"Enhancing the ability to evaluate evidence"

Challenges in the UK to Surveillance by the NSA and GCHQ

Posted by Aidan on Sunday, February 23, 2014
By Aidan Booth and Adina Schwartz (posted on October 7th 2013, to be revised in response to developments)
Last Revised: April 18th 2015

I. The UK’s Tempora program and use of Prism

A. The Investigation by the Intelligence and Security Committee of Parliament (“ISC”) of access to private communications by the intelligence agencies

1) The ISC’s Statement in 2013 Affirming the Legality of the GCHQ’s Use of Prism

On the basis of its investigatory powers under the Justice and Security Act 2013, the ISC responded to the Snowden revelations by taking oral evidence from the Director of the GCHQ, obtaining reports by the GCHQ on intelligence from the United States, and engaging in discussions during a visit to the United States with the NSA and “our Congressional counterparts.” Based on this, the ISC, chaired by the Rt. Hon. Sir Malcolm Rifkind, MP, issued a Statement on July 17, 2013, affirming the legality of the GCHQ’s use of the NSA’s Prism Program. In particular, the ISC found that the reports that the GCHQ produced on the basis of intelligence that it had sought from the US conformed to the GCHQ’s legal authority under the Intelligence Services Act of 1994. The ISC further found that in accord with the legal safeguards of RIPA, “in each case where GCHQ sought information from the US, a warrant for interception, signed by a Minister, was already in place.” The ISC called, however, for further scrutiny of the law governing GCHQ investigations, stating that “legislation … expressed in general terms” had left the GCHQ to develop its own guidelines for complying with UK human rights law.

2) The Broadening of the ISC’s Investigation

On October 17, 2013, the ISC announced that it was broadening its inquiry to consider “whether the current statutory framework governing access to private communications remains adequate.” The heads of MI5, MI6, and GCHQ appeared before the ISC for the first time in an open evidence session on November 7, 2013.

On December 11, 2013, the ISC invited the submission of written evidence. Among those submitting written evidence were: Liberty; Lecturer in Information Technology, Intellectual Property and Media Law at the UEA Law School Paul Bernal; independent advocate Caspar Bowden; Liberal Democratic peer Lord Paul Strasburger; the Institution of Engineering and Technology; a group of University College law students consisting of Daniella Lock, Tara Agoston, Hitesh Dhorajiwala, Josie Teale, Edmund Gross, Edmund Robinson, Aimee Riese and Maryam Siddiqui; and Rights Watch (UK).

The ISC held public evidence sessions on October 14, 15, 16, and 23, 2014. Those who provided oral evidence are listed in the ISC’s Report of March 12, 2015, at pp. 147-49.

3) The ISC’s Report of March 12, 2015

On March 12, 2015, the ISC concluded its investigation by issuing a report, “Privacy and Security: A modern and transparent legal framework,” that “scrutinised GCHQ’s bulk interception capability in particular detail, since it is this that has been the focus of recent controversy.” At p. 2. The Report’s principal conclusions are that the intelligence and security services (MI5, the Secret Intelligence Service (SIS or MI6) and GCHQ) “do not seek to circumvent the law,” including the requirements of the European Convention on Human Rights (ECHR), as incorporated in the UK Human Rights Act 1998. Id. By contrast, the legal framework governing the agencies’ operations “is unnecessarily complicated,” raising “serious concerns about the resulting lack of transparency.” Id. The ISC proposed that existing legal provisions be replaced by a single law and that more particular legal reforms be instituted before this basic change was made.

a) Overhauling the legislative framework and increasing transparency

Concluding that the existing legal framework was “difficult to understand,” “unnecessarily secretive,” and consisted of different Acts of Parliament whose “interaction … is complicated,” the ISC called for a single Act of Parliament to replace the:

  • Security Service Act 1989;
  • Intelligence Services Act 1994;
  • RIPA;
  • Wireless Telegraphy Act 2006;
  • Telecommunications Act 1984;
  • Counter-Terrorism Act 2008; and
  • other “relevant” legislative provisions “as appropriate.”

Para. 275; Conclusion (Concl.) XX.

The call for a radical legislative overhaul was intertwined with recognizing the need for increased transparency. “We recognize that much of the detail regarding the Agencies’ capabilities must be kept secret. There is, however, a great deal that can be discussed publicly and we believe that the time has come for much greater openness and transparency regarding the Agencies’ work.” Concl. BBB.

Among the particular concerns about transparency were:

  • The “broad general powers” that the Intelligence Services Act 1994 and Security Service Act 1989 respectively accorded to MI5 and to MI6 and GCHQ “could be misconstrued as providing the Agencies with a ‘blank cheque’ to carry out whatever activities they deem necessary.” Concl. MM.
  • Although the ISC was “reassured that the Human Rights Act 1998 acts as a constraint on all the Agencies’ activities,” “[t]he interactions between the different pieces of legislation which relate to the statutory functions of the intelligence and security Agencies are absurdly complicated, and are not easy for the public to understand ….” Concl. NN.
  • “[A]s a matter of both practice and policy,” GCHQ seeks raw SIGINT from a foreign partner only “on individuals whom they themselves are intercepting – therefore there would always be a RIPA warrant in place already.” Concl. RR. Despite praising GCHQ, however, for having “gone above and beyond what is required in the legislation,” the ISC concluded that “it is unsatisfactory that these arrangements are implemented as a matter of policy and practice only.” Concl. SS. The ISC also recommended that statutes define the arrangements for exchanging analyzed intelligence reports with foreign partners.

Additional recommendations for transparency in regard to the distinctions between “external” and “internal” communications and “communications data” and “Communications Data Plus” are respectively described in (c) and (d) below.

By contrast, although Contributors raised the issue, the ISC did not assess the adequacy of the government’s policy of issuing a Neither Confirm Nor Deny (NCND) response to all questions about the operation and oversight of the intelligence and security agencies.

Among the issues that the Report discussed about the operation of the intelligence and security services were:

b) Bulk interception

Seeking to assuage concerns about mass surveillance, the ISC reasoned that although talk of “bulk interception” was justified by the numbers of communications intercepted, the GCHQ in fact engaged in targeted surveillance. First, the GCHQ has the technical capacity to access only a “small percentage [redacted]” of the 100,000 bearers comprising “the core infrastructure of the internet,” and at any one time accesses “only a fraction” of the bearers that it is capable of accessing. Para. 58. Second, the GCHQ only collects internet traffic flowing through the accessed bearers if it matches simple selectors related to individual targets, or, for a much smaller number of bearers, complex criteria composed of multiple elements. Finally, analysts select only a small fraction of the collected traffic for examination.

The redaction of the numbers that convinced the ISC that increasingly radical selection takes place at each stage makes it impossible to independently assess the extent to which GCHQ surveillance is targeted. Nor does the Report contain any explanation of the criteria analysts use for suspecting someone of criminal activity or considering him or her a national security target. This stymies assessment of the ISC’s conclusion that “Only the communications of suspected criminals or national security targets are deliberately selected for examination.” Concl. J. Further hindering independent evaluation, the ISC decided that the GCHQ “case studies demonstrating the effectiveness of their bulk interception capabilities … cannot be published, even in redacted form ….” Para. 81.

Dismissing concerns raised by Liberty, Privacy International, Big Brother Watch, and Justice, the ISC stated that, “While we recognize privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy – nor do we believe that the vast majority of the British people would. In principle it is right that the intelligence Agencies have this capability, provided – and it is this that is essential – that it is tightly controlled and subject to proper safeguards.” Concl. M. By assuming, however, that the need to combat terrorism always trumps privacy concerns, the ISC begged the question of what it means for surveillance to be “tightly controlled and subject to proper safeguards.”

c) The distinction between external and internal communications

The ISC recognized that lack of correspondence between the routing of internet communications and geographical boundaries creates problems for RIPA’s distinction between “internal” and “external” communications. While RIPA requires targeted 8(1) warrants for the interception of internal communications, only untargeted 8(4) warrants are required for intercepting external communications. According to the Committee, the distinction is “confusing and lacks transparency;” “[t]he Government must publish an explanation of which internet communications fall under which category, and ensure that this includes a clear and comprehensive list of communications.” Concl. O. (See Section (B)(2)(a) below for a more thorough account of the distinction between “internal” and “external” communications and the types of warrants required).

