Court Blesses Bulk Surveillance But Tells UK You’re Doing It Wrong

On September 13, the European Court of Human Rights (ECtHR) ruled that the United Kingdom’s bulk surveillance regime violates the European Convention on Human Rights (ECHR) rights to privacy and freedom of expression. The Court concluded the interception regime “does not meet the ‘quality of law’ requirement and is incapable of keeping the ‘interference’ to what is ‘necessary in a democratic society.’” (para 388) Specifically, the Court pointed to inadequate oversight of selection criteria and selector choices in searching intercepted communications, lack of safeguards in the selection of bearers for interception, lack of protections afforded to metadata, and lack of safeguards for journalists’ confidential materials. However, the ECtHR came up short by explicitly finding that “the decision to operate a bulk interception regime … is one which continues to fall within States’ margin of appreciation.” (para 387) In other words, the Court with the most advanced case-law addressing mass surveillance determined for the second time this year that bulk interception regimes—in principle—can be ECHR compliant.

The case consolidated three challenges, Big Brother Watch and Others v. United Kingdom, Bureau of Investigative Journalism and Alice Ross v. the United Kingdom, and 10 Human Rights Organisations and Others v. the United Kingdom, filed by non-governmental organizations and individuals campaigning for civil liberties in the wake of the 2013 Snowden revelations. Specifically, the parties challenged the legality of the UK’s program of tapping the fiber cables carrying internet traffic to scan and analyze all electronic data that goes in or out of the UK. The parties also challenged the intelligence sharing program between the UK and US, by which the National Security Agency (NSA) collected intelligence was provided to the UK. CDT filed third-party interventions (the equivalent of an amicus brief) in two of the challenges. We argued the UK violated the right to privacy (ECHR Article 8) by accepting surveillance data from the US because the US surveillance programs themselves are not compliant with Article 8.

This mixed judgment certainly contains process and substance victories. However the conclusion that bulk interception—aka “collect it all” surveillance—can be done in a manner compliant with human right requirements will hinder efforts to end mass surveillance. In short, the judgment is nuanced and the victories from this case, while significant, should be appropriately couched.

The UK’s Bulk Interception Program

The ECtHR evaluated the foreign bulk interception program authorized by the Regulation of the Investigatory Powers Act of 2000 (RIPA). While the Court noted that the regime had since been changed—including in the Investigatory Powers Act 2016, it cabined its analysis to the regime that was challenged.

At the time Section 8(4) of RIPA allowed the Secretary of State to issue warrants for the “interception of external communications.” The Secretary of State had to also issue a certificate setting out a description of the intercepted material and the reason why their examination was necessary. ‘Necessary’ was broadly defined under the law to include materials that were in the interests of national security, for the purpose of preventing or detecting serious crime, or for safeguarding the economic well-being of the United Kingdom. RIPA also demanded that the interception authorized by the warrant be proportionate to what was sought. That required a review of whether the information sought could be obtained by other means. Finally, pursuant to Section 16, intercepted material could not be selected to be read, looked at, or listened to “according to a factor which is referable to an individual who is known to be for the time being in the British Islands.” That is, RIPA permitted bulk collection for broadly defined purposes, and limited the use of selectors against that data to people believed to be outside of the British Islands.

The Good

The Court concluded the UK’s bulk interception program violated ECHR Article 8 because there was insufficient oversight both of the selection of the cables to tap as well as the filtering, search, and selection of intercepted communications for examination. There was also insufficient protection afforded to metadata. (para 387)

In the UK bulk interception regime, communications are intercepted from targeted cables, and are then filtered and searched using selectors like email addresses or phone numbers, or other search criteria. It should be noted that not much is known about the selectors, and they could be much broader than these to include, for example, all communications going to/from a country, or all searches on Google. The ECtHR found that “[i]n a bulk interception regime, where the discretion to intercept is not significantly curtailed by the terms of the warrant, the safeguards applicable at the filtering and selecting for examination stage must necessarily be more robust.” (para 346) To be more robust they must be subject to independent oversight, which the regime did not provide for.

