GCHQ

GCHQ bulk interception programme breached privacy rights, Strasbourg court rules

European Court of Human Rights finds that the UK’s bulk surveillance programme breached citizens’ privacy rights

GCHQ’s bulk interception of communications data, including data about telephone calls and emails, unlawfully breached the privacy rights of UK citizens, the European Court of Human Rights ruled today.

The court’s Grand Chamber found that the UK’s regime of intercepting bulk communications data and obtaining data from phone and internet companies breached citizens’ rights to privacy.

The decision follows an eight-year legal battle by 11 non-governmental organisations (NGOs) including Liberty, Privacy International and Amnesty.

They brought the case in the wake of revelations about the UK’s involvement in mass suspicionless surveillance following leaks by former US National Security Agency (NSA) contractor Edward Snowden in 2013.

The court's 17 judges also found the UK’s bulk interception programme did not contain adequate protections for confidential journalist material, including their confidential sources.

However, they rejected claims that the UK lacked sufficient safeguards to prevent abuse when Britain’s spy agencies requested intelligence from overseas intelligence agencies, such as the NSA.

Megan Goulding, a lawyer at Liberty, said the court’s findings showed that the UK’s bulk interception powers had breached the public’s right to privacy and freedom of expression for decades.

“Our right to privacy protects all of us. Today’s decision takes us another step closer to scrapping these dangerous, oppressive surveillance powers, and ensuring our rights are protected,” she said.

The court ruling applies to the surveillance regime of the Regulation of Investigatory Powers Act (RIPA) 2000 which has since been replaced by Investigatory Powers Act 2016, also known as the snoopers’ charter.

Goulding said the court’s decision would clear the way for a further legal challenge against surveillance powers under current surveillance laws, with a case expected to be heard in the Court of Appeal later this year. 

Bulk interception regime lacked safeguards

The court found, in a 200-page judgment, that because of the proliferation of threats faced by the UK and other countries, the decision of the UK to operate a bulk interception regime did not, in itself, violate privacy rights.

However, it found the UK’s bulk interception regime had shortcomings under RIPA which meant it was incapable of limiting the “interference” of citizens’ rights to a private life to that “necessary in a democratic society”.

“Our right to privacy protects all of us. Today’s decision takes us another step closer to scrapping these dangerous, oppressive surveillance powers, and ensuring our rights are protected”
Megan Goulding, Liberty

Surveillance had to be subject to end-to-end safeguards, including an assessment at each stage of the necessity and proportionality of the measures taken, and to supervision and independent review.

It found that UK intelligence services had failed to include in warrant applications search terms defining the kinds of communications that would be liable for examination after interception, and that the search terms linked to an individual had not been subject to prior internal authorisation.

Bulk interception had been wrongly authorised by the secretary of state, rather than an independent body, the court found.

Judges said that the Interception of Communications Commissioner (since replaced by the Investigatory Powers Commissioner’s Office) had provided “valuable oversight” and the Investigatory Powers Tribunal provided a robust judicial remedy for people who alleged their communications had been wrongly interfered with.

But the safeguards did not go far enough to offset the shortcomings of the bulk surveillance regime.

Protection for journalists’ sources

The decision paves the way for greater protection for journalist's sources and journalistic material by requiring independent prior approval before journalists’ communications are intercepted.

The judges found that the regime allowing the UK intelligence services and government agencies to access records held by phone and internet companies was incompatible with Article 8 of the European Convention on Human Rights, which guarantees a right to privacy.

The operation of the regime was not “in accordance with the law”, they said.

Judges said they were concerned that the UK surveillance law did not require that the use of search terms known to be connected to a journalist should be authorised by a judge or an independent decision-making body.

There were no safeguards to ensure that confidential journalist material obtained incidentally through bulk collection would only be stored and examined if subject to independent approval.

Data exchange with overseas intelligence agencies lawful

The judges found that the UK had sufficient safeguards in place to prevent abuse when UK intelligence agencies requested intercept material from foreign intelligence agencies.

They found there were sufficient safeguards in place to protect how the material should be examined, used and stored.

There was adequate supervision from the Interception of Communications Commissioner and the Investigatory Powers Tribunal, the court found.

And the UK had not used requests for foreign governments as a means of circumventing its duties under domestic law and the European Convention of Human Rights.

First case to address UK mass surveillance

The case is the first time that the Grand Chamber of the European Court of Human Rights in Strasbourg has been asked to rule whether surveillance undertaken on a mass scale by the UK and other governments is lawful.

The chamber also addressed what minimum safeguards were needed to ensure the privacy of individuals – the majority of no intelligence value – caught up in electronic surveillance.

The campaigning groups challenged the UK’s right to intercept in bulk and store the contents of any communication that passes through the UK on telecommunications networks and subsea cables, including emails and web browsing records.

The groups, which include the Bureau of Investigative Journalism, argued that the government was likely to have spied on their communications, violating their rights to privacy and freedom of expression, and jeopardising journalistic confidential sources and whistleblowers.

The ruling follows a landmark decision by the First Section of the European Court of Human Rights in September 2018, which found that GCHQ’s use of mass surveillance of online communications data breached privacy laws and lacked sufficient oversight and safeguards.