As the ISC recognized, clarifying the distinction is not sufficient to protect privacy. “[A]part from an increasingly tiny proportion that are between people in the UK, using devices or services based only in the UK, and which only travel across network infrastructure within UK,” all internet communications count as external communications under RIPA. Para. 109. Under 16(2) and (3) of RIPA, external communications of a person known to be in the UK can be selected for examination only if the Secretary of State certifies that examining that particular person’s communications is necessary for national security, the prevention or detection of serious crime, or the economic well being of the UK. The ISC concluded, however, that “[t]he nature of the 16(3) modification system is unnecessarily complex and does not provide the same rigour as that provided by an 8(1) warrant.” Therefore, the Committee recommended that 8(1) warrants always be required for “searching for and examining the communications of a person known to be in the UK.” Concl. Q. (See Section B(2)(b) below for a more extended explanation of RIPA s.16(2) and 16(3)).

In addition, the ISC recommended that RIPA’s purely geographical distinction between internal and external communications be supplemented by a nationality distinction. “[T]he communications of UK nationals should receive the same level of protection under law, regardless of where the person is located. The interception and examination of such communications should … be authorised through an individual warrant like an 8(1) ….” Concl. R.

Overall, the ISC’s recommendations do nothing to ameliorate the central practical problem with RIPA’s distinction between internal and external communications: the difficulty of determining the geographical location of senders or recipients of internet communications. In proposing to supplement this distinction with preferential treatment for UK nationals, the ISC similarly failed to grapple with the difficulty of determining the nationality of telecommunications senders and recipients.

In addition, the ISC’s recommendation that 8(1) warrants be required for UK nationals’ communications, regardless of their location, but for others’ communications only if they are known to be in the UK, very arguably amounts to direct discrimination on the basis of national origin. As discussed in Section B(2)(d) below, absent a “very weighty” justification, such direct discrimination violates Article 14 of the European Convention on Human Rights.

d) Communications Data

RIPA accords “Communications Data (CD),” defined “as the basic ‘who, when, and where’ of a communication,” less protection than the contents of communications. Claiming that “the statutory definition of Communications Data … is narrowly drawn,” the ISC dismissed concerns that modern technology makes it as intrusive to collect and examine CD as communications themselves. Concl. V. Here, the ISC’s reasoning arguably conflicted with the reasoning of the European Court of Justice (ECJ) in Joined Cases C-293/12 & C-594/12, Digital Rights Ireland and Seitlinger and Others (Apr. 8, 2014). (See Aidan Booth & Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and the GCHQ,” available on this website).

The ISC distinguished CD from “‘Communications Data Plus’ – hav[ing] the potential to reveal details about a person’s private life (i.e., their habits, preferences and lifestyle) that are more intrusive,” and, therefore, warranting greater safeguards. Concl. W. Examples of Communications Data Plus are “a call to a particular medical helpline, or a certain type of dating or sex chat line.” Para. 142.

As described in (c) above, the ISC recognized that a vanishingly small percentage of communications count as “internal” communications. Nonetheless, the Committee dismissed concerns that CD of communications between people in the UK might be collected through the bulk interception authorized by 8(4) warrants. “GCHQ targets those bearers most likely to contain external communications, and this minimises the unintended interception of UK-to-UK communications.” Para. 144. Although the ISC did recognize that the protections of 16(3) of RIPA extend to the contents, but not the CD, of UK-to-UK communications that are incidentally collected through bulk interception, its response to this concern was entirely redacted.  

e) Interception of Privileged Information

As indicated in Section III below, on February 26, 2015 in the Belhadj case, the IPT ordered that in accord with the concession of MI5, MI6, and GCHQ, “there be a declaration that since January 2010 the regime for the interception/obtaining, analysis, use, disclosure and destruction of legally privileged material has contravened Article 8 ECHR and was accordingly unlawful.”  By contrast, the ISC only suggested that statutory guidelines replace or supplement the agencies’ internal guidelines on the treatment of privileged information. The Committee’s particular conclusions in regard to the Belhadj case were entirely redacted from the Report.

f) Oversight

i) Judicial vs. ministerial approval of warrants

The ISC dismissed concerns about leaving the authorization of warrants to elected officials by claiming that ministers are likely to be sensitive to the “political or diplomatic risks involved” in intrusions. Para. 202. “Judges might therefore approve more warrant applications on the basis of pure legal compliance, whereas a Minister may refuse more applications based on these broader considerations.” Para. 203.

ii) Oversight of which communications are examined

While 8(4) warrants authorize the interception of communications, accompanying certificates by the Secretary of State describe the intercepted material that may be examined, certifying that such examination is necessary for the purposes of national security, the detection or prevention of serious crime, or the economic well being of the UK. Through an examination, the ISC found that certificates described the material to be examined only “in very general terms. For example: ‘Material providing intelligence on terrorism (as defined by the Terrorism Act 2000 (as amended) including, but not limited to, terrorist organisations, terrorists, active sympathisers, attack planning, fund raising.’” Para. 101. Due to certificates’ generic specification of the material to be examined, “[i]n practice,” analysts’ “selection of the bearers, the application of simple selectors and initial search criteria, and then complex searches ….” determine which communications are examined. Para. 123.

The Committee recommended that analysts’ discretion be curbed by according “[t]he Interception of Communications Commissioner [the “Commissioner”] … statutory responsibility to review the various selection criteria used in bulk interception to ensure that these follow directly from the Certificate and valid national security requirements.” Concl. S. If, however, certificates only very broadly describe the material to be examined, it will be difficult, if not impossible, to distinguish between selection criteria that do and do not “follow directly from the Certificate”. The Commissioner might still distinguish between selection criteria that do and do not “follow directly … from … valid national security requirements.” Allocating this post hoc determination to the Commissioner fits ill, however, with the ex ante determination of national security requirements that 8(4) allocates to the Secretary of State.

iii) Oversight by the IPT

Except for acknowledging the need for a domestic right of appeal, the ISC dismissed proffered criticisms of the IPT. Notably, the Committee responded to concerns about the IPT’s having ruled against the Government “only in a tiny minority of cases” by stating that, “[W]e note that as judges they will of course have reached an objective decision depending on the merits of the case before them and therefore we do not consider this a valid argument.” Para. 214.

iv) Oversight by the ISC

The ISC rejected all proposals by contributors to the inquiry for reforming its composition and working arrangements on the ground that “Parliament considered the structure, procedures and powers of the ISC in July 2013 during the passage of the Justice and Security Act 2013.” Para. 219.

B. Liberty & Others vs. the Security Service, SIS, GCHQ, IPT/13/77/H

At issue in this action before the Investigatory Powers Tribunal (“IPT”) was whether Articles 8, 10 or 14 of the European Convention on Human Rights (ECHR) were violated by the Tempora program, which was described in the documents leaked by Snowden as involving bulk interception by the GCHQ of telecommunications and associated metadata transmitted on overseas cables to the UK. Also at issue was whether Articles 8 or 10 of the ECHR were violated by the UK Intelligence Services’ sharing of telecommunications and associated metadata obtained by the NSA through its Prism or Upstream programs.

On December 5, 2014, the IPT issued a Judgment upholding the legality of the Tempora program. This was followed by a Judgment on February 6, 2015 in which the IPT ruled against the Intelligence Services for the first time in its fifteen-year history. The IPT held that until its December 5 and February 6 Judgments published certain disclosures that the Intelligence Services made after hearings in the case, the UK’s acquisition, use and disclosure of information that the NSA obtained through its Prism and Upstream programs violated Articles 8 and 10 of the ECHR. The claimants’ victory was limited, however, in that the IPT held that once the disclosures were published, the UK’s sharing of information obtained through the NSA’s Prism and Upstream programs conformed to the ECHR.

The initial complaint in the case was brought on June 25, 2013 by Liberty, which announced on November 11, 2013 that it would also act on behalf of the American Civil Liberties Union (“ACLU”), Canadian Civil Liberties Association, Egyptian Initiative for Personal Rights, Hungarian Civil Liberties Union, Irish Council for Civil Liberties and the South African Legal Resources Centre. On July 8, 2013, Privacy International filed a legal challenge in the IPT, which Pakistani organization Bytes For All joined on January 9, 2014. On December 9, 2013, Amnesty International filed a claim.

