The terror alert email service being offered by the British secret service is not secure, according to Spy Blog, a libertarian organisation that monitors security and surveillance developments.
MI5 launched an email alert service on Tuesday which informs subscribers of any changes to the national security threat levels. However, a Spy Blog investigation claims to have found that subscriber details will be sent out of the country, unencrypted, to a server based in the US.
In a process Spy Blog describes as "a shambles", subscriber names, addresses and email addresses are collected on an SSL-encrypted web form. However, the information collected is then sent unencrypted to a UK-based digital marketing company called Mailtrack, via America.
While Spy Blog says that the information going to Mailtrack is "not necessarily a bad thing", the organisation objects to the information being sent unencrypted to and processed by a Level 3 web server physically located in California — outside the jurisdiction of the UK government. Level 3 is a large US internet service provider. Moreover, Spy Blog believes that another third party, WhatCounts.com, seems to provide the back-end email list marketing software.
As the information is not encrypted, Spy Blog claims that "any ISP or telecoms network administrators, or the governments of the USA or perhaps also of Canada, can snoop on this MI5 email subscription traffic with impunity". Spy Blog claims this process contravenes the Data Protection Act.
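The pattern Spy Blog describes, an SSL-encrypted sign-up form whose data then travels in the clear to a third party, is easy to check for on any subscription page. The following is an added example, not code from the article or from MI5's service; it assumes (the article does not say) that the onward hop is visible as the form's submission target, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action and method of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower()})


def audit_forms(page_url, html):
    """One finding per form: where submitted data goes, whether that hop is
    encrypted (https), and whether it stays on the page's own host."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"])  # empty action posts back to the page itself
        parts = urlsplit(target)
        findings.append({"target": target, "method": f["method"],
                         "encrypted": parts.scheme == "https",
                         "same_origin": parts.hostname == page_host})
    return findings


# Constructed sample: an HTTPS-served page with one form posting back to the
# same host and one posting subscriber details in the clear to a third party.
SAMPLE_PAGE_URL = "https://example.gov.uk/alerts/subscribe"
SAMPLE_HTML = """<html><body>
<form method="post" action="/alerts/subscribe"><input name="email"></form>
<form method="post" action="http://lists.example-marketing.test/subscribe.cgi">
  <input name="email"><input name="name"></form>
</body></html>"""


def cleartext_targets(page_url=SAMPLE_PAGE_URL, html=SAMPLE_HTML):
    """Targets that would receive the form data unencrypted."""
    return [f["target"] for f in audit_forms(page_url, html) if not f["encrypted"]]
```

A form on an HTTPS page is only as private as its `action` target: the browser's padlock says nothing about where the data is posted next.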
"There is nothing particularly wrong in using a commercial email service for these MI5 email alert lists, except for the fact that this United Kingdom National Security system is being run insecurely in a foreign country, and ignoring some of the built-in standard SSL protections which these services are perfectly capable of offering," said Spy Blog.
"We will not be surprised if the entire list of MI5 email list subscribers is stolen in transit or obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts," Spy Blog continued.
The Cabinet Office, which is handling press inquiries on this issue, was not immediately able to comment on Spy Blog's claims.
Spy Blog said it is highly likely that there are logfiles of all of the transactions in this mailing list subscription, un-subscription, confirmation email and confirmation web link access process, all of which are outside of the direct control and protection of the UK government.
Spy Blog said that this information may even be the legal property of these US companies, meaning they are legally free to use the information for direct marketing purposes. It also claimed that it is certainly at risk of being legally handed over, en masse, to the US authorities.