On September 13, after a five-year legal battle, the European Court of Human Rights
said that the UK government's surveillance regime--which includes the country's mass surveillance programs, methods, laws, and judges--violated the human rights to privacy and to freedom of expression. The court's opinion is the culmination
of lawsuits filed by multiple privacy rights organizations, journalists, and activists who argued that the UK's surveillance programs violated the privacy of millions.
The court's decision is a step in the right direction, but it shouldn't be the last. While the court rejected the UK's spying programs, it left open the risk that a mass surveillance regime could comply with human rights law, and it did not say
that mass surveillance itself was unlawful under the European Convention on Human Rights (a treaty that we discuss below).
But the court found that the real-world implementation of the UK's surveillance--with secret hearings, vague legal safeguards, and broadening reach--did not meet international human rights standards. The court described a surveillance regime
"incapable" of limiting its "interference" into individuals' private lives when only "necessary in a democratic society."
In particular, the court's decision attempts to rein in the expanding use of mass surveillance. Originally reserved for allegedly protecting national security or preventing serious threats, use of these programs has trickled into routine criminal
investigations with no national security element--a lowered threshold that the court zeroed in on to justify its rejection of the UK's surveillance programs. The court also said the UK's mass surveillance pipeline--from the moment data is
automatically swept up and filtered to the moment when that data is viewed by government agents--lacked meaningful safeguards.
The UK Surveillance Regime
In the UK, the intelligence agency primarily tasked with online spying is the Government Communications Headquarters (GCHQ). The agency, which is sort of the UK version of the NSA, deploys multiple surveillance programs to sweep up nearly any
type of online interaction you can think of, including emails, instant messenger chats, social media connections, online searches, browser history, and IP addresses. The GCHQ also collects communications metadata, capturing, for instance, what
time an email was sent, where it was sent from, who it was sent to, and how quickly a reply was made.
The privacy safeguards for this surveillance are dismal.
For more than a decade, the GCHQ was supposed to comply with the Regulation of Investigatory Powers Act 2000 (RIPA). Though no longer fully in effect, the law required Internet service providers to, upon government request, give access to users'
online communications in secret and to install technical equipment to allow surveillance on company infrastructure.
The UK directly collected massive amounts of data from the transatlantic, fiber-optic cables that carry Internet traffic around the world. The UK government targeted "bearers"--portions of a single cable--to collect the data traveling
within, applied filters and search criteria to weed out data it didn't want, and then stored the remaining data for later search, use, and sharing. According to GCHQ, this surveillance was designed to target "external"
communications--online activity that is entirely outside the UK or that involves communications that leave or enter the UK--like email correspondence between a Londoner and someone overseas. But the surveillance also collected entirely
"internal" communications, like two British neighbors' emails to one another. This surveillance was repeatedly approved under months-long, non-targeted warrants. Parts of this process, the court said, were vulnerable to abuse.
(In 2016, the UK passed another surveillance law--the Investigatory Powers Act, or IPA--but the court's decision applies only to government surveillance under the prior surveillance law, the RIPA.)
A Failure to Comply with Human Rights Laws
The suit's results can be looked at as a disconnect between the domestic laws allowing government surveillance in the UK and the UK's international human rights obligations.
The court took issue with the UK's failure to comply with the European Convention on Human Rights--an international treaty to protect human rights in Europe, specified in the convention's "articles." The European Court of Human Rights
(ECtHR), a regional human rights judicial body based in Strasbourg, France, issued the opinion.
Though the lawsuit's plaintiffs asserted violations of Articles 6, 8, 10, and 14, the court only found violations of Articles 8 and 10, which guarantee the right to privacy and the right to freedom of expression. The court's reasoning relied on
applicable law, government admissions, and recent court judgments.
The court found two glaring problems in the UK's surveillance regime--the entire selection process for what data the government collects, keeps, and sees, and the government's unrestricted access to metadata.
How the government chooses "bearers" for data collection should "be subject to greater oversight," the court said. By itself, this was not enough to violate Article 8's right to privacy, the court said, but it necessitated
better safeguards in the next steps--how data is filtered after initial collection and how data is later accessed.