From July 14-18, 2013, the IPT took the highly unusual step of holding a public hearing on the claimants’ challenges. Since the UK government invoked its longstanding “neither confirm nor deny” (NCND) policy in regard to the operation of the Intelligence Services, the tribunal heard the challenge on the basis of “agreed assumed facts,” with the exception of (i) the NSA’s public admission of the existence of the Prism and Upstream data collection programs and (ii) confirmation of the NSA’s transmission of information obtained via Prism to the GCHQ. Judgment, Liberty & Others vs. the Security Service, SIS, GCHQ, IPT/13/77/H (Dec. 5, 2014) (“Dec. 5 Judgment”) paras. 4(i), 13.

The subsequent closed and open hearings before the IPT and the Judgments of December 5, 2014 and February 6, 2015 can best be understood by separately considering (i) the Prism or intelligence sharing issue and (ii) the Tempora or s. 8(4) of the Regulation of Investigatory Powers Act 2000 (“RIPA”) issue. With regard to both issues, the IPT assumed that its reasoning in regard to Article 8 of the ECHR applied equally well to Article 10 of the ECHR.

1) The Prism or intelligence sharing issue

The parties agreed that RIPA only applies to the interception of communications by UK agencies. Hence, the Intelligence Services were not subject to the requirements of RIPA when they received information from the NSA’s Prism or upstream collection programs, even if the information included telecommunications sent or received within the UK. Accordingly, the issue was whether in the absence of RIPA’s legal constraints, the Intelligence Services’ sharing of information obtained by the NSA satisfied Article 8 of the ECHR’s requirement that any interference with privacy be in “accordance with the law.”

The IPT recognized that the “accordance with the law” requirement includes both that (i) executive discretion be constrained to prevent arbitrary interferences with privacy and (ii) the public be sufficiently notified of the governing rules so that interferences with privacy are foreseeable. Although the demands of national security reduce the strictness of the notification requirement, Article 8 of the ECHR nonetheless requires that “the nature of the rules … be clear and the ambit of them … be in the public domain so far as possible, an ‘adequate indication’ given … so that the existence of interference with privacy may in general terms be foreseeable.” Dec. 5 Judgment, para. 37 (ii) (citation omitted).

In arguing that the “accordance with the law” requirement was satisfied, the Intelligence Services invoked the requirements in the Security Service Act 1989 and Intelligence Services Act 1994 that the heads of MI5, MI6, and GCHQ respectively ensure that “arrangements” exist to prevent MI5, MI6, or GCHQ from obtaining information “except so far as necessary for the proper discharge of its functions.” Under these laws, the heads of the Intelligence Services are also obligated to ensure that “arrangements” exist to prevent the disclosure of information except for the purposes of criminal proceedings or the proper exercise of the Service’s functions. MI5 and MI6 may also disclose information for the purposes of “the prevention or detection of serious crime,” and MI6 may make disclosures “in the interest of national security.” Id. at para. 18 (ii), (v), and (viii).

The need for a closed hearing arose because the Intelligence Services claimed that national security precluded any disclosure of the arrangements that their heads had established for obtaining, disclosing, and safeguarding data. According to the Respondents, the “accordance with the law” requirement of the ECHR could be found to be satisfied on the basis of testimony by Mr. Charles Farr, the Director-General of the Office for Security and Counter Terrorism at the Home Office, that the requisite arrangements existed. In addition, the IPT could rely on the oversight of the Intelligence Services’ operations by the ISC and the Interception of Communications Commissioner (“the Commissioner”) to find that the “accordance with the law” requirement was satisfied. In particular, the Commissioner and ISC had both found that the Intelligence Agencies did not circumvent UK law by obtaining information from Prism. (See A(1) above for a discussion of the ISC’s finding.)

The IPT refused to accept the Respondents’ position, claiming that it had the advantage over the ISC and Commissioner of being empowered to conduct closed hearings on sensitive and confidential matters and gain “access to all sensitive information.” Hence, the IPT held a one-day closed hearing, at which the Claimants were not represented, to determine “whether the arrangements (a) do indeed exist as asserted by Mr. Farr, [and] (b) are adequate to do the job of giving the individual ‘adequate protection against arbitrary interference.’” Dec. 5 Judgment, para. 46 (iii). In addition, the IPT sought to determine whether, consistently with the demands of national security and the notification requirement of Article 8 of the ECHR, any details of the arrangements should be publicly disclosed.

a) The disclosures

i) After the closed hearing

After the closed hearing, the UK government agreed to disclose that:

1(a): The Intelligence Services may request unanalyzed intercepted communications and associated communications data from a foreign government if a RIPA warrant has already been issued by the Secretary of State and if the assistance of the foreign government is needed because the communications at issue “cannot be obtained under the relevant RIPA interception warrant and it is necessary and proportionate for the Intelligence Services to obtain those communications.” Id., para. 47.

1(b): The Intelligence Services may also request unanalyzed intercepted communications and associated communications data from a foreign government in the absence of a warrant, if “making the request … in the absence of a relevant RIPA interception warrant does not amount to a deliberate circumvention of RIPA … (for example, because it is not technically feasible to obtain the communications via RIPA interception) and it is necessary and proportionate for the Intelligence Services to obtain those communications.” Id.

2: “[I]nternal ‘arrangements’” ensure that all communications, whether analyzed or unanalyzed, and all communications data that the Intelligence Services obtain from a foreign government are subject to the “same internal rules and safeguards” that apply to the same categories of data obtained by the Intelligence Services through RIPA interceptions. Id.

ii) After the additional open hearing

After an additional open hearing on October 31, 2014, the UK government agreed to the following Disclosure:

(1): The Intelligence Services may only make requests to the US government for “unanalyzed intercepted communications (and associated communications data)” obtained, in accord with Section 702 of FISA, through the Prism program or, hypothetically, the Upstream program. Id., para. 48.

(2): As to the requests referred to in paragraph 1(b) of the Disclosure after the first closed hearing (see (a) above), the Intelligence Services have yet to request data from the Prism or Upstream programs without a RIPA warrant in place, and “[a]ny such request would only be made in exceptional circumstances.” Id.

b) The Judgment of December 5, 2014

The IPT held that the disclosures, together with the statutory framework and the oversight of the ISC and the Commissioner, “sufficiently signposted” to the public the Intelligence Services’ arrangements for receiving, safeguarding, and disclosing information from Prism and/or the Upstream program. Hence, the notification requirement of Article 8 of the ECHR was satisfied.

In regard to Article 8’s prohibition of arbitrary interferences with privacy, the IPT determined, on the basis of the disclosures, that the Intelligence Services’ hitherto secret arrangements for obtaining, safeguarding, and disclosing data obtained from the NSA’s Prism and, hypothetically, Upstream programs were, “save only for the wholly exceptional scenario [which had never occurred] of a 1(b) request,” the same as those in RIPA. Id., para. 51. Hence, the issue of whether the sharing of information from the NSA’s Prism and Upstream programs was compatible with Article 8’s prohibition of arbitrary interferences with privacy resolved into the issue of whether the relevant provision of RIPA, s.8(4), was compatible. As explained in (2) below, in ruling against the Complainants in regard to the Tempora issue, the IPT decided that s.8(4) of RIPA did not arbitrarily interfere with privacy.

c) The Judgment of February 6, 2015

The December 5 Judgment left open the question of whether before the publication of the Intelligence Services’ disclosures in the Judgment, the UK’s sharing of information from the NSA’s Prism and/or Upstream programs was compatible with Article 8 of the ECHR. In its February 6, 2015 Judgment, the IPT ruled against the Intelligence Services for the first time in its history, finding that before the disclosures, the sharing of information violated the notification component of the ECHR’s requirement that interferences with privacy be in “accordance with the law.”

