The oversight court for the UK’s intelligence agencies has said Europe’s top court should rule on the legality of powers that give the country’s spies the ability to collect and interrogate various forms of data in bulk (aka mass surveillance).
State agencies’ current use of bulk collection has been challenged by privacy rights group, Privacy International, which asked the tribunal to consider the lawfulness of the use of so-called “Bulk Communications Data” (BCD), and “Bulk Personal Data (BPD) under European human rights law.
BCD refers to communications metadata — so the what, where, who and why of digital communications (excluding the content of messages, but with all the granular digital data points needed to triangulate and infer massive amounts of context).
While BPD refers to large databases of personal information maintained and utilized by intelligence agencies, plugged into their analytics systems (so fully searchable via their ‘selectors’), with data, scraped from various public and private/commercial sources, which can include highly sensitive information such as political affiliation, sexual orientation, religion, racial and ethnic origin.
Last year the tribunal ruled that UK agencies’ use of bulk powers had been illegal for a period of around a decade, prior to 2015 — because they had not been avowed in parliament. The difference now is the government has written bulk collection into law. But the question is whether in doing so it has breached EU human rights law.
In a judgement handed down yesterday the Investigatory Powers tribunal said both sides saw the necessity for a reference to the European Court of Justice (ECJ)’s grand chamber.
During the course of this case, the ECJ has ruled on another challenge — brought against emergency surveillance legislation rushed through the UK parliament in 2014 (called DRIPA) — stating in December that “general and indiscriminate” state data retention regimes contravene EU law.
But while DRIPA was overturned by the ruling, it was temporary legislation and had already been sunsetted in the UK — replaced by a new surveillance regime: the Investigatory Powers Act. So it’s a legal challenge to the bulk powers contained within that current regime that’s ongoing here.
And even though EU judges have already made it clear EU Member States cannot establish “general and indiscriminate” data retention regimes, the government is trying to drive a wedge between that finding and matters of national security, arguing that the use of bulk data capabilities is “critical” to national security.
Intelligence agencies also told the court that if December’s ECJ Watson judgement — named for the Labour politician, Tom Watson, who brought the challenge — were applied in the field of national security it “would effectively cripple the SIAs’ [security and intelligence agencies’] Bulk Data capabilities”.
The tribunal, which was established in 2000 and prior to the fallout from the 2013 Snowden disclosures about government’s mass surveillance programs had never upheld a complaint against the agencies whose work it is tasked with overseeing, said in its judgement: “We have carefully considered the evidence before us, both from the Claimant and the Respondents, and we are persuaded that if the Watson Requirements do apply to measures taken to safeguard national security, in particular the BCD regime, they would frustrate them and put the national security of the United Kingdom, and, it may be, other Member States, at risk.”
“By the end of the hearing it was clear that both parties either agreed to or saw the necessity for a reference to the Grand Chamber, and the need for it is, we suggest, obvious from this Judgment,” it added. “Neither party in the event contended that the questions we have considered are either acte clair, or acte éclairé as a result of the Watson judgment.”
The Guardian reports that part of the state evidence given to judges included a statement from MI5’s deputy director in which he claimed that without BCD it would be necessary for the intelligence agencies to carry out “other and more intrusive inquiries” — such as making “many more individual requests for CD [communications data] or use other more intrusive powers in order to narrow the scope of a search”.
“The inability to use BCD would therefore involve greater intrusion into the privacy of individuals,” the MI5 deputy director also claimed.
The tribunal also heard evidence from agencies that in 2005, and on the basis of what they couched as “sensitive but fragmentary intelligence”, agencies had been able to apply filters to a BPD to reduce “pool of 27,000 candidates” down to one person who they claim was identified as a “suspected potential al-Qaida suicide bomber”.
On the other side of the argument, Privacy International’s lawyers pointed out that metadata in the modern Internet age is massively revealing about individuals — therefore necessitating “strict safeguards against the state accessing highly sensitive information about us”.
The group said it fundamentally disagrees with the government’s position that data access safeguards set out the Watson judgement — such as requiring a judge to approve access to highly sensitive information — should not apply to national security.
The UK’s now defunct DRIPA regime was rushed through parliament in 2014, and subsequently ruled unlawful under European Human Rights law by a UK high court in 2015 — after a civil rights group challenged it for targeting an overly broad range of data and having an extremely lax access regime.
Yet the government persisted in pushing to legislate for a permanent state surveillance regime that cements bulk collection as its foundational core, claiming such powers are necessary for counterterrorism efforts.
At the end of 2016 parliament passed the current legislative framework for investigatory powers, cementing the intelligence agencies’ old bulk processes into dedicated legislation. Previously agencies had relied on vague clauses in obscure and outdated laws to authorize their use of the powers (illegally, as it turned out).
The new IP Act has also expanded the UK state’s bulk collection via a new requirement for ISPs to retain browsing data on all their users for 12 months. Though, on the flip side, it also brings in a new oversight regime for use of the most intrusive powers based on warrants being authorized by ministers and judges. This does not apply to accessing the ISP browsing data, however.
In yesterday’s judgement the intelligence agencies’ oversight court refused Privacy International’s request to expedite the matter to the ECJ — which means it will likely take years more before the court makes a judgement.
At which point the UK will be further down the road of the brexit process of leaving the Union — and the government has said it wishes to remove the country from the jurisdiction of the ECJ.
So years more uncertainty are a given here. And, yes, that is the sound of a can being kicked very far down the road. Let’s all go and look at some cats.