Home affairsLetter from Trevor Pearce QPM, Director General, Serious Organised Crime Agency, to the Chair of the Committee, 16 August 2013

Thank you for your letter of 7 August in which you ask a number of specific questions but also invite me to provide any further relevant information.

There has been some confused reporting over these matters in the media over the past few weeks and when we met on 30 July you said it would be helpful to have a full update on SOCA’s engagement on the issue of private investigators for when Parliament returned in early September. I have therefore taken the opportunity of not only providing answers to your specific questions but to update you more generally and to provide some further detailed information around issues that have been the subject of correspondence between SOCA and the Committee and subject to speculation by certain commentators.

We have also been in correspondence with Mr Clappison around related issues and attach copies of the letters we have received from him at Annex A. Rather than enter into a parallel series of correspondence I thought it would be helpful to respond to the points he has raised in this letter. So in this letter I will provide you with an overall background, answer yours and Mr Clappison’s specific questions and bring you up-to-date with events. You will see that I have attached a number of annexes, including a timeline detailing our engagement with the Metropolitan Police around the sharing of material from Operation Millipede. These provide a level of detail that I trust will reassure the Committee around SOCA’s engagement on these issues.

Project Riverside

Project Riverside commenced in March 2007 to look into the threat posed to the UK by corrupt private investigators providing services to serious organised criminals. Its report “The Rogue Element of the Private Investigation Industry and Others Unlawfully Trading in Personal Data” was issued by SOCA in 2008. It was essentially a snapshot examination as at the end of September 2007, of information from five law enforcement operations as well as additional information from the Information Commissioner’s Office (ICO). It detailed a range of methods used by certain elements of the industry to illegally obtain personal data and private information, including the technique known colloquially as “blagging”. The principal intent behind preparing the report was to inform debate about strengthening policy, legislation and law enforcement’s response to the issue. The one SOCA operation named in the report, Operation Flandria, was an intelligence development that did not include the gathering of evidence of clients and did not succeed in gathering evidence of criminal activity. Operation Gloxinia, also mentioned in the report, was a closed National Crime Squad operation where the clients of the private investigator were members of an organised crime group and where covert activity disrupted a threat to an individual. To name them would compromise the identity of the individual who was under threat. The remaining three operations referenced in the report were Metropolitan Police Service (MPS) operations. Operation Millipede, of which more in a moment, commenced after the report had been produced.

It has been puzzling to see commentary that SOCA had sought to “suppress” the Riverside report. While the report was appropriately classified at the time of its production because it contained sensitive operational information, the intent of SOCA in producing the report was to raise awareness amongst relevant partners of the issues it covered to enable mitigating action. Setting out the understanding of a problem in this way is a rudimentary driving principle behind law enforcement activity against the range of serious and organised crime. Such reports are not routinely published for obvious reasons, not least of which is the damage that can be caused by revealing to the criminal community what law enforcement knows and the need to protect sources. I accept that, of course, the value of setting out the problem in this way is confined to the extent to which the intelligence is used to tackle it. In this case, information drawn from the Riverside report was used to alert certain sectors about the risks posed by rogue private investigators. These included detailed case studies to show how social engineering (or “blagging”) worked; and an Alert jointly prepared with Ofcom and targeted at suppliers of security equipment and services. In addition, a “Manager’s Guide to Good Practice”, offering basic security advice for contact centre security and HR managers, was issued under Riverside in October 2007.

The report was made available to Lord Justice Leveson’s Inquiry in March 2012 and, with your agreement, a copy was produced to the Committee in April 2012 to inform its consideration of the private investigator issue. A redacted copy has been freely available on the SOCA website since 6 July 2012. The full report was made available to you in May 2012.

In addition, in 2008, SOCA worked with the ICO and the Ministry of Justice to strengthen the penalty under section 55 of the Data Protection Act to two years imprisonment although I understand this has not been commenced.

To assist the Committee I attach at Annex B a “Riverside timeline” to help set this work in context.

Operation Millipede

I now turn to Operation Millipede which commenced in July 2008; the first arrests were made in 2009 and the four defendants were convicted and sentenced on 27 February 2012 for committing fraud by false representation under offences defined in the 2006 Fraud Act.

