High Court Says UK Government Can No Longer Collect Internet Data In Bulk

from the snoopers-charter:-now-with-10%-less-snooping! dept

UK civil liberties group Liberty has won a significant legal battle against the Snoopers Charter. A recent ruling [PDF] by the UK High Court says the data retention provisions, which include mandated extended storage of things like web browsing history by ISPs, are incompatible with EU privacy laws.

The court found the data retention provisions are at odds with civil liberties protections for a couple of reasons. First, the oversight is too limited to be considered protective of human rights asserted by the EU governing body. As the law stands now, demands for data don't require independent oversight or authorization.

Second, even though the Charter claims demands for data will be limited to "serious crimes," the actual wording shows there are no practical limitations preventing the government from accessing this data for nearly any reason at all.

The decision quotes the Charter's stated reasons for obtaining data, which range from "public safety," to "preventing disorder" to "assessing or collecting taxes." Obviously, the broad surveillance powers will not be limited to "serious crimes," contrary to the government's assertions in court.

First, the wording of the draft declaration is so broad that it would include areas which are outside (or potentially outside) the area of serious crime: for example, the area of national security. As will become apparent later, the issue of whether the area of national security falls within the scope of EU law at all is the subject of dispute between the parties.

The second sentence refers to the government's argument: that UK national security concerns trump European law. Unfortunately, the High Court does not provide an answer as to whether UK law can ignore CJEU decisions when it comes to securing the nation. This will have to wait until after a decision is handed down in another challenge to the surveillance law.

[I]n our view, although the terms of section 94 of the 1984 Act and the terms of Part 4 of the 2016 Act are not identical, the questions which have been referred by the IPT are not confined to the precise scope of section 94. Rather they raise broader questions about the scope of EU law, having regard to Article 4 TEU and Article 1(3) of the e-Privacy Directive; and also raise the particular question of whether any of the Watson CJEU requirements apply in the field of national security.

For those reasons we refuse the application by the Claimant to make a reference to the CJEU on this question. This part of this claim will be stayed pending the CJEU’s decision in the reference in the Privacy International case.

In the end, the court decides this part of the Snoopers Charter must be stricken and rewritten to comply with EU privacy protections. The UK government has six months to fix the law. Until that point, it appears UK agencies will still be able to demand data in bulk under the Charter draft. Once the fixes are in and enacted, bulk collections of internet browsing data and communications metadata will cease… at least until the UK exits the European Union.

Filed Under: data protection, eu, mass surveillance, privacy, snooper's charter, surveillance, uk

UK Councils Used Massive Surveillance Powers To Spy On... Excessively Barking Dogs & Illegal Pigeon Feeding

from the once-the-power's-there... dept

Over in the UK, we've highlighted many of the problems of massively expanding surveillance through the (most likely illegal) "DRIPA" (Data Retention and Investigatory Powers Bill) and the new Snooper's Charter. And yet, the government there keeps insisting that such powers would never be abused. But, that's ridiculous. As we've seen in the past, it's difficult to find examples of surveillance powers not being expanded and abused over time. And, now the UK is realizing exactly how that works. The Guardian, via Freedom of Information requests, has discovered that local British councils were given the ability to use surveillance powers under the Regulation of Investigatory Powers Act (RIPA) to spy on all sorts of people for what appear to be minor infractions:

A mass freedom of information request has found 186 local authorities – two-thirds of the 283 that responded – used the government’s Regulation of Investigatory Powers Act (Ripa) to gather evidence via secret listening devices, cameras and private detectives.

Among the detailed examples provided were Midlothian council using the powers to monitor dog barking and Allerdale borough council gathering evidence about who was guilty of feeding pigeons.

Remember, of course, that every time these kinds of surveillance powers are discussed in government, everyone is told that they're necessary to stop the horrible threat of imminent death from terrorism. No one talks about how they'll stop the scourge of illegal pigeon feeding.

While the article rightly quotes politicians horrified by this abuse of surveillance power -- and using it to question why the UK is giving itself more powers under the Snooper's Charter, which will be similarly abused -- there are also some local politicans who defend spying on the public in this manner:

“I’m frankly far more concerned about the rights and civil liberties of the victims and wider council tax-paying public, who are currently having to pick up the tab, than the small minority criminal element who continue to treat the rest of us with open contempt.”

And this is how civil liberties die. By claiming that it's more important to give them up to capture people involved in petty nuisance activities, and claiming that the government needs to spy on everyone to stop such activities.