The Strasbourg court then acknowledged that interception of data related to people’s communications – including times and destinations of emails and phone calls, web pages visited and mobile phone location – posed as serious a risk to individuals’ privacy as the interception of phone calls, emails and text messages.

The NGOs were granted a referral to take the case to the Grand Chamber in February 2019.

Suspicionless surveillance

In a dissenting opinion, Judge Paulo Pinto de Albuquerque, said that the court had made its decision based on “educated guesses” and had failed to require proper disclosure about the UK’s interception capabilities.

“The Government’s case boils down to a simple proposition which is “trust us”. The majority [ of judges] were ready to accept this proposition, with the risk of erring on the side of over-collecting intelligence. I am not,” he said.

“Admitting non-targeted bulk interception involves a fundamental change in how we view crime prevention and investigation and intelligence gathering in Europe, from targeting a suspect who can be identified to treating everyone as a potential suspect, whose data must be stored, analysed and profiled.”

Pinto said that “indiscriminate mass communications surveillance has proven to be ineffective for the prevention of terrorism and therefore is not only dangerous for the protection of human rights but also a waste of resources.”

Snowden revelations

Today’s case centres around surveillance programmes exposed by the former NSA contractor Edward Snowden in 2013.

They include Tempora, a UK government programme that allows GCHQ to store internet traffic entering the UK through fibre-optic cables for “retrospective analysis”.

GCHQ also has access to communications data collected by the US government through a series of programmes called Upstream, which collects vast amounts of data from taps on internet cables passing through the US.

Another programme, Prism, run by the NSA and also accessible to GCHQ, collects emails, chats, videos, images and communications data from at least nine large US technology companies, including Microsoft, Apple, Yahoo!, Google, Facebook, Skype and YouTube.

The UK’s most secret court, the Investigatory Powers Tribunal (IPT), revealed in a ruling in June 2015 that GCHQ had unlawfully spied on Amnesty International and South Africa’s Legal Resources Centre.

GCHQ surveillance programmes

Karma Police

Karma Police maps every user visible on the internet with the websites they visit to provide a web-browsing profile for each individual or a profile of every visitor to every visible website on the internet, according to Snowden documents. GCHQ has used Karma Police to identify people across hundreds of countries listening to internet radio stations broadcasting extracts of the Quran.

Black Hole

Black Hole is a data repository that contains raw logs of intercepted communications. According to a GCHQ PowerPoint presentation in 2009, it was used to store more than 1.1 trillion communications data records, adding about 10 billion new entries every day. About 41% of its content comprised people’s internet browsing histories. The rest included records of emails, instant messaging, social media activities, logs relating to hacking operations and data on people’s use of tools to browse the internet anonymously. In 2011, GCHQ began the development of “unprecedented” techniques to perform “population-scale” data mining and monitoring all communications across entire countries in an effort to detect suspicious patterns of behaviour.

Mutant Broth

GCHQ uses Mutant Broth to sift through the data contained in GCHQ’s Black Hole data repository for intercepted cookies. It uses cookies to help it monitor people’s internet use and uncover online identities. GCHQ has used the programme to harvest cookies from popular websites, including Facebook, YouTube, Amazon and the BBC, according to a document in the Snowden archive. In a six-month period between December 2008 and June 2008 more than 18 billion records were accessible through Mutant Broth.

Source: Factual Appendix: 10 Human Rights Organisations v United Kingdom and The Intercept.

Intrusive powers

Jim Killock, executive director of the Open Rights Group, which is one of the organisations challenging the UK’s activities before the European Court of Human Rights, said: “The court has recognised that bulk interception is an especially intrusive power, and that ‘end-to-end safeguards’ are needed to ensure abuse does not occur.”

He said the Open Rights Group was far from confident that the current bulk interception regime had sufficient safeguards. “This judgment is an important step on a long journey,” he said.  

“The court has recognised that bulk interception is an especially intrusive power, and that ‘end-to-end safeguards’ are needed to ensure abuse does not occur”
Jim Killock, Open Rights Group

Ilia Siatitsa, acting legal director at Privacy International, said: “Today, the court reiterated that intelligence agencies cannot act on their own, in secret and in the absence of authorisation and supervision by independent authorities.”

She said the court had recognised, for the first time, that bulk interception consisted of a series of processes that required different levels of privacy protection.

“The court has established a sliding scale of interference to privacy. It has recognised that not all parts of the bulk interception have the same degree of interference. We cannot treat it as one and the same, and different steps need stronger protection,” she said.

Silkie Carlo, director of Big Brother Watch said that the judgment confirms that the UK’s mass spying breached citizens’ rights to privacy and free expression for decades.

“Mass surveillance damages democracies under the cloak of defending them, and we welcome the Court’s acknowledgement of this. As one judge put it, we are at great risk of living in an electronic “Big Brother” in Europe,” she said.

“We welcome the judgment that the UK’s surveillance regime was unlawful, but the missed opportunity for the Court to prescribe clearer limitations and safeguards mean that risk is current and real.”

The case was brought by Privacy International, ACLU, Amnesty International, Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre and Liberty. Other parties were Big Brother Watch, the Open Rights Group, English PEN, Constanze Kurz, The Bureau of Investigative Journalism and Alice Ross.

Read more about the case

 

Read more on IT for government and public sector