Operation Oliban messages
As I set out in Part 22, Operation Oliban was a CTPNW investigation into the activities of Abdalraouf Abdallah. It resulted in his conviction for offences under the Terrorism Act 2000. In Part 22, I considered messages which passed between Abdalraouf Abdallah and SA.
It was agreed by CTPNW and the Security Service that the Operation Oliban material relating to SA should have been analysed for intelligence by the CTPNW Intelligence Management Unit.
CTPNW’s position was that the Operation Oliban messages should have been passed to the Security Service in 2015 in accordance with the general approach taken on Operation Oliban to sharing of information with the Security Service. CTPNW’s position was that there was no reason to believe that the Operation Oliban messages were not passed. It was agreed by CTPNW and the Security Service that there was no evidence that the Security Service ever suggested that the Operation Oliban messages had not been passed to the Security Service.
By contrast, the Security Service’s position was that the Operation Oliban messages were not received by the Security Service. Neither CTPNW nor the Security Service had any record that the messages had been passed by CTPNW to the Security Service. At the time, it was not the practice for such an audit trail to be kept.
In light of all the evidence, I find on the balance of probabilities that the Operation Oliban messages were not given by CTPNW to the Security Service. This is likely to have been a result of human error.
However, even had the Operation Oliban messages been passed and even had SA been identified as one of the people Abdalraouf Abdallah was corresponding with, it is unlikely that it would have made a significant difference to the Security Service’s assessment of the risk posed by SA.
The content of the Operation Oliban messages between SA and Abdalraouf Abdallah was consistent with other information CTPNW and the Security Service had on SA. Despite this, SA should have been identified, and the Operation Oliban messages should have been passed to the Security Service. This would have added to the picture that the Security Service and CTPNW held about SA’s actions and intentions.
When reaching my conclusion about the extent of the difference the Operation Oliban messages might have made, I have had in mind the evidence Dr Matthew Wilkinson, the Inquiry’s expert in radicalisation, gave about these messages. However, this is not the totality of the evidence I have heard about them.
While I am satisfied that the Operation Oliban material would not have changed the Security Service’s assessment of SA based on the approach at the time, I do think that there is room for improvement in the Security Service’s approach. In Volume 3‑I (closed), I have raised making a recommendation as to how the Security Service could develop its approach to material of this type. I make clear that I am not being critical of the Security Service in relation to this issue. I understand why the Security Service would have taken the approach it did at the time.
There were two specific occasions on which the fact that SA was not identified as exchanging messages with Abdalraouf Abdallah as part of Operation Oliban may have affected whether he was referred to Prevent.
First, there would have been an opportunity around the time of the closure of Operation Oliban for SA to be reviewed, among other individuals, and a decision made as to whether further steps should be taken to investigate him. He was not reviewed and should have been. This deprived CTPNW of an opportunity to consider whether SA should be referred to Prevent.
Second, Witness D, who worked for CTPNW, had reason to consider SA in 2015. S/he stated in evidence that s/he would have regarded the Operation Oliban messages, had s/he had them, as relevant to an assessment of whether SA should have been referred to Prevent in 2015.
Abdalraouf Abdallah mobile phone data
While he was in prison, Abdalraouf Abdallah had access to a mobile phone. There was a delay in analysing the billing data for that device. The handset was seized by the prison authorities on 17th February 2017. It was downloaded on 3rd March 2017. However, authorisation for obtaining the billing data was not sought until 4th May 2017. The data was not obtained until 1st June 2017. On behalf of CTPNW, DCS Scally accepted that this data should have been obtained more quickly than it was. I agree. It should have been obtained within a month of the download.
The illicit mobile phone was used to call a number, which was attributed to SA after the Attack, on 11 occasions between 16th January 2017 and 15th February 2017. Only three of these connected. It is not possible to say, without knowing the content of the calls, whether these were for nefarious purposes. The delay in obtaining the data relating to these calls did not have any causative significance. This is because the number SA used was not attributed to him until the extensive Operation Manteline investigation conducted after the Attack.
However, it was a concerning delay. Potential intelligence about a prisoner serving a sentence for Terrorism Act 2000 offences and known to be a potential radicaliser should be obtained and analysed more quickly.
Knowledge of the Security Service and Counter Terrorism Policing of SA prior to 2017
The Security Service first received information in relation to SA on 30th December 2010. The information came from CTPNW. The information was to the effect that SA was linked to an address which was relevant to a Trace request. The information included that SA had been stopped and searched twice and nothing suspicious was found. No scrutiny was applied to SA by the Security Service at that stage.