The issues raised by the Committee’s specific interest in the clients of the private investigators convicted as a result of Operation Millipede have been characterised by some sections of the media as “blue chip hacking”. However, it is important to note that the main focus of Operation Millipede was around the use of “blagging”. There are different legislative penalties available to investigators and a lack of particularly dissuasive penalties for “blagging” under the Data Protection Act, as opposed to “hacking”. Operation Millipede was pursued under the 2006 Fraud Act. At the conclusion of the case the Information Commissioner issued a statement:

“If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day.”

During the course of the investigation SOCA worked closely with the ICO which provided specialist advice and expert evidence throughout. In early 2010 a recorded decision was taken by the Operation Millipede Senior Investigating Officer to refer all the Operation Millipede material, including that in respect of the clients, to the ICO at the conclusion of the Millipede prosecution. The ICO issued a statement following the sentencing which said:

“The scourge of data theft continues to threaten the privacy rights of UK citizens. We welcome today’s sentencing but note that the outcome of the case underlines the need for a comprehensive approach to deterring information theft. The ICO will be receiving additional case material from SOCA and would not rule out taking further action against the organisations that received information from these individuals if it becomes clear that they failed to comply with the requirements of the Data Protection Act.”

SOCA’s press statement issued at the time said:

“SOCA’s focus during the investigation was criminal conspiracy. However in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioners Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate.”

The information has yet to be passed to the ICO as it has first been made available to the MPS Operation Tuleta Team. However. SOCA has kept in touch with the ICO in the interim. I attach a timeline at Annex C which details SOCA’s engagement with the ICO over this period.

Operation Tuleta commenced before Operation Millipede concluded. Tuleta is not a reinvestigation of Millipede. Its terms of reference include to investigate criminal acts that intrude on individual privacy for journalistic purposes, that are not covered by the terms of reference for the MPS Operations Weeting or Elvedon. Operation Millipede was focussed on investigating the fraudulent acquisition of personal data by private investigators. Nevertheless, SOCA worked closely with the MPS to ensure that information from Millipede was made available to the Operation Tuleta team. Commander Basu and I issued a joint statement on the 12 July to clarify the position which you acknowledged had been very helpful when we met. However, I understand some further clarification is now required and I will deal with that under the specific questions you have raised. I attach a timeline, jointly agreed with the MPS, detailing the engagement between us at Annex D.

In response to a request from the Committee on 2 July SOCA produced a list of clients, known to SOCA, of the private investigators convicted as a result of Operation Millipede. While the information was available in the Millipede case files, and had been made available to the MPS as outlined in the timeline, it did not exist as structured lists in the form that were presented to the Committee prior to 2 July. While I don’t intend to repeat in full the reasons why SOCA has chosen to classify the lists, which were set out in our letters of 12 and 30 July, I would remind the Committee that we advised you of our intention to do so and received agreement that you were content to receive them on that basis.

As I made clear in my evidence in July, SOCA has been active in this space since its first year of operation, working to inform the debate around regulation of the industry; to help prevent potential victims from falling prey to rogue investigators; assisting in the strengthening of sanctions; working with the ICO on a landmark investigation and providing partners with information to allow them to carry out further investigations. I am satisfied that SOCA’s response has been proportionate given the range of its responsibilities and remit, as set by statute.

Specific Questions Raised in your Letter

I will now turn to the specific questions raised in your letter of 7 August:

1.How long has SOCA had the information contained in lists a, b, and c?

The lists were drawn up in response to the specific request from the Committee on 2 July; structured lists did not exist before then. The information that informed the lists was drawn from material gathered during Operation Millipede in 2009.

2.When did SOCA approach the Metropolitan Police and ask them to review the lists?

As you will see from the attached time line at Annex D, SOCA approached the MPS on 3 July and met with members of the Operation Tuleta team on 12 July to review the information and identify that which was subject to MPS investigation. Subsequently, we informed the MPS on 19 July that we were submitting the lists (referred to as Attachments A and B) to you.

3.Who made the decision to protectively mark the lists? Was it you and Sir Ian Andrews or another person?

This was an operational decision and, as is normal practice, the classification of material is initially carried out by the originator of the document. I was and am satisfied that the SOCA decision-making in classifying this material was correctly applied taking into account the Government Protective Marking System, legal advice and relevant legislation including the Data Protection Act.

4.Given that SOCA and the Metropolitan Police were working so closely together on this issue why was Commander Neil Basu only given the lists by you at 7pm on 30 July and only after he asked?

