In his 1921 novel We, Yevgeny Zamyatin depicts a society where people – the Numbers – are reduced to numerical entities; their existence programmed and synchronised to cold arithmetical perfection (they wake up and work at the same hour, at the same minute, “united into a single body with a million hands”); their instincts and feelings brushed off as unknown mathematical values (“in her eyes, there was a strange irritating X”); their individuality and humanity lost. The Numbers live behind the Glass Wall, a structure much resembling Jeremy Bentham’s “Panopticon”, which allows for constant watching and monitoring by the One State. We inspired Orwell’s famous dystopian novel 1984. Here again, surveillance is a central weapon in the artillery of the totalitarian regime. Telescreens overlook every corner of public and private life. Winston Smith recounts in haste:
There was of course no way of knowing whether you were being watched at any given moment… It was even conceivable that they watched everybody all the time… You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinised.
The Snowden Disclosures
June 2013 Edward Snowden, former employee of the Central Intelligence Agency (CIA) and contractor for the National Security Agency (NSA), the successor of the so-called “Black Chamber”, began to uncover the frightening details of global mass surveillance programmes carried out by the NSA and other intelligence services around the world. The means used to do so are countless: agreement with technology companies to weaken encryption systems; partnerships with internet corporate giants such as Google, Facebook, Microsoft or Skype to access directly electronic communications; secret treaties between governments for the sharing of information. The programmes too are numerous and use technologies that (at least to a lawyer like myself) are even more cryptic than the imposing acronyms behind which they hide – PRISM, TEMPORA, MUSCULAR, to list but a few. There are no limits to the people being targeted. The tapping of the German premier Angela Merkel’s phone of course ranked high in the headlines. And the latest revelations include allegations of the NSA spying on prominent human rights organisations such as Amnesty International and Human Rights Watch. But anyone is liable to snooping, including completely innocent ordinary civilians. In fact, at this stage, one can seriously question whether States even know who is spying on whom, how and why: un foutoir at that, as the French would say.
Of course, this can hardly come as a complete surprise. Recent history is populated with whistleblowers who have given us glimpses of the daunting surveillance practices of our governments. As early as 1971, the leftist activist group Citizens’ Commission to Investigate the FBI broke into the offices of the FBI and got hold of documents showing that COINTELPRO (Counterintelligence Program) was used to spy on multiple domestic political organisations and activists, including Martin Luther King. In a book published in 1996, journalist Nicky Hager confirmed rumours that ECHELON, a program created by the “Five Eyes” (Australia, Canada, New Zealand, the UK and the US) to spy on the Soviet Union during the Cold War, was being used to intercept vast amounts of private and commercial communications. In the UK, former MI5 agent David Shayler was prosecuted under the Official Secrets Act for disclosing, among other things, the government’s monitoring of socialists. In the last three years, Wikileaks too published various accounts of the partnership between the corporate worlds and intelligence agencies forged in a bid to control electronic communications.
But the novelty of Snowden’s disclosures is that they are unprecedented in both scale and geographical scope. At once, the pieces of a scattered puzzle are put together: surveillance is a global, omnipresent and indiscriminate beast. It seems there is hardly any place left in the world for anyone to hide. Another dystopian novel? No Prime Minister. This is just the hard reflection of a dark reality.
In the wake of Snowden’s disclosures, much public attention focused on the NSA. But the grass is not always greener on the other side of the Atlantic. The UK’s equivalent – the Government Communications Headquarters (GCHQ) – may bear equal if not more responsibility for the mass surveillance scandal. Alongside MI5 and MI6, GCHQ is one of the three main UK intelligence agencies. Its primary task is to provide “signals intelligence”, that is to gather intelligence through the interception of communications. Unsurprisingly, the agency operates under complete secrecy. In fact, although first established just after the First World War, its existence was only revealed in the mid-70s and it was not until the adoption of the Intelligence Services Act in 1994 that its functions and powers were placed on a formal legal footing. The leaks revealed GCHQ’s participation in the NSA’s PRISM program, the primary tool used to access and monitor thousands of emails, chats, video calls and other internet communications directly from internet service providers, thereby also confirming the strong ties between the two agencies. But they also exposed GCHQ’s own surveillance program, TEMPORA, which has been used by the agency since 2011 to intercept and process vast amounts of personal data.
