Tribunal throws unprecedented critical spotlight on the human-rights compliancy of the UK ‘spy’ agency activities revealed by Snowden
The difficulties created by the borderless nature of modern communications are no more evident than when considered in the context of the duties of nation states to look after the security of their citizens, and the outpacing of surveillance law by technology as it advances at rapid speed. The consequences of these advances have recently been scrutinised within the UK to an unprecedented level as a direct result of the Snowden revelations in 2013. This series of events prompted reviews into the legality of surveillance activities carried out in in the UK in tandem with the US security agencies. Also subject to review has been the adequacy (‘fitness for purpose’) of the legal framework, policies and procedures governing the UK intelligence agencies’ access to private communications, as well as wider considerations of the appropriate balance between privacy and security in the Internet age.
The judgement in the case The National Council of Civil Liberties and others v The Secretary of State for Foreign and Commonwealth Affairs and others IPT/13/77/H, issued last month, is a good case in point. Despite the hearing being held ‘in camara’ and embroiled in ‘hypotheticals’ pursuant to the customary UK policy practice of neither denying or confirming information regarding intelligence activities in order to protect intelligence and agents, the Investigatory Powers Tribunal (IPT) held that the UK government had contravened the European Convention on Human Rights (ECHR), in particular Articles 8 and 10. To such an end, the case, brought by representatives of human rights organisations here and abroad is unique in being the only time (so far) that the IPT has concluded that actions of the UK intelligence services – the Security Service (‘MI5’), the Secret Intelligence Service (‘MI6’) and the Government Communications Headquarters (‘GCHQ’) – have been carried out illegally.
The IPT drew its conclusion based on the fact that the UK government had not made public its arrangements for ensuring compliance with the ECHR in respect of receipt of intercepted information from the US government’s ‘Prism’ and ‘Upstream’ intelligence programmes. Both of these programmes (allegedly) involved the collection of information about UK citizens from electronic communications service providers or via communications as they transit the Internet. Therefore, the IPT held that the UK government was in breach of Article 8 (the right to respect for private and family life, home and correspondence) and Article 10 (the right to freedom of expression) of the ECHR until such time that certain information was sufficiently signposted to the public (more detail below).
Whereas in this case the IPT case considered whether there has been in fact any unlawful interception or treatment of private communications, in December 2014 the IPT gave judgement on a distinct but related case brought by the same complainants. They sought declarations that the (same) respondents had unlawfully failed to ensure that there was in place a legal regime in compliance with Articles 8 and 10 ECHR. This regime encompasses the rules that govern the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK that may be obtained by foreign intelligence agencies. In particular, the complainants asked the IPT to review the legality of the lawfulness of the interception of communications by the UK intelligence agencies pursuant to the rules about the authorisation of warrants to intercept communications under section 8(4) of the Regulation of Investigatory Powers Act 2000 (RIPA). In that earlier judgement, the IPT held that the current regime, both in relation to Prism and Upstream, when conducted in accordance with the requirements set out in domestic legislation, codes of practice and Parliamentary supervision, was both lawful and human rights compliant. In particular, it held that section 8(4) RIPA remains fit for purpose.
To understand the issues here, we need to consider section 8 of RIPA in full as it sets out the UK statutory regime governing the use of surveillance authorisation warrants. According to section 8(1), a warrant must identify a particular subject or a set of premises against which an interception is being carried out and, where an individual is the subject of the warrant, interception may be carried out against any communications service used by that person provided these services are detailed in the schedule to the warrant (section 8(2)). However, this ‘identity information’ does not need to appear in the warrant where the interception is of an “external communication” in the course of its transmission by a telecommunication system (section 8(4)). That is, an external communication so defined is one sent or received outside the British Islands. In effect, section 8(4) enables the UK agencies to search for internal messages from communication between two foreign parties, triggered perhaps by the receipt of foreign intelligence. In the Internet age, however, the distinction between internal and external communications is blurring in practice.
An example of the latter, according to the government, is an email to a person sitting next to me that travels to a web server based abroad, i.e. relying on the argument that even if both ends are in the UK, a communication is still ‘external’ if (technically) it leaves the country in transit. This legal construct of ‘external communications’ has also been argued by the government to include communications via web-based platforms – such as US hosted social media – that are not to another person, but to a wide audience (being communications with the platform, and thus deemed communications that ends outside the UK). The complainants who brought the case to the IPT called into question the adequacy of this interpretation. In particular, they claimed that the statutory definitions should be updated to take into account the far more privacy-intrusive implications of modern communications, which are of a type that Parliament could not have had in mind when RIPA originally made its way through the legislative process.
Returning again to its 2015 judgement, the IPT concluded that whereas there had been a breach in the rules in the past, existing practices regarding the interception of communications data relating to UK-based individuals was now ECHR-complaint, and therefore lawful, because of subsequent disclosures made by the agencies. In particular, it was now sufficiently sign-posted to the public (as a consequences of disclosures set forth in the 2014 judgement) that where a request was made for intercepted information without a warrant under RIPA, the protections set out in RIPA would still apply.
In related news this month, the Home Office published a consultation on two draft codes of practice associated with RIPA, one of which deals directly with the issue of the interception of communications. That draft code updates the existing interception of communications code to include new case law and legislative developments. It also gives additional information on the interception and handling of external communications under section 8(4) and provides further information on the protections given to legally privileged and other confidential material. Clarification in this area is to be welcomed.
Overall, therefore, unsurprisingly Snowden’s legacy is to have thrown a more critical spotlight on the scope of the capabilities provided to intelligence agencies in the UK. More surprisingly, however, as the cases described illustrated, it is the very lack of public domain information about the agencies activities that may lay them most open to future challenges for failing to meet their human rights obligations (rather than what they actually do that impacts significantly upon people’s privacy in the name of protecting national security).
Alison Knight