Mass surveillance must have meaningful safeguards, says ECHR – TechCrunch


The highest chamber of the European Court of Human Rights (ECHR) has delivered a blow to anti-surveillance campaigners in Europe by failing to find that bulk interception of digital comms is inherently incompatible with human rights law — which enshrines individual rights to privacy and freedom of expression.

However today’s Grand Chamber judgement underscores the need for such intrusive intelligence powers to be operated with what the judges describe as “end-to-end safeguards”.

Governments in Europe that fail to do so are opening such laws up to further legal challenge under the European Convention on Human Rights.

The Grand Chamber ruling also confirms that the UK’s historic surveillance regime — under the Regulation of Investigatory Powers Act 2000 (aka RIPA) — was unlawful because it lacked the necessary safeguards.

Per the court, ‘end-to-end’ safeguards means that bulk intercept powers need to involve assessments at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ‘ex post facto’ review.

The Grand Chamber judgement identified a number of deficiencies with the bulk regime operated in the UK at the time of RIPA — including that bulk interception had been authorised by the Secretary of State, rather than by a body independent of the executive; categories of search terms defining the kinds of communications that would become liable for examination had not been included in the application for a warrant; and search terms linked to an individual (e.g. specific identifiers such as an email address) had not been subject to prior internal authorisation.

The court also found that the UK’s bulk intercept regime had breached Article 10 (freedom of expression) because it had not contained sufficient protections for confidential journalistic material.

While the regime used for obtaining comms data from communication service providers was found to have violated Articles 8 (right to privacy and family life/comms) and 10 “as it had not been in accordance with the law”.

However, the court held that the regime by which the UK could request intelligence from foreign governments and/or intelligence agencies had had sufficient safeguards in place to protect against abuse and to ensure that UK authorities had not used such requests as a means of circumventing their duties under domestic law and the Convention.

The Court considered that, owing to the multitude of threats States face in modern society, operating a bulk interception regime did not in and of itself violate the Convention,” it added in a press release.

The RIPA regime has since replaced by the UK’s Investigatory Powers Act (IPA) — which put bulk intercept powers explicitly into law (albeit with claimed layers of oversight).

The IPA has also been subject to a number of human rights challenges — and in 2018 the government was ordered by the UK High Court to revise parts of the law which had been found to be incompatible with human rights law.

Today’s Grand Chamber judgement relates specifically to RIPA and to a number of legal challenges brought against the UK’s mass surveillance regime by journalists and privacy and digital rights campaigners in the wake of the 2013 mass surveillance revelations by NSA whistleblower Edward Snowden which the ECHR heard simultaneously.

In a similar ruling back in 2018 the lower Chamber found some aspects of the UK’s regime violated human rights law — with a majority vote then finding that its bulk interception regime had violated Article 8 because there was insufficient oversight (such as of selectors and filtering; and of search and selection of intercepted communications for examination; as well as inadequate safeguards governing the selection of related comms data).

Human rights campaigners followed up by requesting and securing a referral to the Grand Chamber — which has now handed down its view.

It unanimously found there had been a violation of Article 8 in respect of the regime for obtaining communications data from communication service providers.

But by 12 votes to 5 it ruled there had been no violation of Article 8 in respect of the UKs regime for requesting intercepted material from foreign governments and intelligence agencies.

In another unanimous vote the Grand Chamber found there had been a violation of Article 10, concerning both the bulk interception regime and the regime for obtaining communications data from comms service providers.

But, again, by 12 votes to 5 it ruled there had been no violation of Article 10 in respect of the regime for requesting intercepted material from foreign governments and intelligence agencies.

Responding to the judgement in a statement, the privacy rights group Big Brother Watch — which was one of the parties involved in the challenges — said the judgement “confirms definitively that the UKs bulk interception practices were unlawful for decades”, thereby vindicating Snowden’s whistleblowing.

The organization also highlighted a dissenting opinion from Judge Pinto de Alburquerque, who wrote that:

Admitting non-targeted bulk interception involves a fundamental change in how we view crime prevention and investigation and intelligence gathering in Europe, from targeting a suspect who can be identified to treating everyone as a potential suspect, whose data must be stored, analysed and profiled () a society built upon such foundations is more akin to a police state than to a democratic society. This would be the opposite of what the founding fathers wanted for Europe when they signed the Convention in 1950.

In further remarks on the judgement, Silkie Carlo, director of Big Brother Watch, added: “Mass surveillance damages democracies under the cloak of defending them, and we welcome the Courts acknowledgement of this. As one judge put it, we are at great risk of living in an electronic ‘Big Brother’ in Europe. We welcome the judgment that the UKs surveillance regime was unlawful, but the missed opportunity for the Court to prescribe clearer limitations and safeguards mean that risk is current and real.”

“We will continue our work to protect privacy, from parliament to the courts, until intrusive mass surveillance practices are ended,” she added.

Privacy International — another party to the case — sought to put a more positive spin on the outcome, saying the Grand Chamber goes further than the ECHR’s 2018 ruling by “providing for new and stronger safeguards, adding a new requirement of prior independent or judicial authorisation for bulk interception”.

“Authorisation must be meaningful, rigorous and check for proper ‘end-to-end safeguards’,” it added in a statement.

Also commenting publicly, the Open Rights Group’s executive director, Jim Killock, said: The court has shown that the UK Governments legal framework was weak and inadequate when we took them to court with Big Brother Watch and Constanze Kurz in 2013. The court has set out clear criteria for assessing future bulk interception regimes, but we believe these will need to be developed into harder red lines in future judgments, if bulk interception is not to be abused.”

As the court sets out, bulk interception powers are a great power, secretive in nature, and hard to keep in check. We are far from confident that todays bulk interception is sufficiently safeguarded, while the technical capacities continue to deepen. GCHQ continues to share technology platforms and raw data with the US,” Killock went on to say, couching the judgment as “an important step on a long journey”.

 





Source link

Leave a Reply

Your email address will not be published. Required fields are marked *