By alerting people to an obscure website listing 100 agents, the security services compounded the fiasco. Why did they do it?
The fiasco over the naming of 100 MI6 spies looks more and more like an intelligence blunder of almost Chinese embassy proportions. By drawing attention to an obscure posting in a corner of the internet inhabited only by cranks and conspiracy theorists, MI6 and the D-notice committee contrived to ensure that the list would be for a few days the most famous document on the world wide web, and one which has now been copied to thousands of computers around the world. The story of how this happened provides a rare glimpse into the central importance that computer networks now have in the shadowy world of the security services.

Richard Tomlinson's first list of eight named MI6 agents, among them the head and deputy of the organisation, has actually been published on the net since September last year. He named seven members of the organisation in a letter to John Wadham, of the British civil liberties organisation Liberty, sent last September, which he asked should be transmitted to the parliamentary select committee on the intelligence services.

That letter contained an account of "Orcada", an alleged MI6 agent in the Bundesbank, run by an officer whose diplomatic cover in Bonn was so deep that not even his diplomatic colleagues knew him for a spook. It also named a previous controller. In another letter at the same time, Tomlinson described conversations he had had in 1992 with "the officer responsible for developing and targeting operations in the Balkans" (named in the original document), who was then proposing the assassination of Slobodan Milosevic.

One of the methods proposed, apparently, involved faking a car crash while Milosevic was attending a peace conference in Geneva, perhaps by blinding his driver with a high-powered strobe light while he drove through a tunnel. This memory, Tomlinson claimed, was one of the things which led him to suspect MI6 involvement in the death of Diana, Princess of Wales. Last week Tomlinson swore an affidavit for Herve Stephan, the French judge investigating the death of Diana. In this he claims to have certain knowledge that Henri Paul had been a paid informant for MI6, because his job as security chief for the Ritz made him eminently worth bribing. He names two senior MI6 officers who, he says, should be asked by Stephan what Paul told his controllers in the days before his death.

He does not say that there is a direct link between MI6 and the Princess's death. But then he appears to have used against his old employers all the tricks of deniability and black propaganda that they have used against him. The original allegations about the Bundesbank agent and the plot to assassinate Milosevic were apparently written in a cybercafe which provided access to word-processing software. This, Tomlinson claimed, was because the French security services had confiscated his own laptop when he first went to Paris to talk to Judge Stephan in August 1998. So he was forced to compose his letter in a public cafe, where everything you write remains on the hard disk for following customers to read.

By an extraordinary coincidence the next customer was a Swiss journalist who just happened to read the letters Tomlinson had composed, and immediately published them on the site belonging to his specialist news agency. There they have sat since September 1998.

Last week's leak was even more bizarre. The small list of agents, on a Californian site which was closed down by MI6's lawyers, appears to contain nothing that was not on the six-month-old Swiss list. Then the big list of agents turned up on the website of Lyndon Larouche, an American conspiracy theorist who believes that Prince Philip ordered the assassination of Diana. It is full of bizarre and checkable inaccuracies: for instance, the Cambridge law don named as "the leading recruiter for MI6 agents" who "identifies and recruits the most intellectual geniuses for MI6" has his name spelt wrong and is awarded a professorship he does not hold. Similarly, Our Man in Lagos has after his date of birth the annotation "Wanker".

The list then appeared on, a discussion group where conspiracy theories on the death of Diana flourish; and shortly thereafter on alt.conspiracy.spy. Neither of these discussion groups is really part of the world wide web, though each can be read from it. They are part of Usenet, one of the oldest parts of the internet, which no one reads - except, it seems, the British security services. Without the D notice it is entirely possible that no British newspapers would have noticed the list of spies, and the people on it could have been quietly warned if that was necessary. Of course the readers of alt.conspiracy.spy would have supposed they were in possession of privileged information about the death of Diana, but this belief has been fixed in the Arab world almost since the moment of her death.

But the real importance of the web for intelligence services is as a place where unprecedented quantities of information can be gathered, which in turn helps to justify their role and budgets now that the Cold War is over. A report to the European Parliament published a fortnight ago claims that the American National Security Agency and its British partner GCHQ can and routinely do read e-mail, faxes and web pages of any interest. And, of course, all modern organisations depend on computer systems, so all their interesting secrets will exist in electronic form somewhere.

The NSA has tirelessly lobbied against the export and publication of the mathematical encryption techniques used to make this eavesdropping impossible. Two years ago the Swedish government was horrified to discover that the Lotus Notes software it had purchased had been fixed so that its encryption maintained confidentiality against everyone but the NSA.

In 1995 Bob Morris, one of the NSA's leading computer security experts, told a conference that modern technologies offered an unprecedented harvest of information for the big information agencies. That was the year when the US telephone networks for the first time transmitted more data than voice calls, and all of this data can be easily monitored by the NSA's computers looking for keywords. Because of the way the internet works, even e-mails between two European sites may well pass through American computers on their way and thus be vulnerable. But in their passage by satellite, they can be tapped by hostile governments too.

Dr Ross Anderson, an encryption specialist at Cambridge University, says: "It's not clear whether universal vulnerability is sound defence policy, however much it may have been inevitable in the strategic nuclear context. I have considerable difficulty with GCHQ's insistence that medical networks use weak crypto, and that even UK strategic financial systems such as Crest use encryption weaker than it could be. One can see the advantage for the Russians and the Chinese, and even the Americans; but for the UK?"

The British government must this year make a number of strategic decisions about how much privacy citizens and companies should be allowed in cyberspace against the security services. A real conspiracy theorist might wonder whether the whole Tomlinson fiasco was not a gigantic stunt to distract attention from these serious decisions, and to establish the idea that the internet is so dangerous that of course governments must spy on it as they will. But it still looks more like a cock-up than anything else.