European Court Of Human Rights: UK Surveillance Revealed By Snowden Violates Human Rights
from the well-of-course-it-does dept
Yet another vindication of Ed Snowden. Soon after some of the documents he leaked as a whistleblower revealed that the UK's GCHQ was conducting mass surveillance, a variety of human rights groups filed complaints with the European Court of Human Rights. It's taken quite some time, but earlier today the court ruled that the surveillance violated human rights, though perhaps in a more limited way than many people had hoped.
At issue were three specific types of surveillance: bulk interception of communications, sharing what was collected with foreign intelligence agencies, and obtaining communications data (metadata) from telcos. The key part of the ruling was to find that the bulk interception of communications violated Article 8 of the Human Rights Act (roughly, but not exactly, analogous to the US 4th Amendment). It was not a complete victory, as the court didn't say that bulk interception by itself violated human rights, but that the lack of oversight over how this was done made the surveillance "inadequate." The court also rejected any claims around GCHQ sharing the data with foreign intelligence agencies.
In short, the court found that bulk interception could fit within a human rights framework if there was better oversight, and that obtaining data from telcos could be acceptable if there were safeguards to protect certain information, such as journalist sources. But the lack of such oversight and safeguards doomed the surveillance activity that Snowden revealed.
Operating a bulk interception scheme was not per se in violation of the Convention and Governments had wide discretion (“a wide margin of appreciation”) in deciding what kind of surveillance scheme was necessary to protect national security. However, the operation of such systems had to meet six basic requirements, as set out in Weber and Saravia v. Germany. The Court rejected a request by the applicants to update the Weber requirements, which they had said was necessary owing to advances in technology.
The Court then noted that there were four stages of an operation under section 8(4): the interception of communications being transmitted across selected Internet bearers; the using of selectors to filter and discard – in near real time – those intercepted communications that had little or no intelligence value; the application of searches to the remaining intercepted communications; and the examination of some or all of the retained material by an analyst.
While the Court was satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers, it found that there was inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination. Furthermore, there were no real safeguards applicable to the selection of related communications data for examination, even though this data could reveal a great deal about a person’s habits and contacts.
Such failings meant section 8(4) did not meet the “quality of law” requirement of the Convention and could not keep any interference to that which was “necessary in a democratic society”. There had therefore been a violation of Article 8 of the Convention.
The court also found that acquiring data from telcos violated Article 8 as well, for similar reasons.
It first rejected a Government argument that the applicants’ application was inadmissible, finding that as investigative journalists their communications could have been targeted by the procedures in question. It then went on to focus on the Convention concept that any interference with rights had to be “in accordance with the law”.
It noted that European Union law required that any regime allowing access to data held by communications service providers had to be limited to the purpose of combating “serious crime”, and that access be subject to prior review by a court or independent administrative body. As the EU legal order is integrated into that of the UK and has primacy where there is a conflict with domestic law, the Government had conceded in a recent domestic case that a very similar scheme introduced by the Investigatory Powers Act 2016 was incompatible with fundamental rights in EU law because it did not include these safeguards. Following this concession, the High Court ordered the Government to amend the relevant provisions of the Act. The Court therefore found that as the Chapter II regime also lacked these safeguards, it was not in accordance with domestic law as interpreted by the domestic authorities in light of EU law. As such, there had been a violation of Article 8.
Both of those elements also ran afoul of Article 10's protection of free expression because journalists' communications had been swept up in the bulk data collection:
In respect of the bulk interception regime, the Court expressed particular concern about the absence of any published safeguards relating both to the circumstances in which confidential journalistic material could be selected intentionally for examination, and to the protection of confidentiality where it had been selected, either intentionally or otherwise, for examination. In view of the potential chilling effect that any perceived interference with the confidentiality of journalists’ communications and, in particular, their sources might have on the freedom of the press, the Court found that the bulk interception regime was also in violation of Article 10.
When it came to requests for data from communications service providers under Chapter II, the Court noted that the relevant safeguards only applied when the purpose of such a request was to uncover the identity of a journalist’s source. They did not apply in every case where there was a request for a journalist’s communications data, or where collateral intrusion was likely. In addition, there were no special provisions restricting access to the purpose of combating “serious crime”. As a consequence, the Court also found a violation of Article 10 in respect of the Chapter II regime.
On the final issue of passing on the info to foreign intelligence agencies, the court didn't find any human rights issues there:
The Court found that the procedure for requesting either the interception or the conveyance of intercept material from foreign intelligence agencies was set out with sufficient clarity in the domestic law and relevant code of practice. In particular, material from foreign agencies could only be searched if all the requirements for searching material obtained by the UK security services were fulfilled. The Court further observed that there was no evidence of any significant shortcomings in the application and operation of the regime, or indeed evidence of any abuse.
It would have been nice if there was more of a blanket recognition of the problems of bulk interception and mass surveillance. Unfortunately, the court didn't go that far. But at the very least this has to be seen as a pretty massive vindication of Snowden's whistleblowing on the lack of oversight to protect privacy and the lack of safeguards to prevent telcos from sharing information with the government that should have been protected.