The UK government has introduced an amendment to the Investigatory Powers Bill currently going through Parliament, to ensure that data retention orders cannot require ISPs to collect and retain third party data. The Home Office had
previously said that they didn't need powers to force ISPs to collect third party data, but until now refused to provide guarantees in law.
Third party data is defined as communications data (sender, receiver, date, time etc) for messages sent within a website as opposed to messages sent by more direct methods such as email. It is obviously a bit tricky for ISPs to try and decode
what is going on within websites as messaging data formats are generally proprietary, and in the general case, simply not decipherable by ISPs.
The Government will therefore snoop on messages sent, for example via Facebook, by demanding the communication details from Facebook themselves.
The Investigatory Powers Bill is one step closer to becoming law after it was passed by the House of Lords yesterday.
Open Rights Group's Executive Director, Jim Killock, responded:
The UK is one step closer to having one of the most extreme surveillance laws ever passed in a democracy.
Despite attempts by the Lib Dems and Greens to restrain these draconian powers, the Bill is still a threat to the British public's right to privacy.
The IP Bill is a comprehensive surveillance law that was drafted after three inquiries highlighted flaws in existing legislation. However, the new Bill fails to restrain mass surveillance by the police and security services and even extends their
powers. Once passed, Internet Service Providers could be obliged to store their customers' web browsing history for a year. The police and government departments will have unprecedented powers to access this data through a search engine that
could be used for profiling. The Bill will also allow the security services to continue to collect communications data in bulk and could see Internet security weakened by allowing mass hacking.
The European Court of Justice has passed judgement on several linked cases in Europe requiring that ISPs retain extensive records of all phone and internet communications. This includes a challenge by Labour's Tom Watson. The court wrote in a
The Member States may not impose a general obligation to retain data on providers of electronic communications services
EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Member States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting
serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access
of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.
In today's judgment, the Court's answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data.
The Court confirms first that the national measures at issue fall within the scope of the directive. The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures
taken by all persons other than users, whether by private persons or bodies, or by State bodies.
Next, the Court finds that while that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in
particular to the prohibition on storage of data laid down by that directive, becoming the rule.
Further, the Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is
strictly necessary. The Court applies that case-law to the rules governing the retention of data and those governing access to the retained data.
The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.
The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of
electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is
capable of justifying such interference.
The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter
alia, providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly
necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.
The Court makes clear however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories
of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise
and must provide for sufficient guarantees of the protection of data against risks of misuse. The legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted,
thereby ensuring that the scope of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is
likely to reveal a link with serious criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.
As regards the access of the competent national authorities to the retained data, the Court confirms that the national legislation concerned cannot be limited to requiring that access should be for one of the objectives referred to in the
directive, even if that objective is to fight serious crime, but must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data. That legislation must be based on
objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data. Access can, as a general rule, be granted, in relation to the objective of fighting
crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national
security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be inferred that that data might, in a specific
case, make an effective contribution to combating such activities.
Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, the competent national authorities
to whom access to retained data has been granted must notify the persons concerned of that fact.
Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at
the end of the retention period.
The view of the authorities
David Anderson, the Independent Reviewer of Terrorism Legislation, gives a lucid response outlining the government's case for mass surveillance. However, the official justification is easily summarised: it clearly assists in the detection of
serious crime. He simply does not mention that the government, having justified grabbing the data on grounds of serious crime detection, will share it willy nilly with all sorts of government departments for their own convenience, way beyond the
reasons set out in the official justification.
And when the authorities talk about their fight against 'serious' crime, recent governments have been updating legislation to redefine practically all crimes as 'serious' crimes. E.g. possessing a single spliff may in practice be a trivial crime,
but the law on possession has a high maximum sentence that qualifies it as a 'serious' crime. It does not become trivial until it goes to court and a trivial punishment has been handed down. So using mass snooping data would be easily
justified to track down trivial drug users.
The judgment relates to a case brought by Deputy Leader of the Labour Party, Tom Watson MP, over intrusive data retention powers. The ruling says that:
- Blanket data retention is not permissible
- Access to data must be authorised by an independent body
- Only data belonging to people who are suspected of serious crimes can be accessed
- Individuals need to be notified if their data is accessed.
At present, none of these conditions are met by UK law.
Open Rights Group intervened in the case together with Privacy International, arguing that the Data Retention and Investigatory Powers Act (DRIPA), rushed through parliament in 2014, was incompatible with EU law. While the
Judgment will no longer affect DRIPA, which expires at the end of 2016, it has major implications for the Investigatory Powers Act.
Executive Director Jim Killock said:
The CJEU has sent a clear message to the UK Government: blanket surveillance of our communications is intrusive and unacceptable in a democracy.
The Government knew this judgment was coming but Theresa May was determined to push through her snoopers' charter regardless. The Government must act quickly to re-write the IPA or be prepared to go to court again.