The Stratford report
Jemima Stratford QC is one of two barristers who advised the All Party Parliamentary Group on Drones on the legality of GCHQ’s actions. She welcomed me in her chambers at Brick Court in Central London for one of the few interviews they have agreed to since they published their advice in January 2014 concluding that GCHQ’s actions were probably illegal. The advice is timely, she says: “there had been a lot of attention to Snowden’s disclosures but there hadn’t – in the UK anyway – been so much attention on whether what is going on is lawful under our existing laws, let alone on whether we need new laws altogether”.
The barristers were asked to focus on a number of specific scenarios in their analysis, largely based on the Snowden disclosures. Of particular interest for our purposes are the allegations that GCHQ is engaging in the mass collection of data; that they retain and use that data including to carry out “pattern of life” analyses (a term which speaks for itself); and that they share much of that data with the NSA. The advice thus addresses in turn the (1) mass collection, (2) retention, (3) use and (4) sharing of data. They looked at the problem in those distinct stages, she explains, “because it is analytically helpful as those are the steps data goes through if one was to chop it up”. But she thinks that there are problems at each of the stages and that it would be wrong to say that one is more important than another. In particular, she adds, “because the scenarios are a chain of events, if any one of them were unlawful it would stop the chain at that point and it wouldn’t avail the government to be able to say that step four were lawful if step two has already been found to be unlawful. It is thus important to bear in mind that they will need to account for every single stage of the process.” In other words, if and to the extent that collecting data in bulk is illegal, everything else is too.
“It might be that part of the authorities’ response will be that there are things going on in slightly different ways or that we do not know about”, she concedes. But “it seems at least not improbable that GCHQ is indeed engaging in the mass collection, retention, use and sharing of data”. For my part, I have little doubt that this is the case. In fact, a large proportion of the reported 1.7 million intelligence files extracted by Snowden are still to be properly processed and publicly released. It may very well be that the situation is far worse than the evidence currently suggests.
Legality under RIPA
Legally, the first question that arises is if the said actions of GCHQ are even authorised under the relevant legislative framework – the Regulation of Investigatory Powers Act 2000 (commonly known by its ominous-sounding acronym “RIPA”), which, among other things, regulates surveillance and the interception of communications. “Parts of the report are necessarily legally a bit creative”, Stratford explains, “but the early sections where we are founding our conclusions very firmly on the terms of RIPA are black and white. It will thus be much more difficult for the government to provide a robust answer to some of what we say there”.
The RIPA is based on two important distinctions: the distinction between internal communications and external communications and the distinction between contents data and communications data. Internal communications are communications between people located in the UK. As a rule, their collection and use are subject to more stringent control mechanisms than external communications, which consist of communications received or sent outside the UK. Contents data is data that pertains to the substantive content of a communication. Likewise it is more stringently regulated than communications data (also known as “metadata”), which consists of traffic data and other data relating to the use made of any telecommunication system.
“The key point we make”, Stratford explains, “is that if there is mass collection of internal contents data, this is always unlawful”. The advice points out that the RIPA is clear in that respect: a warrant ordering the collection of internal contents data has to be focused on specific individuals or places. In other words, GCHQ cannot intercept communications between people located in the UK in a bulk indiscriminate fashion. In fact, she adds, “if carried out without a warrant – i.e. with only an authorisation – any mass collection of contents data, including external contents data, is equally always unlawful”.
