UK mass interception law violates human rights - but the fight against mass surveillance continues (from 2018)
Updated on 24 May 2021
Following a case initiated by Privacy International and nine other CSOs, as well as two other cases, the First Section of the European Court of Human Rights (ECtHR) ruled that the UK government's mass interception program violates the rights to privacy and freedom of expression because of insufficient safeguards and lack of oversight. That decision laid the groundwork for influencing the UK government to adjust current legislation and practices in compliance with the Court's findings. Changes are on hold pending the Grand Chamber of the ECtHR judgment on 25 May 2021.
The European Court of Human Rights ruled today that the UK government's mass interception program violates the rights to privacy and freedom of expression. The Court held that the program "is incapable of keeping the 'interference' to what is 'necessary in a democratic society'". This finding is an important victory for human rights and the rule of law. Below, we break down the key parts of the decision.
The Court's ruling comes after a five-year battle against two UK mass surveillance programs - (1) the mass interception of internet-based communications and (2) access to the intelligence gathered by other governments' surveillance programs, including the mass surveillance programs of the U.S. National Security Agency ("NSA"). These programs were first disclosed by Edward Snowden in 2013 and subsequently challenged by Privacy International and nine other NGOs before the UK's Investigatory Powers Tribunal. The Court joined this case together with two separate challenges from the other groups and individuals (Big Brother Watch, Open Rights Group, English PEN and Dr Constanze Kurz, and The Bureau of Investigative Journalism and Alice Ross.)
UK MASS INTERCEPTION VIOLATES THE RIGHT TO PRIVACY
The Government Communications Headquarters ("GCHQ"), the UK signals intelligence agency, conducts mass interception of communications by tapping undersea fibre optic cables landing in the UK. Today's judgment found the legal regime (pursuant to section 8(4) of the Regulation of Investigatory Powers Act 2000 ("RIPA")) governing that interception to violate the right to privacy as enshrined in Article 8 of the European Convention on Human Rights (ECHR). (§§ 387-388)
The Court expressed specific concern over the way in which the UK government selects the undersea cables it will tap (called "bearers" by the Court), and the search criteria applied to the communications obtained from those cables.
The UK's geographic location makes it a natural landing hub for many of the cables that carry the world's communications. The Snowden disclosures revealed that the UK government - often with the cooperation of telecommunications companies - has attached probes to these cables to intercept their traffic. Once intercepted, the UK government uses "selectors" and "search criteria" to filter the content and metadata it collects. Those selectors and search criteria could be as broad as:
(1) all traffic to and from France
(2) all search queries on Google
(3) all purchases on Amazon
(4) all location data, or
(5) a wide range of IP addresses.
Intercepted information is stored in databases, which government analysts can query, data-mine or use to call up information to examine further. This process provides the UK intelligence agencies with a vast trove of content and metadata (referred to as "communications data" in the judgment) that is capable of revealing the most intimate details of anyone who uses online communications.
In this context, the Court stated that it was "not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse." It also emphasised that what was "[o]f greatest concern...is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications." (§ 347)
The Court also criticised the UK regime's "absence of any real safeguards applicable to the selection of related communications data for examination." As discussed further below, the Court recognised that the collection of communications data can be as intrusive as content and therefore should be subject to similar safeguards. (§ 357)
These flaws in the UK mass interception law led the Court to conclude it "is incapable of keeping the 'interference' [with privacy] to which is 'necessary in a democratic society'." (§ 388)
UK MASS INTERCEPTION VIOLATES THE RIGHT TO FREEDOM OF EXPRESSION
The Court extended and amplified its concerns about the UK's mass interception program in addressing its impact on journalists. It noted that in the freedom of expression context, "it is of particular concern that there are no [public] requirements...either circumscribing the intelligence services' power to search for confidential journalistic or other material (for example, by using a journalist's email address as a selector), or requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved." (§ 493) It concluded that "[i]t would appear that analysts could search and examine without restriction both the content and the related communications data of these intercepted communications. The Court further recognised that such a blanket power to interfere with journalists' communications, including with their sources, could have a broader "chilling effect...on the freedom of the press." (§ 495)
COMMUNICATIONS DATA IS AS INTRUSIVE AS CONTENT
The UK government's mass interception program involves the interception of both content and metadata. In our case, we argued how the interception, storage and analysis of metadata is just as intrusive as similar interferences with communications. Metadata is the digital equivalent of having a private investigator trailing you at all times, recording where you go and with whom you speak. But in the digital realm, metadata records even more — for example, your web activity, which could reveal items purchased, news sites visited, forums joined, books read and movies watched. Each of these pieces of data gives insight into an individual. Pieced together, they can allow an intrusive and comprehensive view into a person’s private life, revealing his or her identity, relationships, interests, activities and location.
The Court agreed with us, rejecting the UK government's claim that "the acquisition of [content] related communications data is necessarily less intrusive than the acquisition of content." It further noted: "For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with." (§ 356) As discussed above, because the UK government lacks safeguards for examining metadata, as noted above, the Court found the mass interception law to violate Article 8 ECHR. (§ 357)
INTELLIGENCE SHARING CONSTITUTES AN INTERFERENCE WITH THE RIGHT TO PRIVACY
In addition to its direct surveillance programs, the UK government also has access to information collected by foreign intelligence agencies, including the NSA. In some cases, the UK government may have direct and unfettered access to raw data intercepted by other governments, which it can then filter, store, analyse and further disseminate. Or it might have access to information stored in databases by other governments. The Snowden disclosures revealed both the breath-taking scope of US mass surveillance programs, including a program analogous to the UK's mass interception program, as well as the UK government's wide-ranging access to the information gathered through those programs.
