Incyder news

 

17 October 2018



ECtHR: When not backed by strong safeguards, mass surveillance violates privacy

In many states, the only vehicle for untargeted surveillance is, or was, data retention. The Court of Justice of the European Union (CJEU) has clearly expressed where it stands on the matter, in Digital Rights Ireland and in particular more recently in Tele2 Sverige where it spelled out that surveillance not based on reasonable suspicion and which remains untargeted is not compatible with the EU Charter on Fundamental Rights. The European Court of Human Rights’ (ECtHR) judgement in Big Brother Watch and Others v UK, although ruling a mass surveillance scheme illegal, is not a proper equivalent to the CJEU cases, since it is not as categorical and in many aspects is much more lenient towards untargeted surveillance. The judgment contains treats as well as some tricks, and therefore is a mixed bag for human rights activists, as aptly described by Marko Milanovic in the EJIL blog.

In Tele2 Sverige, the CJEU came to the conclusion that untargeted data retention is unlawful because it is untargeted, disregarding all the safeguards, oversight mechanisms and remedies in place. The ECtHR held quite the opposite view – that although the UK’s surveillance programmes fell short of the legal standard required, the untargeted nature in itself was not disproportionate. Another aspect in which the judgment constitutes a precedent is that it touches, although with utmost caution, on the issue of intelligence sharing, an area characterised by secrecy and regulatory mist.

 

The surveillance regime in question

In 2014, the UK government asked Lord David Anderson, the Independent Reviewer of Terrorism Legislation, to review the investigatory powers vested in the UK’s intelligence agencies. In his subsequent report he noted, among other things, that the Regulation of Investigatory Powers Act 2000 (RIPA) surveillance regime was, as it stood in 2015, obscure and incomprehensible to the point of being ‘undemocratic, unnecessary and – in the long run – intolerable’.[1] The following is a brief (and oversimplified) description of the now-defunct surveillance regime authorised under Section 8(4) of the now-defunct RIPA.

In RIPA terminology, signals intelligence was referred to as ‘interception of external communications in the course of their transmission by means of a telecommunication system’.[2] Only ‘external’ communications (those which begin and/or end outside the British Isles, also referred to as ‘one-end foreign’) could be collected in bulk.[3] However, the British government also included communications that were routed via foreign service providers such as Google or Facebook among these external communications. Section 5(6) allowed for the incidental interception of internal communications, since in practice the two categories were often indistinguishable.

The collection, retention and later analysis of communications data under RIPA section 8(4) took place in four distinct stages:[4]

1. The interception of a small percentage of internet bearers, selected as being those most likely to carry external communications of intelligence value.

2. The filtering and automatic discarding (in near real-time) of a significant percentage of intercepted communications, being the traffic least likely to be of intelligence value.

3. The application of both simple and complex search criteria to the remaining communications, with those that match the relevant selectors being retained and those that do not being discarded.

4. The examination of some (if not all) of the retained material by an analyst.

On 30 December 2016, RIPA was repealed and replaced by the Investigatory Powers Act 2016 (IPA), which first and foremost sought to tidy the nebulous legal framework stemming from RIPA. While clarifying the system of issuing warrants, it did not noticeably limit law enforcement’s and intelligence agencies’ mandate for bulk surveillance.

 

Metadata is no easy way out

The one area in which the Court gave its unambiguous support to Big Brother Watch and their co-applicants was that metadata is just as sensitive and revealing as content data, and therefore its collection and retention should be subject to equally diligent procedures. The ECtHR had previously referred to CJEU case law (and vice versa), and hence started to build an interesting dialogue between the two. In Big Brother Watch v UK, while it otherwise often stood in stark contrast to the CJEU, it did not downplay the infringement potential associated with communications metadata.

In the context of carrying out the surveillance procedures authorised under Section 8(4) of RIPA, communications metadata is referred to as ‘related communications data’. When considering this, the Court followed the lead of the CJEU as expressed in Digital Rights Ireland and reiterated in Tele2 Sverige. In a judgement where four of the judges expressed dissent on key issues, no member of the sitting chamber opposed the prevailing view on whether metadata could be treated with less diligence and care. The ECtHR did not, however, oppose the bulk collection of metadata in itself, but rather the lack of accompanying oversight and safeguards.

