Human Rights Watch respectfully submits the following information to David Anderson QC for the Investigatory Powers Review. Firstly, we explain the need to reform UK legislation governing surveillance to bring it in line with the UK’s human rights obligations, in particular its obligations to respect and protect the right to privacy. Secondly, oversight of government surveillance by the Interception of Communications Commissioner is not comprehensive and it lacks the independence and transparency that are necessary for such a task. The government should address these shortcomings and create an authority that provides effective oversight of its surveillance activities.
Revelations by former National Security Agency (NSA) contractor Edward Snowden published by the Guardian included credible evidence that the Government Communications Headquarters (GCHQ) is engaged in the interception and collection of internet and phone data on a mass scale, in breach of the rights of millions of people in the UK and in other countries to privacy and to freedom of expression. Yet the UK government has failed to answer legitimate questions about its involvement in mass surveillance, asserting that the intelligence agencies complied with the law and acted to protect public safety.
While we fully accept that the UK government has a duty to protect national security and prevent crime, there is an important distinction between taking steps that are necessary and proportionate to achieve those aims and monitoring indiscriminately the communications of millions of people in the UK and other countries who are under no suspicion whatsoever. The UK’s human rights obligations impose limits on the scope and scale of surveillance that the government may justify under the banner of national security.
The UK government should explain to the public the scope and magnitude of the alleged surveillance by the GCHQ as well as the authority and limitations under which it is conducted. The government should also clarify how much data on people located outside British territory is being gathered and how it is being stored, used, or shared with third parties, particularly since the legal protections against such interception are weaker for people abroad under UK law.
Reforming UK surveillance legislation in accordance with the right to privacy
Human Rights Watch holds that legislation in force in the UK is inadequate to protect against wholesale breaches of privacy rights and that any new legislation should ensure that communications data is intercepted only in exceptional circumstances. Any decision authorizing such interception should be subjected to independent scrutiny by a judicial authority.
Analysis of UK laws governing surveillance by Human Rights Watch has led us to conclude that the legislative framework in the UK does not adequately protect the right to privacy and allows for far-reaching government surveillance without effective independent oversight.
In July 2014, the UN Office of the High Commissioner for Human Rights (OHCHR) published a report that is highly critical of mass surveillance and calls on states to review their laws and bring them into line with international human rights standards. The report elaborated on state obligations to respect and ensure privacy when conducting digital surveillance. The report found that practices in many states have revealed “a lack of adequate national legislation and/or enforcement, weak procedural safeguards, and ineffective oversight.” Combined with a “disturbing lack of governmental transparency,” these failings have “contributed to a lack of accountability for arbitrary or unlawful interference in the right to privacy” (paras 47-48).
Under the European Convention on Human Rights (ECHR), and the Human Rights Act (HRA) which incorporates it into domestic law, the UK must respect the right to private life and any interference with this right must be “in accordance with the law” and “necessary in a democratic society,” that is, no greater than needed to protect a legitimate state interest. As the OHCHR report states, the International Covenant on Civil and Political Rights (ICCPR), ratified by the UK, also prohibits arbitrary and unlawful interference with privacy, which requires surveillance measures to be not only according to law but also necessary and proportionate. This right applies to digital and phone communications and is not limited to the contents of those communications. The OHCHR has called on all states to “review their own national laws, policies and practices to ensure full conformity with international human rights law.”
The UK government should bring up to date the law under which GCHQ has been acting, namely the Regulation of Investigatory Powers Act 2000 (RIPA), and bring it in line with advancements in technology and digital communication and the UK’s international human rights obligations. In the years since the UK’s new law on intercepting communications was introduced, digital surveillance capabilities have evolved dramatically and the government now has the duty to reform the legal framework to ensure it protects the right to privacy, given how technologies have evolved.
RIPA allows a senior government minister—a “secretary of state”—to issue a warrant at the request of a senior intelligence or police official. The warrant authorizes the interception of communications for which the sender or intended recipient is in the United Kingdom, if the secretary of state believes intercepting the information is necessary and proportionate.
In addition to permitting a warrant if it is “necessary” “in the interests of national security,” the law permits a warrant if it is “necessary” for “preventing or detecting serious crime.” The grounds for granting a warrant under the law remain very broad, even though the recent Data Retention and Investigatory Powers Act (DRIPA) 2014 limited an additional reason of “safeguarding the economic well-being of the United Kingdom” to cases relating to national security.
RIPA distinguishes between communications between people located in the UK (“internal”), and those where the sender or recipient is abroad. For the latter, considered to be “external,” the warrant does not need to specify a particular person or premises that may be linked to wrongdoing or actual security threats, creating a lower standard of protection for those communications. This lower standard for the interception of external communications enables extremely broad collection of personal data and communications of individuals who are not linked to any wrongdoing, thus breaching the principle of proportionality as well as those individuals’ right to privacy.
As made clear by the government’s written statement in the case brought by Privacy International, Amnesty International and other rights groups before the Investigatory Powers Tribunal on GCHQ’s surveillance activities, the UK government treats searches on Google and YouTube, posts on Facebook, and tweets as “external communications” since the companies’ web servers are largely based outside the British Islands, which means that the online communications of people in the UK may be intercepted with only the weak safeguards RIPA requires for “external communications.”
This shows the inherent weakness of the RIPA regime, as well as the urgent need to update current legal frameworks for the digital realm. RIPA was enacted in 2000, before the advent of nearly all global social media services. Today, over a decade later, when individuals use social media or web-based email services, their data is routinely held in various jurisdictions around the world and can travel across multiple borders in seconds.
