The UK Investigatory Powers Tribunal (IPT) found that UK spy agencies have violated the privacy protections in the European Convention on Human Rights. The agencies’ illegal programs have been in effect from 1998 to 2015, when some new safeguards came into place. Privacy International attributes this result to Edward Snowden’s whistleblowing on spy agencies’ activities, without which they wouldn’t have been discovered by the public, the courts, or the Parliament.
Bulk Collection With No Privacy Protections
The illegal programs in question are the Bulk Communications Data (BCD) and Bulk Personal Datasets (BPD) initiatives--where. as the name implies, data of citizens is collected and analyzed in bulk. The programs were re-introduced in the Investigatory Powers Bill, which has yet to pass, although supposedly some privacy protections have been added this time.
However, multiple Parliamentary commissions have already warned that the privacy protections in the IP bill aren’t strong enough and that they have been added only as an afterthought after first defining the agencies’ surveillance powers. The commissions have argued that it should’ve been the other way around, with privacy protections defined for citizens by default, with certain specific exceptions given for various surveillance capabilities.
Reasons For Using Bulk Data Collection
The intelligence agencies wrote to the court concerning the reasons why they say bulk data collection such as BCD and BPD is so necessary.
One of the reasons is that bulk data such as personal financial transactions or communications, for instance, would be too laborious to analyze manually for each individual. Therefore, the agencies prefer to collect everyone’s data of this type and analyze it automatically.
Another reason given is that such analysis could sometimes uncover unknown suspects. The agencies’ argument here is this sort of analysis could help uncover otherwise unknown plots or crimes, before they actually happen, so that they could be prevented.
However, as security expert Bruce Schneier once showed, such data mining can be highly ineffective at preventing attacks, because the numbers simply work against it. Such analysis would almost always result in high numbers of false positives.
Bulk Data Abuses
The Investigatory Powers Tribunal concluded that such data can’t be collected without strict oversight. The Tribunal revealed that UK spy agencies’ staff was abusing the bulk data databases even to check up on other staff members, as well as acquaintances, family members, or public figures. That’s because there was no code of practice nor proper oversight to prevent such abuses.
The court also noted that it would’ve been difficult for the public to discover that the intelligence agencies were abusing their powers when the Parliament itself wasn’t made aware of the agencies’ full range of capabilities. Even the commissioners in charge of intelligence agency audits were limited in knowing how exactly the spies collected, stored, or destroyed data, and their audits weren’t especially detailed.
New Collection Still Possibly Illegal
The IPT court, which deals with surveillance cases, said it’s satisfied with the privacy protections that the agencies have now put in place and believes the agencies’ collection is now legal under the European Convention. However, Privacy International, which launched a lawsuit against the UK intelligence agencies over these issues, isn’t quite as content with the additional oversight measures.
According to the organization, the main issue remains that the bulk data collection requires no judicial or independent authorization, meaning the UK spy agencies are still mostly free to collect whatever data they want. Having a government ministry as the entity that can authorize bulk data collection requests means the government in power can easily abuse its intelligence capabilities. Courts have existed for this reason--as a check--but they seem to have been mostly taken out of the equation when it comes to UK intelligence data requests.
Privacy International also argued that victims of the bulk data collection have no way of knowing whether the government collected their data--not during an investigation, and possibly not ever. This can open up opportunities for abuse, because the agencies can collect and access anyone’s data without any repercussions.
The nonprofit also warned that the agencies can continue to share whole databases of collected bulk data with foreign intelligence agencies, “industry partners” such as contractors, and other local law enforcement agencies. The group believes the Tribunal should have better addressed the necessity and proportionality of collecting so much data about millions of innocent UK citizens.
“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale," said Millie Graham Wood, Legal Officer at Privacy International.
"There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used.
The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed,” she added.
The Investigatory Powers Tribunal will revisit the case again this December to review the legality of the UK agencies’ actions under European Union privacy regulations and the Charter of Fundamental Rights.
Even if the IPT continues to give a pass to UK intelligence agencies (which it seems to have done so far, despite finding its actions were illegal for many years), the case could still be taken to the European Court of Human Rights and the EU’s Court of Justice, which have a history of siding much more often with citizens’ privacy rights.