A computer specialist has filed a complaint to the Investigatory Powers Tribunal (IPT) after being told they had failed the vetting process just before starting work as a technology specialist at MI6’s London headquarters.
The IT specialist, who Computer Weekly is identifying as RP to protect their identity, claims the Secret Intelligence Service (SIS) failed to follow “procedural fairness” and “due process” when carrying out Developed Vetting (DV) for a full-time role at MI6’s London headquarters.
In a complaint to the Investigatory Powers Tribunal, RP claimed the vetting service was disorganised and delayed the vetting interview for three months – only moving forward because RP repeatedly intervened to politely ask for the process to be speeded up.
MI6 ultimately denied RP security clearance six months after their initial application for the job. However, the complaint alleges that vetting officers failed to take the basic step of following up on interviews arranged with people who had agreed to act as referees for RP, including a former police colleague.
RP, who is a member of the LGBT+ community, has also complained to the tribunal about multiple attempts to hack their email and social media accounts, made within days of disclosing details of the accounts to the vetting service.
Vetting service under fire
UK Security Vetting (UKSV), which provides security vetting services for the intelligence services and other government bodies, has previously been criticised by the National Audit Office for its “poor” performance.
The National Audit Office (NAO) found that UKSV had processed only 7% of Developed Vetting applications within the required time frame, and relied on outdated unreliable computer systems, which lacked capacity, were too slow and required extensive manual workaround, according to a 2023 report.
A government spokesperson told Computer Weekly it had addressed the issues raised by the NAO report and had made “significant improvements” to vetting procedures, with 97% of vetting applications being completed “in line with agreed timelines”.
RP, an experienced software engineer and team leader, who has worked in private and public sector roles previously, passed Developed Vetting for a senior role in MI6 in 2009 and was surprised not to have passed vetting in 2024.
In a complaint to the IPT, RP argued that the SIS and UKSV failed to follow government guidance, which requires an assessor to take into account “all relevant information obtained during the vetting process” before making its decision.
“A salient point of this appeal is that none of the character referees that SIS’s vetter asked me to set up meetings with reported being contacted to provide a reference. These included senior civil servants and former colleagues in the police service,” according to the complaint.
RP said in the complaint that they have no way of knowing what, if any, information led to SIS’s decision not to grant security clearance, but it was clear the vetters had not followed government guidance.
“It seems clear at a minimum that failing to balance any such adverse information (of which I cannot be aware) by even bothering to speak with the referees they asked for is a clear breach of the guidance,” RP wrote in the four-page complaint.
SIS gave ‘no reasons’ for vetting refusal
The complaint also stated that SIS’s Developed Vetting process failed to follow government guidance that states “when security clearance is refused, individuals must be informed and provided with reasons where possible”.
However, in a letter to RP from “FCO Services” in October 2024, a government recruitment agent told RP: “I regret that we are unable for national security reasons to provide feedback on decisions not to grant DV.” The letter also contained no information on how to conduct an internal or external appeal.
According to the complaint, it appears the vetting officer may have used “national security” as an “excuse” for failing to complete the Developed Vetting process, or may have made a biased or irrational decision without investigating “all of the pertinent facts”.
RP has also raised questions about the refusal letter, which arrived on an “FCO Services” letterhead when the Foreign and Commonwealth Office had been renamed The Foreign, Commonwealth and Development Office (FCDO) following its merger with the Department for International Development in 2020.
“The lack of accuracy and care in evidence by these mistakes was reflected in the more general lack of accuracy and care taken by this department in carrying out its vetting function lawfully and in accordance with the guidance. If they can’t even get their own name correct, how can they be trusted to get important details right about candidates for DV clearance?” the complaint stated.
Applicant hit by cyber attack
RP applied for an IT position with SIS, based at its London headquarters in Vauxhall Cross, in April 2024. By late June, RP had completed interviews and been offered a role. It took a further three months for SIS’s vetters to arrange a Developed Vetting interview, but only after RP had to “regularly lean” on the parties to get the process moving.
