In his 1921 novel We, Yevgeny Zamyatin depicts a society where people – the Numbers – are  reduced to numerical entities; their existence programmed and synchronised to cold arithmetical perfection (they wake up and work at the same hour, at the same minute, “united into a single body with a  million hands”); their instincts and feelings brushed off as unknown mathematical values (“in her eyes, there was a strange irritating X”);  their individuality and humanity lost. The Numbers live behind the Glass  Wall, a structure much resembling Jeremy Bentham’s “Panopticon”, which  allows for constant watching and monitoring by the One State. We inspired Orwell’s famous dystopian novel 1984.  Here again, surveillance is a central weapon in the artillery of the  totalitarian regime. Telescreens overlook every corner of public and  private life. Winston Smith recounts in haste:

There was of course no way of knowing whether you were being watched at any given moment… It was  even conceivable that they watched everybody all the time… You had to  live – did live, from habit that became instinct – in the assumption  that every sound you made was overheard, and, except in darkness, every  movement scrutinised.

Prophecies?

The Snowden Disclosures

June 2013 Edward Snowden, former employee of the Central Intelligence  Agency (CIA) and contractor for the National Security Agency (NSA), the  successor of the so-called “Black Chamber”, began to uncover the  frightening details of global mass surveillance programmes carried out  by the NSA and other intelligence services around the world. The means  used to do so are countless: agreement with technology companies to  weaken encryption systems; partnerships with internet corporate giants  such as Google, Facebook, Microsoft or Skype to access directly  electronic communications; secret treaties between governments for the  sharing of information. The programmes too are numerous and use  technologies that (at least to a lawyer like myself) are even more  cryptic than the imposing acronyms behind which they hide – PRISM,  TEMPORA, MUSCULAR, to list but a few. There are no limits to the people  being targeted.  The tapping of the German premier Angela Merkel’s phone  of course ranked high in the headlines. And the latest revelations  include allegations of the NSA spying on prominent human rights  organisations such as Amnesty International and Human Rights Watch. But  anyone is liable to snooping, including completely innocent ordinary  civilians. In fact, at this stage, one can seriously question whether  States even know who is spying on whom, how and why: un foutoir at that, as the French would say.

Of course, this can hardly come as a complete surprise. Recent  history is populated with whistleblowers who have given us glimpses of  the daunting surveillance practices of our governments. As early as  1971, the leftist activist group Citizens’ Commission to Investigate the FBI  broke into the offices of the FBI and got hold of documents showing  that COINTELPRO (Counterintelligence Program) was used to spy on  multiple domestic political organisations and activists, including  Martin Luther King. In a book published in 1996, journalist Nicky Hager  confirmed rumours that ECHELON, a program created by the “Five Eyes”  (Australia, Canada, New Zealand, the UK and the US) to spy on the Soviet  Union during the Cold War, was being used to intercept vast amounts of  private and commercial communications. In the UK, former MI5 agent David  Shayler was prosecuted under the Official Secrets Act for disclosing,  among other things, the government’s monitoring of socialists. In the  last three years, Wikileaks too published various accounts of the  partnership between the corporate worlds and intelligence agencies  forged in a bid to control electronic communications.

But the novelty of Snowden’s disclosures is that they are  unprecedented in both scale and geographical scope. At once, the pieces  of a scattered puzzle are put together:  surveillance is a global,  omnipresent and indiscriminate beast. It seems there is hardly any place  left in the world for anyone to hide. Another dystopian novel? No Prime  Minister. This is just the hard reflection of a dark reality.

GCHQ

In the wake of Snowden’s disclosures, much public attention focused  on the NSA. But the grass is not always greener on the other side of the  Atlantic. The UK’s equivalent – the Government Communications  Headquarters (GCHQ) – may bear equal if not more responsibility for the  mass surveillance scandal.  Alongside MI5 and MI6, GCHQ is one of the  three main UK intelligence agencies. Its primary task is to provide  “signals intelligence”, that is to gather intelligence through the  interception of communications. Unsurprisingly, the agency operates  under complete secrecy. In fact, although first established just after  the First World War, its existence was only revealed in the mid-70s and  it was not until the adoption of the Intelligence Services Act in 1994  that its functions and powers were placed on a formal legal footing. The  leaks revealed GCHQ’s participation in the NSA’s PRISM program, the  primary tool used to access and monitor thousands of emails, chats,  video calls and other internet communications directly from internet  service providers, thereby also confirming the strong ties between the  two agencies. But they also exposed GCHQ’s own surveillance program,  TEMPORA, which has been used by the agency since 2011 to intercept and  process vast amounts of personal data.