In December 2013, SA was identified by the Security Service as being a possible candidate for an unknown individual who had been observed to have been acting suspiciously with Subject of Interest A.
On 18th March 2014, SA was designated a Subject of Interest within the Security Service’s investigation into Subject of Interest A. A Key Information Store record was opened into SA. SA was given a Security Service nickname, as was the usual practice. He was made a Tier 3 Subject of Interest. On 21st July 2014, SA was closed as a Subject of Interest. This was because of SA’s lack of engagement with individuals of interest, including Subject of Interest A. An officer from CTPNW was involved in the closure process. I am satisfied that the decision to close SA as a Subject of Interest at this stage was a reasonable one.
In 2015, SA was identified as being the owner of a telephone number which had previously been used in contact with Subject of Interest B. Subject of Interest B was someone previously linked to Al‑Qaeda and was investigated in connection with his facilitation of travel of others to Syria. Nothing within the information held was considered by the Security Service to be sufficient to justify opening SA as a Subject of Interest.
Later in 2015, the Security Service received information that SA was in contact with Subject of Interest C. Subject of Interest C was a longstanding Subject of Interest due to his previous affiliation with an extremist group in Libya.
In October 2015, SA was opened and closed as a Subject of Interest in the same day. This occurred due to a misunderstanding of information held by the Security Service, which indicated that SA had links to a senior Islamic State figure in Libya. SA was opened as a Subject of Interest on the basis he had direct contact with that senior Islamic State figure. When it was realised that the contact was not direct, but rather contact with a contact, he was closed as a Subject of Interest.I am satisfied that there is no significance to be attached to this event beyond the fact that it demonstrates that the Security Service acted carefully to check its own understanding of information it had received.
‘De facto’ Subject of Interest (2015–16)
Between 2015 and 2016, as part of another Lead with its own Subject of Interest, SA was treated as being a Tier 2 Subject of Interest. SA was not formally designated as a Subject of Interest. This ‘de facto’ Subject of Interest status, as it was subsequently characterised in the Security Service Post‑Attack Review, was not a concept that any Security Service witness, or the Security Service expert witness, recognised.
It was not helpful for SA to be treated in this way. If SA had been formally opened as a Subject of Interest, then he would have continued to have been treated as such, or there would have come a time when he was considered for closure. At the point of closure, there would have been a formal assessment of the risk that SA posed to national security. The inclusion of that assessment in the decision to close a Subject of Interest is not a mere formality. It is a valuable opportunity to take stock of the intelligence that is held.
Further, if a decision had been taken to close a Lead into SA, consideration would then have been given as to whether or not he should be referred to Prevent. During this period, the Security Service received information about SA on several occasions, including his views on Islamic State.I cannot say what would have come of such a referral, if it had taken place in 2016, but it is potentially of causative significance.
It follows from this strand of evidence and my conclusions upon it, that the fact that SA was on paper a closed Subject of Interest between June 2015 and August 2016 is not itself of great significance, there being some material degree of investigation and intelligence collection concerning him throughout this period. Nonetheless, by consciously allowing SA’s categorisation to fall into this uncharted grey area, the investigative team deprived itself of the rigours and precautionary processes that were in place for other open Subjects of Interest so as to ensure that national security was best protected.
In Part 22, I introduced the Prevent programme. The Intelligence and Security Committee of Parliament found that SA should have been considered for a Prevent referral after his closure as a Subject of Interest in 2015. The Committee stated that it was concerning that there is no evidence of a discussion between Counter Terrorism Policing and the Security Service as to a potential record. The Committee also stated that it was surprising and “highly disappointing” that no one in the Abedi family was referred to Prevent.
The question of whether SA could or should have been considered for referral was explored in the closed hearing. As was set out in the open gist of the closed evidence, there is a document which shows that SA was considered for a Prevent referral several years before the Attack and that it was decided not to refer him.This information was not before the Intelligence and Security Committee of Parliament.
Witness J and DCS Scally did not accept that a referral should have been made in SA’s case.In particular, they were both of the view that a decision not to refer SA in 2014 was reasonable. However, Witness J accepted it would have been better to have had a proper documented consideration of a Prevent referral at the point of closure of SA as a Subject of Interest in 2014. DCS Scally agreed.
Both Witness J and DCS Scally made clear that the Security Service and Counter Terrorism Policing see Prevent as a valuable tool.The Security Service is not one of the organisations to which section 26 of the Counter‑Terrorism and Security Act 2015 applies. The Security Service’s main focus is on the Pursue strand of the UK’s counter‑terrorism strategy. Counter Terrorism Policing is more directly involved with Prevent and was in 2017. Prevent officers have been embedded within Counter Terrorism Policing since 2015.