Also left open by the December 5 Judgment was the question of whether if the Intelligence Services were to depart from previous practice and, in accord with Disclosure 1(b), obtain data from the NSA in the absence of a warrant, the protections of s.16 of RIPA would apply. (See (a)(i) above for an account of Disclosure 1(b)). After the Judgment, the Intelligence Services issued an additional disclosure, stating that if a warrantless request for data from Prism or Upstream were to be targeted at communications to, from, or about a specific individual(s), analogously to a RIPA s.8(1) warrant, the request for that person’s communications would need to be approved by the Secretary of State. The protections of s. 16 would only be needed if, by analogy to a s.8(4) of RIPA warrant, a request for communications from the NSA were not to be targeted at any particular individual. In the event that communications were obtained through an untargeted request, the Intelligence Services disclosed that, analogously to s.16(2) of RIPA, factors referable to a person known to be residing in the UK would not be used to select that person’s communications for examination. The prohibition could be lifted only if, by analogy to s.16(3) of RIPA, the Secretary of State were to certify that examining that particular person’s communications was necessary for national security, the detection or prevention of serious crime, or the economic wellbeing of the UK.

With Amnesty International’s agreement, Privacy International submitted that the additional disclosure ensured that the safeguard of s.16 of RIPA “is now in place” in the event of warrantless requests under 1(b), “but was not in place before December 2014.” Accepting the Claimants’ position, the IPT held that “‘prior to the disclosure made and referred to in the Tribunal’s Judgment of 5 December 2014 and this judgment’ the Prism and/or Upstream arrangements contravened Articles 8 or 10 ECHR.” February 6 Judgment, para. 32.

The Claimants’ victory was limited, however, in that the IPT held that the disclosures were sufficient to make the Prism and/or Upstream arrangements comply with the ECHR.

2) The Tempora or s.8(4) of RIPA issue

The Intelligence Services would neither confirm nor deny the existence of the Tempora program. Therefore, the issue before the IPT was whether if the GCHQ engaged in the alleged Tempora program of bulk interception of telecommunications and associated metadata transmitted on overseas cables landing in the UK, the ECHR would be violated by the governing UK legal requirements.

8(1) of RIPA requires that a targeted warrant directed at a particular individual’s telecommunications be used to intercept “internal communications” sent and received within the UK. By contrast, under 8(4) of RIPA, “external communications,” whose sender or recipient is located outside the UK, may be intercepted through untargeted warrants. By considering the following issues, the IPT concluded that 8(4) and its associated legal provisions and oversight mechanisms complied with the ECHR.

a) The difficulty of distinguishing between external and internal communications

Since the routing of the Internet does not conform to national boundaries, a communication between two people in the UK may travel on ISPs in foreign countries and be carried on an overseas cable that lands in the UK. The parties agreed that “[i]t is impossible to differentiate at the ‘interception’ stage between external and internal communications, which will all be carried within the same bearer [on an international fiber optic cable].” December 5 Judgment, para. 94(i). In addition, since the same mobile telephone number or email address may be used in the UK or abroad, at the time of interception, it is impossible to know whether a communication is “external” or “internal.”

As indicated above, 8(4) of RIPA provides that untargeted warrants may only be used for “external” communications. Accordingly, an issue before the IPT was whether the “difficulty of distinguishing between external and internal communications” meant that the 8(4) regime violated the requirement of Article 8(2) of the ECHR that any interference with privacy be in “accordance with the law.” Id., para. 80.    

The IPT distinguished “Stage one” of interception, in which telecommunications are obtained and recorded, from the subsequent application of selection criteria to determine which telecommunications will “be read, looked at or listened to by a person.” Id. at paras. 62, 101. On that basis, the IPT ruled that “the ‘heavy lifting’” was done by the provisions in s.16 of RIPA for the selection of communications for examination. Id., para. 101. The 8(4) regime could satisfy the “accordance with the law” requirement of the ECHR, despite the impossibility of distinguishing between “internal” and “external” communications at the interception stage, if s.16 adequately protected “internal communications” from examination.

b) The adequacy of the protections of s.16 of RIPA

S.16(2) of RIPA provides that factors referable to a person known to be residing in the UK are not to be used to select his or her communications “to be read, looked at or listened to.” Although the Complainants argued that this provision would make it too easy for “internal communications” to be selected for examination, the IPT announced that imposing “an obligation upon the Respondents not to read the communication if the presence of the individual in the UK is simply suspected would impose far too high an obligation, particularly in the course of extended examination of substantial numbers of communications.” Id., para. 105.

Under 16(2)(b), people known to be in the UK are not protected from having communications about them targeted for examination. Factors referring to a person known to be in the UK can be used to target others’ communications for examination, even though they cannot be used to select his or her own communications. Upholding this limit, the IPT averred that, “the aim [of s.16] is to prevent access to communications sent by or sent to an individual who is in the United Kingdom.” Id.

Additionally, the protections of s.16 apply only to the contents of communications and not associated metadata. While acknowledging that Article 8 of the ECHR protects metadata as well as contents of communications, the IPT reasoned that lesser protection was justified by the need to use metadata to determine whether individuals were entitled to the protections of s.16(2). “The ability to use the communications data/metadata … would render it a manageable task to ascertain whether the individual could be said to be known to be in the UK.” Id. Further, the IPT reasoned that by limiting access to and retention of metadata as well as contents of communications, s.15(2) and (3) of RIPA compensated for s.16’s failure to protect metadata.

c) The Weber “accordance with law” requirements

The IPT went on to consider whether, apart from s.16, the 8(4) regime conformed to the Weber requirements established in the European Court of Human Rights’ jurisprudence for satisfying the “accordance with law” requirement of Article 8(2) of the ECHR.

i) The Weber specificity requirement

To hold that the Weber requirement of legal specification of the offenses and categories of people who might be subject to surveillance was met, the IPT found that the statutory purpose of protecting national security sufficiently restricted the issuance of 8(4) warrants. Reiterating the distinction between the initial collection and subsequent selection of communications for examination, the IPT further found that “[t]he absence of targeting at ‘Stage one’ is acceptable and inevitable” and that it “would be both risky and pointless” to require “search words to be included in an application for a warrant or in the warrant itself.” Id., para.116 (ii) and (v). In addition, the absence of a requirement of judicial pre-authorization of warrants did not prevent the Weber specificity requirement from being met because “approval by the highest level of government, namely by the Secretary of State” is required for the issuance of 8(4) warrants. As additional compensation for the absence of judicial pre-authorization, the IPT cited its own availability to examine complaints about unlawful surveillance and oversight by the Interception of Communications Commissioner (“the Commissioner”).

ii) The Weber requirements for the treatment of intercepted communications and associated metadata

For surveillance to be in “accordance with law,” Weber also requires statutory limits on the duration of interception and statutory safeguards pertaining to the examination, usage, storage, disclosure and destruction of intercepted material. 15(1)-(3) of RIPA and the Interception of Communications Code of Practice (“the Code”) require the Secretary of State to ensure that “arrangements” are in place for such purposes. Under s.57(1)(d) of RIPA, the Commissioner is obligated to review the adequacy of the “arrangements.” Although the IPT also referred to the “robustly independent” oversight provided by the ISC, as with the Prism issue, the IPT decided that a closed hearing was needed to examine the secret “below the waterline” arrangements. Id., paras. 120, 121. “[W]e need to be satisfied that there are adequate arrangements in place to ensure compliance with the statutory framework and the Convention and to give the individual adequate protection against arbitrary interference, that they are sufficiently accessible, bearing in mind the requirements of national security, and that they are subject to oversight.” Id., para. 125.

iii) Additional disclosures

At or after the closed hearing, the UK government agreed to the following disclosures summarizing the evidence presented:

3. The Intelligence Services’ “internal ‘arrangements’” allow authorized persons access to unanalyzed material and associated metadata intercepted under a RIPA s.8(4) warrant only if the justification for such access is first recorded.

4. The Intelligence Services have “internal ‘arrangements’” that specify (“or require to be determined on a system-by-system basis”) retention periods for unanalyzed material and associated metadata intercepted under RIPA s.8(4) warrants. While the retention periods “are normally no longer than 2 years,” longer retention is possible if prior authorization is obtained “from a senior official within the particular Intelligence Service at issue” who has determined that the retention is “necessary and proportionate.”