These concerns were not addressed by DRIPA, passed as emergency legislation in July, after the government gave parliament only three days to review it. On the contrary, the new Act extends the scope of those who may be subject to interception warrants to companies outside the UK that offer communications services to UK customers and extends the definition of “telecommunications service” to include “companies who provide internet-based services, such as webmail.” This change subjects a much broader range of internet companies in the UK and abroad to surveillance warrants from the UK.
The government should safeguard the privacy rights of individuals whose communications it intercepts in the same way whether they are inside or outside the UK. Indeed when a country can exercise control or jurisdiction over the digital communications of non-citizens, or people outside its borders, in a comprehensive or wholesale fashion, it also assumes an obligation to respect those people’s rights. This principle was most recently affirmed by the OHCHR’s report on the right to privacy in the digital age, which stated that digital surveillance may engage a state’s human rights obligations extraterritorially, regardless of the nationality or location of individuals whose communications are under surveillance.[i]
DRIPA also enables the government to require telephone and internet companies in the UK and abroad to collect metadata on their customers’ communications and store it for up to 12 months. The Act was presented to parliament over three months after the Court of Justice of the European Union (CJEU) ruled that blanket data retention is disproportionate and breaches the right to privacy.
The new law fails to address the concerns raised by the CJEU in its ruling, and goes further than the regulations it is purported to replace by expanding the government’s surveillance powers extraterritorially. Indeed the new Act subjects a range of internet and telecommunications companies outside the UK to orders for intercepting the content of communications.
The OHCHR’s July 2014 report specifically states that the mere collection of metadata can interfere with the right to privacy, even if it is not subsequently viewed or used. The report also stated that mandatory, blanket third-party data retention “appears […] neither necessary nor proportionate” (para 26).
The need for independent oversight and transparency
The government should create a more robust, independent and transparent oversight authority that reports to Parliament on the government’s surveillance activities. This authority should be mandated to disclose as much information to the public as possible, consistent with the need to redact information necessary to protect legitimate national security or public order interests.
Human Rights Watch believes that the existing oversight and accountability mechanisms in this area are not adequate to prevent abuse of surveillance powers, and are not consistent with the UK’s human rights obligations, in particular the obligation to protect the right to privacy.
Oversight under RIPA is neither transparent nor comprehensive. The interception of communications commissioner has oversight of the government’s power to intercept, but the prime minister, not the parliament, appoints the commissioner, thereby compromising the independence of the position. The commissioner examines a number of interception warrants after the fact and assesses whether they comply with the criteria of necessity and proportionality. The commissioner’s 2014 annual report—for which the prime minister must approve the content—states that a random sample of around 10 percent of applications for warrants submitted by larger users such as police forces are inspected.
The OHCHR’s report on privacy in the digital age states that oversight of surveillance programs by all branches of government as well as an independent civilian agency is essential to ensure effective protection of law (para. 37).
Those whose communications are the object of an interception warrant are not notified that they are under surveillance. A person who believes one of the intelligence agencies has breached their right to privacy through surveillance can file a complaint before the Investigatory Powers Tribunal, a judicial body made up of judges and lawyers. The tribunal can quash the interception warrant and order the records collected to be destroyed or award compensation. If the tribunal rejects a person’s claim, it doesn’t let the person know whether an interception took place. The tribunal’s decisions are not subject to appeal or judicial review.
In accordance with the right to an effective remedy under Article 13 of the ECHR and Article 2 of the ICCPR, individuals who are subject to a surveillance warrant should be given enough time and information about the decision to put their communications under surveillance to allow them to challenge the decision effectively before a court, and they should have a right of appeal. Notice can be delayed in certain circumstances, including where advance notice would seriously jeopardize the legitimate purpose of the surveillance. However, notice after the fact is important for enabling redress where abuses occur.
Furthermore, the government should ensure that the measures it announced in July, including a new Privacy and Civil Liberties Oversight Board (PCLOB) based on the US model are implemented in a way that enables effective oversight and public scrutiny of UK government surveillance practices. In order to be effective, such a mechanism should be fully independent from the government and its agencies and not report to any other authority; it should have sufficient resources to conduct effective and comprehensive oversight and it should have the power to obtain any evidence it requires to carry out its functions. The new mechanism should also be mandated to oversee surveillance of “external” as well as “internal” communications subject to surveillance by the UK government, whether the person whose communications are intercepted is based in the UK or abroad. The annual transparency reports on how surveillance powers operate, also announced by the government in July, should reveal as much information to the public as possible in a way that is consistent with national security and public order.
Reports on reviews of government surveillance should also be public and transparent to the extent possible. Human Rights Watch is concerned that under section 7(6) of the Data Retention and Investigatory Powers Act 2014, parts of the public version of the Investigatory Powers Review’s report may be excluded by the Prime Minister on the grounds that they are “contrary to the public interest or prejudicial to national security.” Human Rights Watch holds that the decision on what should be redacted from the public version should be taken by the independent reviewer, not the Prime Minister. Redactions should also be limited to only what is truly necessary to protect legitimate national security interests or prevent or detect serious crime. Similarly, we are concerned that the Prime Minister approves the content of the Interception of Communications Commissioner’s annual report before it is made public. Under section 58(7) of RIPA, the Prime Minister can exclude parts of the report on broad grounds, for instance that publication would be “contrary to the public interest” or that it would be prejudicial to national security, “the prevention or detection of serious crime,” “the economic well-being of the United Kingdom” or “the continued discharge of the functions of any public authority whose activities include activities that are subject to review by the Commissioner.” Redactions should be instead limited to only what is truly necessary to protect legitimate national security interests or prevent or detect serious crime.
[i] A/HRC/27/37, paras. 31-36.