Filed Under: barking dogs, investigatory powers, pigeon feeding, ripa, snooper's charter, surveillance, uk

European Court Of Justice Rules Against UK's Mass Surveillance Program

from the will-it-matter-after-brexit? dept

Over the summer, we noted that the Advocate General for the European Court of Justice had sort of punted on the issue of whether or not the UK's Data Retention and Investigatory Powers Bill (DRIPA) was actually legal. Thankfully, the final ruling is much clearer: "general and indiscriminate retention" of emails and other electronic communications is illegal in the EU according to the court. The only thing that is allowed is targeted interception, used to combat "serious crime."

This is a pretty big deal, as the original recommendation from the Advocate General had suggested that DRIPA might be found legal. Of course, DRIPA is in the process of being superseded by the even worse Investigatory Powers Bill, better known as the Snooper's Charter. If DRIPA violates the law, than the Snooper's Charter almost certainly does so at an even greater level. Of course, there is some irony in all of this, in that the case that came to the CJEU was brought by a Member of Parliament, David Davis, who is now the "Brexit Secretary," meaning that he's helping to organize the process by which the UK will be removed from the EU... such that it may not even matter what the EU's Court of Justice has to say on the matter.

The UK has also made it clear it's going to appeal the decision, meaning that it will get to drag this process out as long as possible, potentially until the Brexit process is completed, at which point the ruling will not matter.

Still, it should at least raise question in the UK about why their politicians are granting the government powers to snoop on every member of the public at a level that goes way beyond what is considered appropriate.

Filed Under: cjeu, data retention, david davis, drip, dripa, european court of justice, investigatory powers bill, ip bill, mass surveillance, snooper's charter, uk

Parliament Passes Snooper's Charter, Opens Up Citizens To Whole New Levels Of Domestic Surviellance

from the surfing-the-internet-with-The-Man dept

Despite loudly, and repeatedly, raised concerns from activists and members of Parliament, the UK's Snooper's Charter (a.k.a., Investigatory Powers bill [PDF]) has been passed by both parliamentary houses and only needs the formality of the royal signature to make it official.

These are the fantastic new things UK citizens have to look forward to with this expansion of government surveillance power.

The law will force internet providers to record every internet customer's top-level web history in real-time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand -- though the government has never been that clear on exactly how it forces foreign firms to do that that; and even disclose any new security features in products before they launch.

The list of new powers doesn't end with these. UK intelligence agencies are also given permission to perform "electronic interference" -- hack into computers and electronic devices belonging to UK citizens, not just individually, but in bulk. It also codifies secret (and illegal) surveillance of UK citizens that the country's intelligence agencies have engaged in for years without proper authority or oversight.

The government, of course, is trying to portray this as nothing more than a fine tuning of preexisting laws, specifically the Regulation of Investigatory Powers Act (RIPA). Glossed over in its perfunctory "nothing to see here" explanation is the fact that RIPA was also rushed into existence to codify other secret and illegal surveillance programs.

But it's no ordinary update of existing investigatory laws. Jim Killock of the Open Rights Group calls the Snooper's Charter "the most extreme surveillance law ever passed in a democracy." Thanks to the new powers, UK intelligence agencies should be able to put together very extensive dossiers on pretty much anyone they feel like.

This is the collection of Internet Connection Records (ICRs)—a record of which services every citizen it is connecting to, logged in real-time. This unprecedented level of micro-surveillance is accompanied by a machine to make sense of the mass of data, called a ‘Filter’, but is in essence, a search engine. It can match these ICRs with your mobile phone location data and call histories. It can, we believe, be used to profile the social relationships and the sexual and political activities of every U.K. citizen.

That's how the UK government wants it, apparently: porn filtered out, but spy agencies let in.

Beyond the expansion of law enforcement and surveillance powers is the precedent set by the government in its continual codification of secret surveillance programs. Like RIPA before it, the new law sends a message to intelligence and law enforcement agencies that all misdeeds will ultimately be legislatively forgiven by their overseers. Agencies are implicitly invited to hide programs from overseers and explore new collection techniques without running it past anyone else in the government first. And years later, it will all be papered over by "updated laws."

This is also good news for other Five Eyes surveillance partners. The NSA and GCHQ's information sharing partnership means the US agency now has access to even more data on British citizens. Almost anything GCHQ can acquire, the NSA can access. And now GCHQ can access more than ever.

