MI5 still risks breaking the law on surveillance data through poor controls – years after it was first warned MI5's storage of personal data on espionage subjects is still facing "legal compliance risk" issues despite years of warnings from spy agency regulator IPCO, a Home Office report has revealed. The sustained legal issues even triggered a Parliamentary statement by Home Secretary Priti Patel, revealing that the domestic spy …
Sounds like a printout in an unlocked desk drawer, not even a basement filing cabinet or leopard notices.
I hope they don't employ cleaners with funny accents.
The way they drag their feet on implementation of 'compliance' rules is a clear sign they regard them as an unnecessary imposition.
Personal-use PCs, departmental servers, shadow-IT, project shared network drives, uncontrolled sharepoints. All, probably, completely secure with the required user access controls, but no monitoring, auditing or timely deletion of the data stashed there.
Sound familiar to anyone?
https://www.wired.com/1999/01/sun-on-privacy-get-over-it/
https://www.bloomberg.com/features/2018-palantir-peter-thiel/
https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules
.....and that's only three links....how many do I need? How many "government reports" do I need?
If that list of "Recommendations MI5 hasn't complied with" is it, then what the problem? Unless I'm missing something, that little lot boils down to "MI5 can't prove everyone has had all the most recent legal training" (points 2 and 3), "MI5 haven't thrown a bucketload of money at the lawyers" (point 4) and "MI5 haven't handed information to the civil service that could be used to identify sources when (not if) someone flaps their gums because they disagree with something Box or the Government did and want to embarrass them without giving a damn about giving away secrets" (point 11).
If that really is the sum of the things that have got the pencil-pushers at the Home Office in such a tailspin then they should be ashamed of themselves - which is more important, trying to keep the streets safe for everyone or proving that James Bond can quote Section 3, Subsection 4, Paragraph 5, points 3-17 of the Terrorist Protection Bill and knows not to copy-and-paste from one warrant request to another (and just how many ways are there to say "We know this person is up to no good but we need to prove it before the do-gooders set them free on a technicality - and the blighter goes off and does something a tad unpleasant")?
Besides, since when did completing the paperwork prove anything? Last I heard, civil servants were supposed to be bound by all sorts of confidentiality and secrecy legislation but that doesn't stop them gobbing off when someone says something they don't like...
I can imagine an environment that rewards individuals for quick actions and information.
The law says that only suitable qualified and trained staff, can access certain data, with appropriate safeguards. It's not a trivial environment, multiple early staff were caught stalking their partners, ex-partners and ex-partners new partners.
The whole point of training and oversight, was to ensure that those accessing secret information, were doing so for a valid reason, within valid timelines and responsibly deleting that information after. No training = less likely to achieve prosecution later on (if you haven't done the training, you cannot be held to the same legal standard, since it hasn't been spelled out to you)
If you cannot demonstrate this, then you cannot continue to practice.
Whether they really need more legal help, I cringe at throwing more money at lawyers, as I am sure that the internal compliance teams and engineers are more than capable of doing their jobs properly, it is probably more about whether they really have the desire to do so.
PS I laughed at "using boiler plate language", but surely that's the point? You use legal templates for such things?
To: not.known@this.address
Quote: "...which is more important, trying to keep the streets safe for everyone..."
Last time I looked EVERY RECENT OUTRAGE was done by someone "already known to the authorities".
What was that you said about "streets safe"? Even when a known, convicted terrorist is released from jail, under license, the "authorities" pay no attention and three people are harmed!!!!!
So.......to your point, the "authorities" are breaking the law and not keeping us "safe" either!!!!! Fantastic value for taxpayers!!!!!
AC, "EVERY RECENT OUTRAGE" was also committed by someone who claimed to be committing their crimes because of their religion. Are you suggesting that the people who say the authorities should not be allowed to monitor people who follow certain religions might be wrong? (Note: yesterday, literally billions of Muslims did NOT commit atrocities. What does that say about those who use their religion as an excuse?)
And which is why I said "...TRYING to keep the streets safe..." - the Security Services don't have access to 'Minority Report'-style precognitives so have to rely on the limited resources they have available. Diverting more people and (taxpayer, as you pointed out) money to box-ticking and away from the reason they exist in the first place (protecting us) doesn't seem a fair trade to me. It's hard enough to keep the training records for a department of 150 people in an office building up-to-date, how hard do you think it is for an organisation the size of MI5 to keep everybody and their records up to date - especially when some of those people are not exactly in a position to attend the latest Equality and Diversity training on why it is a Hate Crime to "mis-gender" someone - do you have evidence of exactly which training has or has not been signed off because there is a huge difference between the ins and outs of GDPR and the evacuation procedures for the specific building you work in - except both are only a checkbox on the Training Record... and either counts as a "fail" in the report.
As for terrorists being out of prison "under licence", do you really know what that means? The UK is both fortunate and unfortunate to have a legal system where convicted criminals in prison can be granted parole *if they promise to obey the law in the future*. Fortunate because people who have genuinely seen the error of their ways and will be law-abiding citizens from now on can be released early as a gesture of good faith - if they break the law again before their original sentence would have been served, back they go. Unfortunate because people can - and do - promise to behave but then go straight back to their life of crime. What do you suggest, punish those who have reformed simply because there will always be people who cannot "play well with others"?
'did not have "a culture of individual accountability for legal compliance risk"'
Although endemic, the concept of "compliance risk" is utterly flawed. In essence it means no more than "risk of getting penalised". The real risk of non-compliance (in the broadest terms) is that some improper act becomes an accepted norm or that some third party suffers harm. So it's typically an externality to the non-compliant unless they get caught.
So what is "compliance" for? There are two obvious answers:
[1] to satisfy a regulator or auditor in order to have q quiet life;
[2] to ensure that something that should be done is done properly so it actually delivers what is required, or ensure that something improper does not occur.
Guess which is the most common interpretation. I'm not awarding any medals.
#1 is more common, but I have worked for companies than perform #2.
It is surprising, that for something as important as "are we making a good product and are we competent at our jobs" the amount of effort put into compliance is basically box ticking for most.
It is bizarre how many great ideas come out of simple tools like DFMEA and VSM concepts. Even simple things like asking your engineers "stop fixing problems when they fail, spend the day looking for the obvious things that will go wrong and fix them in advance".
It appears that Britain's spy agency overseer has grown teeth — and while the law may not be perfect, bringing MI5 into line with it is a victory for the Investigatory Powers Commissioner.
That is as may be, but whenever the law is an ass, MI5 and others of a similar ilk are free to do as they please in service of security of the realms in which they are expected and assumed to excel ........ otherwise they be practically fcuking useless and of no real help to anything sovereign and in need of protection against foul forces and putrid sources.
And surely one would fully expect and accept that as logical and much to be ...... well, quietly applauded is quite apt given the spooky nature of their core businesses.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