Section 16 of RIPA allows that information gathered under Section 8(4) can be accessed and used to the extent that it is not ‘referable to an individual who is known to be for the time being in the British Islands.’ The applicants argued that access to communications metadata was not subject to the same guarantees and safeguards as content data, and that communications metadata could be exploited to gain access to the communications of people outside the British Islands. The government, however, explained that being able to access metadata formed the basis of the Section 16 safeguards, since it enabled allocation to a data subject. The Court held that, while allocation is indeed essential, there were no legitimate grounds for applying lesser safeguards to the gathering and processing of metadata.

 

The quality of law requirement

As of October 2018, across the EU only France, Italy, the UK, Sweden and the Netherlands have adopted laws that specifically regulate untargeted surveillance. This does not indicate that other EU states lack the capacity or are not carrying out such dragnet communications intelligence.[5] In July 2018, the ECtHR issued its decision in Rättvisa v Sweden, and the UK’s (now repealed) scheme was the second to come under the scrutiny of an international court; a French case is still pending. The main predicament the Court has to deal with is establishing just how far it is possible to apply case law regarding targeted surveillance in the context of today’s technological ‘sea change’. The judgement in Rättvisa vs Sweden was built on the precedents of Klass, Weber and Saravia, Liberty and Zakharov. Another source that the Court cited extensively was the Venice Commission’s report on democratic oversight of intelligence authorities.[6] The case law and sources referred to prescribe that, to meet the quality of law requirement, any surveillance regime, whether targeted or not, must specify:

  • the nature of offences which may give rise to an interception order;

  • a definition of the categories of people liable to have their communications intercepted;

  • a limit on the duration of interception;

  • the procedure to be followed for examining, using and storing the data obtained;

  • the precautions to be taken when communicating the data to other parties; and

  • the circumstances in which intercepted data may or must be erased or destroyed.

While in its assessment the Court applied the standards developed in Weber and Saravia and Liberty in a pretty straightforward manner, the applicants (and two dissenting judges) were convinced that these criteria should be revised in the light of enhanced SIGINT, automated data mining and analysis capabilities. They suggested that any such programme that seeks to be proportionate and necessary should:

a) conduct surveillance solely on the basis of reasonable suspicion; and

b) be subject to ex ante judicial oversight.

Here comes perhaps the greatest disappointment for the applicants. Unlike the CJEU, the Court admitted that in today’s environment, bulk interception is a valuable means of strengthening national security, combating crime and protecting the economic well-being of a country.[7] Therefore, the indiscriminate nature of data collection in itself does not constitute a problem. As for the first proposed additional requirement, it implied in principle that evidence-based and personalised collection of communications data would obviate any advantage that bulk interception might offer. Therefore, the Court did not deem it appropriate to ‘add them to the list of minimum requirements in the case at hand’. The Court, however, agreed that the additional requirements proposed by the applicants might constitute important safeguards in some cases.

In regard to the second additional standard, the Court cited its previous case law and the Venice Commission’s report to conclude that the lack of ex ante judicial authorisation was, in the present case, compensated by independent oversight.

Nevertheless, the Court declared the RIPA regime to be in conflict with the quality of law requirement. The primary shortcomings were the lack of independent oversight over the selection of targets for interception, search terms and keywords (see step 1).[8]

The second major drawback, logically derived from the first, is that the regime lacked any real safeguards applicable to the selection of related communications data for examination.

 

A modest precedent on intelligence sharing

Another camouflaged method for governments to spy on people in their territory is to do it through intelligence sharing. However, having access to residents’ communications is not the primary objective of intelligence collaboration. Understandably, intelligence sharing is one of the most efficient and widely employed practices, and its efficiency arises to a considerable degree from opacity. A report published by the EU Fundamental Rights Agency in 2017 showed that, among the 28 EU Member States studied, 17 do not require oversight of such activity, while others foresee oversight which is very limited when compared to that of national intelligence activities. Only a few Member States have introduced safeguards specifically tailored to international intelligence sharing; as an exception, requiring prior approval from the executive has been made mandatory in 27 EU Member States.[9]

Big Brother Watch was the first case where the Court had to weigh up intelligence sharing and on some crucial aspects it did make a statement. In a victory for privacy activists, the Court left no doubt that, from the perspective of human rights, intelligence sharing stands on par with active national surveillance measures. Since the potential infringement is just as grave, there can be no compromises on safeguards and remedies. In his analysis, Tomaso Falchetta points out that the Court is not in fact applying this principle in paragraphs 433 and 434 of the judgement, where the same safeguards that failed to meet the quality of law test are deemed sufficient when it comes to selectors and search terms applied to materials collected by foreign intelligence agencies. While not seeing a violation of ECHR Article 8 in the UK’s intelligence sharing regime, the Court made a bold step in asserting that intelligence sharing, however covert and vital, has to be balanced with other vital interests such as privacy. The data above shows that few states were prepared for such news.