My understanding is that Commander Basu requested a personal copy of the lists to inform the response he was preparing to requests for information from the Committee. His office contacted SOCA on the afternoon of 30 July and a copy was hand delivered later that day. The information that informed the list was drawn from the material in Operation Millipede which had already been made available to the MPS in accordance with the timeline outlined in Annex D. Furthermore, the Operation Tuleta team had worked with SOCA agreeing the content of the lists.

5.Who made the decision to remove these particular live cases from the lists?

During the meeting on 12 July 2013 the MPS requested that the five clients be removed as they are currently under active investigation under Operation Tuleta.

6.What are the categories of the firms, organisations and individuals on list c?

I would ask that you direct that question to the MPS.

7.You told me when we met on 30 July 2013 in my office that four people had seen the lists. Are these four SOCA officials or Metropolitan police officers?

As I recall this came up in conversation in response to concerns you had that the lists may have already been leaked to the media. I was referring to the limited number of officials in SOCA who had been sent the actual list at that time. Of course. there are a wider number of SOCA officers who are aware of the information that informs the lists, in particular those involved in drawing them up.

8.It would be of use to the Committee if you could outline in a timeline the specific actions taken on this issue

Please see Annex D which has been drawn up with the MPS and represents the agreed timeline around the sharing of Operation Millipede information.

Mr Clappison’s Questions of 25 and 29 July

To provide a list of the clients of the private investigators in the closed operations referenced in Project Riverside (Barbatus, Flandria and Gloxinia) on the same basis as a list of clients as provided to the Committee in the case of Operation Millipede.

How many other clients of private investigators relevant to the matter besides the 102 are known to you? It would be very useful to know how many other clients there are.

Operation Flandria was an intelligence development that did not include the gathering of evidence of clients and did not succeed in gathering evidence of criminal activity. Operation Gloxinia, also mentioned in the report, was a closed National Crime Squad operation where the clients of the private investigator were members of an organised crime group and where covert activity disrupted a threat to a named person. To name them would compromise the identity of the individual who was under threat. The remaining three operations referenced in the report were MPS operations.

Also relevant to the matter, Operation Millipede identified 107 clients from material seized; five were excluded from the lists submitted to the Committee because they feature in MPS Operation Tuleta.

How many of the 102 clients have been arrested or charged?

SOCA has not arrested or charged any of these. Operation Millipede focussed on the prosecution of the private investigators. I would refer to the statement SOCA issued after the convictions in the operation:

“SOCA’s focus during the investigation was criminal conspiracy. However in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioner’s Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate.”

A recorded decision was taken by the Operation Millipede Senior Investigating Officer in 2010 to refer all the Operation Millipede material, including that in respect of the clients, to the ICO at the conclusion of the Millipede prosecution. The information has yet to be passed to the ICO as it has first been made available to the MPS Operation Tuleta Team.

Have any other clients been arrested or charged?

Not by SOCA.

How many of the subjects/victims about whom information was transmitted to the clients by the private investigators have been notified of these matters: is it planned to notify all the subjects/victims about this?

During Op Millipede, material was uncovered which indicated that 51 people, who were subject to investigations conducted by private investigators investigated under operation Millipede, appeared to have had their personal data fraudulently accessed. A further 49 people’s personal data were found but there was no specific evidence to show fraudulent access to personal data.

SOCA considered that these individuals had appeared to suffer intrusion into their private lives. They were notified that material had been uncovered during the investigation and that it might form part of the judicial process. It was not intended or required that they provided witness statements to form part of the prosecution case but that they could make a statement on the lines of a “victim impact statement”.

Letters were sent to those people whose addresses were available. 47 letters were sent to people in the first category:

(1)23 provided no response/reply;

(2)13 provided statements;

(3)four completed a questionnaire; and

(4)seven took no further action following an initial response.

44 letters were sent to people in the second category:

(1)36 provided no response/reply; and

(2)eight responded but did not provide statements.

Current Position and Next Steps

SOCA has kept in regular contact with the MPS and ICO over this issue. It has also had discussions with the Financial Conduct Authority and Solicitors Regulation Authority about future coordinated action.

Yesterday, SOCA chaired a meeting with the MPS and the ICO to discuss next steps, including the provision of the information to ICO. Work to achieve this is being taken forward in the coming weeks. SOCA will now convene a further meeting with the MPS and ICO to which other regulatory bodies will be invited. The aim will be to agree further coordinated activity.

