ra2 studio - stock.adobe.com

Counter-eavesdropping agency unlawfully used surveillance powers to identify journalist’s source

More than 750 journalists had their communications data accessed by law enforcement and government agencies between 2018 and 2022

A UK government agency responsible for securing intelligence agencies, armed forces, embassies and other parts of government against electronic eavesdropping unlawfully used surveillance powers in a failed attempt to identify a journalist’s confidential source.

An inspection report found that the UK National Authority for Counter-Eavesdropping (UK NACE), which reports to the Foreign Commonwealth and Development Office, had routinely acquired communications data without “appropriate authorisations” in place.

The failures, revealed in a report published by Investigatory Powers Commissioner Brian Leveson this week, led him to the “extraordinary measure” of asking for the suspension of UK NACE’s internal powers to authorise its acquisition of communications data.

According to Leveson, of the failings identified “of most concern” was the discovery that UK NACE had issued five authorisations for communications data to identify a journalistic source without seeking approval from a Judicial Commissioner, a legal requirement of the Investigatory Powers Act (IPA) 2016.

The Annual report of the Investigatory Powers Commissioner 2022, published this week, reveals government agencies and law enforcement routinely use investigatory powers to access journalists’ communication data, potentially putting their sources at risk.

Between 2018 and 2022, government and law enforcement agencies accessed communications data belonging to 750 journalists. The number of journalists targeted each year has fallen sharply since 2020, likely in response to the introduction of “significantly enhanced safeguards” for journalists in 2019.

According to the most recent figures, government organisations applied for 31 warrants to identify journalistic sources in 2022, and successfully made a further 30 applications for communications data to identify or confirm journalistic sources. Government agencies also made 49 applications for warrants to use surveillance powers to obtain confidential journalistic material that could disclose confidential sources.

Inspection of UK NACE found high incidents of errors

In October 2021, the Investigatory Powers Commissioners Office (IPCO) inspected UK NACE, based in Hanslope Park in Milton Keynes, known as a sister site to the Bletchley Park code-breaking centre during the Second World War.

In September 2021, the government granted UK NACE powers to access communications data – which can include details of who people spoke with or exchanged messages with, their location and what internet sites they have visited – for national security purposes.

The inspectors found that while UK NACE had not used its powers to obtain communications data frequently, a “high incidence” of errors and certain forms of communications data “were routinely being acquired without the appropriate authorisations being in place”.

The Commissioner found the failings were due to a lack of awareness, training and support structures. They meant that UK NACE was not competent to authorise itself to access communications data.

Read more about surveillance of journalists and investigatory powers

Levenson wrote: “During the inaugural inspection of UK NACE in late 2021, we identified a number of errors relating to the acquisition of communications data. This led me to conclude that the authority was not competent lawfully to exercise its internal authorisation powers until sufficient measures were put in place to address these serious issues.”

He told UK NACE and the FCDO “an extraordinary measure was required”, and that UK NACE’s internal authorisation powers should, “in effect, be suspended”.

Under an agreement, Levenson arranged to personally review any future applications by the anti-eavesdropping body to access communications data, while UK NACE took action to improve its controls and governance.

In December 2022, IPCO found that the FCDO and UK NACE had expended “considerable effort” to address the failings identified over a year earlier, but further action was needed to ensure UK NACE had access to dedicated legal advice to enable it “to operate compliantly and confidently”.

“We were, however, satisfied that UK NACE had made sufficient improvement to processes, controls and governance, as well as its understanding of the requirements of the IPA, to restore the IPC’s confidence that it will operate compliantly,” the report found.

UK NACE was given back its powers to internally authorise the collection of communication data from telecom operators in January 2023.

The agency is one of three National Technical Authorities in the UK, alongside the National Protective Security Authority, which identifies risks to the UK national infrastructure, and the National Cyber Security Centre, part of GCHQ.

Read more on Endpoint security