In our case, we argued that when the UK government obtains information through intelligence sharing, the interference with the right to privacy is equivalent to if it had obtained that information through its direct surveillance. We further argued that, for that reason, the Court should approach its scrutiny of intelligence sharing in the same manner as it would assess direct surveillance.
The Court agreed with us, finding that "[a]s with any regime which provides for the acquisition of surveillance material, the regime for the obtaining of such material from foreign Governments must be 'in accordance with the law'..., it must be proportionate to the legitimate aim pursued, and there must exist adequate and effective safeguards against abuse." It added that "[i]n particular, the procedures for supervising the ordering and implementation of the measures in question must be such as to keep the 'interference' to what is 'necessary in a democratic society'" (§ 422) Finally, the Court acknowledged that "States could use intelligence sharing to circumvent stronger domestic surveillance procedures and/or any legal limits which their agencies might be subject to as regards domestic intelligence operations". (§ 423)
WHY THE FIGHT IS NOT OVER
Notwithstanding the positive aspects of the judgment, there remain several significant shortcomings, particularly in the way it applies the law to the specific UK surveillance programs we are challenging.
First, the Court rules that mass interception, as a general matter, falls within a state's "margin of appreciation in choosing how best to achieve the legitimate aim of protecting national security". This finding is contrary to consistent pronouncements by international human rights experts as well as the Court of Justice of the European Union ("CJEU") that mass surveillance is inherently disproportionate and therefore violates international human rights law. Just last month, the United Nations High Commissioner for Human Rights, in a report on "The right to privacy in the digital age" to the Human Rights Council, stated that "[w]hile some States claim that...indiscriminate mass surveillance is necessary to protect national security, this practice is 'not permissible under international human rights law, as an individualized necessity and proportionality analysis would not be possible in the context of such measures'". And in 2016, the CJEU found another mass surveillance program requiring the "general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" to violate the right to privacy enshrined in the Charter of Fundamental Rights of the EU.
The Court's determination that mass interception is not per se violative of the right to privacy also contradicts its own jurisprudence. In two recent earlier decisions, the Court identified individualised reasonable suspicion - impossible in a mass surveillance regime - as a necessary safeguard when states conduct surveillance. (Szabo & Vissy v. Hungary, Zakharov v. Russia). In refusing to apply the reasoning of these earlier decisions to this case, the Court circularly argues that "[b]ulk interception is by definition untargeted, and to require 'reasonable suspicion' would render the operation of such a scheme impossible." This contention ignores the legal principles the Court itself has established, brushing them aside in light of the difficult reality that a system of mass interception cannot accommodate them.
Second, the Court finds the way the UK government authorises mass interception compliant with the right to privacy, despite the lack of involvement of any independent authority, let alone a court or other judicial mechanism (§ 381). Again, it is difficult to square this finding with well-established interpretations of international human rights law and the Court's own jurisprudence (again, see Szabo & Vissy v. Hungary, Zakharov v. Russia). Indeed, this system made the UK an outlier among many other democratic countries and the only state in the Five Eyes Alliance (which also includes the US, Australia, Canada and New Zealand) that did not vest the power to approve surveillance activities in the judiciary, a fact observed by the UK's own former Independent Reviewer of Terrorism Legislation.
Finally, the Court also finds the UK intelligence sharing regime compliant with the right to privacy. In particular, the Court finds the "statutory framework" governing intelligence sharing sufficient to render the practice lawful. But in doing so, the Court relies heavily on a 'note' disclosed during our domestic proceedings. That note consisted of 2 pages, with no heading, and just a few paragraphs of text. It was unclear who drafted or adopted the note (and under what legal authority) or who had the power to amend it. It was further unclear whether the note represented an actual policy, part of a policy, a summary of a policy, or a summary of submissions made by the UK government to the Tribunal in a closed hearing. Although that note was substantially reproduced in the Interception of Communications Code of Practice, its substance also remains inadequate. For example, the Code of Practice speaks of the UK government making a “request” for “unanalysed intercepted communications content (and secondary data).” However, it fails to address other ways that the UK government may access data through its intelligence sharing arrangements, including direct and unfettered access to raw data intercepted in bulk or databases of material collected in bulk by foreign authorities.
The Court's findings on intelligence sharing get both the facts and law wrong. It ignores the reality of modern intelligence sharing, which does not involve antiquated notions of agencies "requesting" dossiers from other agencies, but rather unregulated access to enormous troves of data collected and stored in databases. The Court also, inexplicably, sanctions the application of the UK's mass interception legal framework (RIPA section 8(4)) to intelligence sharing, even though it found that same framework to be unlawful under Article 8.
CONCLUSION
This judgment will have immediate implications for the UK Investigatory Powers Act 2016, which replicates, and in some places extends, the surveillance powers of the UK intelligence agencies. In particular, it is clear that the IPA provisions that regulate the selection of undersea cables the government will tap and the search criteria applied to the communications obtained from those cables will need to be revised, including by providing stronger oversight. In addition, the government will also need to revisit the IPA provisions governing how the agencies examine metadata related to intercepted communications and provide for strengthened safeguards.
While today’s judgment is targeted to the UK, it also provides interpretation of the European Convention on Human Rights for the 47 member States of the Council of Europe (CoE), all of which are parties to the Convention. We expect those countries to review their surveillance laws and practices in light of this judgment and bring them to line with the Court's jurisprudence.
In the meantime, we will continue to fight against the use of mass surveillance by the UK and other governments around the world.