In many other respects, however, the RIPA grants considerable powers to the intelligence services. The advice highlights that communications data, whether internal or external, can be intercepted and retained simply by means of an authorisation and that there are virtually “no restrictions on the uses to which intercept material might be put”: the security services can retain and analyse any data, including the data of non-suspects. Legally, the position in relation to the sharing of data is even more obscure. The advice concludes that the RIPA probably does not authorise the transfer of data to the NSA, but there is an added layer of complexity in the UK. As simply as one could possibly put it, Stratford explains: “in this country, the central government is treated effectively as a normal person so that it can do everything that the law does not prevent it from doing using their common law or prerogative powers”. These are unwritten, undetermined powers, largely a vestige of the Crown’s prerogatives, which are now effectively exercised by the executive. In fields as sensitive and directly connected to citizens’ rights as this, Stratford continues, “we would seriously question the appropriateness of the government relying on those powers”. But, she admits, it would be very convenient if there were a complete regulatory gap, for the government could argue that there is nothing formally stopping them from cooperating with foreign authorities.
The RIPA ripe for change
Breach of privacy rights
Even so, this is by no means the end of the story. The RIPA or other rules may sanction some of GCHQ’s activities but the inquiry has to go further and look at whether the provisions of the RIPA that seemingly “authorise” those activities are themselves unlawful.
The European Convention on Human Rights (ECHR) has been part of UK law since the adoption of the Human Rights Act (HRA) in 1998. Article 8 states:
Everyone has the right to respect for his private and family life, his home and his correspondence.
The interception, retention and sharing of data all constitute (in fact distinct and particularly serious) interferences with a person’s privacy. While the right can be limited in a number of situations, including in the interest of national security, public safety, the economic well-being of the country and for the prevention of disorder or crime, under the Convention, this is subject to a number of conditions.
First, the interference must be in accordance with the law. This does not mean that it is sufficient for there to be just any kind of law sanctioning the interference. The law has to satisfy a number of qualities: it has to be accessible, it has to be clear and it has to be precise. These requirements are inherent in the concept of the rule of law, which, even in a formal narrow sense, requires the law to enable people to plan their lives with at least some degree of certainty. It must therefore be possible for individuals to foresee the circumstances in which governmental agencies can use their surveillance powers.
Second, the interference must pursue a legitimate aim. National security or the prevention of crime may be such legitimate aims, but the government needs to prove that this is the objective being pursued and must be able to do so in respect of each individual case in which surveillance is being used.
Last but not least, the interference must be proportionate to the goal being pursued. This essentially means that even if a particular surveillance operation is necessary for, say, national security, if other measures are available that are less intrusive on a person’s privacy, then the purported action is disproportionate and breaches the right to private life.
Where does that all leave the RIPA? Well, not in a very good position. In my view, the surveillance practices of GCHQ that the barristers were asked to examine and that are seemingly authorised by the RIPA are also illegal, given that the relevant provisions of the RIPA are themselves contrary to the ECHR. The advice provides a very thorough and insightful analysis of the different issues, but the main problem can be summarised as follows: the RIPA grants almost unlimited, unfettered powers to the executive. The advice thus notes that the rules on the interception of external contents data provide “too wide a discretion to the Secretary of State in respect of the categories and kinds of documents that can be retained” and that those on communications data provide “insufficient clarity about the circumstances in which the executive may or may not authorise [their] interception”. Likewise the barristers’ analysis reveals that there are virtually no restrictions on the retention, use, and transfer of data. Everything is essentially up to a single individual, thereby severely jeopardising the transparency and predictability of the whole regime.
Ironically, the RIPA itself was partly meant to provide greater respect for the right to privacy in this area. As Stratford point outs, “the RIPA didn’t come from nowhere. It is the successor of other legislation and in fact in part a response to some adverse judgments from the Strasbourg court on that previous legislation”. Strasbourg’s take on this “improved” version of the UK’s laws in this area will come sooner rather than later as Big Brother Watch and other similar organisations have brought proceedings challenging the legality of PRISM and TEMPORA. Unusually, Strasbourg has decided to hear the case under an expedited fast track procedure. In Stratford’s view, “the easier point for the court to grapple with and use to find a violation would be the lack of certainty in the law and therefore the fact that it would be contrary to the requirement that any interference be in accordance with the law. But this is not to say that there are not also proportionality arguments. The indiscriminate interception and retention of data, of whatever kind and solely by reference to the request of the executive, is a disproportionate interference with the private life of the individuals concerned”. Either way, she concludes, “there is a real prospect, even likelihood, that the Court will find at least some breaches”. This assessment is now further supported by the recent judgment of the EU Court in Luxembourg in the Digital Rights Ireland case, where it annulled the EU Data Retention Directive on the ground that the indiscriminate retention of communications data constitutes a disproportionate interference with the right to private life.