Filed Under: data retention, gchq, investigatory powers bill, ipbill, metadata, parliament, snooper's charter, uk

EU Court Of Justice Advisor Suggests UK's Last Surveillance Bill May Be Legal, But Hints That The New One Might Not Be

from the reading-the-tea-leaves dept

Over at the EU Court of Justice, the Advocate General has weighed in on the legal challenge to DRIPA, the Data Retention and Investigatory Powers Bill (DRIPA) that was rushed through the UK Parliament almost exactly two years ago. The law was challenged by a group made up of cross-party Parliament Members, and the Advocate General has sort of punted on the issue. If you don't recall, the Advocate General's role in the EU Court of Justice is basically to make a recommendation for the actual rulings. The court doesn't have to (and doesn't always) follow the Advocate General's suggestion, but does so often enough that the opinions certainly carry a lot of weight and suggest what's likely to happen. In this case, the opinion stated that, even though the court had previously rejected the EU-wide Data Retention Directive as intruding on privacy -- the UK's data retention law might be okay.

The opinion basically says some data retention laws may be okay if the powers are "circumscribed by strict safeguards" set up by the national courts.

Of course, the timing on this is important, given that the UK is (1) eagerly trying to push through its new surveillance law, the Investigatory Powers Bill which was (2) championed by then Home Secretary Theresa May as a necessary surveillance tool -- and May is now the Prime Minister due to a series of issues in the UK you may have heard about lately. And some folks who are trying to read the tea leaves of the Advocate General's opinion are suggesting that it may actually hint that while the old DRIPA might possibly be okay, the new Investigatory Powers bill probably is not. Of course, a lot of this depends on how you read the opinion and how certain key phrases are interpreted.

Many of those responding to Tuesday's opinion emphasised the main finding that "solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not."

Basically, it appears that while it may be possible to twist DRIPA into shape so that it's not violating the court's required safeguards, the same cannot be said for the new bill. Whether or not that actually stops forward progress on that bill is another story altogether. And, of course, if the UK really is going to go through with its plan to leave the EU entirely, none of this may matter at all. Well, except for the privacy of everyone in the UK.

Filed Under: data retention, dripa, eu court of justice, eucj, investigatory powers bill, ipbill, snooper's charter, surveillance

UK Parliament Ignores Concerns; Moves Snooper's Charter Forward

from the sad dept

This isn't necessarily a huge surprise, but the UK's House of Commons overwhelmingly voted in support of the Snooper's Charter, officially known as the Investigatory Powers Bill. As we've discussed, this is a dangerous bill that will give the UK government significantly more surveillance powers (or, in many cases, will "authorize" things that the UK government has already been doing on dubious legal authority), with little to no real oversight. And despite people being upset about it, it still was approved by a vote of 444 to 69. And, yes, the current version of the bill still asks for backdoors to encryption, but leaves a vague exemption if a company claims that it would not be feasible or would be too expensive. That's better than the alternative, but it's still a step in the wrong direction. The bill still needs to be considered by the House of Lords, but it's disappointing that the House of Commons seemed so willing to cave to demands for more surveillance powers.

Filed Under: house of commons, investigatory powers bill, ip bill, snooper's charter, surveillance, uk

UK Government Pushes Forward With Insane Snooper's Charter, Despite Widespread Concerns

from the concerns-can-be-ignored-when-you're-in-power dept

We've written a few times in the past year about the latest UK efforts to enact its "Snooper's Charter" law, officially the Investigatory Powers Bill, which would give the government much greater surveillance capabilities. Right after last year's election, Prime Minister David Cameron and Home Office Secretary Theresa May made it clear that they were going to go full Orwell, and do whatever possible to grant themselves greater powers to spy on everyone. As more concerns were raised, we noted that the government pretended to back down, while still including all the bad stuff people predicted.

As more and more complaints about the bill were raised, we noted May decided to try to rush the bill through, along with a healthy dose of "if you don't do this we're all going to die!" FUD. That included releasing a new draft of the bill, which pretended to address the privacy concerns people raised, but which did so basically by just adding the word "privacy" to a heading and making no substantive changes to protect privacy at all (and possibly changes that made things worse).

Rest assured that a lot of people are seriously uncomfortable with all of this. A group of over 200 leading lawyers in the UK have sent a letter slamming the bill:

At present the draft law fails to meet international standards for surveillance powers. It requires significant revisions to do so.

First, a law that gives public authorities generalised access to electronic communications contents compromises the essence of the fundamental right to privacy and may be illegal. The investigatory powers bill does this with its “bulk interception warrants” and “bulk equipment interference warrants”.

Second, international standards require that interception authorisations identify a specific target – a person or premises – for surveillance. The investigatory powers bill also fails this standard because it allows “targeted interception warrants” to apply to groups or persons, organisations, or premises.

Third, those who authorise interceptions should be able to verify a “reasonable suspicion” on the basis of a factual case. The investigatory powers bill does not mention “reasonable suspicion” – or even suspects – and there is no need to demonstrate criminal involvement or a threat to national security.

