European Court Of Human Rights: UK Surveillance Revealed By Snowden Violates Human Rights

from the well-of-course-it-does dept

Yet another vindication of Ed Snowden. Soon after some of the documents he leaked as a whistleblower revealed that the UK's GCHQ was conducting mass surveillance, a variety of human rights groups filed complaints with the European Court of Human Rights. It's taken quite some time, but earlier today the court ruled that the surveillance violated human rights, though perhaps in a more limited way than many people had hoped.

At issue were three specific types of surveillance: bulk interception of communications, sharing what was collected with foreign intelligence agencies, and obtaining communications data (metadata) from telcos. The key part of the ruling was to find that the bulk interception of communications violated Article 8 of the Human Rights Act (roughly, but not exactly, analogous to the US 4th Amendment). It was not a complete victory, as the court didn't say that bulk interception by itself violated human rights, but that the lack of oversight over how this was done made the surveillance "inadequate." The court also rejected any claims around GCHQ sharing the data with foreign intelligence agencies.

In short, the court found that bulk interception could fit within a human rights framework if there was better oversight, and that obtaining data from telcos could be acceptable if there were safeguards to protect certain information, such as journalist sources. But the lack of such oversight and safeguards doomed the surveillance activity that Snowden revealed.

Operating a bulk interception scheme was not per se in violation of the Convention and Governments had wide discretion (“a wide margin of appreciation”) in deciding what kind of surveillance scheme was necessary to protect national security. However, the operation of such systems had to meet six basic requirements, as set out in Weber and Saravia v. Germany. The Court rejected a request by the applicants to update the Weber requirements, which they had said was necessary owing to advances in technology.

The Court then noted that there were four stages of an operation under section 8(4): the interception of communications being transmitted across selected Internet bearers; the using of selectors to filter and discard – in near real time – those intercepted communications that had little or no intelligence value; the application of searches to the remaining intercepted communications; and the examination of some or all of the retained material by an analyst.

While the Court was satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers, it found that there was inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination. Furthermore, there were no real safeguards applicable to the selection of related communications data for examination, even though this data could reveal a great deal about a person’s habits and contacts.

Such failings meant section 8(4) did not meet the “quality of law” requirement of the Convention and could not keep any interference to that which was “necessary in a democratic society”. There had therefore been a violation of Article 8 of the Convention.

The court also found that acquiring data from telcos violated Article 8 as well, for similar reasons.

It first rejected a Government argument that the applicants’ application was inadmissible, finding that as investigative journalists their communications could have been targeted by the procedures in question. It then went on to focus on the Convention concept that any interference with rights had to be “in accordance with the law”.

It noted that European Union law required that any regime allowing access to data held by communications service providers had to be limited to the purpose of combating “serious crime”, and that access be subject to prior review by a court or independent administrative body. As the EU legal order is integrated into that of the UK and has primacy where there is a conflict with domestic law, the Government had conceded in a recent domestic case that a very similar scheme introduced by the Investigatory Powers Act 2016 was incompatible with fundamental rights in EU law because it did not include these safeguards. Following this concession, the High Court ordered the Government to amend the relevant provisions of the Act. The Court therefore found that as the Chapter II regime also lacked these safeguards, it was not in accordance with domestic law as interpreted by the domestic authorities in light of EU law. As such, there had been a violation of Article 8.

Both of those elements also ran afoul of Article 10's protection of free expression because journalists' communications had been swept up in the bulk data collection:

In respect of the bulk interception regime, the Court expressed particular concern about the absence of any published safeguards relating both to the circumstances in which confidential journalistic material could be selected intentionally for examination, and to the protection of confidentiality where it had been selected, either intentionally or otherwise, for examination. In view of the potential chilling effect that any perceived interference with the confidentiality of journalists’ communications and, in particular, their sources might have on the freedom of the press, the Court found that the bulk interception regime was also in violation of Article 10.

