A new British electronic surveillance law, already complicated by the UK’s decision to leave the European Union, faces legal challenges from human rights groups. The Investigatory Powers Act (IPA) retroactively sanctions almost two decades of blanket electronic surveillance by intelligence services and extends their powers further.
Edward Snowden, the U.S National Security Agency contractor who exposed a secret trans-Atlantic alliance to intercept global communications, described the Investigative Powers Act as “the most extreme surveillance in the history of western democracy.”
Last year the act became law and was implemented “with barely a whimper.” But now nonpartisan human rights group Liberty is challenging the Investigatory Powers Act. Critics argue the “Snooper’s Charter” breaches both UK and European Union human rights legislation.
“It’s unthinkable that a mass surveillance architecture could ever be lawful in a democracy,” said Silkie Carlo, policy officer at Liberty. “It’s unthinkable that mass surveillance could ever be compliant with human rights. They’re at total odds.”
The IPA is a surveillance law that allows the British government to collect, intercept and analyze communications data and online activity in bulk. Web and phone companies are required to store vast amounts of their customers’ personal information for 12 months. Access to this confidential data isn’t limited to intelligence agencies – other security services, such as the police, are also allowed access to the information.
The IPA replaces an old law – the Data Retention and Investigatory Powers Act (DRIPA) – that was deemed unlawful by the European High Courts in 2016.
The new law is seen as similar, if not more extreme, and is “ripe for challenge,” Carlo told WikiTribune.
“We’re going to challenge it and we’ll win,” Carlo said. “Unfortunately, neither side of the political debate fought hard enough to get those changes, and government was deaf to the arguments.”
They were already spying
Earlier this year, more than 200,000 people signed a petition to repeal the law, to no avail. The government responded by saying the IPA “dramatically increases transparency around the use of investigatory powers.” An article in the generally conservative-leaning Daily Telegraph praised this very element. But there is more to it than that.
The Investigative Powers Tribunal, an independent court, revealed that several bodies – Britain’s international security service, MI6; the domestic security service, MI5; and the intelligence-gathering service, the Government Communications Headquarters (GCHQ) – have already been unlawfully collecting the data of British citizens without adequate oversight or transparency for 17 years.
Instead of curtailing such behavior, the government decided to legalize it in the form of the IPA. The Snowden revelations showed extensive cooperation between the GCHQ and U.S. authorities in mass internet surveillance, including the UK agency running programs with and for the National Security Agency that would have been illegal if carried out directly by a U.S. agency.
After the repeal petition was rejected, Liberty took court action, raising more than £50,000 in a crowdfunded campaign, The People vs The Snooper’s Charter. In June, they received permission to take it to court.
Carlo said Liberty is challenging “the many mass data powers that are in act.” The use of bulk data collection powers concerns surveillance critics such as the Open Rights Group and Privacy International, who worry about the rise of a totalitarian state and the erosion of Western democratic values.
Careful what you search for
Public opinion, though, is a little more complicated. On one hand, everyday behavior suggests people care about their privacy. The use of passwords and PINs is almost ubiquitous. And there’s been a rise in anti-surveillance technology, including VPNs, encrypted emails and messengers.
The fear of surveillance also has a deeper, internal “panopticon” effect. For example, a study from Oxford University’s Jon Penney details the “chilling effects” government surveillance has on Wikipedia users. In the wake of Snowden revelations, there’s been a “20 percent decline in page views on Wikipedia articles related to terrorism, including those that mentioned ‘al Qaeda,’ ‘car bomb’ or ‘Taliban.’”
“Under observation,” said Snowden, “we act less free, which means we effectively are less free.”
However, despite behaviors and technologies that suggest a concern to protect privacy, a YouGov poll revealed that most Brits don’t care about surveillance: 53 percent voted for the data retention. Given recent terror attacks in London and Manchester, the general public now seems more concerned with security than with privacy.
