From the late 1990s until just under a year ago, UK intelligence agencies MI5, MI6 and GCHQ illegally collected data on citizens, according to a new ruling from the Investigatory Powers Tribunal, which oversees the spy services.
The tribunal found that for 17 years, from the mass surveillance programs’ inception in 1998 until last November, all three agencies violated the European Convention on Human Rights in their collection of “bulk communication data” (BCD), or what is frequently called “metadata” in US legal jargon. The ruling also found that the agencies’ collection of “bulk personal datasets” (BPD) has likewise broken the law since they began gathering them around 2006. Privacy International, the group which brought the case, called the ruling a victory.
“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale,” said Millie Graham Wood, legal officer at Privacy International. “There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”
Still, the ruling is far from a total victory for privacy advocates. According to Privacy International, the ruling included no such guarantee that the previously collected data will be deleted. And even as the court ruled the past surveillance programs illegal, it found that those in place now can continue.
“The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes,” a UK government spokesperson reportedly said. “Through the Investigatory Powers Bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies.”
Indeed, as Tim Cushing of TechDirt notes, “the ruling may give pro-surveillance politicians a better idea of how to make future collections stand up to legal challenges” as they prepare to push through the IP Bill, otherwise known as the Snooper’s Charter.
The IP Bll “contains a number of proposals aimed at bulking up surveillance powers open to the UK intelligence agencies MI5 and GCHQ, while allegedly increasing the oversight regime available to the politicians at Whitehall,” according to Jason Murdock of the International Business Times UK. These bulked-up powers include a mandate that tech companies store metadata records for a year, along with additional bulk personal dataset collection abilities for the spy agencies.
The British intelligence services have long had vast capabilities to find out more about virtually any given individual than that person knows about themselves. As Ryan Gallagher of the Intercept reported last year, a GCHQ program called KARMA POLICE — apparently named after the Radio Head song — that was in the planning stages in 2008 had the building of “a web browsing profile for every visible user on the internet” as its stated purpose. KARMA POLICE is just one of a plethora of programs and surveillance tools available to British intelligence, with code names like BLACK HOLE, MUTANT BROTH, INFINITE MONKEYS, SOCIAL ANTHROPOID, MARBLED GECKO and MEMORY HOLE.
Despite the UK spy agencies’ push for even greater surveillance powers through passage of the so-called Snooper’s Charter, though, Gallagher also notes that there is still reason to be optimistic about the Investigatory Powers Tribunal ruling.
“It is often argued by government officials that mass collection of data is not on its face a violation of privacy, and that privacy is not breached until individual communications are looked at or analyzed by humans,” he writes. “Notably, the tribunal’s ruling on Monday disagreed with that notion, stating that the privacy protections contained in the European Convention on Human Rights are ‘engaged by the transfer and storage of communications data even if it is not accessed.’ This principle may turn out to be important in a separate case that remains ongoing in the European Court of Human Rights, which is expected to look more closely at the legality of the U.K.’s mass surveillance programs.”
That lawsuit, which is being brought against the UK government in the ECHR by a coalition of ten groups including Privacy International, Amnesty International and the American Civil Liberties Union, challenges the legality of Britain’s BLACK HOLE, MUTANT BROTH and KARMA POLICE programs.
Prior to this summer’s so-called “Brexit” vote, Richard Dearlove, the former head of MI6, wrote that a benefit of Britain leaving the European Union would be “the ability to dump the European Convention on Human Rights,” although Rob Wainwright, director of Europol, has said such arguments “do not stand much scrutiny.” It remains to be seen how much legal surveillance authority the UK intelligence agencies will be allowed, and whether, once those legal limits have been made clearer, the spy agencies will stay within them.