It’s hard to believe that the Snowden Files were leaked some five years ago. Despite the passing of time, and the seismic happenings in world politics, the fallout rumbles on – as last week’s ruling against GCHQ demonstrates.
Although hailed by privacy campaigners as a “landmark judgement” that vindicates Snowden’s whistleblowing, the ruling relates to the UK’s surveillance system that existed in 2013.
Given that new legislation is now in place, what impact will this ruling actually have – and should we still be concerned about government snooping?
A history lesson: RIPA, DRIPA and IPA
Edward Snowden exposed ‘population scale’ government surveillance programmes in 2013 Credit: Lawrence Holmes Flickr
‘RIPA, DRIPA and IPA’ are shorthands for the various laws that have governed state surveillance since 2000.
RIPA – the Regulation of Investigatory Powers Act 2000 – is the framework under which GCHQ conducted its mass surveillance programme, as exposed by Snowden.
It is therefore the basis of the recent ruling by the Human Rights Court in Strasbourg, last week.
Given the digital advancements of the previous decade, by 2013, many in law enforcement considered RIPA to be outdated and inadequate – an alleged hindrance to their ability to monitor the communications of suspected terrorists.
However, an attempt by then home secretary Theresa May to introduce a new law granting even wider surveillance powers – the Communications Data Bill, the first incarnation of the so called ‘Snooper’s Charter’ – was unsuccessful, blocked by coalition partners the Liberal Democrats.
What followed was a piece of emergency legislation known as “DRIPA” (The Data Retention and Investigatory Powers Act), which was passed in 2014. Although it expired in 2016, the Court of Appeal has since ruled that its remit also breached human rights law.
That leaves the Investigatory Powers Act (“IPA”), the current law governing, and authorising, the Government’s surveillance system. It came into force in December 2016, despite opposition from privacy campaigners.
RIPA is Dead but IPA is Alive and Kicking
Image Credit: netzpolitik.org / Flickr
Although the ruling of the Human Rights Court relates to RIPA, the old framework, many of the principles apply to the current IPA – a law described as “even more intrusive” by the likes of Amnesty, Liberty and Big Brother Watch.
Their concerns include sweeping retention powers, bulk interception and hacking powers, and bulk datasets, which are explained in more detail below.
Sweeping Retention Powers
The IPA allows ministers to issue ‘retention notices’ to communication companies and service providers, requiring their retention of our communications data (when, where, how and with whom we’re communicating) for up to 12 months. This includes records of our internet browsing history – the websites we visit, although not individual webpages.
Controversially, this data can be obtained by public authorities for reasons unrelated to the prevention of serious crime – for example, to collect taxes and fines. Authorisation by an independent person, such as a judge, isn’t required.
Liberty has already succeeded in challenging this part of the IPA; in April 2018, the High Court ruled that such widesweeping, and unchecked, retention powers violated the right to privacy. In doing so, it echoed the Court of Appeal’s previous criticism of DRIPA.
Bulk Interception, Acquisition and Hacking Powers
As well as targeted snooping, the IPA allows ‘bulk warrants’ to be granted.
These give the state access to our communications en masse – this is done either by intercepting them directly during transmission or by forcing communication companies to hand swathes of data over.
A bulk warrant can also be given to authorise the widespread hacking of our electronic devices.
These warrants can only be granted to the UK’s intelligence agencies, upon the approval of both a minister and judge, and – in the case of interception and hacking warrants – only for the purpose of revealing the content of data going to, or coming from, abroad.
Nevertheless, campaigners argue that snooping on people in an indiscriminate manner, without there being any suspicion of criminal activity, is an invasion of privacy and morally wrong. They also argue that judges’ power of review is limited.
In its ruling, the Human Rights Court did not object to bulk interception regimes in principle.
However, it found the UK’s approach (under RIPA) to be lacking, especially when it came to selecting what data to intercept, and then examine.
This may form the basis of any legal challenge to the bulk warrant regime under the IPA – one that Liberty is already pursuing in the UK courts.
Bulk Personal Datasets
Liberty’s second attack on the IPA is also based on its objection to ‘personal dataset warrants’.
These allow GCHQ to access databases held by other agencies, where the majority of personal data collated relates to people ‘who are not, and are unlikely to become, of interest to the intelligence services’.
Examples include databases held by credit agencies, DVLA and the Land Registry.
These warrants effectively legalise collateral damage, enabling the trawling and retention of ‘incidental’ personal data for ‘legitimate’ intelligence-gathering purposes.
However, Liberty argues: “these [databases] contain details on religion, ethnic origin, sexuality, political leanings and health problems, potentially on the entire population – and are ripe for abuse and discrimination.”
Threat to Freedom of Expression
It’s not just privacy issues driving campaigners’ objections to the IPA. The National Union of Journalists, for example, has argued that journalists’ confidential material, including the identity of sources, is not adequately protected by the Act.
Referring to the old framework, RIPA, last week’s Human Rights Court ruling shared their concern. It held the UK’s mass surveillance regime did not adequately limit the State’s power to search for confidential journalistic material.
The Court also found that authorities could acquire journalists’ communications data from service providers with relative ease – as the Police did in the ‘Plebgate’ affair to identify who was behind leaks to the press.
While the ‘Plebgate’ scandal prompted the need for additional scrutiny by a judge, this only applied where access to data was being requested for the purpose of identifying a source. “Collateral intrusion” remained a risk, therefore.
Taking these oversights into account, the Human Rights Court found there had been a violation of freedom of expression under Article 10 of the Convention.
By jeopardising the protection of sources, the flow of information – and, with it, the airing of stories of public interest – was at risk.
As many of these loopholes apply to the IPA, a legal challenge on this basis may now follow.
The UK government has until November 2018 to rewrite parts of the IPA – those relating to sweeping retention powers – following Liberty’s victory in the High Court earlier this year.
However, the recent ruling by the Human Rights Court undoubtedly ‘ups the ante’, as before the judgement, campaigners stated that any victory would require the wholesale re-write of the IPA.
In particular, Liberty’s second legal challenge to the Act is likely to be influenced by the ruling, especially when it comes to the legality of the UK’s bulk interception regime.
Even if the Government manages to win over the UK courts, maintaining mass snooping powers could pose additional hurdles after the UK leaves the European Union.
In the wake of Snowden’s revelations, the European Court of Justice struck down the EU’s ‘Safe Harbour’ agreement with the US, which allowed personal data to flow freely to and from America.
If the EU has similar doubts about the safety of its citizens’ data, in the face of extensive UK surveillance powers, the ‘free movement of data’ between the UK and its European neighbours could be at risk – posing another barrier to trade.