Simple browser automation.
Surveillance laws permitting GCHQ to operate its Tempora dragnet mass surveillance system broke the law, the European Court of Human Rights has ruled.
The judgment, handed down this morning in Strasbourg, vindicates the Edward Snowden revelations of 2013. The former NSA contractor revealed that Western spy agencies had been largely ignoring legal controls on their operations because, at the time, indiscriminate dragnet surveillance was more convenient than obeying the law.
Today’s ruling confirms that dragnet surveillance is not against the European Convention on Human Rights per se, provided that properly enforced safeguards to minimise indiscriminate spying are in force – and this is where UK.gov’s arguments fell apart.
“The Court considers that, when viewed as a whole, the section 8(4) regime, despite its safeguards… did not contain sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse,” ruled the European Court of Human Rights (ECtHR)’s Grand Chamber.
Section 8(4) is a reference to the Regulation of Investigatory Powers Act 2000. That section has since been replaced by the Investigatory Powers Act 2016, but the court was looking at allegedly unlawful acts by UK.gov in the past.
The ECtHR’s ruling added: “In particular, it has identified the following fundamental deficiencies in the regime: the absence of independent authorisation, the failure to include the categories of selectors in the application for a warrant, and the failure to subject selectors linked to an individual to prior internal authorisation.”
In wording unlikely to win the ECHR many friends in Whitehall or Cheltenham, the court said “it is of fundamental importance for at least the categories of selectors to be identified in the authorisation and for those strong selectors linked to identifiable individuals to be subject to prior internal authorisation providing for separate and objective verification of whether the justification conforms to the aforementioned principles.”
In other words, warrants authorising surveillance of named targets should be pondered in advance of each operation, not signed off in bulk (as the UK used to do) at the start of the year, and legal justification should be held on file – something the British spy agencies, MI5, MI6 and GCHQ, have been shoddy about in the past.
The Liberty human rights pressure group celebrated today’s judgment, with lawyer Megan Goulding saying in a statement: “We all want to have control over our personal information, and to have a government that respects our right to privacy and our freedom of expression. That’s what makes today’s victory, and the court’s recognition of the dangers posed by these mass surveillance powers, so important.”
- Furious Google techie on NSA snooping: ‘F*CK THESE GUYS’
- When it comes to privacy, everyone says America needs a new federal law ASAP. As for mass spying, well, um… huh what’s that over there?
- NSA: We’ve learned our lesson after foreign spies used one of our crypto backdoors – but we can’t say how exactly
- Ed Snowden doesn’t need to worry about being turfed out of Russia any more
- Chinese database details 2.4 million influential people, their kids, addresses, and how to press their buttons
She added: “Bulk surveillance powers allow the State to collect data that can reveal a huge amount about any one of us – from our political views to our sexual orientation. These mass surveillance powers do not make us safer.”
The Grand Chamber also ruled that sending intercepted data to non-ECHR signatory countries such as America would be unlawful unless it was stored securely to prevent “abuse and disproportionate interference” with ECHR rights, though it added that diplomatic assurances would be enough to meet that condition.
The Court of Appeal is expected to hear an ongoing, related UK case later this year.
What the ECtHR said about the ECHR
Today’s judgment ruled on three separate cases that had been linked together by the court because they all raised similar issues about the lawfulness of British dragnet surveillance laws. Everyone involved, including Liberty, Privacy International, EU campaign group EDRi and others, argued that “the [UK] regime for the bulk interception of communications was incompatible with Article 8 of the Convention.”
Article 8 of the European Convention on Human Rights (ECHR) is where the “right to respect for private and family life” comes from, as set out in the UK legal version of it contained in the Human Rights Act 1998.
Summarising their arguments, the court said: “The applicants contended that bulk interception was in principle neither necessary nor proportionate within the meaning of Article 8 of the Convention and, as such, did not fall within a State’s margin of appreciation.”
That “margin of appreciation” is the discretion which governments have to interfere with privacy rights “as far as is necessary in a democratic society”. The Foreign, Commonwealth and Development Office (FCDO), on behalf of the British government, argued that legal changes since the original Snowden revelations of 2013 meant the UK’s laws now complied in full with the ECHR.
“The Government contended that the interception of communications under the bulk interception regime would only have resulted in a meaningful interference with a person’s Article 8 rights if his or her communications were either selected for examination (that is, included on an index of communications from which an analyst could potentially choose items to inspect) or actually examined by an analyst,” said the court.
UK.gov “reiterated that any analysts who examined selected material had to be specially authorised to do so, and received mandatory regular training, including training on the requirements of necessity and proportionality. They were also vetted. Before they examined the material, they had to create a record setting out why access to the material was required, why it was consistent with the Secretary of State’s certificate and the requirements of [the Regulation of Investigatory Powers Act]; and why it was proportionate,” continued the court.
A spokesperson for Home Office said:
“The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world. This unprecedented transparency sets a new international benchmark for how the law can protect both privacy and security whilst continuing to respond dynamically to an evolving threat picture.
“The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge. We note today’s judgment.”
France, the Netherlands and Norway all formally supported the UK’s unsuccessful defence of dragnet surveillance powers. As the judgement points out, those countries, together with Finland, Germany, Sweden, Switzerland and the United Kingdom, all “officially operate bulk interception regimes over cables and/or the airways.”
The full, and dense, judgment can be read on the court’s website. ®
Browser automation without code.