5. The Intelligence Services’ “internal ‘arrangements’” are “periodically reviewed to ensure that they remain up-to-date and effective. Further, the Intelligence Services are henceforth content to consider … whether more of those internal arrangements might safely and usefully be put into the public domain (for example, by way of inclusion in a relevant statutory Code of Practice).” Id., para. 126 (in accord with the December 5 Judgment, the numbering of disclosures is continued from (1)(a)(i) above).

iv) The IPT’s ruling that the arrangements for the treatment of intercepted material satisfy Weber

As a result of the closed hearing and the disclosures, the IPT ruled that “there are very substantial published procedures in s. 15 and the Code” pertaining to the treatment of intercepted communications and metadata. Moreover, the Intelligence Services “are in our judgment justified in their concern that disclosure of further particulars of those procedures would reveal and disclose sensitive and specific details with regard to methods of obtaining and dealing with information, and reveal the precise capacity and capabilities of the Respondents ….” Id., para. 137. On this basis, the IPT was “satisfied that the s.8(4) arrangements are sufficiently signposted, in the statute, in the Code, in the Commissioner’s Reports, and as now recorded in the judgment.” Id., para. 140. Hence, the IPT concluded that the 8(4) regime complied with the notification component of Article 8(2)’s “accordance with law” requirement.

The Complainants had also urged that the provisions of s.15(3) and (4) of RIPA were not sufficient to prevent privacy from being undermined through the construction and data mining of huge metadata databases. The IPT dismissed the concern on the ground that during the closed hearings, they had especially sought to be satisfied “as to the existence of arrangements relating to the duration of retention and destruction of information the product of intercept or obtained through Prism.” Id., para. 138.

d) S.16(2) of RIPA and unlawful discrimination on the basis of nationality

Article 14 of the ECHR prohibits discriminating against people in regard to their enjoyment of the rights and freedoms provided by the Convention “on any ground such as sex, race, color, language, religion, political or other opinion, national or social origin, association with a national minority, birth or other status.” As indicated above, s.16(2) of RIPA prohibits factors referring to a person known to be residing in the UK from being used to select his or her communications for examination. The Complainants alleged that since people of UK nationality are more likely than others to be in the UK, 16(2) violates Article 14 of the ECHR by indirectly discriminating against people on the basis of national origin.

In ruling that Article 14 was not violated, the IPT reasoned that the ECHR requires a “very weighty” justification for direct discrimination on the basis of national origin. By contrast, indirect discrimination need only have a “rational justification.” Id., para. 144 (citation omitted). To find that any indirect national origin discrimination resulting from 16(2) was rationally justified, the IPT relied on the stringency of the requirement in s.16(3) of RIPA for circumventing 16(2)’s prohibition of targeting. Under 16(3), the Secretary of State must certify that examining the particular person’s communications is necessary for national security, the detection or prevention of serious crime, or the economic wellbeing of the UK.

The IPT reasoned that if 16(2)’s distinction between people within and outside the UK were eliminated, a 16(3) certificate would be required whenever communications intercepted under 8(4) were selected for examination. Since “it is harder to investigate terrorism and crime abroad, [it would be] difficult if not impossible to provide a case for a certificate under s. 16(3) in every case.” Id. at 147, 148. Invoking, but not disclosing, figures provided to it in the closed hearing, the IPT further found that “[t]he numbers of those involved if s.16(3) certificates were extended to those abroad would inevitably be very substantial.” Id. Hence, since eliminating 16(2)’s geographical distinction “would radically undermine the efficacy of the s.8(4) regime,” any indirect discrimination that the distinction caused was rationally justified. Id.

Having found that the 8(4) regime complied with Articles 8, 10, and 14 of the ECHR, the IPT concluded that if it exists, the Tempora Program is lawful.

3) Further proceedings

On April 11, 2015, Privacy International, Bytes For All, Amnesty UK, Liberty and others of the Complainants filed an appeal with the European Court of Human Rights from the IPT’s judgment that the UK’s Tempora program does not violate the ECHR. Also challenged on appeal was the IPT’s judgment that with the publication of the Intelligence Services’ disclosures in its Judgments of December 5, 2014 and February 6, 2015, the UK’s sharing of information obtained through the NSA’s Prism and upstream data collection programs no longer violates the ECHR.

In light of the Judgment of February 6, 2015, Privacy International and Bytes for All asked the IPT to determine whether their communications were unlawfully collected prior to December 2014 and, if so, to require their immediate deletion by the Intelligence Agencies. Privacy International posted a petition allowing individuals from any country to provide their email addresses and telephone numbers for the purpose of having the GCHQ ascertain whether it obtained their communications from the NSA’s Prism and Upstream programs before December 2014. People whose communications are found to have been so obtained will receive a declaration from the IPT that the GCHQ violated their rights under Articles 8 and 10 of the European Convention on Human Rights. They can also request that the GCHQ delete any information about them that it obtained from the NSA before December 2014.

C. Privacy International’s Actions against the Telecommunications Companies

1) The Pre-Action Letters to the Telecommunications Companies

On August 2, 2013, the German newspaper Süddeutsche Zeitung revealed, on the basis of a GCHQ PowerPoint presentation from 2009 leaked by Snowden, that the following telecommunications companies had assisted in GCHQ’s surveillance: BT, Verizon Business, Vodafone Cable, Level 3, Global Crossing (now owned by Level 3), Viatel, and Interoute. “Snowden enthüllt Namen der spähenden Telekomfirmen,” translated as “Snowden revealed names of spying telecom companies,” Google Translated version.

On August 9, 2013, Privacy International sent pre-action letters to each of the telecommunications companies, demanding details of their relationships with GCHQ, including their policies for assessing the lawfulness of government requests to intercept communications and descriptions of any requests they had received, any steps they had taken to oppose or resist requests, and the amount that they had been paid for their cooperation with the government.

2) The Formal Complaint Against the Telecommunications Companies Before the Organization for Economic Cooperation and Development (OECD).

According to Privacy International, the pre-action letters did not result in “answers demonstrating that the telcos have taken steps to mitigate or prevent the adverse human rights impacts that have occurred.” Although Privacy International had originally intended to add the companies as respondents to its IPT claim, it decided not to do so both because even parties before the IPT are not kept abreast of its secret proceedings and because the IPT may take up to seven or eight years to decide a case. Loek Essers, “Privacy group files OECD complaints over UK telco spying,” PC World, November 5, 2013. Instead, on November 5, 2013, Privacy International filed a formal complaint asking the Organization for Economic Cooperation and Development (OECD) to investigate whether up to a dozen OECD guidelines, pertaining to companies’ responsibilities to respect human rights, including the right to privacy and freedom of expression, were violated. Although interested parties may file complaints before the OECD, that organization is not a court and has no power to issue legal judgments. According to Privacy International’s communications manager, Mike Rispoli, however, filing a complaint with the OECD “is an avenue that could allow for a real investigation into the companies’ business practices.”

3) The National Contact Point’s Dismissal of Privacy International’s Complaint

On October 27, 2014, the UK National Contact Point (“NCP”) for the Organization for Economic Cooperation and Development (“OECD”) Guidelines for Multinational Enterprises released an Initial Assessment Statement (“the Statement”) that dismissed Privacy International’s complaint against the six telecommunications companies and terminated the complaint process. In the Statement, the NCP found that Privacy International “presents a strong case that mass interception and surveillance of private communications through the collection and storage of data relating to an individual’s private life can infringe an individual’s human right to privacy.” Para. 47. Nonetheless, the complaint was dismissed on the ground that the single newspaper article on a UK security services document on which Privacy International relied was insufficient to “substantiate” “[t]he link the complainants make [between Tempora and] the specific companies.” Para. 45. Although the NCP did not refer to the article by name, the Süddeutsche Zeitung article cited in (1) above was the basis for Privacy International’s claim that the six companies had provided the GCHQ with access to transatlantic fiber optic cables. Despite its finding about the evidentiary insufficiency of the article, the NCP “accept[ed] that the publication that made this report saw the document concerned and had reason to trust the source providing it who had provided other information generally acknowledged to be genuine.” Id.

Although the six companies had failed to “explicitly deny receiving the warrants in question” when they responded to the complaint, the NCP concluded that their silence did not warrant investigation of the complaint’s allegations. Here, the NCP reasoned that it was “legitimate” for the companies to be concerned that “commenting on whether and what warrants may have been received would place [them] in breach of duties placed on them by RIPA.” In addition, the NCP asserted that the OECD guidelines make “obeying domestic laws … the first obligation of enterprises and that the Guidelines ‘should not and are not intended to place an enterprise in situations where it faces conflicting requirements.’” Para. 46.

