CybersecurityFeaturedPolicyRead This

UK’s bulk surveillance regime breaches human rights, is a risk to journalists: Judges

The UK’s bulk surveillance regime — as revealed in the Edward Snowden leaks — violates the rights to privacy and freedom of expression under Articles 8 and 10 of the European Convention on Human Rights, and lets intelligence agencies mop up “significant amounts of confidential journalistic material” rendering them unable to protect their sources, the grand chamber of the European court of human rights has ruled.

The grand chamber judgment is the culmination of a legal challenge to GCHQ’s bulk interception of online communications initiated by Big Brother Watch and others in 2013 after Snowden’s mass surveillance revelations. Elements of Articles 8 and 10 are violated by the UK, the Grand Chamber ruled. In particular, the court found that section 8(4) of the UK’s RIPA surveillance act “did not meet the ‘quality of law’ requirement and was therefore incapable of keeping the ‘interference’ to what was ‘necessary in a democratic society'”.

“The use of selectors or search terms connected to a journalist would very likely result in the acquisition of significant amounts of confidential journalistic material which could undermine the protection of sources” ECHR Grand Chamber, May 2021

Operating a bulk interception regime itself was not an ECHR violation, the court held, adding that the Chamber “was satisfied that the United Kingdom was not abusing its bulk interception powers”. It noted that “bulk interception is of vital importance to Contracting States in identifying threats to their national security… because terrorists, criminals and hostile foreign intelligence services had become increasingly sophisticated at evading detection by traditional means; and secondly, because the nature of the global Internet meant that the route a particular communication would travel had become hugely unpredictable.”

The case was brought in the wake of the Edward Snowden leaks, which revealed the existence of a sweeping bulk surveillance programme.

The chamber also concluded that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments [pdf] was not illegal.

Yet under section 8(4) of the UK’s RIPA legal regime, “confidential journalistic material could have been accessed by the intelligence services either intentionally, through the deliberate use of selectors or search terms connected to a journalist or news organisation, or unintentionally, as a ‘bycatch’ of the bulk interception operation,” the court found on May 25.

Indeed, the simple use of a search connected to a journalist was the equivalent to a search of their home or office, the court said.

“Where the intention of the intelligence services is to access confidential journalistic material, for example, through the deliberate use of a strong selector connected to a journalist… the Court considers that the interference will be commensurate with that occasioned by the search of a journalist’s home or workplace; regardless of whether or not the intelligence services’ intention is to identify a source, the use of selectors or search terms connected to a journalist would very likely result in the acquisition of significant amounts of confidential journalistic material which could undermine the protection of sources to an even greater extent than an order to disclose a source,” the court said this week in a damning finding.

Robust safeguards are needed to prevent abuse of this ability, the chamber said, noting that “there was no requirement that the use of selectors or search terms known to be connected to a journalist be authorised by a judge or other independent and impartial decision-making body invested with the power to determine whether it was ‘justified by an overriding requirement in the public interest’ and whether a less intrusive measure might have sufficed to serve the overriding public interest. On the contrary, where the intention was to access confidential journalistic material, or that was highly probable in view of the use of selectors connected to a journalist, all that was required was that the reasons for doing so, and the necessity and proportionality of doing so, be documented clearly.”

“The Court considers it imperative that domestic law contain robust safeguards regarding the storage, examination, use, onward transmission and destruction of such confidential material”, it found.

“Moreover, even if a journalistic communication or related communications data have not been selected for examination through the deliberate use of a selector or search term known to be connected to a journalist, if and when it becomes apparent that the communication or related communications data contain confidential journalistic material, their continued storage and examination by an analyst should only be possible if authorised by a judge or other independent and impartial decision-making body invested with the power to determine whether continued storage and examination is “justified by an overriding requirement in the public interest”.

While the UK’s Interception of Communications Code of Practice (IC Code) of 2018 put in place some safeguards, “there was no requirement that the use of selectors or search terms known to be connected to a journalist be authorised by a judge or other independent and impartial decision-making body invested with the power to determine whether it was ‘justified by an overriding requirement in the public interest'” the court held.

“In view… of these weakness, and those identified by the Court in its consideration of the complaint under Article 8 of the Convention, it finds that there has also been a breach of Article 10 of the Convention by virtue of the operation of the section 8(4) regime” it concluded.

See the full ruling here.

The Home Office said in a comment email to The Stack: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.This unprecedented transparency sets a new international benchmark for how the law can protect both privacy and security whilst continuing to respond dynamically to an evolving threat picture. The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge. We note today’s judgment.”

Follow The Stack on LinkedIn

Tags

Ed Targett

Ed Targett is founder of The Stack. He has previously served as editor at Tech Monitor, Computer Business Review, and Roubini Global Economics.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Close
Close