The MI5 email alert service launched last week has been criticised for lax data security around the details of those who sign up.
A UK surveillance regulation campaign, called Spy Blog said it had traced the registration data being gathered back to third-party storage systems in the US.
It said the wholly contracted system was handled by mailing list management company Mailtrack and hosted on servers of a US e-marketing application service provider (ASP), What Counts. In addition, they discovered the sign-up procedure had no encryption safeguards, saying the data was vulnerable to the prying eyes of hackers and the US government alike.
Spy Blog made its discoveries on 9 January and said that, by Monday, the What Counts connection had been severed and encryption had been introduced to scramble subscribers’ sensitive data at the sign up stage.
According to coverage on the BBC News website, the Cabinet Office reportedly said it moved the data back to the UK to enable faster service delivery to subscribers and had planned to do so before Spyblog got involved, while allowing the Security Service access to the latest Mailtrack technology.
The Cabinet Office said: "We are confident that the technical arrangements for this service are entirely compliant with the Data Protection Act.” But Spy Blog said it would raise its concerns about the way the service had been set up to the Information Commissioner.