
Cabinet Office media spin over the MI5 email subscription data affair

MI5, the Security Service, have a statement on the What's New page on their website:

The Security Service does not have a Press Office and does not comment on intelligence matters. The Home Office issues statements relating to our work from time to time...

Why then, is the Cabinet Office handling the media spin over the MI5 email subscription data affair ? Home Secretary John Reid is the man who is meant to be politically responsible for any MI5 "not fit for purpose" issues, but the Home Office Press Office somehow seem to have managed to land the Cabinet Office with the job of trying to put a brave face on it.

According to the BBC:

Alert system dubbed a 'shambles'

By Mark Ward
Technology Correspondent, BBC News website
Last Updated: Monday, 15 January 2007, 13:19 GMT

[...]

A spokeswoman for the Cabinet Office said the changes made to the service, including bringing the data to the UK, were due to happen before SpyBlog investigated. This was to help cope with the large numbers of people signing up.

Approximately how many people have apparently signed up for this insecure service then ?

"Moving the data to the UK will enable faster e-mail delivery to subscribers,

How much faster exactly ? It may only take a fraction of a second longer for an email to be sent from, say, Seattle to London than from London to London. It could even be faster, for many internet users.

most of whom are in the UK

This email subscription list data should never have left the United Kingdom in the first place.

What about the millions of UK internet users with, say, hotmail.com or yahoo.com or gmail.com or aol.com email accounts, all hosted in the USA ?

and will enable the Security Service to use Mailtrack's latest technology." said a statement issued by the Cabinet Office.

This should have been installed and tested on an adequate number and specification of UK Government hosted machines to cope with the anticipated demand, and sanity checked for security and privacy vulnerabilities during the formal accreditation process required for connection to the Government Secure Intranet to Internet email gateways, used by UK Central Government Departments, before the system was launched to the public last Tuesday.

Does this wording imply that the Security Service has actually signed a contract with MailTrack this time ?

The Cabinet Office said: "We are confident that the technical arrangements for this service are entirely compliant with the Data Protection Act".

They may be compliant now that the system seems to be entirely within the United Kingdom, but they were in breach of the Data Protection Act from last Tuesday until Friday night.

We have written to the Information Commissioner about the Data Protection issues, and about what happens to the data and the webserver logfiles which are in the USA.

We have also written (but not via email !) to the Intelligence and Security Committee, who are meant to scrutinise MI5 on our behalf, and who were the ones who suggested a more open and less complicated Terror Threat Level status system in the first place.

Comments

What about the millions of UK internet users with, say, hotmail.com or yahoo.com or gmail.com or aol.com email accounts, all hosted in the USA ?

Well, since they are merely the recipients of this non-confidential data, it doesn't really matter.