Lack of oversight
In addition, respect for the right to privacy requires that safeguards be in place to prevent abuses. Yet existing monitoring bodies are failing to do the job. The barristers were not asked to consider the issue separately, but in short, Stratford observes, “there is now outside government a fairly widespread recognition that the systems of oversight are wanting and need to be looked at again”.
This is not surprising. Parliamentary oversight is weak at best. The parliamentary Security and Intelligence Committee – the body nominally responsible for scrutinising the activities of the UK’s intelligence services – has been subject to severe criticism. “Some reforms have recently been made to increase its resources”, Stratford notes, but many claim that the committee lacks the necessary knowledge and expertise to act as an effective watchdog.
Similar concerns have been raised as to the effectiveness of the independent Intelligence Services Commissioner and Interception of Communications Commissioner, which are tasked with providing independent scrutiny of the surveillance practices of the intelligence services, including by reviewing warrants. Tellingly, Sir Mark Waller – currently the Intelligence Services Commissioner – was reported to have repeatedly refused to appear before the House of Commons Home Affairs Select Committee to answer for the actions revealed by the Snowden leaks.
Traditional judicial guarantees too are missing. The only judicial body competent to hear complaints about the conduct of the UK’s intelligence agencies, the Investigatory Powers Tribunal (IPT), is a tribunal in name only. Stratford herself describes the IPT as an “unusual creature” inasmuch as it “differs not only from the ordinary courts and tribunals that operate in England and Wales, but even from those that deal with sometimes extremely sensitive national security matters”. She has in mind tribunals such as the Special Immigration Appeals Commission (SIAC), which used to deal with cases arising from control orders (essentially a form of house arrest, which was previously used as a substitute for preventative detention) and now Terrorism Prevention and Investigation Measures (commonly referred as “TPIMs”). These cases typically involve the government relying on evidence that they claim cannot be disclosed to the individual (what is commonly known as “secret evidence”). These regimes are already extremely controversial and repeatedly criticised as “Kafkaesque” but, Stratford observes, “they at least developed quite sophisticated regimes for dealing with national security issues, including the use of special advocates”. By contrast, the workings of the IPT remain untransparent. “It may be using special advocates too”, she notes, but there simply is no way of establishing exactly how and why it reaches many of its decisions. “Adverse decisions will often amount to no more than a sort of judicial version of a neither confirm nor deny notice”, she adds: “the person who complained to the tribunal may not know at the end of the proceedings whether their complaint has been rejected because no information is held, or whether it is because information is held but there is some legitimate reason for holding it. There also is no established right of appeal: individuals have to take a trip all the way to Strasbourg if they wish to contest the Tribunal’s decision”.
Put into context, the situation is quite dramatic. Out of approximately 1000 to 1500 complaints heard to date by the IPT, only about 10 have been upheld. From the inside, the low figure is explained by the fact that many complaints are allegedly “frivolous or vexatious”. But there are reasons to be sceptical as neither the way the IPT operates, nor the available evidence, exactly inspire confidence. Among the handful of successful cases brought before the IPT, one involved a local council spying on a couple in order to establish whether they lived in the right school catchment area. It is therefore likely that the low success rate might be better explained by a general reluctance on the part of the IPT to intervene in the affairs of the security services.