When it came to requests for data from communications service providers under Chapter II, the Court noted that the relevant safeguards only applied when the purpose of such a request was to uncover the identity of a journalist’s source. They did not apply in every case where there was a request for a journalist’s communications data, or where collateral intrusion was likely. In addition, there were no special provisions restricting access to the purpose of combating “serious crime”. As a consequence, the Court also found a violation of Article 10 in respect of the Chapter II regime.

On the final issue of passing on the info to foreign intelligence agencies, the court didn't find any human rights issues there:

The Court found that the procedure for requesting either the interception or the conveyance of intercept material from foreign intelligence agencies was set out with sufficient clarity in the domestic law and relevant code of practice. In particular, material from foreign agencies could only be searched if all the requirements for searching material obtained by the UK security services were fulfilled. The Court further observed that there was no evidence of any significant shortcomings in the application and operation of the regime, or indeed evidence of any abuse.

It would have been nice if there was more of a blanket recognition of the problems of bulk interception and mass surveillance. Unfortunately the court didn't go that far. But at the very least this has to be seen as a pretty massive vindication of Snowden whistleblowing on the lack of oversight to protect privacy and the lack of safeguards to prevent telcos from sharing information with the government that should have been protected.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Dave Cortright (profile), 13 Sep 2018 @ 11:19am

    Show me an example of "proper channels" working

    Of course as I'm reading this, I can already hear the government apologists saying that he should have used "proper channels" to rectify the problem. Of course the obvious problem is that Snowden wasn't even a UK citizen or working for any UK org, so how exactly would that work?

    But more to the point, I'd love to see even just one example of "proper channels" actually resulting in such a legal precedent. We have plenty of examples of people trying to use proper channels and getting ignored, shut down, or even undermined.

    reply to this | link to this | view in chronology ]

  • identicon
    bob, 13 Sep 2018 @ 11:48am

    the UK must be really afraid now.

    Ah the real reason the UK wanted to leave the EU. The court smack down was coming. ;p

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Sep 2018 @ 1:46pm

    Remember

    The government has never metadata it didn't like.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Sep 2018 @ 1:47pm

    ThinThread. We had an actual program that gathered data and minimized it for citizen privacy. Then they junked it for mass surveilance and went after the agents who spoke out about it. Just remember, they could do this right, but they don't want to.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 13 Sep 2018 @ 1:57pm

    Bulk interception??

    Describe??Explain??

    There really isnt Such a thing, for 1 BIG reason..You limit the area/location/persons/groups/.../... you want or think need to be monitored..

    REAL Bulk would be EVERYONE in the country or Nation..
    I dont mind that..because of 1 thing...TRY AND SCAN all that data, in a timely manner.
    The amounts of data are astounding..And sorting is a monstrous task.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Sep 2018 @ 12:49am

      Re: Bulk interception??

      GCHQ has at least a 3 day rolling "full take" buffer of all internet traffic crossing its borders. And, trust me, they can index and search that. How much of that goes into permanent storage I dont know.

      reply to this | link to this | view in chronology ]

    • identicon
      Canuck, 14 Sep 2018 @ 9:00am

      Re: Bulk interception??

      I hear that Utah is lovely this time of year.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Sep 2018 @ 5:19am

    well, you know...

    Britian's fear of IRA bombings caused all of this

    reply to this | link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 14 Sep 2018 @ 6:05am

      Re: well, you know...

      No, because the Good Friday Agreement put an end to that. Brexit reignites that fear as a hard border will most likely be imposed if Britain becomes a "third country."

      The problem: leading Brexiteer ministers didn't realise until it was repeatedly pointed out to them that the Republic of Ireland is a sovereign nation. God help us all!

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Sep 2018 @ 6:34am

        Re: Re: well, you know...

        the Good Friday Agreement may have put an end to the bombings, but the "surveillance keeps us safe" fallacy was already in motion by then

        reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.