The UK bulk interception program permits interception of both content and metadata and the UK afforded fewer legal safeguards to searching metadata (referred to as “communications data”). Specifically, the UK did not apply the Section 16 safeguard to metadata, which meant that such data could be collected and reviewed with no restriction. The Court observed that “the Court is not persuaded that the acquisition of related [metadata] is necessarily less intrusive than the acquisition of content.” (para 356) It rejected the Government’s argument that such data does not merit the same level of protection as content by highlighting the sensitive nature of metadata:

“For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related [metadata], on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with.” (para 356)

The Court also observed that the UK’s bulk interception program violated freedom of expression by failing to include proper safeguards to ensure that journalistic material is protected:

“[I]t is of particular concern that there are no [public] requirements…either circumscribing the intelligence services’ power to search for confidential journalistic or other material (for example, by using a journalist’s email address as a selector), or requiring analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved. Consequently, it would appear that analysts could search and examine without restriction both the content and the related communications data of these intercepted communications.” (para 493)

Furthermore, the Court also considered the “potential chilling effect that any perceived interference with the confidentiality of their communications, and in particular, their sources might have on the freedom of the press,” (para 495) in determining that there was an Article 10 violation.

The Bad

As already mentioned, the ECtHR approved the concept of bulk interception, “[i]t is clear that bulk interception is a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime.” (para 386)

Furthermore, advocates had demanded that the existing minimum requirements by which mass surveillance is evaluated (developed from Weber and Saravia v. Germany) should be updated to ensure adequate protection in light of governments’ exploitation of modern technology to “create detailed and intrusive profiles of intimate aspects of private lives by analysing patterns of communications on a bulk basis.” (para 280) The existing recognized minimum requirements that should be set out in law in order to avoid abuses of power include: specifying the nature of the offences which may give rise to an interception order; defining the categories of people liable to have their communications intercepted; limiting the duration of interception; articulating the procedure to be followed for examining, using, and storing the data obtained; specifying the precautions to be taken when communicating the data to other parties; and defining circumstances in which intercepted data may or must be erased or destroyed. Other safeguards were identified in Roman Zakharov v. Russia, including the arrangements for supervising the implementation of secret surveillance measures, notification mechanisms, and providing for remedies for unlawful surveillance in the national law. (para 307). Additionally, in Zakharov (paras. 260 and 262) and the case of Szabó and Vissy v. Hungary (paras. 71, 73, and 75), the Court strongly suggested that government surveillance should be conditioned upon prior judicial authorization, as well as reasonable and individualized suspicion; these requirements would help to prevent the indiscriminate or abusive surveillance practices made possible by powerful modern technology.

Consequently, advocates asked the Court to require reasonable suspicion in relation to the person for whom data is sought; prior independent judicial authorization of interception warrants; and subsequent notification of surveillance subjects. However, the Court discounted its own recent arguments about the importance of targeting requirements to prevent abuse. The ECtHR acknowledged that such “additional requirements…might constitute important safeguards in some some cases”, (para 316) but did not think they should be imposed in this matter. The first two suggestions were rejected for being “inconsistent with the Court’s acknowledgment that the operation of a bulk interception regime in principle falls within a State’s margin of appreciation.” (para 317) And while the ECtHR “considers judicial authorisation to be an important safeguard, and perhaps even a ‘best practice’, by itself it can be neither necessary nor sufficient to ensure compliance with Article 8 of the Convention.” (para 320) In this case it was deemed unnecessary because of the ex post controls available in the regime. (para 381)

The Intelligence Sharing Program

The ECtHR also reviewed the intelligence sharing practices between UK and US intelligence agencies for separate violations of the ECHR. In our interventions, CDT described the legal shortcomings in NSA surveillance operations, which we argued then poison the UK’s receipt of such information. We explained that EO 12333 surveillance lacks adequate transparency, and is not subject to any mandatory Congressional review, or to independent review. Furthermore, FISA Section 702 surveillance only includes review of targeting procedures, not court authorization of individual targets. Both types of surveillance fail to provide notice to surveillance subjects and neither is protective of non-United States persons. Both programs authorize over-broad surveillance that we argued is not in compliance with the proportionality requirements of ECHR Article 8.

