) doesn't seem a fair trade to me. It's hard enough to keep the training records for a department of 150 people in an office building up-to-date, how hard do you think it is for an organisation the size of MI5 to keep everybody and their records up to date - especially when some of those people are not exactly in a position to attend the latest Equality and Diversity training on why it is a Hate Crime to "mis-gender" someone - do you have evidence of exactly which training has or has not been signed off because there is a huge difference between the ins and outs of GDPR and the evacuation procedures for the specific building you work in - except both are only a checkbox on the Training Record... and either counts as a "fail" in the report.

      As for terrorists being out of prison "under licence", do you really know what that means? The UK is both fortunate and unfortunate to have a legal system where convicted criminals in prison can be granted parole *if they promise to obey the law in the future*. Fortunate because people who have genuinely seen the error of their ways and will be law-abiding citizens from now on can be released early as a gesture of good faith - if they break the law again before their original sentence would have been served, back they go. Unfortunate because people can - and do - promise to behave but then go straight back to their life of crime. What do you suggest, punish those who have reformed simply because there will always be people who cannot "play well with others"?

  6. Mike 137 Silver badge

    "compliance risk"

    'did not have "a culture of individual accountability for legal compliance risk"'

    Although endemic, the concept of "compliance risk" is utterly flawed. In essence it means no more than "risk of getting penalised". The real risk of non-compliance (in the broadest terms) is that some improper act becomes an accepted norm or that some third party suffers harm. So it's typically an externality to the non-compliant unless they get caught.

    So what is "compliance" for? There are two obvious answers:

    [1] to satisfy a regulator or auditor in order to have q quiet life;

    [2] to ensure that something that should be done is done properly so it actually delivers what is required, or ensure that something improper does not occur.

    Guess which is the most common interpretation. I'm not awarding any medals.

    1. low_resolution_foxxes Silver badge

      Re: "compliance risk"

      #1 is more common, but I have worked for companies than perform #2.

      It is surprising, that for something as important as "are we making a good product and are we competent at our jobs" the amount of effort put into compliance is basically box ticking for most.

      It is bizarre how many great ideas come out of simple tools like DFMEA and VSM concepts. Even simple things like asking your engineers "stop fixing problems when they fail, spend the day looking for the obvious things that will go wrong and fix them in advance".

  7. 1752

    Other news..

    In other news, a bear shat in the woods.

  8. amanfromMars 1 Silver badge

    Something for the Grown-Ups in the Room

    It appears that Britain's spy agency overseer has grown teeth — and while the law may not be perfect, bringing MI5 into line with it is a victory for the Investigatory Powers Commissioner.

    That is as may be, but whenever the law is an ass, MI5 and others of a similar ilk are free to do as they please in service of security of the realms in which they are expected and assumed to excel ........ otherwise they be practically fcuking useless and of no real help to anything sovereign and in need of protection against foul forces and putrid sources.

    And surely one would fully expect and accept that as logical and much to be ...... well, quietly applauded is quite apt given the spooky nature of their core businesses.

    1. Anonymous Coward
      Anonymous Coward

      Re: Something for the Grown-Ups in the Room

      Exactly. The terrorists have decided they do not need to follow the laws that protect others - why should they have any of the protections that are guaranteed by the laws that applied to their victims?

  9. EnviableOne Silver badge

    evryone is overthinking it

    its just in standard S3 buckets that arent secured, and in the EU west region

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021