The Stratford report

Jemima Stratford QC is one of two barristers who advised the All  Party Parliamentary Group on Drones on the legality of GCHQ’s actions.  She welcomed me in her chambers at Brick Court in Central London for one  of the few interviews they have agreed to since they published their  advice in January 2014 concluding that GCHQ’s actions were probably  illegal. The advice is timely, she says: “there had been a lot of  attention to Snowden’s disclosures but there hadn’t – in the UK anyway –  been so much attention on whether what is going on is lawful under our  existing laws, let alone on whether we need new laws altogether”.

The barristers were asked to focus on a number of specific scenarios  in their analysis, largely based on the Snowden disclosures. Of  particular interest for our purposes are the allegations that GCHQ is  engaging in the mass collection of data; that they retain and use that  data including to carry out “pattern of life” analyses (a term which  speaks for itself); and that they share much of that data with the NSA.  The advice thus addresses in turn the (1) mass collection, (2)  retention, (3) use and (4) sharing of data. They looked at the problem  in those distinct stages, she explains, “because it is analytically  helpful as those are the steps data goes through if one was to chop it  up”. But she thinks that there are problems at each of the stages and  that it would be wrong to say that one is more important than another.  In particular, she adds, “because the scenarios are a chain of events,  if any one of them were unlawful it would stop the chain at that point  and it wouldn’t avail the government to be able to say that step four  were lawful if step two has already been found to be unlawful. It is  thus important to bear in mind that they will need to account for every  single stage of the process.” In other words, if and to the extent that  collecting data in bulk is illegal, everything else is too.

“It might be that part of the authorities’ response will be that  there are things going on in slightly different ways or that we do not  know about”, she concedes. But “it seems at least not improbable that  GCHQ is indeed engaging in the mass collection, retention, use and  sharing of data”. For my part, I have little doubt that this is the  case. In fact, a large proportion of the reported 1.7 million  intelligence files extracted by Snowden are still to be properly  processed and publicly released. It may very well be that the situation  is far worse than the evidence currently suggests.

Legality under RIPA

Legally, the first question that arises is if the said actions of  GCHQ are even authorised under the relevant legislative framework – the  Regulation of Investigatory Powers Act 2000 (commonly known by its  ominous-sounding acronym “RIPA”), which, among other things, regulates  surveillance and the interception of communications. “Parts of the  report are necessarily legally a bit creative”, Stratford explains, “but  the early sections where we are founding our conclusions very firmly on  the terms of RIPA are black and white. It will thus be much more  difficult for the government to provide a robust answer to some of what  we say there”.

The RIPA is based on two important distinctions: the distinction between internal communications and external communications and the distinction between contents data and communications data.  Internal communications are communications between people located in  the UK. As a rule, their collection and use are subject to more  stringent control mechanisms than external communications, which consist  of communications received or sent outside the UK. Contents data is  data that pertains to the substantive content of a communication.  Likewise it is more stringently regulated than communications data (also  known as “metadata”), which consists of traffic data and other data  relating to the use made of any telecommunication system.

“The key point we make”, Stratford explains, “is that if there is mass collection of internal contents data,  this is always unlawful”. The advice points out that the RIPA is clear  in that respect: a warrant ordering the collection of internal contents  data has to be focused on specific individuals or places. In  other words, GCHQ cannot intercept communications between people located  in the UK in a bulk indiscriminate fashion. In fact, she adds, “if  carried out without a warrant – i.e. with only an authorisation – any  mass collection of contents data, including external contents data, is  equally always unlawful”.