Both those steps lacked sufficient oversight, too, the court said. It said the UK government received no independent oversight and needed "more rigorous safeguards" when choosing search criteria and selectors (things like email
addresses and telephone numbers) to look through already-collected data. And because analysts can only look at collected and filtered data, "the only independent oversight of the process of filtering and selecting intercept data for
examination" can happen afterwards through an external audit, the court said.
"The Court is not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse," the
court said. "Of greatest concern, however, is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications."
Along with related problems, including the association of related metadata to collected communications, the court concluded the surveillance program violated Article 8.
The court also looked at how the UK government accesses metadata in so-called targeted requests to communications providers. It focused on one section of RIPA and one particularly important legal phrase: "Serious crime."
The UK's domestic law, the court said, "requires that any regime permitting the authorities to access data retained by [communications services providers] limits access to the purpose of combating 'serious crime,' and that access be subject
to prior review by a court or independent administrative body."
This means that whenever government agents want to access data held by communications services providers, those government agents must be investigating a "serious crime," and government agents must also get court or administrative
approval prior to accessing that data.
Here's the problem: that language is absent in the UK's prior surveillance law for metadata requests. Instead, RIPA allowed government agencies to obtain metadata for investigations into non-serious crimes. Relatedly, metadata access for
non-serious crimes did not require prior court or independent administrative approval, compounding the invasion of privacy.
Due to this discrepancy, the court found a violation of Articles 8 and 10.
For years, intelligence agencies convinced lawmakers that their mass surveillance programs were necessary to protect national security and to prevent terrorist threats--to, in other words, fight "serious crime." But recently, that's
changed. These programs are increasingly being used for investigating seemingly every-day crimes.
In the UK, this process began with RIPA. The 2000 law was introduced in part to bring Britain's intelligence operations into better compliance with human rights law because the country's government realized that the scope of GCHQ's powers--and
any limits to it--were insufficiently defined in law.
But as soon as lawmakers began cataloguing the intelligence services' extraordinary powers to peer into everybody's lives, other parts of the government took interest: If these powers are so useful for capturing terrorists and subverting foreign
governments, why not use them for other pressing needs? With RIPA, the end result was an infamous explosion in the number of agencies able to conduct surveillance under the law. Under its terms, the government set out to grant surveillance powers
to everyone from food standards officers to local authorities investigating the illicit movement of pigs, to a degree that upset even the then-head of MI5.
The court's decision supports the idea that this surveillance expansion, if left unchecked, could be incompatible with human rights.
At more than 200 pages, the court's opinion includes a lot more than just findings of human rights violations.
Metadata collection, the court said, is just as intrusive as content collection.
Take phone call metadata, for example. Metadata reveals a person's seven-days-a-week, middle-of-the-night, 10-minute phone calls to a local suicide prevention hotline. Metadata reveals a person's phone call to an HIV testing center, followed up
with a call to their doctor, followed up with a call to their health insurance company. Metadata reveals a person's half-hour call to a gynecologist, followed by another call to a local Planned Parenthood.
The court made a similar conclusion. It said:
"For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal
the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting
an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with."
The court also said that an individual's right to privacy is applied at the initial moment their communications are collected, not, as the government said, when their communications are accessed by a human analyst. That government
assertion betrays our very understanding of privacy and relates to a similar, disingenuous claim that our messages aren't really "collected" until processed for government use.
Turning Towards Privacy
Modern telecommunications surveillance touches on so many parts of human rights that it will take many more international cases, or protective action by lawmakers and judges, before we can truly establish its limits, and there is plenty more
that's wrong with how we deal with modern surveillance than is covered by this decision.
This is partly why EFF and hundreds of other technical and human rights experts helped create the Necessary and Proportionate Principles, a framework for assessing whether a state's communication surveillance practices comply with a country's human rights obligations. And it's why EFF has brought its own lawsuits to challenge mass
surveillance conducted by the NSA in the United States. (The European Court of Human Rights' opinion has no direct effect on this litigation.)
This type of work takes years, if not decades. When it comes to any court remedy, it is often said that the wheels of justice turn slowly. We can at least breathe a little easier knowing that, last week, thanks to the hard work of privacy groups
around the world, the wheels made one more turn in the right direction, towards privacy.