In dismissing the complaint, the NCP also insinuated that it should have been brought before the IPT, stating that Privacy International “has already brought a challenge … to the IPT which exists to investigate complaints about the alleged conduct including improper use of data/surveillance by UK Government entities within the scope of RIPA.” Para.59.

Although the Initial Assessment Statement was issued on July 11, 2014, publication was delayed because Privacy International requested a review on July 24, and the NCP did not decide to refuse the review request until October 6.

D. Complaints before the IPT about Tempora’s Infringement on the Wilson Doctrine

On May 4, 2014, Green Party members Caroline Lucas MP and Baroness Jones of the House of Lords filed a complaint before the IPT alleging that their communications very likely had been and were being intercepted as part of Tempora, and that the interception violated Parliamentary privilege and the Wilson doctrine. Announced by Prime Minister Harold Wilson in 1966, the Wilson Doctrine provides that absent a major national emergency, no Member of Parliament’s telephone shall be tapped, and that any changes to this policy will be reported by the Prime Minister to Parliament. In 1997, Prime Minister Tony Blair extended the Wilson Doctrine to electronic surveillance, stating a few years later that the Doctrine “extends to all forms of warranted interception of communications.” In addition to alleging violations of Parliamentary privilege and the Wilson Doctrine, Ms. Lucas and Baroness Jones alleged that the interception of their communications under the Tempora program violated Articles 8 and 10 of the European Convention on Human Rights.

In its written submissions to the IPT, the government refused to either confirm or deny the existence of the Tempora program or any of the factual allegations in the complaint about the program. Nor did the government confirm or deny whether any of the complainants’ communications had been or were being intercepted.

At the first procedural hearing on the case, held on July 1, 2014, the President of the IPT, Mr. Justice Burton, stated that “the only issue in this case which needs a hearing is . . . [the scope] of the Wilson doctrine.” Although counsel for GCHQ, MI5, and MI6 asked to reserve the right to make submissions in closed session about “past policy and procedures in relation to the Wilson doctrine,” Mr. Justice Burton said that the IPT was not “Kafkaesque,” and “[w]e have a good issue here we can decide in open.”

On October 22, 2014, MP George Galloway of the Respect Party also filed a challenge before the IPT, arguing that the revelations about Tempora made it inconceivable that his communications were not being intercepted, and that the interception violated both the Wilson Doctrine and Articles 8 and 10 of the ECHR.

The IPT put the Lucas and Jones and Galloway cases on hold, pending its resolution of the challenge by Liberty, et al. described above in Section (B).

II. Privacy International’s Other Complaints before the IPT

A. Privacy International v. Secretary of State for the Foreign and Commonwealth Office and Government Communications Headquarters (Case No. IPT/14/85/CH): Claim in Regard to Illegal Hacking

On May 13, 2014, Privacy International brought a further legal action against the GCHQ and the other security and intelligence services of the UK in the Investigatory Powers Tribunal (IPT). By contrast to its original complaint regarding the interception of communications through the Prism and upstream data collection programs (see I B above), this second legal complaint concerns the widespread insertion of malware into individuals’ computers and mobile devices in order to access stored data or control the devices’ functions (for instance, activate cameras or microphones on devices without their users’ consent). In bringing this second challenge to the GCHQ’s actions in partnership with the NSA, Privacy International alleged in its Statement of Grounds that, “The use of such techniques [for infiltrating computers and other devices] is potentially far more intrusive than any other current surveillance technique, including the interception of communications. … If the interception of communications is the modern equivalent of wiretapping, then the activity at issue in this complaint is the modern equivalent of entering someone’s home, searching through his filing cabinets, diaries and correspondence, and planting devices to permit constant surveillance in future, and, if mobile devices are involved, obtaining historical information including every location he visited during the past year.” Para. 4.

Arguing that the conduct at issue violated Articles 8 and 10 of the European Convention on Human Rights, Privacy International seeks “a declaration that the matters set out in the complaint are well founded and GCHQ’s conduct has been unlawful” and an injunction “restraining any similar future conduct, an order requiring the destruction of any information unlawfully obtained and a public judgment”. (Investigatory Powers Complaint Form T2, No.8).

On February 6, 2015, the Respondents filed both Closed and Open Responses before the IPT. The Open Response, which was disclosed by Privacy International on March 18, indicated that, as with the IPT challenge to Prism and Tempora described in Section I(B), the Intelligence Services maintained their traditional “neither confirm nor deny” (NCND) policy in regard to all factual details about their operations. To claim that NCND was compatible with the foreseeability component of the “accordance with the law” requirement of Article 8 of the ECHR, the Respondents invoked the IPT’s power to examine their “below the waterline” arrangements in closed hearings. In addition, the Respondents relied on the draft Equipment Interference Code of Practice (the “EI” Code) that the Home Office published on February 6, 2015, claiming that the Code “reflects the current safeguards applied by the relevant Agencies, including GCHQ.” Open Response, para. 66.

Notwithstanding NCND, the Open Response indicated that the EI Code allows “intended”, as well as “collateral,” “interference with the equipment” of “individuals who are not intelligence targets in their own right,” but criticized the Claimants’ “very extreme factual allegations about the scope, scale and nature of GCHQ’s activities ….” Id., paras. 27, 77.

B. Privacy International and 7 Internet Service Providers v. Secretary of State for the Foreign and Commonwealth Office and Government Communications Headquarters (Case No. IPT/14/120-126/CH): Claim Regarding Alleged Network Infrastructure Attacks

In July 2014, Privacy International, along with 7 Internet Service Providers (ISPs), filed a lawsuit in the Investigatory Powers Tribunal (IPT) claiming that alleged attacks on network infrastructure by the GCHQ and the NSA have violated the UK Computer Misuse Act, Article 1 of the First Additional Protocol (A1AP) of the European Convention on Human Rights (ECHR), which “guarantees the individual’s peaceful enjoyment of their possessions”, as well as Articles 8 & 10 of the ECHR.

This is the first time that ISPs have brought claims against the GCHQ, and although none of the ISP claimants was specifically named in the documents leaked by Snowden, Privacy International contends that “the type of surveillance being carried out allows them to challenge the practices… because they and their users are at threat of being targeted”. The ISP claimants are GreenNet (UK), Riseup (US), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (South Korea), May First/People Link (US) and the Chaos Computer Club (Germany). According to Cedric Knight of GreenNet, “Snowden’s revelations have exposed GCHQ’s view that independent operators like GreenNet are legitimate targets for internet surveillance, so we could be unknowingly used to collect data on our users. We say this is unlawful and utterly unacceptable in a democracy.”

The claimants are seeking:

  1. A declaration that GCHQ’s intrusion into the computers and network assets of internet and communications service providers, their staff and their users is unlawful and contrary to Articles 8 and 10 and A1P1 ECHR;
  2. An order requiring the destruction of any unlawfully obtained material;
  3. An injunction restraining further unlawful conduct.

GCHQ maintains that all its work is conducted “in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate”.

On February 6, 2015, the UK government filed the same Closed and Open Responses in this case as in the case described in (A) above.

 

III. The Belhadj Complaint before the IPT in regard to the GCHQ, MI5, and MI6’s Interception and Use of Attorney-Client Communications

Belhadj et al. v. Security Service, et al., Case No. IPT/13/132-9/H

In 2012, the families of Gaddafi opponents Abdel Hakim Belhaj and Sami al-Saadi brought civil actions against the UK government and others after documents found in Tripoli in 2011 revealed a UK-US-Libyan plot to abduct Belhaj, al-Saadi and their families from Southeast Asia and “render” them for torture in Libya. After the Snowden revelations led to concerns that UK intelligence services might be intercepting and misusing the families’ privileged communications with their lawyers at Reprieve and Leigh Day, the families filed a complaint in the IPT in late 2013. The complaint alleges that MI5, MI6, and GCHQ have ineffective and unlawful policies for protecting “legal professional privilege” (the UK analog of US attorney-client privilege) and that UK government lawyers or officials may have been illegally misusing attorney-client communications in the families’ torture cases.