As I mentioned at our meeting on 30 July, one of the main reasons for classifying the lists of clients passed to the Committee was to ensure that publication would not prejudice current investigations by the MPS or any possible regulatory action by the ICO or others. That process is moving forward and once it is concluded we will be in a position to review the classification. However, there will still be data protection issues to consider and I repeat the point that we are not alleging that the individuals or companies named on the list have or even may have committed a criminal offence.

I trust the foregoing is of assistance in helping to reassure the Committee around these matters.

Annex A

Letter from James Clappison MP, 25 July 2013

Dear Mr. Pearce,

Following your appearance before the Home Affairs Select Committee on 2 July and your transmission to the Home Affairs Select Committee of the names of a 102 clients of private investigators relevant to our enquiries, I would be most grateful if you could answer some further questions that occurred to me:

(1)Could you tell me how many other clients of private investigators relevant to the matters besides the 102 are known to you? It would be very useful to know how many other clients there are.

(2)How many of the 102 clients have been arrested or charged?

(3)Have any other clients been arrested or charged?

(4)How many of the subjects/victims about whom information was transmitted to the clients by the private investigators have been notified of these matters; is it planned to notify all the subjects/victims about this?

I am sure you will agree with me that it is very important to ascertain the full extent of these matters. I look forward to hearing from you.

Kindest regards,

 

James Clappison MP

Letter from James Clappison MP, 29 July 2013

Dear Sir Ian Andrews,

The Home Affairs Select Committee has been supplied with a copy of project Riverside which analyses the results of investigations into the activities of private investigators arising from Operations Barbatus, Flandria and Gloxnia. Some of these operations ha\C been closed for many years.

I would be most grateful if you could let me have a list of the clients of these private investigators in the closed Operations on the same basis as a list of clients as provided to the Home Affairs Select Committee in the case or Operation Millipede. I would also be most grateful if you could let me know the total number of the clients or private investigators in both the closed and open investigations.

I have taken an interest in these matters as a member of the Home Affairs Select Committee and I am anxious to obtain a full picture of what has happened; I am sure you will agree that there is a public interest in knowing as much about these circumstances as can be properly disclosed.

I am writing on the same basis, making the same request, to the Metropolitan Police for such information, as in their possession.

Kind regards,

 

James Clappison MP

Annex B

PROJECT RIVERSIDE TIMELINE

Project RIVERSIDE, and associated activity considered the threat posed to the UK by corrupt private investigators providing services to serious organised criminals.

March 2007—Project RIVERSIDE was tasked by SOCA under Programme of Activity 2 “Criminal business structures and logistics”, under the UK Serious Organised Control Strategy.

August 2007—Government consultation process launched on whether to regulate “Private Investigation and Precognition Agents.”

September 2007—Intelligence cut-off date for the SOCA report published in January 2008.

October 2007—SOCA issued an Alert to Contact and Call centres offering practical advice to HR and Security managers to maintain standards of data protection, given that the data held by Contact and Call centres is attractive to organised criminals.

January 2008—SOCA report “Private Investigators: The Rogue Element of the Private Investigation Industry and Others Unlawfully Trading in Personal Data” was produced.

End January 2008/early February 2008—SOCA report shared with Home Office and MPS.

July 2008—Discussions held with ICO on PIs and the related threat.

September 2008—SOCA issued an Alert to private sector organisations most affected by illegal activities conducted by Pls. This detailed the techniques used and key vulnerabilities. The release of the document was followed with a series of visits and interviews with senior security managers within the Telecom and Banking sectors.

September 2008—Announcement by Home Office Ministers to introduce the licensing of the private investigation industry.1

October 2008—SOCA had discussions with the Ministry of Justice about strengthening the penalty under s55 of the Data Protection Act to two years imprisonment to increase the risk to unlawful acquisition of data not captured under RIPA.

November 2008—SOCA hosted a multi-agency working group on licensing private investigators.

December 2009—SOCA made submissions to the MoJ consultation (CP22/O9) re the strengthening the penalty under DPA.

September 2010—Alert issued to the private sector detailing the threat of criminals, including private investigators, using social engineering to obtain personal information.

