ECtHR Rules UK Mass Internet Surveillance of Citizens Unlawful

The European Court of Human Rights has today ruled that the United Kingdom’s mass surveillance programmes, which came to light in 2013 after ex-NSA employee Edward Snowden leaked significant details to the press, were unlawful and “incapable of keeping the ‘interference’ to what is ‘necessary in a democratic society’“.

The Snowden documents revealed that the United Kingdom’s intelligence agency – GCHQ – were conducting “population-scale” interception, capturing the communications of millions of innocent people and even tapping into at least some of the world’s 10Gbps transatlantic fibre optic cable links (allegedly with the help of Vodafone, BT and others).

The mass spying programmes included TEMPORA, a bulk data store of all internet traffic; KARMA POLICE, a catalogue including “a web browsing profile for every visible user on the internet“; and BLACK HOLE, a repository of over 1 trillion events including internet histories, email and instant messenger records, search engine queries and social media activity.

Naturally it didn’t take long for a coalition of privacy and civil rights organisations – including Big Brother Watch, English PEN, the Open Rights Group (ORG) and computer science expert Dr Constanze Kurz – to take the Government to task over their snooping arrangements with the USA. Fast forward several years and the ECtHR has found in favour of their concerns, at least some of them.

The ECtHR Ruling

The court appears to have agreed that “bulk interception is by definition untargeted,” that there was a “lack of oversight of the entire selection process” and the safeguards were not “sufficiently robust to provide adequate guarantees against abuse“.

ECTHR Ruling Extract (See Full Summary)

It is a matter of some concern that the intelligence services can search and examine “related communications data” apparently without restriction. While such data is not to be confused with the much broader category of “communications data”, it still represents a significant quantity of data. The Government confirmed at the hearing that “related communications data” obtained under the section 8(4) regime will only ever be traffic data.

However, according to paragraphs 2.24-2.27 of the ACD Code, traffic data includes information identifying the location of equipment when a communication is, has been or may be made or received (such as the location of a mobile phone); information identifying the sender or recipient (including copy recipients) of a communication from data comprised in or attached to the communication; routing information identifying equipment through which a communication is or has been transmitted (for example, dynamic IP address allocation, file transfer logs and e-mail headers (other than the subject line of an e-mail, which is classified as content)); web browsing information to the extent that only a host machine, server, domain name or IP address is disclosed (in other words, website addresses and Uniform Resource Locators (“URLs”) up to the first slash are communications data, but after the first slash content); records of correspondence checks comprising details of traffic data from postal items in transmission to a specific address, and online tracking of communications (including postal items and parcels).

In addition, the Court is not persuaded that the acquisition of related communications data is necessarily less intrusive than the acquisition of content. For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with.

Consequently, while the Court does not doubt that related communications data is an essential tool for the intelligence services in the fight against terrorism and serious crime, it does not consider that the authorities have struck a fair balance between the competing public and private interests by exempting it in its entirety from the safeguards applicable to the searching and examining of content.

The court similarly highlighted “the risk that a system of secret surveillance set up to protect national security may undermine or even destroy democracy under the cloak of defending it,” before noting that it had to be “satisfied that there are adequate and effective guarantees against abuse.”

The case began in 2013, although the Government has since replaced the old rules with the new Investigatory Powers Act (IPA), which passed into law during November 2016. Today’s judgement that indiscriminate spying breaches rights protected by the ECHR (i.e. the right to respect for private and family life/communications) is thus likely to provoke further questions as to the lawfulness of bulk powers in the IPA.

Jim Killock, Executive Director of Open Rights Group, said:

“Viewers of the BBC drama, the Bodyguard, may be shocked to know that the UK actually has the most extreme surveillance powers in a democracy. Since we brought this case in 2013, the UK has actually increased its powers to indiscriminately surveil our communications whether or not we are suspected of any criminal activity.

In light of today’s judgment, it is even clearer that these powers do not meet the criteria for proportionate surveillance and that the UK Government is continuing to breach our right to privacy.”

The government has already been forced to amend its new IPA a few times and further legal challenges are being prepared by Liberty, not least in order tackle the rules that allow the state to hack our computers, hoover up information about who we speak to, where we go, and what we look at online, and collect profiles of individual people even without any suspicion of criminality (here).

However, it’s important to note that today’s judgement appeared to reject some of the concerns around the issue of sharing such information with foreign governments. Furthermore the ruling doesn’t completely say that such surveillance systems shouldn’t be allowed, but more that the UK’s approach or practice was unlawful.