In many other respects, however, the RIPA grants considerable powers  to the intelligence services. The advice highlights that communications  data, whether internal or external, can be intercepted and retained  simply by means of an authorisation and that there are virtually “no  restrictions on the uses to which intercept material might be put”: the  security services can retain and analyse any data, including the data of  non-suspects. Legally, the position in relation to the sharing of data  is even more obscure. The advice concludes that the RIPA probably does  not authorise the transfer of data to the NSA, but there is an added  layer of complexity in the UK. As simply as one could possibly put it,  Stratford explains: “in this country, the central government is treated  effectively as a normal person so that it can do everything that the law  does not prevent it from doing using their common law or prerogative  powers”. These are unwritten, undetermined powers, largely a vestige of  the Crown’s prerogatives, which are now effectively exercised by the  executive. In fields as sensitive and directly connected to citizens’  rights as this, Stratford continues, “we would seriously question the  appropriateness of the government relying on those powers”. But, she  admits, it would be very convenient if there were a complete regulatory  gap, for the government could argue that there is nothing formally  stopping them from cooperating with foreign authorities.

The RIPA ripe for change

Breach of privacy rights

Even so, this is by no means the end of the story. The RIPA or other  rules may sanction some of GCHQ’s activities but the inquiry has to go  further and look at whether the provisions of the RIPA that seemingly  “authorise” those activities are themselves unlawful.

The European Convention on Human Rights (ECHR) has been part of UK  law since the adoption of the Human Rights Act (HRA) in 1998. Article 8  states:

Everyone has the right to respect for his private and family life, his home and his correspondence.

The interception, retention and sharing of data all constitute (in  fact distinct and particularly serious) interferences with a person’s  privacy. While the right can be limited in a number of situations,  including in the interest of national security, public safety, the  economic well-being of the country and for the prevention of disorder or  crime, under the Convention, this is subject to a number of conditions.

First, the interference must be in accordance with the law. This does not mean that it is sufficient for there to be just any  kind of law sanctioning the interference. The law has to satisfy a  number of qualities: it has to be accessible, it has to be clear and it  has to be precise. These requirements are inherent in the concept of the  rule of law, which, even in a formal narrow sense, requires the law to  enable people to plan their lives with at least some degree of  certainty. It must therefore be possible for individuals to foresee the  circumstances in which governmental agencies can use their surveillance  powers.

Second, the interference must pursue a legitimate aim. National  security or the prevention of crime may be such legitimate aims, but the  government needs to prove that this is the objective being pursued and  must be able to do so in respect of each individual case in which surveillance is being used.

Last but not least, the interference must be proportionate to the  goal being pursued. This essentially means that even if a particular  surveillance operation is necessary for, say, national security, if  other measures are available that are less intrusive on a person’s  privacy, then the purported action is disproportionate and breaches the  right to private life.

Where does that all leave the RIPA? Well, not in a very good  position. In my view, the surveillance practices of GCHQ that the  barristers were asked to examine and that are seemingly authorised by  the RIPA are also illegal, given that the relevant provisions of the  RIPA are themselves contrary to the ECHR. The advice provides a very  thorough and insightful analysis of the different issues, but the main  problem can be summarised as follows: the RIPA grants almost unlimited,  unfettered powers to the executive. The advice thus notes that the rules  on the interception of external contents data provide “too wide a  discretion to the Secretary of State in respect of the categories and  kinds of documents that can be retained” and that those on communications data  provide “insufficient clarity about the circumstances in which the  executive may or may not authorise [their] interception”. Likewise the  barristers’ analysis reveals that there are virtually no restrictions on  the retention, use, and transfer of data. Everything is essentially up  to a single individual, thereby severely jeopardising the transparency  and predictability of the whole regime.