These are international standards found in judgments of the European court of justice and the European court of human rights, and in the recent opinion of the UN special rapporteur for the right to privacy. At present the bill fails to meet these standards – the law is unfit for purpose.

Meanwhile, internet service providers, tech companies, and civil liberties groups have asked the government to delay moving forward with the bill, but it does not appear that May has any interest in doing so.

On Tuesday, the House of Commons had its "Second Reading" of the bill, and the debate about it allowed some to raise concerns, but with various parties deciding to abstain from voting, rather than vote against it, the bill moved forward easily (it'll come back to Parliament after the House of Lords goes through the bill). Even worse, the main "opposition" to the bill was not that strongly raised:

Andy Burnham, former Home Office minister, stood to offer the Labour party's official perspective. If there is substantive opposition to the contents of the IP Bill within the Labour party - and I know there is from MPs like Tom Watson and David Winnick - then there was little evidence of it from Mr Burnham's contribution to the debate. He opened by trotting out the dire need to combat the four horsemen of the infocalypse and the false and distorting 'balance security with privacy' dichotomy. From those foundations he was highly unlikely to get anywhere enlightened.

While we're fighting against backdoors and for encryption here in the US, it looks like the UK government is potentially moving very much in the other direction.

Filed Under: david cameron, investigatory powers bill, ipbill, privacy, snooper's charter, theresa may, uk

Sensing Public Support Waning, UK Fast Tracks Snooper's Charter

from the get-the-damn-thing-through-and-then-spy-on-everyone dept

For some time now, we've been covering the UK's plan -- led by Home Secretary Theresa May -- to pass a new Snooper's Charter that would increase surveillance powers greatly in the UK. There's been a growing amount of criticism of the plan in the UK, so rather than respond to it, May has simply moved to fast track the bill, officially called the Investigatory Powers Bill. The bill will officially be "published" today on March 1, and then will likely be voted on before the end of April.

Of course, this seems like standard operating procedures these days. Two years ago, the UK government did the same thing with its data retention bill. It's almost as if the UK government would prefer cutting off debate on these issues, and just rushing through much greater surveillance powers for the government.

Filed Under: investigatory powers bill, snooper's charter, theresa may, uk

What's The Difference Between 'Mass Surveillance' And 'Bulk Collection'? Does It Matter?

from the words,-words,-words dept

As numerous Techdirt stories make clear, the particular words used to describe something can make a big difference in how it is perceived. For example, intelligence agencies like to avoid the use of the bad-sounding "mass surveillance," with its Orwellian overtones, and prefer to talk about "bulk collection," which can be presented as some kind of cool big data project. No one is more vociferous in insisting that they are not engaged in mass surveillance, but merely bulk collection, than the UK's Home Secretary, Theresa May. She was pushing that line again last week, during a grilling by a UK Parliamentary committee about her proposed Snooper's Charter. As BBC News reported:

She said the security minister, John Hayes, had written to the committee of MPs and peers scrutinising the draft bill to give the reasons why the government did not want to reveal the kinds of data investigators were accessing.

She insisted the practice -- and the sweeping up by the security services of large quantities of internet traffic passing through the UK -- did not amount to "mass surveillance" as civil liberties campaigners claim.

"The UK does not undertake mass surveillance," she told the committee.

Given what we know that GCHQ is already doing, and adding in what the UK government says it wants to do, that seems an absurd thing to say. But Paul Bernal, Lecturer in Information Technology, Intellectual Property and Media Law at the UK's University of East Anglia, thinks that there is more to this than meets the eye:

Precisely what constitutes surveillance is far from agreed. In the context of the internet (and other digital data surveillance) there are, very broadly speaking, three stages: the gathering or collecting of data, the automated analysis of the data (including algorithmic filtering), and then the 'human' examination of the results of that analysis of filtering. This is where the difference lies: privacy advocates and others might argue that the 'surveillance' happens at the first stage -- when the data is gathered or collected -- while Theresa May, [former GCHQ director] David Omand and those who work for them would be more likely to argue that it happens at the third stage -- when human beings are involved.

If surveillance occurs through the act of gathering personal data on a large scale, then clearly what the UK government does (and wants to do more of) is mass surveillance. But if surveillance only takes place once a human operator looks at some of the gathered data, then Theresa May can plausibly argue that what the UK government is engaged in is not mass surveillance, because relatively little personal data is scrutinized in this way. So the question then becomes: at what point is it most appropriate to say that surveillance has occurred? Bernal offers a helpful analogy. What the UK government wants to do with the Snooper's Charter would be like:

installing a camera in every room of every house in the UK, turning that camera on, having the footage recorded and stored for a year -- but having police officers only look at limited amounts of the footage and only when they feel they really need to.