RP told recruiters in an email that they had traced the IP address used to compromise their Facebook Messenger account to a US address linked to the Russian Federation
During an interview on 4 October 2024, RP mentioned that they used an alias to communicate with an elderly relative on Facebook Messenger during lockdown. Some weeks later, RP reported that the social media profiles they disclosed during the vetting interview were subject to repeated attempts by third parties to gain access.
RP was able to trace some of the IP addresses used in the attacks to the Russian Federation, some to Vietnam, while most of them came from the US. The only successful attack gained access to the email RP had set up as an alias to communicate with the elderly relative.
The IT specialist stated in the complaint that the social media accounts targeted were associated with multiple identities and that there was no obvious indication they were associated with the contractor.
‘Barium meal’
“The only place that I noted these multiple identities as belonging to me was in my DV interview and associated DV form,” the contractor wrote. “In intelligence circles, this kind of situation is what they’d call a ‘barium meal’. That is, the source of the attacks can be inferred from the fact that only one entity – FCDO’s vetting department – was aware that the separate accounts targeted belonged to the same person.
“It is of concern that multiple social media profiles in different names were simultaneously attacked when the only place these different profiles were mentioned together was during my DV interview.”
It is of concern that multiple social media profiles in different names were simultaneously attacked when the only place these different profiles were mentioned together was during my Developed Vetting interview RP
The contractor has asked the IPT to investigate whether any attempt was made by the Foreign Commonwealth and Development Office or any proxy acting on its behalf to access their social media accounts.
The complaint also raised questions over the security of personal information gathered about them during DV, and whether there was adequate security in place to protect it from misuse by third parties.
“The effect of my being denied DV clearance without due process is that I am now left with a DV refusal on my record. I was told during my vetting interview that if I didn’t pass clearance, there was no right of appeal, and that FCDO would not change its decision,” RP wrote.
“I sold my home of 23 years in anticipation of taking up the role I had been offered with SIS. There are therefore real financial losses associated with FCDO’s actions should IPT find them at fault.”
Kind had been offered a job as the first head of investigations at surveillance watchdog IPCO, until an objection from MI5, which claimed he was “insufficiently deferential to the sanctity of confidentiality”, led to his security clearance being withdrawn.
Judges found, however, that there was no national security reason why the vetting officer should not have spelled out the concerns raised by MI5 to Kind so he could have provided a focused written response.
“The elephant in the room…is that in this case IPCO’s preferred candidate for a senior position was being refused DV security clearance largely because one of the three agencies which IPCO oversees had strong reservations about him,” they wrote in a 20-page ruling.
Delays and mistakes at GCHQ
RP previously experienced delays and mistakes in Developed Vetting after being offered a job as a lead developer with GCHQ, the signals intelligence agency, in January 2021.
The IT specialist sent multiple emails to GCHQ and the government’s national security vetting helpdesk after GCHQ incorrectly entered RP’s email into the “eVetting” system.
That meant RP couldn’t complete the vetting form and that details of RP’s vetting process may have been sent to an email address belonging to someone else.
When GCHQ emailed RP four months later to say that Developed Vetting had been delayed by three months, RP informed GCHQ they had already taken another role.
RP continued to receive emails and phone calls from GCHQ asking how vetting was going, despite the IT specialist calling and emailing several times to confirm they no longer wanted the job.
In the complaint to the Investigatory Powers Tribunal following their experience at SIS, RP asked the tribunal, at a minimum, to set aside the decision to deny them DV clearance so that it does not remain on their record.
“If the IPT finds in my favour, I would like to be compensated for the loss of employment opportunity that the FCDO’s failing to follow due process has caused,” the complaint adds.
Government has made ‘significant improvements’
A government spokesperson told Computer Weekly: “We accepted all of the recommendations made by the NAO in 2023 and have made significant improvements to our vetting procedures. In February 2025, over 97% of all vetting clearances were completed in line with agreed timelines.”