December 2011—Alert issued in collaboration with Ofcom, highlighting the risks of criminals obtaining surveillance, counter-surveillance, and protective security equipment to frustrate law enforcement, and seeking the reporting of suspicious activity.

March 2012—SOCA shared a copy of the 2008 report with the Assistant Solicitor to the Leveson Inquiry.

April 2012—Not protectively marked version was produced for the Committee.

May 2012—Report was made available to the Chair of the Committee.

July 2012—Not protectively marked version was published on the SOCA website.

July 2013—Full version of report, with a small number of redactions, provided to Committee at not protectively marked and published on SOCA website.

Annex C

TIMELINE OF ENGAGEMENT WITH INFORMATION COMMISSIONER’S OFFICE IN RESPECT OF OPERATION MILLIPEDE

July 2008: Operation MILLIPEDE commenced.

May 2009: ICO briefed by SOCA prior to arrests. ICO officers in attendance for some.

January 2010: MILLIPEDE SIO makes a recorded decision to refer all the Operation Millipede material to the ICO which has the appropriate regulatory powers, at the conclusion of the Millipede prosecution.

February 2010: SOCA and ICO meet to discuss MILLIPEDE material.

March 2011: ICO examines some Millipede exhibits and provide expert statement as to whether material constituted personal data under the Data Protection Act 1998 (DPA). ICO also provides expert witness statement concerning role of ICO and background information about the private investigation industry.

April 2011: ICO provides expert statement on DPA

May 2011: ICO provide statement regarding an individual who had contacted them claiming to have information relating to MILLIPEDE.

February 2012: Conviction and sentencing on MILLIPEDE. ICO issue a press statement.

April 2012: SOCA and ICO meet. Link to MPS investigation discussed. Decision to delay ICO action pending completion of this action.

July 2013: SOCA updates ICO that TULETA ongoing and reaffirms intention to supply data as soon as possible.

August 2013: Meeting with ICO to discuss potential timings for handover of MILLIPEDE material.

Annex D

TIMELINE OF ENGAGEMENT WITH METROPOLITAN POLICE SERVICE ON OPERATIONS MILLIPEDE AND TULETA

Set out below is a timeline of key points of engagement. It does not include all instances of working level discussion and communication, which was ongoing from the point of May 2011. Rather it focuses on the most significant events in terms of the relationship between MILLIPEDE and TULETA and those instances which have previously been of interest to the Committee or subject to commentary.

July 2008: Operation MILLIPEDE commenced.

March 2011: MPS begins scoping exercise looking at private investigators.

May 2011: SOCA contact with alleged victim of hacking.

May 2011: Meeting between senior MPS and SOCA representatives. Agreed to brief MPS on details of MILLIPEDE. MPS confirmed alleged victim was in scope.

June 2011: Request for access to Phillip Campbell-Smith’s hard drive(s) from MPS, and identification by SOCA of potential information of interest. SOCA provides forensically recovered digital material to MPS despite ongoing nature of activity on MILLIPEDE.

June/July: Two-way engagement regards to technical issues with MPS locating and examining material. Issues successfully resolved.

July 2011: MILLIPEDE case summary provided to MPS.

September 2011: SOCA offers access and copies of relevant MILLIPEDE material.

October 2011: Operational memorandum of understanding between SOCA and MPS agreed. This set out the way that requests for intelligence/information would be handled by SOCA, including on occasions when fast-time liaison is necessary.

October 2011: Meeting at which MPS provided overview of ongoing analysis of digital media provided to date and requested some technical advice of SOCA. Additional forensically recovered digital material provided to the MPS.

February 2012: Conviction and sentencing on MILLIPEDE.

April 2012: MPS provided with exhibit list and other evidential items from MILLIPEDE.

May 2012 onwards: Following agreement by SOCA to provide further support, as required, to TULETA, further evidential material is provided including, once the MILLIPEDE process is complete following confiscation proceedings in January 2013, original exhibits and copy exhibits as requested by MPS.

July 2013: Discussions lo draw up client list following request by Home Affairs Committee. SOCA approached the MPS on 3 July. On 12 July the lists of 107 clients was discussed with MPS officers, and five clients were removed at the request of the TULETA team. SOCA informed the MPS on 19 July that it was submitting the lists to the Committee, prior to providing the list of 102 to the Committee on 22 July 2013. Commander Basu requested a copy and was provided with it on 30 July.