The Investigatory Powers Act — dubbed the “Snoopers” charter by critics — was passed by parliament last year, gaining royal assent in November as the government sought to shore up capabilities contained within earlier “emergency” surveillance legislation, aka DRIPA, which contained a sunset clause, meaning those powers expired at the end of 2016.
DRIPA was branded draconian and undemocratic when it was rushed through parliament with minimal scrutiny. The IP bill fared little better, attracting criticism about its impact on privacy and overly intrusive powers from even the hawkish Intelligence and security committee.
And despite what was technically a lengthier parliamentary scrutiny process than DRIPA, critics continued to warn the legislation handed unprecedented surveillance powers to the authorities with inadequate checks and balances to protect privacy and civil liberties.
The IP Act also expands on the investigatory capabilities enabled by DRIPA by including a provision to require ISPs to log all the websites and services that all users connect to for a full year so that the information can be provided to authorities on demand — including to a wide range of government agencies (not just to security and law enforcement agencies). No warrant is needed for accessing the data.
This is one of the bulk powers Liberty is objecting to in its planned High Court challenge, warning that these so-called Internet Connection Records (ICRs) provide “a goldmine of valuable personal information for criminal hackers and foreign spies.”
It also wants a High Court judicial review of three other bulk powers enshrined in the IP Act that it argues also breach the public’s rights — namely:
- Bulk interception — the power for the state to read digital communications and listen in on calls en masse, without the need for there to be any suspicion of criminal activity
- Bulk hacking — aka the ability for police and security agencies to access, control and alter electronic devices such as computers, phones and tablets on what Liberty dubs “an industrial scale, regardless of whether their owners are suspected of involvement in crime — leaving them vulnerable to further attack by hackers”
- Bulk personal data sets — aka the ability for agencies to acquire and link large databases held by the public or private sector. “These contain details on religion, ethnic origin, sexuality, political leanings and health problems, potentially on the entire population — and are ripe for abuse and discrimination,” argues Liberty. This power was only avowed to parliament in March 2015
Commenting on the legal challenge in a statement, Liberty’s director, Martha Spurrier, said: “Last year, this government exploited fear and distraction to quietly create the most extreme surveillance regime of any democracy in history… We hope anybody with an interest in defending our democracy, privacy, press freedom, fair trials, protest rights, free speech and the safety and cybersecurity of everyone in the UK will support this crowdfunded challenge, and make 2017 the year we reclaim our rights.”
A spokeswoman for Liberty said it is aiming to raise at least £10,000 via the Crowdjustice platform to “help cover our costs exposure.”
She noted that more than 200,000 people have already signed a petition calling for the IP Act to be repealed, adding: “We’re very confident that we’ll raise this money, but we will explore other funding options if we don’t reach our target.”
Liberty’s legal challenge to the IP Act follows a key decision by Europe’s top court last month, when the ECJ ruled that EU Member States cannot impose a “general obligation to retain data on providers of electronic communications services.”
“EU law precludes national legislation that prescribes general and indiscriminate retention of data,” the court stated.
As well as indiscriminate data retention, the court objected to DRIPA’s failure to limit access to the data to the prevention and detection of serious crime; to the legislation allowing police and public bodies to authorize their own access to the data; to the law not requiring that people be notified after their data was accessed; and not requiring that data be kept in the EU.
The ECJ ruling was sparked by a legal challenge brought against the now sunsetted DRIPA, but has clear implications for the IP Act, given how many bulk powers are contained within the U.K.’s replacement surveillance legislation.
“We’re very confident the High Court will rule that the powers we’re challenging are unlawful — the powers in DRIPA already ruled by the ECJ to breach rights have been replicated and expanded on in the IPA,” said the Liberty spokeswoman.
“It’s quite difficult to make an estimate on the timeframe because it depends on the courts, but we would expect to have an initial hearing with the High Court within the year,” she added.
Some of the bulk powers contained with the IP Act were subject to a review last summer by QC David Anderson, the U.K. government’s independent reviewer of terrorism legislation. Although, at the time, Liberty criticized the small window of time afforded by the government for the review — and pointed out that two of the appointed advisers had close links with the security and intelligence agencies that were lobbying for the powers.
Anderson’s review went on to back the bulk powers’ inclusion in the legislation, arguing there is a “proven operational case for three of the bulk powers [bulk interception, bulk acquisition and bulk personal dataset], and that there is a distinct (though not yet proven) operational case for bulk equipment interference” [aka hacking].
His review did not consider the proportionality or desirability of the bulk powers — leaving that for parliament to judge. Nor did he assess bulk data gathered by ICRs.
Blogging about the ECJ DRIPA data retention ruling last month, Anderson described it as “a genuinely radical” judgement, and noted it has “significance” for the IP Act — likely meaning the law will have to be amended by further primary legislation or by a statutory instrument (secondary legislation).
In a final thought on the ruling he writes: “This important judgment is bound to feature in law exams across Europe this summer. If I were setting a question, it would be this one: ‘Lives are ruined by crime, not by the properly safeguarded use of general data retention to fight crime. Discuss.’
“That question will continue to be debated in many forms and for many years. It is to be hoped that those debates will generate light as well as heat. For this to happen, the participants — legislators, courts, NGOs, academics and students — need to avoid trading prejudices, and instead make productive use of the increasing evidence base relating to both the harm and the utility of bulk data retention.”