The Canadian government is seeking a company that will scour social media and the dark web for data on Canadians' use of cannabis. The request comes a few weeks before recreational pot use becomes legalized on October 17.
According to a tender posted by Public Safety Canada this week, the government wants a company to algorithmically scan Twitter, Tumblr, Facebook, Instagram, and other relevant microblogging platforms for information on Canadians' attitudes
towards legal pot and their behaviours.
The initiative will look for self-reported usage patterns (how much, what kind, and where) and activities such as buying and selling weed. The government will also be scanning social media for criminal activities associated with cannabis
use--driving under the influence, for example. The initiative will also capture metadata, such as self-reported location and demographics, but according to the tender the data must exclude individual unique identifiers.
Motherboard asked Public Safety Canada spokesperson Karine Martel about the project. She did not comment on whether information on cannabis-related crimes collected from social media will be shared with law enforcement, but noted that the work
will be conducted in compliance with the Tri-Council Policy Statement, which notes that research focusing on topics that include illegal activities depends on promises of strong confidentiality to participants.
According to a second tender, the feds are also looking to keep track of Canadians buying and selling weed on so-called dark web markets. Both projects are slated to conclude on April 30, 2019.
The European Court of Human Rights (ECtHR) has found that the UK's mass surveillance programmes, revealed by NSA whistleblower Edward Snowden, did not meet the quality of law requirement and were incapable of keeping the interference
to what is necessary in a democratic society.
The landmark judgment marks the Court's first ruling on UK mass surveillance programmes revealed by Mr Snowden. The case was started in 2013 by campaign groups Big Brother Watch, English PEN, Open Rights Group and computer science expert Dr
Constanze Kurz following Mr Snowden's revelation of GCHQ mass spying.
Documents provided by Mr Snowden revealed that the UK intelligence agency GCHQ were conducting population-scale interception, capturing the communications of millions of innocent people. The mass spying programmes included TEMPORA, a bulk data
store of all internet traffic; KARMA POLICE, a catalogue including a web browsing profile for every visible user on the internet; and BLACK HOLE, a repository of over 1 trillion events including internet histories, email and instant messenger
records, search engine queries and social media activity.
The applicants argued that the mass interception programmes infringed UK citizens' rights to privacy protected by Article 8 of the European Convention on Human Rights as the population-level surveillance was effectively indiscriminate, without
basic safeguards and oversight, and lacked a sufficient legal basis in the Regulation of Investigatory Powers Act (RIPA).
In its judgment, the ECtHR acknowledged that bulk interception is by definition untargeted; that there was a lack of oversight of the entire selection process, and that safeguards were not sufficiently robust to provide adequate
guarantees against abuse.
In particular, the Court noted concern that the intelligence services can search and examine "related communications data" apparently without restriction -- data that identifies senders and recipients of communications, their
location, email headers, web browsing information, IP addresses, and more. The Court expressed concern that such unrestricted snooping could be capable of painting an intimate picture of a person through the mapping of social networks,
location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with.
The Court acknowledged the importance of applying safeguards to a surveillance regime, stating:
In view of the risk that a system of secret surveillance set up to protect national security may undermine or even destroy democracy under the cloak of defending it, the Court must be satisfied that there are adequate and effective guarantees
The Government passed the Investigatory Powers Act (IPA) in November 2016, replacing the contested RIPA powers and controversially putting mass surveillance powers on a statutory footing.
However, today's judgment that indiscriminate spying breaches rights protected by the ECHR is likely to provoke serious questions as to the lawfulness of bulk powers in the IPA.
Jim Killock, Executive Director of Open Rights Group said:
Viewers of the BBC drama, the Bodyguard, may be shocked to know that the UK actually has the most extreme surveillance powers in a democracy. Since we brought this case in 2013, the UK has actually increased its powers to indiscriminately
surveil our communications whether or not we are suspected of any criminal activity.
In light of today's judgment, it is even clearer that these powers do not meet the criteria for proportionate surveillance and that the UK Government is continuing to breach our right to privacy.
Silkie Carlo, director of Big Brother Watch said:
This landmark judgment confirming that the UK's mass spying breached fundamental rights vindicates Mr Snowden's courageous whistleblowing and the tireless work of Big Brother Watch and others in our pursuit for justice.
Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any Western state, corroding democracy itself and the rights of the British public. This judgment is a vital step towards protecting millions
of law-abiding citizens from unjustified intrusion. However, since the new Investigatory Powers Act arguably poses an ever greater threat to civil liberties, our work is far from over.
Antonia Byatt, director of English PEN said:
This judgment confirms that the British government's surveillance practices have violated not only our right to privacy, but our right to freedom of expression too. Excessive surveillance discourages whistle-blowing and discourages investigative
journalism. The government must now take action to guarantee our freedom to write and to read freely online.
Dr Constanze Kurz, computer scientist, internet activist and spokeswoman of the German Chaos Computer Club said:
What is at stake is the future of mass surveillance of European citizens, not only by UK secret services. The lack of accountability is not acceptable when the GCHQ penetrates Europe's communication data with their mass surveillance techniques.
We all have to demand now that our human rights and more respect of the privacy of millions of Europeans will be acknowledged by the UK government and also by all European countries.
Dan Carey of Deighton Pierce Glynn, the solicitor representing the applicants, stated as follows:
The Court has put down a marker that the UK government does not have a free hand with the public's communications and that in several key respects the UK's laws and surveillance practices have failed. In particular, there needs to be much
greater control over the search terms that the government is using to sift our communications. The pressure of this litigation has already contributed to some reforms in the UK and this judgment will require the UK government to look again at
its practices in this most critical of areas.
Big Brother Watch has collaborated with leading campaigners, investigative journalists, and lawyers to share stories from the frontline on surveillance and data collection in the UK.
If you believe that you have nothing to hide and nothing to fear, this report will make you think again.
From unionists to journalists, and even welfare recipients and school children, we found that surveillance is increasingly affecting the lives of innocent people in the UK, chilling citizens' rights to freedom of expression and privacy, and
The Five Eyes governments of the UK, US, Canada, Australia and New Zealand have threatened to compel the tech industry by law to create backdoor access to their systems if it does not do so voluntarily.
The move is a final warning to platform holders such as WhatsApp, Apple and Google who deploy encryption to guarantee user privacy on their services. A statement by the Five Eyes governments says:
Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information ... HOWEVER ... the increasing use and sophistication of certain encryption designs present
challenges for nations in combating serious crimes and threats to national and global security.
Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate
investigations and avoid detection and prosecution.
If the industry does not voluntarily establish lawful access solutions to their products, the statement continued, we may pursue technological, enforcement, legislative or other measures to guarantee entry.
Proposals to make fingerprinting of all identity card holders in the EU obligatory were published by the European Commission in April as part of a proposal on strengthening the security of identity cards and residence documents.
The proposal published by the Commission says that all EU Member States will be obliged to introduce a uniform format for their identity cards (if they issue them) and that they must include a facial image and two fingerprints - the latter being
included, in the words of the Commission, to further increase effectiveness in terms of security.
This measure flies in the face of the conclusions reached in the Commission's own impact assessment, which said that a proposal excluding mandatory fingerprinting would be more efficient and proportional.
The Commission has made no attempt to justify the necessity and proportionality of what is a serious intrusion on the rights to privacy and data protection - biometric data qualifies as a special category of personal data under the EU's General
Data Protection Regulation and requires suitable and specific safeguards.
The proposals were sent to the Council for the consideration of the Member States, whose representatives in the Working Party on Frontiers first examined the proposals on 4 May. They have been discussed on three further occasions since then.
Policy Exchange is a think tank that describes itself as:
The UK's leading think tank. As an educational charity our mission is to develop and promote new policy ideas which deliver better public services, a stronger society and a more dynamic economy.
And now it has been considering post-Brexit visa arrangements and has taken the opportunity to call for the revival of ID cards, or at least an ID number that can be used to identify everybody in official and unofficial databases throughout
the world. Policy Exchange writes:
As national borders are being transformed by new technologies and new thinking about how to manage flows of goods and people as quickly and safely as possible, the UK border needs continuing innovation and reform.
The report's main recommendations include:
Roll out ID system for EU citizens. A unique digital reference for interactions with the state is being developed for the 3.6m EU citizens settled here after Brexit. This experiment with a unique number system should be a trial run for
an initially voluntary system for UK citizens.