The government invoked national security concerns to resist disclosure of GCHQ’s, MI5’s and MI6’s policies. However, two hours before a scheduled hearing before the IPT on November 6, 2014, the government produced extracts of top secret guidelines showing that the UK intelligence services had been intercepting attorney-client communications.

On February 26, 2015, the IPT ordered that in accord with the Respondents’ concession, “there be a declaration that since January 2010 the regime for the interception/obtaining, analysis, use, disclosure and destruction of legally privileged material has contravened Article 8 ECHR and was accordingly unlawful.” Since the government would neither confirm nor deny that its illegal conduct had extended to Belhadj, al-Saadi, and their families, the IPT also ordered that a closed hearing be held on “whether the Claimants’ legally privileged communications have in fact been intercepted/obtained, analysed, used, disclosed or retained (“relevant interception”).” A hearing open to the public was scheduled for March 12 to consider “on the hypothetical assumption (the true position being neither confirmed nor denied), that there have been relevant interception, what if any remedies should be granted to the Claimants.”

At the open hearing on March 13, the UK took the position that even if it had illegally intercepted the attorney-client communications of Belhaj, al-Saadi and their families, it was entitled to keep that fact secret from the families, their attorneys and the public.

IV. Privacy International’s Complaints to the National Cyber Crime Unit in regard to Foreign Governments’ Use of FinFisher

A. The Ethiopian Government’s Use of FinSpy

On February 1, 2014, Privacy International filed a criminal complaint asking the National Cyber Crime Unit of the UK’s National Crime Agency (“NCA”) to investigate Ethiopia’s use of FinSpy in June 2012 to infect the computer of Tadesse Kesmo, a political refugee living in the UK since 2009. FinSpy is a component of the FinFisher intrusion kit developed and produced by UK company Gamma International. Users of FinSpy gain full access to their targets’ devices and the contents on the devices and are able to turn on functions such as cameras and microphones. Privacy International alleges that the Regulation of Investigatory Powers Act (“RIPA”), the Serious Crime Act, and the Accessories and Abettors Act 1861 were violated by Ethiopia’s use of FinSpy to conduct surveillance on Mr. Kesmo’s computer.

Privacy International’s press release is available at https://www.privacyinternational.org/?q=node/80.

B. The Bahraini Government’s Use of FinFisher

On October 13, 2014, Privacy International filed a formal criminal complaint asking the National Cyber Crime Unit of the NCA to investigate Bahrain’s alleged infection with FinFisher malware of the computers and cell phones of three Bahraini human rights activists living in asylum in the UK: Moosa Abd-Ali Ali, Jaafar Al Hasabi and Saeed Al-Shehabi. FinFisher gives its user full access to a target’s device, enabling documents to be copied and transmitted, cameras and microphones to be remotely turned on, and emails to be sent from the target’s account.

In August, Bahrain Watch and WikiLeaks had published evidence of exchanges between Bahraini officials and FinFisher technical support staff. FinFisher was a subsidiary of UK-based Gamma International at the time of the alleged infection, but it has since become an independent German-based firm.

The complaint alleges that Bahraini authorities engaged in unlawful interception of communications under section 1 of the Regulation of Investigatory Powers Act 2000 (“RIPA”). Gamma International is alleged to be an accessory under the Accessories and Abettors Act 1861 and/or to have violated the Serious Crime Act 2007 by encouraging and assisting Bahrain in illegal surveillance.

Privacy International’s Press Release is available at https://www.privacyinternational.org/?q=node/84.

Should the NCA decline to investigate the Ethiopian and/or Bahraini FinFisher complaint, Privacy International could bring actions in court.

V. The Detention of David Miranda

A. The Denial of Interim Relief to Stop the Examination of the Laptop and Other Devices that were seized when Mr. Miranda was Detained

The Queen on the Application of David Miranda v. Secretary of State for the Home Dept and Commissioner of Police for the Metropolis, CO/11732/2013, EWHC 2609 (Admin.) (High Ct of Justice Q.B. Div’l Ct. Aug. 23, 2013)

This proceeding concerned the application of David Miranda, the partner of journalist Glenn Greenwald, for interim relief to stop the defendants from examining and informing third parties of the contents of the material found on the laptop, telephone, memory sticks, portable hard drive and other items that officers seized from him on August 18 during his detention at Heathrow Airport. Balancing “two interests of high importance, the protection of journalistic sources and the protection of national security,” the High Court ruled that pending a hearing on August 30, the authorities would be allowed to inspect the materials seized from Mr. Miranda for the purpose of determining whether there were “reasonable grounds for suspecting that [he was] a person [who] ‘is or has been concerned in the commission, preparation or instigation of acts of terrorism’ (Section 40(1)(b) [of the Terrorism Act 2000]).” In addition, inspection and disclosure of the contents of the material would be allowed for the purpose of protecting national security.

At the start of the scheduled hearing before the High Court on August 30, the parties stated that they had agreed that the government could continue to examine the seized material under similar conditions to those set forth in the Court’s judgment of August 23. On August 30, the court set a “rolled up” hearing for a future date on Miranda’s application for permission to seek judicial review, with substantive judicial review to follow if the application was granted.

http://www.bbc.co.uk/news/uk-23898580.

B. The High Court’s Judgment Affirming the Legality of Mr. Miranda’s Detention

A hearing was held on November 6 and 7, 2013, and, on February 19, 2014, the High Court, in an opinion by Lord Justice Laws, which Mr. Justices Ouseley and Openshaw joined, granted permission to seek judicial review on the ground that Mr. Miranda had raised issues of “substantial importance.” Para. 15. The Court ruled, however, that the detention of David Miranda under Schedule 7 of the Terrorism Act 2000 (“Schedule 7”) was lawful.

In his opinion, Lord Justice Laws first held that Mr. Miranda had been properly stopped, as required by Schedule 7, for the purpose of determining whether he “appeared to be a person falling within [the definition of a terrorist in] section 40(1)(b).” Para. 21. In reaching this holding, the judge stressed that “the Schedule 7 purpose is not to determine whether the subject is, but only whether he ‘appears to be’ a terrorist.” Para. 30. At the same time, however, Lord Justice Laws recognized that, “The purpose of the stop [of Mr. Miranda] may be simply expressed. It was to ascertain the nature of the material which the claimant was carrying and if on examination it proved to be as was feared, to neutralise the effects of its release (or further release) or dissemination.” Para. 27. In an attempt to fit the purpose of examining and preventing the dissemination of the material Mr. Miranda was carrying within Schedule 7’s mandated, limited purpose of determining whether he appeared to be a terrorist, the judge reasoned that Schedule 7 “provides [for] no particular consequence” when a stopped person is determined to possibly be a terrorist. Consequently, one permissible outcome is the retention of materials in the subject’s possession … if the general law allows it.” Para. 32.

Lord Justice Laws went on to reject Mr. Miranda’s alternative contention that even if his detention was authorized by Schedule 7, “the Schedule 7 stop was a disproportionate interference with his … right to ‘the protection of journalistic expression.’” Here, the judge agreed with Mr. Miranda’s counsel that English common law, rather than the jurisprudence of the European Court of Human Rights, would suffice to resolve the issue.

In further agreement with Mr. Miranda’s counsel, Lord Justice Laws held that the protections of journalistic expression applied to Mr. Miranda, even though he was not himself a journalist. The judge turned this seeming concession against the claimant, however, by reasoning that while the right to freedom of expression “belongs to every individual for his own sake,” journalistic expression is protected to enable the citizenry to engage in informed political debate. Para. 46. Consequently, in determining whether Mr. Miranda’s detention disproportionately interfered with his freedom, the balance to be struck was not between his private right and the public interest, but between “two aspects of the public interest”: national security versus the public’s interest as readers or audience. Id.

In finding that the balance favored the government, Lord Justice Laws fully credited its evidence about the grave threat to life and national security that exposure of the materials Mr. Miranda was carrying posed. By contrast, the interference with journalistic freedom was limited because Mr. Miranda was not a journalist himself, but only an assistant to Glenn Greenwald. In addition, the “58,000 highly classified UK intelligence documents stolen from GCHQ” that Mr. Miranda carried “was not ‘journalistic material,’ or if it was, only in the weakest sense.” Paras. 64, 72 and 73. Further finding in favor of the government, the judge rejected the claimant’s position that in a democracy, journalists and the government share responsibility for determining when publication should be withheld for the sake of national security. “Journalists have no such constitutional responsibility. The constitutional responsibility for the protection of national security lies with elected government.” Para. 71.