On top of strict legality issues, the RIPA has simply passed its expiry date. Various parts of the advice make clear that the RIPA has failed to keep up with technological advances. “Many countries distinguish between external and internal communications”, Stratford explains. “The US has a particularly stark approach which is that – to characterise it very crudely – you can tread all over the rights of foreigners in a way that is not considered acceptable for domestic US citizens. But the distinction between internal and external communications is artificial: a lot of data which is passing between two people located in the UK may be routed externally as part of its journey”.
“The distinction between contents and communications data too is increasingly meaningless”, she continues. There might have been a time in the postal age where it made sense to distinguish between the address on the envelope and the content of the letter. But in the modern internet age, Stratford points out, “a lot of potentially very intimate information about the person (such as what websites they visit, the content of their Twitter and Facebook address lists or the content of certain social media feeds) fall within the category of communications data”. In its recent judgment, the Court of Justice of the EU put it as follows: “those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them”.
Legally, the regulation of the information society and in particular of privacy in the internet age is of course a real challenge. “But while some would argue that this is a hopeless task and that we should not even try to deal with it through legislation”, Stratford notes, “when we have legislation on the statute book which is plainly out of date such as the distinction between contents and communications data we need to do something about it”.
Beyond the RIPA – the broader picture
There is therefore a pressing need for change in the rules governing the surveillance powers of the UK security services: clearer and more up-to-date rules, more circumscribed powers, better means of control and accountability, and so on. In that respect, an adverse judgment from Strasbourg is certainly likely to provide momentum for reform. Stratford in particular is confident “that the finding of a violation will, in some shape or form, lead to legislative amendments”. Even though this is a very sensitive area, she adds, “the controversy behind the prisoners’ voting rights in relation to which the government has thus far failed to implement the Strasbourg judgment is an isolated case”. It is indeed unlikely that the government will take a similar stance in this instance.
All these would of course be very welcome developments, but the legal response to the Snowden revelations needs to go much further both in the range of actors it targets and the range of areas it covers if it is to be truly successful.
First, the problem is not only at state level. Stratford herself hinted at the issue: “the advice was all about state surveillance, but there are serious questions about the extent to which private companies are also now increasingly collecting and/or processing our data, a matter that may well be even less regulated than what the state can do at the moment”. The obvious example is internet service providers. But recent proposals for reform include rules that would allow HM Revenue to sell our personal financial data to private companies or the care.data initiative, which may lead to the similar treatment of medical records. An ever-wider range of bodies is therefore increasingly likely to gain access to our personal data. The potential consequences of a poorly regulated private sector have been amply demonstrated in other contexts, including the financial crisis. For our privacy to be adequately protected, the legal constraints on the collection, use or sharing of information would therefore also need to apply to private bodies.
Second, the problem is not only domestic. Distinct issues arise from the international dimension of surveillance, which space prevents me from fully considering here. But I will mention one. It is very easy for the law to get lost in a global context, which results in legal loopholes that intelligence agencies can exploit to further their ends. How so? First, intelligence agencies can use each other to achieve what they alone cannot achieve at home. For example, although they may typically lack the power to spy on their own citizens (as opposed to foreigners) without a warrant, they can obtain the relevant information from their counterparts in other jurisdictions. The advice flags the possibility of GCHQ using the NSA as a backup system, a storing facility for data that it cannot lawfully retain itself. But the same can occur at the earlier stage of data collection. GCHQ could thus theoretically access the contents data of British citizens via PRISM, even though under the RIPA it cannot gather that information directly without a warrant. The potential for such practices to lead to abuses is apparent. In July 2013, a report of the Intelligence and Security Committee concluded that GCHQ did not breach UK law by using the US PRISM programme to access the content of private communications. In addition, intelligence services could theoretically exploit these loopholes to escape domestic forms of review and accountability. In the recent case of Khan v Secretary of State for Foreign and Commonwealth Affairs, part of the appellant’s argument was that GCHQ should be liable for passing on locational intelligence to US agents that was used to carry out drone strikes in Pakistan. The Court declined to give a ruling on the ground that this would involve serious criticisms or condemnation of the acts of a foreign state. Overall, the cooperation and information sharing between intelligence agencies may thus result in a situation where there is virtually no information that a government – provided it chooses its “friends” well – cannot freely obtain. In the absence of a more coordinated global response, domestic legislation could be amended in some of the ways suggested above, but the international dimension of the problem will remain.
Thirdly, part of the logic seems flawed. Justifying its decision to invite Snowden to testify in April 2014, the Council of Europe stated: “Edward Snowden has triggered a massive public debate on privacy in the internet age. We hope to ask him what his revelations mean for ordinary users and how they should protect their privacy and what kind of restrictions Europe should impose on state surveillance.” But if privacy is a right which the State is not only supposed not to unjustifiably interfere with but also actively and positively to further and protect, how is it that the burden has now shifted to citizens to protect their private sphere against State intrusion? How is it that we now have to fight for something to which we are allegedly entitled as a right? And how far is this duty supposed to go? Install software that preserves anonymity on the web? Quit Facebook, Twitter and the like? Viewed in that way, there is a risk of a broader crisis of the human rights discourse in the making. The rhetoric needs to be recast if a meaningful debate is to be had.
Fourthly, the problem is not only privacy. The Luxembourg Court itself highlighted that even the “vague feeling of surveillance [which these laws cause] is capable of having a decisive influence on the exercise by European citizens of their freedom of expression and information”. Woodrow Hartzog, an affiliate at Stanford Law School’s Center for Internet and Society argued that there is a distinct harm created by the knowledge of being monitored: “People under surveillance act differently, experience a loss of autonomy, are less likely to engage in self exploration and reflection, and are less willing to engage in core expressive political activities such as dissenting speech and government criticism”. In other words, surveillance makes us more vulnerable, less assertive, less intellectually and politically engaged. This is particularly worrying at a time of economic and financial turmoil, where policies of austerity and job insecurity weaken entire classes of the population, thereby undermining peoples’ ability effectively to organise in expressing dissent.
Finally, the problem is not only surveillance. The prevention of terrorism and other crimes has been used as a justification for all sorts of actions that many consider unacceptable. Preventative measures such as the freezing of funds or control orders, extra-ordinary renditions, targeted killings, special tribunals: these are all practices that intensified, even became normalised, in the post-9/11 era. And this is only the tip of the iceberg. The legal black hole that is Guantanamo Bay has spurred controversy ever since its creation. But only recently, a US Senate report revealed yet more horrific details about the torture methods used by the CIA in secret “black sites” around the globe, such as smashing prisoners’ heads against a wall. The Senate report also denounces the agency for lying about the alleged usefulness of the said “interrogation” techniques. Thus Al-Qaeda suspect Abu Zubaida is reported to have been water-boarded 83 times after disclosing intelligence information.
All this brings me back to the advice, and to the how. Stratford conceded that while there are broader issues that need serious consideration and review, they are “such political hot potatoes that we have to question whether any government will tackle them”. For things to change, she says, “there would probably have to be enough adverse pressure from some crisis – either building pressure from the Snowden revelations or some further different crisis that triggers a major inquiry”. But if our private sphere is invaded, public dissent and other forms of expression chilled or even suppressed, we have to ask where this pressure is going to come from and whether it could ever be strong enough to stop a phenomenon that is gradually permeating all strands of society. How long before ostensibly isolated “excusable” actions glue together into an irreversible whole? Some may buy into the argument that security comes at a price, and that our privacy is a price worth paying, but my point is that the security argument is at best overstated, that privacy is not the only price and that surveillance is not the only means. In Orwell’s Oceania or Zamyatin’s One State, surveillance is but one manifestation of a broader authoritarian society. It would likewise be a grave mistake to treat mass surveillance as the cause rather than a symptom – unless, of course, one chooses to remain under the comfortable and comforting illusion that this is all pure fiction after all.
[Our] mission is to subjugate to the grateful yoke of reason the…beings…who are…still in the primitive state of freedom. If they will not understand that we are bringing them a mathematically faultless happiness, our duty will be to force them to be happy. But before we take up arms, we shall try the power of words. (Zamyatin)