The government said it does not comment on security matters but maintained that “robust processes” are in place to defend against potential cyber incidents.
It has a “long-standing policy” not to comment on matters relating to intelligence and individuals’ security vetting. Government policy is that “all staff undergo necessary vetting procedures in accordance with UKSV and Cabinet Office guidance.”
According to government practice, “referees are a standard part of the Developed Vetting process, and are contacted as part of an applicant’s clearance process”.
RP’s security vetting timeline
RP is offered a junior role at MI6 but declines
March 2009: RP is conditionally offered a job at the Secret Intelligence Service (SIS), MI6, subject to completion of security clearance.
July 2009: RP is given a starting date for joining SIS after passing Developed Vetting, but decides not to take up the job.
January 2017:UK Security Vetting (UKSV) is formed following a merger of the vetting services run by the Foreign and Commonwealth Office and the Ministry of Defence.
March 2022: The Investigatory Powers Tribunal finds that the Home Office unfairly refused a leading expert in surveillance a senior role in the Investigatory Powers Commissioner’s Office, after an intervention from MI5 led to his security clearance being unfairly refused. It finds the decision not to appoint Eric Kind as the organisation’s first head of investigations was “effectively prejudiced” by one of the bodies IPCO was designed to oversee.
RP offered a job at GCHQ but declines following vetting delays
December 2021: RP is offered a role as a lead software engineer with the signals intelligence agency, GCHQ, subject to passing security vetting.
8 January 2022: RP mails the national security vetting helpdesk asking the service to correct their correspondence email address, which had been mistyped in a letter giving information about arrangements for Developed Vetting (DV) for the GCHQ role.
10 January 2022: The national security vetting helpdesk mails RP saying it is unable to change RP’s contact details in its software and to contact GCHQ.
10 January 2022: GCHQ’s recruitment office confirms that it has corrected RP’s email address in its records.
10 January 2022: RP emails the national security vetting helpdesk asking for copies of emails RP missed because GCHQ had used an incorrect email address.
10 January 2022: The helpdesk replies that it is unable to do so as the incorrect email address is still on the system. The missing emails contained links to a secure “eVetting” account that RP needed to access to complete the vetting process.
10 January 2022: After trying unsuccessfully to make contact, RP again emails the GCHQ recruitment office asking for the email address in their eVetting account to be updated to the correct email address. It still has not been updated, despite previous assurances.
11 January 2022: GCHQ’s recruitment team apologises and says it will correct the email on the eVetting form and will send out a new letter by post.
4 April 2022: GCHQ emails RP stating that a decision on their Developed Vetting has been delayed until July 2022.
5 April 2022: RP mails GCHQ declining the job, as four months after making a conditional offer, GCHQ has yet to start the vetting process. RP states they had to take another role.
RP said they received further emails and phone calls from GCHQ asking how vetting was going, despite calling and emailing several times to confirm they no longer wanted the job.
UK Security Vetting faces criticism
18 January 2023: The NAO reports that UKSV’s record in delivering timely clearances “continues to be poor” and longer-term efforts to transform security vetting “have made little progress”. It finds that UKSV has failed to meet its targets for Developed Vetting since May 2021, achieving its target of processing Developed Vetting applications within 95 days in only 7% of cases and failing to meet targets for follow-up checks on DV clearances. The NAO report finds that UKSV is still using an IT system that it first said it wanted to abandon in 2018 because it lacked capacity, was too slow, and needed too many manual workarounds to keep it up and running.
12 May 2023: The Cabinet Office has “failed to get a grip” on the delivery of national security vetting since it took over responsibility for security vetting in 2020, according to Parliament’s Public Accounts Committee. It finds that UKSV has failed to meet its main performance targets since 2021; nearly a third of Developed Vetting clearances in 2022 to 2023 took more than 180 days to process, almost double the 95-day target; and staff levels were 23% below estimated requirements.