In ruling that Mr. Miranda’s detention was lawful, Lord Justice Laws also dismissed his contention that Schedule 7 contravenes the requirement of Article 10(2) of the European Convention on Human Rights that any restriction on freedom of expression be “prescribed by law.” Following the reasoning in Beghal v DPP, [2014] 2 WLR 150, [2013] EWHC 2573, the judge found that the Schedule 7 powers are not overbroad and arbitrary because they can be exercised only for port and border control, on people who travel through border and port areas, and “subject to cumulative statutory limitations.” Para. 81. Contentiously, the judge went on to suggest that the European Court of Human Rights had wrongly invalidated the stop and search powers in the 2000 Act in Gillan and Quinton v. UK (2010), 50 EHRR 45. In reasoning that “[i]n matters affecting fundamental rights it would be contrary to the rule of law … for a legal discretion granted to the executive to be expressed in terms of an unfettered power,” the Gillan Court failed to understand that “in English law the executive never enjoys unfettered power. All State power has legal limits, for it is conferred on trust to be exercised reasonably, in good faith, and for the purpose for which it is given by statute ….” Para. 83. Strongly suggesting that the unique features of the English legal system obviate the need for explicit constraints on executive power to be set forth in legislation, the judge announced that, “It is not a general, certainly not an absolute, requirement of the law of human rights in England that the Act of Parliament must spell out the constraints upon the power which it confers.” Id.

Further, Lord Justice Laws dismissed the claimant’s contention that by not requiring prior judicial scrutiny of restrictions on journalistic expression, Schedule 7 violates Article 10(2)’s requirement that restrictions on freedom of expression be prescribed by law. In addition to asserting that the European Court of Human Rights had not made prior judicial scrutiny an absolute prerequisite for government interferences with journalistic freedom, the judge again evinced a commitment to the autonomy of UK law. “[T]he Strasbourg court would itself acknowledge that the protections against excess of power by State agents, and the limitations which the law imposes on the power they enjoy, vary greatly from State to State …” Para. 88.

Lord Justice Laws concluded that in addition to showing that the right to freedom of expression under Article 10 of the European Convention on Human Rights is not contravened, the limits that Beghal found on the Schedule 7 power imply that there is no violation of either Article 5’s right to liberty and security or Article 8’s right to respect for private and family life.

Arguably, Lord Justice Laws’s reasoning in regard to whether the police powers under Section 7 are overbroad and arbitrary and disproportionately interfere with freedom of expression conflicts with dicta in the UK Supreme Court’s decision in R v Gul [2013] UKSC, 64 (Lord Neuberger, Lady Hale, Lord Hope, Lord Mance, Lord Judge, Lord Kerr, Lord Reed), [63]-[64]. There, the UK Supreme Court reasoned that, “[U]nder Schedule 7 to the 2000 Act, the power to stop, question and detain in port or at borders is left to the examining officer. The power is not subject to any controls. Indeed, the officer is not even required to have grounds for suspecting that the person detained falls within section 40(1) of the 2000 Act …, or even that any offence has been or may be committed, before commencing an examination to see whether the person falls within that subsection.” The Court recognized that it was not faced with the issue of whether the Schedule 7 powers were lawful. “On this appeal, we are not, of course, directly concerned with that issue….” Nonetheless, the Supreme Court justices opined that, “[D]etention of the kind provided for in the Schedule represents the possibility of serious invasions of personal liberty.”

C. David Miranda Receives Permission to Appeal the High Court’s Judgment to the Court of Appeal.

Although the High Court concluded its judgment by dismissing Mr. Miranda’s application for judicial review, on May 15, 2014, David Miranda received permission to appeal the judgment. The main reason for allowing the appeal was that the UK Supreme Court had decided to hear the case, Beghal v DPP [2014] 2 WLR 150, [2013] EWHC 2573, on which the High Court in Mr. Miranda’s case had relied to find that the Schedule 7 powers are not overbroad and arbitrary and, therefore, do not violate the European Convention on Human Rights. It should be noted that Lord Justice Laws followed Beghal even though he was aware that the UK Supreme Court had decided to hear the case.

Welcoming the decision to grant permission to appeal, Mr. Miranda’s solicitor highlighted the fact that the Court of Appeal “noted the importance of the issues and the compelling legal arguments raised in his case. We look forward to the appeal being heard as calls for reform of schedule 7 grow alongside concerns around the dangerous conflation of investigative journalism with terrorism which was starkly illustrated by Mr Miranda’s detention”.

The Court of Appeal is not expected to hear the case for a number of months, and it is believed that the judgment will be stayed until the Supreme Court rules in Beghal.

D. The Investigation by the Independent Reviewer of Terrorism Legislation.

1. The Independent Reviewer’s Decision Not to Issue a Specific Report on Mr. Miranda’s Case

Promptly after Mr. Miranda’s detention, David Anderson QC, the independent reviewer of terrorism legislation for the UK, began an investigation into the use of Schedule 7 to detain Mr. Miranda. On March 12, 2014, Mr. Anderson QC informed the Home Secretary, the Chairs of the Home Affairs Select Committee and Joint Committee on Human Rights, Assistant Commissioner Cressida Dick of the Metropolitan Police, and Mr. Miranda’s solicitors that he had decided not to write a specific report on the case, in view of the High Court’s judgment, which is “of course authoritative on matters of law,” and of progress on a bill to reform Schedule 7. Mr Anderson QC indicated, however, that in his annual Terrorism Acts report to Parliament in July, he intends to discuss the Miranda case, with due care to the pendency of the case before the Court of Appeal.

2. The Independent Reviewer’s Recommendations for Reforming Schedule 7

At the invitation of the Home Affairs Select Committee, the independent reviewer set out recommendations to reform Schedule 7. This written evidence was published by the Committee on November 20, 2013.

Based in part on confidential briefings and evidence from MI5, Mr. Anderson QC recommended that subject to a proposed amendment in the Bill for strip searches, examining officers should continue to have the power to stop, question and search people for the purpose of determining whether they appear to fall within the definition of terrorist in section 40(1)(b) of the Act, regardless of whether they have grounds for suspecting that a person falls within the Section. He emphasized, however, that such powers should be used for the sole purpose of determining whether a person appears to be connected with terrorism acts and not “for any other purpose”.

The independent reviewer also made recommendations in regard to the legal threshold required for “detention” which the proposed legislation defines as occurring whenever an officer questions a person for more than one hour. Detention gives rise to rights to be informed and to consult a solicitor and to obligations to provide fingerprints or samples under specified circumstances. Mr. Anderson QC rejected the position that an examining officer be required to have “reasonable grounds for suspecting” that a person appears to be involved in terrorism, as defined in section 40(1)(b), on the ground that it would be difficult to arrive at reasonable grounds in the hour before a detention decision must be made. Instead, he recommended that a “senior officer” must be satisfied that there are “grounds for suspecting” that a person appears to fall within section 40(1)(b) and that detention is “necessary in order to assist in determining” whether the person in fact falls within the section. The reviewer further specified that for detention to be extended, a senior officer must be satisfied that the initial grounds that justified the detention remain. He also recommended that the intervals for review of detention be specified in Schedule 7, instead of being set forth in the Code of Practice.

In addition, the independent reviewer recommended that the copying and retention of data from mobile phones and other personal electronic devices be subject to the same legal threshold as detention. He further recommended that the government show how it will “ensure that private electronic data gathered under Schedule 7 is subject to proper safeguards governing its retention and use”.

In regard to the introduction of evidence gathered under Schedule 7 in subsequent criminal trials, the Independent Reviewer recommended that “the Government indicate how adequate safeguards are to be provided in regard to legally privileged material, excluded material and special procedure.” He stated that he might comment further on the issue after the Miranda judgment. Citing the comment of the Administrative Court (Gross LJ, Swift and Foskett JJ) in Beghal v DPP, Mr. Anderson QC joined in recommending a “statutory bar … to the introduction of Schedule 7 admissions in a subsequent criminal trial.”
