By Mark Ward
Technology Correspondent, BBC News website
MI5 has overhauled an e-mail terror alert system for the public following detective work by privacy activists.
Digital detective work by campaigners revealed that the alerting system did little to protect the identities of anyone signing up.
They found that the data gathered was being stored in the US, leading to questions about who would have access to the list of names and e-mail addresses.
The Cabinet Office denies the changes were a response to the investigation.
The public e-mail alert system was announced on 9 January and will send messages to subscribers when threat levels change. The move followed the success of similar public information systems started by MI5 and the Home Office in August.
Despite the announcement, no sign-up form for the service was available on the MI5 website at the time of the unveiling. This was despite claims from the Home Office that the system had been under development for some time.
This changed on the evening of 9 January, when a web form appeared. Its arrival kicked off an investigation by the activists behind the SpyBlog to see how it worked.
What they found led the group to describe the e-mail alert list as a "shambles" and drove them to suggest that the system had been put together in a hurry.
The activists discovered that the whole system had been contracted out and that some of it was being run by a company called Mailtrack, which specialises in handling large e-mail mailing lists.
More worryingly, the standard encryption software had been disabled when people signed up to use the alert system. The encryption would have scrambled personal data, such as name and e-mail address, to stop others eavesdropping.
Also, the computer system used to manage the list was based in the US, on a server run by Seattle-based firm What Counts. SpyBlog researchers suggested that this put it at risk of being snooped on or inspected by US law enforcement authorities.
"We would not release data to anyone without a subpoena," David Geller, managing director of What Counts, told the BBC News website.
He said the information being collected for the mailing list was similar to that collected by many organisations, such as newspapers, to keep customers informed about updates or special offers.
"It's such a benign use of e-mail," he said, "but we would always encourage people to move it to their own country."
Following its digital detective work, SpyBlog monitored the MI5 website to see if any changes were made. On the evening of 12 January, changes were made that ended the connection with What Counts and started the use of an encryption system to scramble data.
A spokeswoman for the Cabinet Office said the changes made to the service, including bringing the data to the UK, were due to happen before the media began investigating. This was to help cope with the large numbers of people signing up.
"Moving the data to the UK will enable faster e-mail delivery to subscribers, most of whom are in the UK, and will enable the Security Service to use Mailtrack's latest technology," said a statement issued by the Cabinet Office.
SpyBlog noticed that one of the digital security certificates used in the scrambling process between the MI5 site and a user's browser while they sign up was only issued two days after the mailing list was unveiled.
SpyBlog said it would be contacting the Information Commissioner over the way the alert system has been set up.
The Cabinet Office said: "We are confident that the technical arrangements for this service are entirely compliant with the Data Protection Act".