UK Tribunal Says Spy Agencies Illegally Collected Communications Data In Bulk For More Than A Decade
from the 17-years-of-bulk-rogering dept
A big ruling has been handed down by the UK's Investigatory Powers Tribunal, stating that intelligence agencies' (GCHQ, MI5, MI6) bulk data collection has been illegal since its inception.
The ruling said the regime governing the collection of bulk communications data – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public.
It said the holding of bulk personal datasets (BPD) – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.
This ruling comes at a particularly opportune time -- just as the UK government is putting the finishing touches on another investigatory powers bill: the so-called Snooper's Charter. But not necessarily because this will deter GCHQ from further bulk data collections. In fact, the ruling may give pro-surveillance politicians a better idea of how to make future collections stand up to legal challenges.
On the other hand, the tribunal's examination of the case uncovered some interesting statements by agency insiders who rather presciently noted the press would have a field day if information about the programs were ever made public. (The statement also shows the agency was prepared to head off backlash by questioning the media's truthiness.)
The IPT ruling included the disclosure from an unpublished 2010 MI5 policy statement that the “bulk personal datasets” include material on the nation’s personal financial activities. “The fact that the service holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it says.
The ruling is the end result of Privacy International's multiple legal challenges to British spying powers. Even though this is a win for PI, the charity also notes that no ruling was made on how the illegally-obtained datasets should be disposed of… or if they even will be.
The UK government responded to the ruling showing it had "overseen" more than a decade's-worth of illegal data collection with a cheerily tone deaf, "Things are so much better now!"
"The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.
Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies."
It's not the stuff that's gone on for years. That's apparently not important. No, UK citizens need to keep their eyes on the prize: the ten months or so of legal spying UK intelligence agencies have been engaged in, as well as the eventual codification of other possibly-illegal surveillance programs.