Data retention powers in the Investigatory Powers Act will come into effect on 30 Dec 2016. These mean that ISPs and mobile phone providers can be obliged to keep data about our communications, including a record of the
websites we visit and the apps we use. This data can be accessed by the police but also a wide range of organisations like the Food Standards Agency, the Health and Safety Executive and the Department of Health.
No matter how much governments spout bollox about mass snooping being used only to detect the likes of terrorism, the authorities end up sharing the data with Tom, Dick and Harry for the most trivial of reasons.
Liberty is launching a landmark legal challenge to the extreme mass surveillance powers in the Government's new Investigatory Powers Act -- which lets the state monitor everybody's web history and email, text and phone records, and hack
computers, phones and tablets on an industrial scale.
Liberty is seeking a High Court judicial review of the core bulk powers in the so-called Snoopers' Charter -- and calling on the public to help it take on the challenge by donating via crowdfunding platform CrowdJustice.
Martha Spurrier, Director of Liberty, said:
Last year, this Government exploited fear and distraction to quietly create the most extreme surveillance regime of any democracy in history. Hundreds of thousands of people have since called for this Act's repeal because they see it for what it
is -- an unprecedented, unjustified assault on our freedom.
We hope anybody with an interest in defending our democracy, privacy, press freedom, fair trials, protest rights, free speech and the safety and cybersecurity of everyone in the UK will support this crowdfunded challenge, and make 2017 the year
we reclaim our rights.
The Investigatory Powers Act passed in an atmosphere of shambolic political opposition last year, despite the Government failing to provide any evidence that such indiscriminate powers were lawful or necessary to prevent or detect crime.
Liberty will seek to challenge the lawfulness of the following powers, which it believes breach the public's rights:
- Bulk hacking -- the Act lets police and agencies access, control and alter electronic devices like computers, phones and tablets on an industrial scale, regardless of whether their owners are suspected of involvement in crime -- leaving them vulnerable to further attack by hackers.
- Bulk interception -- the Act allows the state to read texts, online messages and emails and listen in on calls en masse, without requiring suspicion of criminal activity.
- Bulk acquisition of everybody's communications data and internet history -- the Act forces communications companies and service providers to hand over records of everybody's emails, phone calls and texts and entire web browsing history to state agencies to store, data-mine and profile at its will. This provides a goldmine of valuable personal information for criminal hackers and foreign spies.
- Bulk personal datasets -- the Act lets agencies acquire and link vast databases held by the public or private sector. These contain details on religion, ethnic origin, sexuality, political leanings and health problems, potentially on the entire population -- and are ripe for abuse and discrimination.
In a challenge to the Data Retention and Investigatory Powers Act (DRIPA) by MP Tom Watson, represented by Liberty, the CJEU ruled the UK Government was breaking the law by indiscriminately collecting and accessing the nation's internet
activity and phone records.
DRIPA forced communications companies to store records of everybody's emails, texts, phone calls and internet communications and let hundreds of public bodies grant themselves access with no suspicion of serious crime or independent sign-off.
Judges ruled the regime breached British people's rights because it:
- Allowed indiscriminate retention of all communications data.
- Did not restrict access to the purpose of preventing and detecting precisely defined serious crime.
- Let police and public bodies authorise their own access, instead of requiring prior authorisation by a court or independent body.
- Did not require that people be notified after their data had been accessed.
- Did not require that the data be kept within the European Union.
DRIPA expired at the end of 2016 -- but its powers are replicated and vastly expanded in the Investigatory Powers Act, with no effort to counter the lack of safeguards found unlawful in the case.
Senior police officers are to lose the power to self-authorise access to personal phone and web browsing records under a series of late changes to the snooper's charter law proposed by ministers in an attempt to comply with a European court
ruling on Britain's mass surveillance powers.
A Home Office consultation paper published on Thursday also makes clear that the 250,000 requests each year for access to personal communications data by the police and other public bodies will in future be excluded for investigations into minor
crimes that carry a prison sentence of less than six months.
But the government says the 2016 European court of justice (ECJ) ruling in a case brought by Labour's deputy leader, Tom Watson, initially with David Davis, now the Brexit secretary, does not apply to the retention or acquisition of personal
phone, email, web history or other communications data by national security organisations such as GCHQ, MI6 or MI5, claiming that national security is outside the scope of EU law.
The Open Rights Group has been campaigning hard on issues of liberty and privacy and writes:
This is a major victory for ORG, although one with dangers. The government has conceded that independent authorisation is necessary for communications data requests, but refused to budge on retained data and is pushing ahead with the Request
Filter, to enable rapid interrogation and analysis of the stored communications data.
Adding independent authorisation for communications data requests will make the police more effective, as corruption and abuse will be harder. It will improve operational effectiveness, even if less data is used during investigations and trust in
the police should improve.