Nevertheless, the same poll shows that most oppose a ban on encryption software. Javier Ruiz, policy director at Open Rights Group, told WikiTribune that inconsistent answers have “to do with the way problems are framed and some problems will trigger a certain response.”
People have a “partial view of what’s happening,” Ruiz said. “No one really understands public acceptability because there has never been a real program to understand it.” What is clear is that people’s opinions on privacy don’t necessarily reflect their thoughts or behavior.
Key to the back door
Home Secretary (interior minister) Amber Rudd recently came under fire for her remark that “‘real people’ don’t care about end-to-end encryption” in messaging services like WhatsApp. Though the general public may not use it strictly for encryption, does that warrant weakening it?
The former head of GCHQ, Robert Hannigan, disagrees. He warns that “building backdoors” in encryption systems is “a threat to everybody.”
“It’s not a good idea to weaken security for everybody in order to tackle a minority,” he said in a recent interview with BBC Today, a leading national radio program.
Computer security expert Bruce Schneier said backdoor access will make it easier for hackers and criminals to access everyone’s private information. Encrypted services such as WhatsApp don’t just “benefit terrorists” as Rudd claims, but vulnerable people too.
Those in sensitive professions, such as journalists, lawyers, politicians and activists, will see their security jeopardized if encryption is weakened. It’s unsurprising, then that the IPA has led to the UK dropping two places in the Freedom of Press Index, from 38 to 40. It also dipped because of an Espionage Act proposed in early 2017 that would allow courts to imprison journalists for up to 14 years for obtaining leaked information.
Apart from the human rights critics, the IPA will confront another beast: the European Union.
The IPA became law the same year as the EU’s General Data Protection Regulation (GDPR) came into effect. The latter will apply in the UK starting in May next year and will continue for as long as it takes to implement the “Brexit” decision to leave the EU.
The GDPR is intended to protect and enhance the rights of individuals over their personal data. These include the right to be informed, forgotten or object to data collection.
The regulation will create significant challenges for UK businesses and services that handle EU data. The Parliamentary Commissioner, recognizing this, stated:
“When the UK leaves the EU, it will cease to be bound by the EU’s data protection laws. There is no prospect of a clean break: the extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data.”
Digital Minister Matt Hancock recently released a report, A New Data Protection Bill: Our Planned Reforms, which details the UK’s new data protection laws.
The main aim of the legislation is to allow data to flow freely between the UK and EU countries after Brexit, which Hancock acknowledges means mirroring the EU’s GDPR.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” Hancock said. “The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
Brexit throws it into doubt
The Data Protection Bill has been criticized for appearing as a novel UK policy. In reality, contends Orly Lynskey, an assistant professor of law at the London School of Economics, the bill implements components of the GDPR. Ruiz of Open Rights agrees, tweeting that “95 percent of New UK Data Protection reforms are simply EU law that Brexit could take away.”
Ruiz told WikiTribune that Brexit isn’t really the biggest issue, since the technical side is easier to resolve. For example, Section 28 of the Data Protection Act exempts certain activities of intelligence agencies from the legislation, and security services don’t have an obligation to tell people they’re collecting data.
“I don’t know if the best way to approach the problem is strictly a conflict between GDPR [and] IPA,” he said. “I think it’s best to say there’s a conflict between surveillance on the one hand, and human rights.”
He has a point. On the data front, Brexit appears to be resolved with the new Data Protection Bill. Yet there’s no mention of how it conflicts with the IPA. And that means there’s no guarantee these new protections would survive into a post-Brexit Britain.
The UK is one of the world’s leading digital nations, but if it wants to maintain trade with the EU, it must reconsider its privacy laws. The 12-month data retention, for example, is illegal in the EU, and does not exist in any Commonwealth countries. Australia even prohibits it.
If the UK is reluctant to change the IPA on the grounds of human rights, it will most likely do it for business reasons. With a human rights court case and Brexit ahead, the UK’s “extreme surveillance” law cannot choose neither option.