 

Polarised dissenting opinions

It is fair to say that the final judgement in Big Brother Watch is seeking a middle way. Consequently, the more adamant and clear-cut standpoints can be found in the dissenting opinions. First, Judges Koskelo and Turkovic take an almost CJEU-style pro-privacy approach. They place emphasis on the technological environment and the impracticality of governing it under outdated regulations and case law. This would have been the outcome the applicants were seeking.

Judge Koskelo introduces an important notion. One of the reasons why the Court had found the German surveillance system in Klass to be legitimate was that it did not concern ‘exploratory surveillance’. The RIPA 8(4) regime, by contrast, was by its very nature exploratory. The plethora of earlier cases dating back to Klass and including Weber and Saravia addresses surveillance that is technologically restricted and narrower in scope. In step with the majority, Judge Koskelo points out that the search and selection criteria used for filtering intercepted communications are up to the whim of the analysts and not subject to any ex post oversight. Besides that, the warrants granted under section 8(4) were formulated too broadly to constitute meaningful ex ante oversight. Koskelo and Turkovic depart from the majority in arguing that ex ante judicial oversight of bulk surveillance is not counterintuitive, but rather – as the applicants had suggested – a necessary prerequisite. As for intelligence sharing, the dissenting judges agreed that, when the available safeguards are not sufficient for section 8(4) communications surveillance, they should not be seen as such in the context of accessing shared intelligence materials.

Dissenting in the very opposite direction were Judges Pardalos and Eicke, who claimed that, by holding the section 8(4) regime unlawful, the Court had deviated from the arguments brought by another chamber in Rättvisa vs Sweden. In the latter case the Court accepted that it was ‘necessary for the FRA (the Swedish SIGINT agency) to store raw material before it could be manually processed’.[10] Therefore, the infringement of privacy began only at access, and prior to that the safeguards provided in Weber were not strictly necessary. Judges Pardalos and Eicke admitted that both the Swedish and British regimes had their gaps and shortcomings such as limited oversight and transparency, but these remained within the nation state’s margin of appreciation and did not automatically lead to the unlawfulness of the whole system.

 

Next steps

IPA 2016 has already been challenged, since it foresees even greater surveillance powers over the communications of UK citizens or individuals residing in the UK. It allows for bulk interception ‘where the main purpose of the activity is to acquire intelligence relating to individuals outside the UK’ and explicitly states that ‘conduct within the UK or interference with the privacy of persons in the UK will be permitted only to the extent that it is necessary for that purpose.’ IPA authorises bulk hacking and bulk interception of communications content, metadata and history, and the creation of interoperable databases that contain sensitive personal data. Liberty successfully contested IPA at the High Court, which ruled that IPA is incompatible with fundamental rights in EU law in that, in the area of criminal justice, access to retained data is not limited to the purpose of combating ‘serious crime’ and is not subject to prior judicial or independent review. Rättvisa vs Sweden has been referred to the Grand Chamber and Association confraternelle de la presse judiciaire v. France et 11 autres requêtes is still pending. Therefore it remains to be seen just how long today’s technologically amplified surveillance programmes can be looked at and assessed through the lens of earlier case law.

 

Author: Ann Väljataga, NATO CCDCOE Law Branch 

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

  • 1. Anderson, D., Independent Reviewer of Terrorism Legislation (2015), A question of trust: Report of the investigatory powers review, London, 11 June 2015.
  • 2. EU Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the European Union - Mapping Member States’ legal frameworks, November 2015, p 23.
  • 3. Ibid, p 27.
  • 4. ECtHR, Big Brother Watch and Others v. the United Kingdom - 58170/13, 62322/14 and 24960/15, 13 September 2018, para 329.
  • 5. EU Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the European Union - Mapping Member States’ legal frameworks, November 2015, p 47.
  • 6. Council of Europe, European Commission for Democracy through Law (Venice Commission), Report on the democratic oversight of security services, 2007.
  • 7. ECtHR, Big Brother Watch and Others v. the United Kingdom - 58170/13, 62322/14 and 24960/15, 13 September 2018, para 386.
  • 8. Ibid, para 387.
  • 9. EU Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU - Volume II: field perspectives and legal update, October 2017, p 46.
  • 10. Rättvisa vs Sweden, para 146.