Does the surveillance happen when the cameras are installed? When they’re turned on? When the footage is stored? When it’s filtered? Or when the police officers actually look at it.

Most people would probably find the automated video recording of everything they did in the privacy of their own home intrusive, and clearly a form of surveillance, even if it was unlikely the footage would ever be seen by a human being. And in Europe, the question has already been settled by the courts:

Privacy invasion occurs when the camera is installed and the capability of looking at the footage is enabled. That’s been consistently shown by recent rulings at both the Court of Justice of the European Union and of the European Court of Human Rights. Whether it is called ‘surveillance’ or something else, it invades privacy -- which is a fundamental right. That doesn’t mean that it is automatically wrong -- but that the balancing act between the rights of privacy (and freedom of expression, of assembly and association etc that are protected by that privacy) and the need for 'security' needs to be considered at the gathering stage, and not just at the stage when people look at the data.

That's important, because it is precisely this issue that the courts will have to consider when the inevitable legal challenges are brought against the UK's Snooper's Charter once some version of it becomes law. In the end, whether the Home Secretary thinks what she is doing is mass surveillance or merely bulk collection is irrelevant -- the UK and EU courts will be the ones that decide whether it's allowed.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bulk collection, gchq, investigatory powers bill, mass surveillance, snooper's charter, spying, surveillance, theresa may, uk

UK Home Secretary Wants Everyone's Metadata; But If You Ask For Hers, Gov't Says You're Being Vexatious

from the funny-how-that-works dept

Theresa May, the UK Home Secretary who seems like a comic book version of a government authoritarian, is leading the charge in the UK for its new Snooper's Charter, officially called the "Investigatory Powers Bill," that is filled with all kinds of nasty stuff for making it easier for the government to spy on everyone. Among the many problematic elements is the demand for basically everyone's metadata. May dismissed the concerns about this by saying it's nothing more than "an itemised phone bill." Given that, Member of Parliament Keith Vaz noted to May that people might be interested to see May's itemized phone bill.

Soon after that, we noted that UK resident Chris Gilmour sent in a FOIA request for May's metadata. Specifically, he asked for the following:

1) The date, time, and recipient of every email sent by the Home Secretary during October 2015.

2) The date, time, and sender of every email received by the Home Secretary during October 2015.

3) The date, time, and recipient of every internet telephony call (e.g. "Skype" call) made by the Home Secretary during October 2015.

4) The date, time, and sender of every internet telephony call (e.g. "Skype" call) received by the Home Secretary during October 2015.

5) The date, time, and domain address of every website visited by the Home Secretary during October 2015.

Not surprisingly, it appears he was not the only one to do so. UK newspaper The Independent sent in a FOIA request asking for:

... the web browser history of all web browsers on the Home Secretary Theresa May's GSI network account for the week beginning Monday 26 October. Feel free to redact any web addresses relating to security matters."

There may be other such requests as well -- but both of these requests got back the same basic response from the UK government. In both cases, the government rejected the requests, claiming they were "vexatious." Here's the response to Gilmour's:

We have considered your requests and we believe them to be vexatious. Section 14(1) of the Act provides that the Home Office is not obliged to comply with a request for information of this nature. We have decided that your request is vexatious because it places an unreasonable burden on the department, because it has adopted a scattergun approach and seems solely designed for the purpose of ‘fishing’ for information without any idea of what might be revealed.

The requests are similar in nature to a request the Home Office received in 2014 that the Information Commissioners Office (ICO) agreed was vexatious. The decision notice in question can be found at this link: https://search.ico.org.uk/ico/search/decisionnotice?keywords=FS50544833

Guidance issued by the ICO on vexatious requests can be found at this link: https://ico.org.uk/media/for-organisations/documents/1198/dealing-with-vexatious- requests.pdf

It appears that The Independent got an identical response (word for word). The folks at The Independent seem reasonably annoyed by this.

While the Government is widening its own powers to access the information of citizens, it is watering down the public’s right to access the Government’s information.

Either way, there seems to be a legitimate question to ask Theresa May: if there's no big deal about having the government go through your metadata and it's "just like an itemised phone bill," then why is it so "vexatious" for the public to ask for May's metadata?

Filed Under: data retention, foia, freedom of information, home secretary, investigatory powers bill, ipbill, metadata, public records, snooper's charter, surveillance, theresa may, uk, vexatious