RP makes application for senior IT role in MI6
1 April 2024: RP applies for a role in the Secret Intelligence Service (SIS), MI6.
19 June 2024: RP is offered a senior Grade 6 role in the Secret Intelligence Service and accepts the job subject to passing the Developed Vetting (DV) process. RP is told that it can take up to 12 weeks for a member of the vetting team to be in touch and is advised not to make commitments that may pre-suppose a job offer.
June to October 2024: RP is concerned about the lack of progress on carrying out DV checks and “politely leans” on people to get the process moving.
4 October 2024: SIS vetters interview RP following a series of delays. RP is surprised to be asked about their identity as a member of the LGBT+ community and whether that would compromise their susceptibility to blackmail, but answers the question professionally. RP discloses to vetting officers a private email address in a different name used by RP for accessing Facebook Messenger.
18 October 2024: RP completes house sale and prepares to move to new role at SIS in London.
Cyber attack
23 October 2024: RP’s Facebook Messenger Account is accessed from a computer with an unknown IP address. RP later uses the Whois domain name tool which identifies the IP address as a US address with links to the Russian Federation.
25 October 2024 – late morning: RP receives a notification from LinkedIn that a person located in Hanoi, Vietnam, has attempted to reset their LinkedIn password. Two days later, LinkedIn temporarily blocks RP’s account after detecting “potential unauthorised access”. RP is later asked to verify their identity with government ID. The incident alerts RP that their email address has been compromised.
25 October 2024: RP discovers that their email account disclosed during the vetting interview has been compromised and that someone has managed to change the password despite RP using a random unguessable password.
25 October 2024 – late afternoon: RP calls the SIS recruitment team to report that they have been a victim of a cyber security attack which has compromised the private email address disclosed by RP during vetting with SIS.
26 October 2024: RP reports the cyber security incident by email to the vetting team. RP explains that they had set up the email address to communicate with an elderly family member during lockdown on Facebook and Facebook Messenger, and also to authenticate their personal YouTube channel. RP did not protect the account with two-factor authentication, thinking it unimportant, but acknowledges in the email that it should have been protected. RP discloses that their Facebook Messenger has also been compromised by an IP address which appears to be linked to the Russian Federation. RP encloses screenshots.
RP denied Developed Vetting clearance
29 October 2024: RP is surprised after FCO Services writes to RP declining Developed Vetting (DV) clearance. The letter states: “I regret that we are unable for national security reasons to provide feedback on decisions to grant DV.”
November 2024: RP writes to the chief of MI6, Richard Moore, asking why MI6 has denied them security clearance without speaking to any of the senior civil servants, police colleagues or senior business leaders provided as character references. No reply is forthcoming.
3 November 2024: RP writes to the Foreign, Commonwealth and Development Office, asking for details of the internal appeals process for Developed Vetting applications.
5 November 2024: RP emails the civil servants trade union, FDA, asking for legal advice. RP points out that the union receives a stipend from MI6 to provide services to MI6 staff who are not legally permitted to join a trade union. RP offers to pay any legal costs.
5 November 2024: FDA writes back declining support. The union states that as RP did not take up a post in SIS, given that employment was conditional on passing vetting, and is not a member of FDA, it cannot represent them.
6 November 2024: FDA assures RP that had RP been a member it would have supported RP, who is a member of the LGBT+ community, irrespective of their sexual orientation. The FDA says that while SIS has had “an unpalatable history of questionable employment practices”, those ended “decades ago” and it recently reaffirmed its inclusivity when the trans flag was flown over its building in 2021.
4 Jan 2025: RP submits complaint to the Investigatory Powers Tribunal (IPT).
9 Jan 2025: RP writes to foreign secretary David Lammy, asking him to look into an apparent lack of due process in the vetting process. No reply is received.
15 Jan 2025: IPT acknowledged receipt of complaint from RP.