There were two examples of Prevent referrals in relation to individuals connected to SA which the Inquiry heard about. First, Alzoubare Mohammed was referred between 2015 and 2017 due to a history of mental health issues.Second, during Operation Oliban, a 14‑year‑old boy who was passing messages between subjects of the investigation was referred.
Assistant Commissioner Neil Basu, the Senior National Co‑ordinator at Counter Terrorism Policing Headquarters, stated, when he gave evidence, that there has generally been a disproportionate focus on the Pursue pillar of the UK Government’s counter‑terrorism strategy at the expense of Prevent. He stated that this was despite there being a case for Prevent being “by far the most important of the four government pillars of CONTEST. If you speak to police officers of my experience, we all understand the fact that Pursue is largely a sticking plaster and a suppression tactic.”
DCS Scally explained in evidence that there is no defined threshold for what “being drawn into terrorism” means for the purpose of the section 26 statutory duty. He stated that the police look at various factors that might make a person vulnerable, such as complex needs, autism and mental health issues.This, in my view, is a key reason why SA was not referred in 2014 or thereafter.
In light of all the evidence I heard in both the open and closed hearings, I consider SA should have been subject to a Prevent referral at some point in 2015 or 2016. However, it is very hard to say what would have happened if SA had been approached under Prevent or the Channel programme.
A person needs to be willing to engage with Channel. Based on the way in which Ismail Abedi reacted to an intervention from Counter Terrorism Policing, it is unlikely that SA would have responded positively. It is not possible to know for sure.
Ismail Abedi was contacted on several occasions by Counter Terrorism Policing following his port stop in 2015 and the discovery of extremist material on his devices.He was “evasive and non-committal”. The police officer was told not to call him again. An attempt to contact Ismail Abedi through Ramadan Abedi was also unsuccessful.
While any particular individual will only benefit from Prevent if they engage with it, that does not mean that a refusal to engage will be irrelevant to those involved in countering terrorism. On the contrary, such a refusal may provide an indicator to be taken into account when any assessment of that person and their risk is undertaken.
It was suggested by those representing the bereaved families that the threshold for Prevent is too high. DCS Scally explained in evidence that any lowering of the threshold would require significant extra resource.Only a small proportion of referrals to Prevent are followed up by the full Channel programme, just over 10 per cent in 2020.
Another suggestion made was that all closed Subjects of Interest should have been reviewed in 2015 when the Prevent Duty came into effect. In my view, this would have been impractical. Witness J and DCS Scally both stated in evidence that it would have been too large a task. It would have prevented the Security Service and Counter Terrorism Policing from focusing on other, more urgent work.
CLEMATIS and DAFFODIL
CLEMATIS and DAFFODIL are Security Service processes which are designed, said Witness J, “to surface risk” from the Security Service’s data relating to closed Subjects of Interest. Witness J said that the information on SA that came through the CLEMATIS and DAFFODIL process was not new information: it had already been made available to and been considered by investigative teams within the Security Service. CTPNW does not have any involvement in the actual processes themselves, but provides intelligence to the Security Service and acts on the outputs of the processes. DCS Scally said that he had a broad understanding of the processes’ details but does not need to have any deeper knowledge.
In 2017, a team within the Security Service individually reviewed all Subjects of Interest who were flagged by the CLEMATIS data analysis process to decide whether further low‑level investigative enquiries should be undertaken. 8181SA had been flagged by the process, because his circumstances met one of the predetermined triggers. This was noted on 3rd March 2017, along with a significant number of other closed Subjects of Interest.
As a result of this, the Security Service made further checks into whether SA should be considered for referral into DAFFODIL from CLEMATIS. A meeting was arranged between the appropriate personnel for 31st May 2017, but the Attack took place before this could happen.
Witness J explained that even if this meeting had taken place earlier, it is by no means certain SA would have been referred for further investigative steps. Even if he had, there was no information available to DAFFODIL that was not already known to the investigative team about SA, so it would simply have provided a “fresh pair of eyes”.
I do not think there is any reason to believe that the Attack would have been prevented if the CLEMATIS data analysis process had taken place more quickly. This was not a missed opportunity.
However, the fact that CLEMATIS did correctly flag SA as a closed Subject of Interest who was worth another look suggests that this form of data analysis is a useful process for the Security Service to use and into which to invest more time and energy. I understand that significant efforts on this front are already under way.
I welcome all of this work, and I would urge the Security Service and Counter Terrorism Policing to find ways to use these new tools for analysing data, especially about closed Subjects of Interest, effectively.