The ECtHR recognized that there are serious risks with intelligence sharing regimes because “States could use intelligence sharing to circumvent stronger domestic surveillance procedures and/or any legal limits which their agencies might be subject to as regards domestic intelligence operations.” (para 423) The Court determined that just as interception itself is regulated, so too must information sharing, “as the material obtained is nevertheless the product of intercept, those requirements which relate to its storage, examination, use, onward dissemination, erasure and destruction must be present.” (para 423)

An evaluation of the NSA’s practices was deemed beyond the scope of the ECtHR’s review of the case. Instead the analysis rested upon how the UK requested information from the NSA and how the data was subsequently treated. In this review the Court found no violation of the ECHR:

“Due to the nature of global terrorism, and in particular the complexity of global terror networks, the Court accepts that taking such a stand – and thus preventing the perpetration of violent acts endangering the lives of innocent people – requires a flow of information between the security services of many countries in all parts of the world. As, in the present case, this “information flow” was embedded into a legislative context providing considerable safeguards against abuse, the Court would accept that the resulting interference was kept to that which was “necessary in a democratic society.” (para 446)

The Court did not weigh in on what standards should apply when the UK does not specifically request the information. In other words, what protections should be attached if the NSA provides unsolicited bulk interception data? This question is left for another Court to answer.

Moving Forward

The impact of this case will be felt most immediately in the UK. The UK’s bulk interception regime, which has since been replaced with the Investigatory Powers Act 2016, will need to be evaluated for its compliance with the judgment. Furthermore, this Court’s interpretation of the ECHR will provide guidance for other countries that are parties to the European Convention on Human Rights who will need to ensure their surveillance regimes conform to the standards discussed above. It is possible that this judgement will not be the final word on the matter as the case may be appealed to the ECtHR Grand Chamber.

More broadly there are questions about what this judgment means for the efforts to reform and end bulk interception programs. Just three months ago, the ECtHR ruled in Centrum För Rättvisa v. Sweden for the first time post-Snowden in favor of a government’s foreign bulk interception regime. This second judgment in Big Brother and Others signals that if bulk interception regimes are to be entirely dismantled, it will not be through the ECtHR.

While bulk interception regimes may remain intact, the ECtHR is offering guidance on how these regimes should be operated to safeguard privacy and freedom of expression rights; namely, surveillance schemes must be assessed holistically (para 320), and whatever combination of safeguards and requirements exist must in practice prevent abuse. This guidance about necessary safeguards will be significant in the coming years. All across Europe countries have passed sweeping surveillance regimes, including France, Germany, Italy, and Poland. This judgment provides strong support for the implementation of safeguards in mass surveillance regimes.

Another case dealing with the interplay between surveillance conducted by the United States and citizens of Europe will likely arise in the review of the Privacy Shield by the Court of Justice of the European Union, which had previously struck down the EU-US Safe Harbor. The CJEU will probably weigh the absence of independent judicial authorization of individual targets and selectors that characterizes Section 702 surveillance, but may take some comfort in the fact that the FISA Court approves broad and secret “certifications” that state the purposes for Section 702 surveillance. It may weigh the absence of independent judicial authorization of selectors used to query Section 702 data, but may find other aspects of the FISA Court oversight of this surveillance offset that concern, though that oversight—the approval of targeting and minimization procedures—is generally designed to protect Americans and people in the US, not Europeans outside the US. The CJEU will also weigh heavily its own decision in the joined cases of Tele2 Sverige, AB v. Post-och Telestyrelsen and Secretary of State v. Tom Watson, in which it found that mass data retention violates Article 8 of the Convention.

The next case dealing with mass surveillance before ECtHR is Association Confraternelle de la presse judiciaire v. la France et 11 autres requêtes, an application challenging the French Intelligence Act of 2015. CDT intervened in the proceedings in that case in France and plans to participate in the ECtHR proceedings as well.