GCHQ was rebuked for ignoring spy law safeguards as pandemic hit Britain

Former foreign secretary Dominic Raab rebuked GCHQ for secretly halting internal compliance audits that ensured the spy agency was obeying the law, a government report has revealed – while just 0.06 per cent of spying requests made by Britain’s public sector were refused by its supposed overseer.

GCHQ’s unilateral decision to stop recording audit data was because of the COVID-19 pandemic, it insisted when inspectors from the Investigatory Powers Commissioner’s Office (IPCO) discovered it three months later in July.

“One of the measures which had been temporarily suspended concerned the internal audit of necessity and proportionality justifications written by analysts to justify their selection for examination of bulk data,” said IPCO in its 2020 annual report, published last week.

Although the snoopers of Cheltenham claimed they always intended to produce the audit reports, delivering them by October 2020, IPCO said neither it nor the former foreign secretary (GCHQ’s ministerial boss) was impressed.

Explaining how GCHQ’s COVID excuse “deviated from our expectations,” IPCO said: “The IPC and the Foreign Secretary made clear to GCHQ that, in future, they expect GCHQ to inform them of any changes relevant to the handling of warranted data.”

Raab’s two-year tenure as foreign secretary was unremarkable until a failure to return from his holidays as Britain beat a hasty exit from Kabul at the end of its Afghanistan War defeat earned him a ministerial demotion in September 2021. He is now justice secretary.

Snippets from the report

Praising the public sector’s “strong culture of compliance,” IPCO broadly gave domestic snoopers a pat on the back and said they were all doing brilliantly.

Out of 20,632 applications for approval, IPCO said no in just 12 cases – a rate of 0.06 per cent. This extraordinarily low rejection rate calls into question IPCO’s independence of public-sector spies, summoning the 2018 spectre of a judge telling spy agency lawbreakers he was “anxious to assist” them despite being repeatedly lied to.

Surrey and Sussex Police were both using Google Play Store call recording apps to engage in “widespread, indiscriminate and arbitrary” surveillance of innocent members of the public. Hundreds of paranoid police workers were covertly recording their every phone call with ordinary people “to record by way of anticipation anything that might happen.” IPCO slapped the two forces on the wrist and told them not to do it again.

Public-sector agencies (not identified by IPCO, but which could be anything from MI5 down to local councils, under the Snoopers’ Charter) asked IPCO 25 times for permission to hunt down and identify journalists’ confidential sources. Another 29 journalists were spied on with the Investigatory Powers Commissioner’s knowledge and approval.

Around 1,000 targeted equipment interference (TEI) authorisations were issued during the year, up from 850 in 2019. TEI warrants are issued for police and other domestic state-backed hacking, known by the euphemism “equipment interference” within the public sector. Such hacking targets everyday devices such as PCs, phones, and tablets. Most police forces weren’t deleting data harvested from TEI hacking, IPCO having to remind them to do so.

Meanwhile, MI5 admitted to making 25 errors in targeted interception (TI) authorisations, TI being snooping on live conversations. The agency’s poor record of legal compliance continues from previous years, with IPCO uncovering double the number of errors when compared with foreign spy agency MI6 and GCHQ. Year-on-year trends weren’t a reliable comparison because of the effects of COVID on auditing and reporting, said IPCO.

The Investigatory Powers Commissioner himself, retired senior judge Sir Brian Leveson, has held his post since 2020, having opened his tenure by approving the mass interception of British criminal suspects’ instant messages by foreign police forces.

Leveson’s judicial juniors in the High Court later endorsed his decision, notwithstanding that French and Dutch police had bluntly told their British counterparts they didn’t care whether or not they were given permission to slurp up messages in the UK. Confronted with a status-hurting loss of face if it didn’t play along, the National Crime Agency (NCA) blinked and agreed to ignore inconvenient UK laws.

Criminal convictions came thick and fast in the resulting Encrochat cases, helped by the Court of Appeal deciding to protect the NCA from Encrochat evidence supplied by foreign police being ruled inadmissible. While the ends were laudable, the means were indubitably grubby.

IPCO showed some signs last year of robustly challenging lawbreaking by MI5 in particular but it risks acting like a British version of the notorious FISA rubberstamping operation, where a secret American court approved every single surveillance “request” made to it for a quarter of a century. If IPCO is really concerned with upholding the law or even protecting the general public, it needs to show more teeth. ®