Nevertheless the government has disregarded many key elements of the judgment:
- It isn't going to reduce the amount of data retained
- It won't notify people whose data is used during investigations
- It won't keep data within the EU, instead it will continue to transfer it, presumably specifically to the USA
The Home Office has opted for a six month sentence definition of serious crime rather than the Lords' definition of crimes capable of sentences of at least one year.
These are clear evasions and abrogations of the judgment. The mission of the Home Office is to uphold the rule of law. By failing to do what the courts tell them, the Home Office is undermining the very essence of the rule of law.
If the Home Office won't do what the highest courts tell it to do, why should anybody else? By picking and choosing the laws they are willing to care about, they are playing with fire.
There was one final surprise. The Code of Practice covers the operation of the Request Filter. Yet again we are told that this police search engine is a privacy safeguard. We will now run through the code in fine detail to see if any such
safeguards are there. On a first glance, there are not.
If the Home Office genuinely believe the Request Filter is a benign tool, they must rewrite this section to make abundantly clear that it is not a mini version of X-Keyscore (the NSA / GCHQ's tool to trawl their databases of people linked to
their email and web visits) and does not operate as a facility to link and search the vast quantities of retained and collected communications data.
The UK's mass digital surveillance regime preceding the snoopers' charter has been found to be illegal by an appeals court.
The case was brought by the Labour deputy leader, Tom Watson in conjunction with Liberty, the human rights campaign group.
The three judges said Data Retention and Investigatory Powers Act 2014 (Dripa), which paved the way for the snooper's charter legislation, did not restrict the accessing of confidential personal phone and web browsing records to investigations of
serious crime, and allowed police and other public bodies to authorise their own access without adequate oversight. The judges said Dripa was inconsistent with EU law because of this lack of safeguards, including the absence of prior review by a
court or independent administrative authority.
Responding to the ruling, Watson said:
This legislation was flawed from the start. It was rushed through parliament just before recess without proper parliamentary scrutiny. The government must now bring forward changes to the Investigatory Powers Act to ensure that hundreds of
thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data. I'm proud to have played my part in safeguarding citizens' fundamental rights.
Martha Spurrier, the director of Liberty, said:
Yet again a UK court has ruled the government's extreme mass surveillance regime unlawful. This judgement tells ministers in crystal clear terms that they are breaching the public's human rights. She said no politician was above the law. When
will the government stop bartering with judges and start drawing up a surveillance law that upholds our democratic freedoms?
Matthew Rice of the Open Rights Group responded:
Once again, another UK court has found another piece of Government surveillance legislation to be unlawful. The Government needs to admit their legislation is flawed and make the necessary changes to the Investigatory Powers Act to protect the
public's fundamental rights.
The Investigatory Powers Act carves a gaping hole in the public's rights. Public bodies able to access data without proper oversight, and access to that data for reasons other than fighting serious crime. These practices must stop, the courts
have now confirmed it. The ball is firmly in the Government's court to set it right.
High Court judges have given the UK government six months to revise parts of its Investigatory Powers Act. The government has been given a deadline of 1 November this year to make the changes to its Snooper's Charter.
Rules governing the British surveillance system must be changed quickly because they are incompatible with European laws, said the judges.
The court decision came out of legal action by human rights group Liberty. It started its legal challenge to the Act saying clauses that allow personal data to be gathered and scrutinised violated citizens' basic rights to privacy.
The court did not agree that the Investigatory Powers Act called for a general and indiscriminate retention of data on individuals, as Liberty claimed. However in late 2017, government ministers accepted that its Act did not align with European
law which only allows data to be gathered and accessed for the purposes of tackling serious crime. By contrast, the UK law would see the data gathered and held for more mundane purposes and without significant oversight.
One proposed change to tackle the problems was to create an Office for Communications Data Authorisations that would oversee requests to data from police and other organisations.
The government said it planned to revise the law by April 2019 but Friday's ruling means it now has only six months to complete the task.
Martha Spurrier, director of Liberty, said the powers to grab data in the Act put sensitive information at huge risk.
Javier Ruiz, policy director at the Open Rights Group which campaigns on digital issues, said:
We are disappointed the court decided to narrowly focus on access to records but did not challenge the general and indiscriminate retention of communications data.
The UK's intelligence agencies are to significantly increase their use of large-scale data hacking after claiming that more targeted operations are being rendered obsolete by technology.
The move will see an expansion in what is known as the bulk equipment interference (EI) regime -- the process by which GCHQ can target entire communication networks overseas in a bid to identify individuals who pose a threat to national security.
[Note that the idea this is somehow only targeted at foreigners is misleading. Five countries cooperate so that they can mutually target each other's users to work round limits on snooping on one's own country].
A letter from the security minister, Ben Wallace, to the head of the intelligence and security committee, Dominic Grieve, quietly filed in the House of Commons library last week, states:
Following a review of current operational and technical realities, GCHQ have ... determined that it will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally