British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, judges have ruled.
The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated an illegal regime to collect vast amounts of communications data, tracking individual phone and web use and other confidential personal information, without adequate safeguards or supervision for 17 years.
Privacy campaigners described the ruling as "one of the most significant indictments of the secret use of the government's mass surveillance powers" since Edward Snowden first began exposing the extent of British and American state digital surveillance of citizens in 2013.
The tribunal said the regime governing the collection of bulk communications data (BCD) – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public.
It added that the retention of of bulk personal datasets (BPD) – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until it was publicly acknowledged in March 2015.
Since 1998, telecoms companies have been forced to provide the security services with regular access to BCD – the who, what, where and when of personal communications data, including information such as the location and time of a communication made by phone or over the internet, but not the content of the message.
"This information reveals a lot about you," says Camilla Graham Wood from Privacy International. "If someone knows who you've been speaking to and when you've been speaking to them, they can make some strong conclusions."
The right to privacy is enshrined in Article 8 of the European Convention on Human Rights (ECHR).
For security agencies to legally collect data about the public, they need to disclose information about their activities and have adequate oversight and safeguards in place. "That wasn't done," says Wood. "In fact, nobody was told. Not parliament and not the public."
The tribunal concluded that BCD was collected unlawfully from March 1998 until November 2015, when the data collection programme was made public and "a more adequate system of supervision" was introduced.
Personal data
The agencies also breached privacy laws when they collected another type of data called bulk personal data (BPD), the exact details of which are still unknown but which Privacy International says could include tax records and medical records. We know that this personal information has been collected and stored by intellligence agencies since around 2006.
"The BPD regime failed to comply with the ECHR principles… throughout the period prior to its avowal in March 2015," the tribunal concluded.
However, the tribunal found that the agencies' collection of BCD and BPD both now comply with Article 8.
"We are pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes," the government said in a statement. The statement didn't address any of the aspects of previous illegality mentioned in the judgement.
One issue that still remains unclear is proportionality – the question of whether the risks associated with such vast data collection programmes are outweighed by the benefits, says Paul Bernal, at University of East Anglia Law School, UK. "Every time this issue comes up, the agencies say ‘if we told you we would compromise people in the field', making it impossible to establish the evidence for each side," he says. The tribunal has not yet come to a conclusion on this issue.
In the meantime, the government has made its intentions on surveillance clear with the new Investigatory Powers Bill – also known as the snooper's charter – which is due to become law in the next few weeks. The bill was overwhelmingly passed during its second reading and strengthens current surveillance legislation, making it easier for government agencies to access data, including requiring content service providers to keep a record of the websites internet users visit.
Ever since the Snowden revelations, state surveillance programmes have increasingly come under the spotlight, despite government denials. "The obvious question is," says Bernal, "what else are they doing that we haven't yet found out?"
0 comments: