UK counter-eavesdropping agency gets slap on the wrist for eavesdropping

The UK National Authority for Counter-Eavesdropping (UK NACE) has been criticized by Britain’s investigatory powers watchdog after unlawfully (and unsuccessfully) attempting to eavesdrop to uncover a journalistic source.

UK NACE is tasked with protecting the country’s most sensitive information and sites both in Britain itself and in embassies around the world. As part of this duty, the agency was given new powers back in October 2021 to acquire communications data — the legal term for metadata — in the interests of national security.

The new powers came with increased oversight. According to the 2022 annual report of the oversight body — the Investigatory Powers Commissioner's Office (IPCO) — published Monday, UK NACE had a “a high incidence of errors” and the agency was acquiring communications data without the appropriate authorizations.

“Of most concern, we identified five authorisations (resulting from one single tasking) to identify a journalistic source in respect of which UK NACE had failed to seek the requisite approval from a Judicial Commissioner,” stated the IPCO report.

Despite the lack of the necessary approval — intended to be a crucial safeguard for protecting journalists’ sources — UK NACE was successful in acquiring this data, although it was not able to identify a journalistic source.

The nature of the investigation was not disclosed. IPCO’s report stated that 49 applications were made by public authorities in 2022 to acquire data that related to confidential journalistic material. There were 31 further applications to identify a journalistic source. IPCO does not provide details on the nature of these applications, nor on whether the applications were successful.

“Although the non-compliance was serious in failing to seek the requisite approval from a Judicial Commissioner, no serious error had occurred within the meaning of the IPA and there was no affected person for us to notify,” noted IPCO.

The issue was due to “a lack of awareness, training and support structures, rather than any bad faith” according to the commissioner himself, Sir Brian Leveson.

But the report states Leveson was “so concerned by the inspection findings that he concluded that UK NACE, at that point, was not competent lawfully to exercise its powers without close supervision.”

The agency’s powers to authorize its own attempts to acquire data was subsequently suspended, and that UK NACE would instead have to apply to the Commissioner before being able to execute a warrant to acquire the material it sought.

According to the annual report, UK NACE was re-inspected in December 2022 and found “considerable effort” had been committed to address the failings. The agency resumed its internal authorization process in January 2023.

A government spokesperson said: “We are confident in the ability of UK NACE to authorise activity that is lawful and proportionate.

“UK NACE cooperated with the Commissioner, addressing his concerns as soon as they were identified, and significantly improving staff training and internal processes as a result.

“These steps gave the Commissioner the confidence to restore UK NACE’s powers of self-authorisation.”