GCHQ

UK’s top security judges struggle to assess privacy threats

Technological advancements make it difficult for the Investigatory Powers Tribunal to assess privacy threats, say the tribunal’s own judges

Britain’s top security judges lack the technological understanding to assess the degree to which state surveillance might threaten citizens’ privacy, according to the judges themselves.

The Investigatory Powers Tribunal (IPT) is the most senior British court that handles security issues, and is also one of the most secretive UK courts.

The judges made the admission as part of a four-day hearing brought by Privacy International, a non-profit organisation that focuses on the protection of citizens from state interference.

It is the latest in a series of cases that have queried the legal basis for the mass surveillance first revealed by Edward Snowden in 2013.

Privacy International brought the case against the Foreign Secretary, the Home Secretary, GCHQ, the Security Service MI5 and the Secret Intelligence Service MI6, to challenge the legality of the use of mass databases on the population, known as bulk personal data sets.

They include databases showing the travel history, financial data and databases supplied by other government departments, such as HMRC and private sector companies. The intelligence agencies also collect and analyse bulk records of telecommunications, email and web traffic.

In the second day of the hearing, Thomas de la Mare, representing Privacy International, argued that the court is not in a fit position to decide whether the intrusion into privacy surveillance using bulk personal datasets is justified by threats to national security.

Asked by one of the judges when the actual invasion of privacy takes place, de la Mare said it is at the point of acquisition, “when the data is added to the database”.

The law requires that the intelligence services only make use of bulk data to the degree that it is necessity for the prevention of crime, or in the interest of national security, the court heard.

Difficult for judges to assess threats posed by bulk data

But IPT judge Sue O’Brien said the judges were not in a position to consider the technical threats posed by examination of bulk personal datasets.

“We don’t have enough technical knowledge,” she said. “The law looks at acquisition at moment of interference with the rights.”

Thomas de la Mere told the court that unless judges know how the data might be used, it is impossible to predict how data might interfere with the rights of data subjects, and consider what counts as proportionate.

“Lots of search terms could engage private life,” he said, adding that technology is changing all the time and the opportunities for the intelligence services grow with it.

“This form of surveillance is evolving, and the absence of technological competence in the tribunal is a risk – there is no assessor present. We are getting into the realm of systemic proportionality.”

Information commissioner is ‘not a technical expert’

The president of the IPT, Justice Burton, said that the tribunal is able to make use of the information commissioner’s expertise.

But O’Brien told the court this might be of limited value. “The commissioner is not a technical expert,” she said.

According to de la Mare, there should be an independent person, preferably the judiciary, to assess the impact of the use of bulk personal data sets by the intelligence services.

“It does not have to be judicial control, but it does have to be by someone sufficiently independent of the executive. It should normally be ensured by the judiciary, at least in the first resort,” he said.

Burton said granting prior permission for bulk surveillance to take place is a job for the information commissioner, and not the court. The IPT, however, is the only court that will hear complaints against the security services.

Privacy International and the judges disagreed as to what constitutes as surveillance.

The vice-president of the IPT, Justice John Mitting, said bulk interception of telecommunications data does not constitute surveillance at all. “Surveillance is monitoring someone’s activity in real time,” he said, adding that people reveal their ignorance in their criticisms of mass surveillance.

“[The use of the term surveillance] shows a basic misunderstanding of how services operate. It is not mass surveillance but a mass gathering of data, which is then mined to narrow down those who are of interest.”

O’Brien resigned earlier in July 2016 from her chairmanship of the Scottish child abuse inquiry, alleging governmental interference in the inquiry, with attempts to dismiss her from her post following her remonstrations.

Read more about government surveillance

Read more on Privacy and data protection