Ironically, the RIPA itself was partly meant to provide greater  respect for the right to privacy in this area. As Stratford point outs,  “the RIPA didn’t come from nowhere. It is the successor of other  legislation and in fact in part a response to some adverse judgments  from the Strasbourg court on that previous legislation”. Strasbourg’s  take on this “improved” version of the UK’s laws in this area will come  sooner rather than later as Big Brother Watch and other similar  organisations have brought proceedings challenging the legality of PRISM  and TEMPORA. Unusually, Strasbourg has decided to hear the case under  an expedited fast track procedure. In Stratford’s view, “the easier  point for the court to grapple with and use to find a violation would be  the lack of certainty in the law and therefore the fact that it would  be contrary to the requirement that any interference be in accordance  with the law. But this is not to say that there are not also  proportionality arguments. The indiscriminate interception and retention  of data, of whatever kind and solely by reference to the request of the  executive, is a disproportionate interference with the private life of  the individuals concerned”. Either way, she concludes, “there is a real  prospect, even likelihood, that the Court will find at least some  breaches”. This assessment is now further supported by the recent  judgment of the EU Court in Luxembourg in the Digital Rights Ireland  case, where it annulled the EU Data Retention Directive on the ground  that the indiscriminate retention of communications data constitutes a  disproportionate interference with the right to private life.

Lack of oversight

In addition, respect for the right to privacy requires that  safeguards be in place to prevent abuses. Yet existing monitoring bodies  are failing to do the job. The barristers were not asked to consider  the issue separately, but in short, Stratford observes, “there is now  outside government a fairly widespread recognition that the systems of  oversight are wanting and need to be looked at again”.

This is not surprising. Parliamentary oversight is weak at best. The  parliamentary Security and Intelligence Committee – the body nominally  responsible for scrutinising the activities of the UK’s intelligence  services – has been subject to severe criticism. “Some reforms have  recently been made to increase its resources”, Stratford notes, but many  claim that the committee lacks the necessary knowledge and expertise to  act as an effective watchdog.

Similar concerns have been raised as to the effectiveness of the  independent Intelligence Services Commissioner and Interception of  Communications Commissioner, which are tasked with providing independent  scrutiny of the surveillance practices of the intelligence services,  including by reviewing warrants. Tellingly, Sir Mark Waller – currently  the Intelligence Services Commissioner – was reported to have repeatedly  refused to appear before the House of Commons Home Affairs Select  Committee to answer for the actions revealed by the Snowden leaks.

Traditional judicial guarantees too are missing. The only judicial  body competent to hear complaints about the conduct of the UK’s  intelligence agencies, the Investigatory Powers Tribunal (IPT), is a  tribunal in name only. Stratford herself describes the IPT as an  “unusual creature” inasmuch as it “differs not only from the ordinary  courts and tribunals that operate in England and Wales, but even from  those that deal with sometimes extremely sensitive national security  matters”. She has in mind tribunals such as the Special Immigration  Appeals Commission (SIAC), which used to deal with cases arising from  control orders (essentially a form of house arrest, which was previously  used as a substitute for preventative detention) and now Terrorism  Prevention and Investigation Measures (commonly referred as “TPIMs”).  These cases typically involve the government relying on evidence that  they claim cannot be disclosed to the individual (what is commonly known  as “secret evidence”). These regimes are already extremely  controversial and repeatedly criticised as “Kafkaesque” but, Stratford  observes, “they at least developed quite sophisticated regimes for  dealing with national security issues, including the use of special  advocates”. By contrast, the workings of the IPT remain untransparent.  “It may be using special advocates too”, she notes, but there simply is  no way of establishing exactly how and why it reaches many of its  decisions. “Adverse decisions will often amount to no more than a sort  of judicial version of a neither confirm nor deny notice”, she adds:  “the person who complained to the tribunal may not know at the end of  the proceedings whether their complaint has been rejected because no  information is held, or whether it is because information is held but  there is some legitimate reason for holding it. There also is no  established right of appeal: individuals have to take a trip all the way  to Strasbourg if they wish to contest the Tribunal’s decision”.

Put into context, the situation is quite dramatic. Out of  approximately 1000 to 1500 complaints heard to date by the IPT, only  about 10 have been upheld. From the inside, the low figure is explained  by the fact that many complaints are allegedly “frivolous or vexatious”.  But there are reasons to be sceptical as neither the way the IPT  operates, nor the available evidence, exactly inspire confidence. Among  the handful of successful cases brought before the IPT, one involved a  local council spying on a couple in order to establish whether they  lived in the right school catchment area. It is therefore likely that  the low success rate might be better explained by a general reluctance  on the part of the IPT to intervene in the affairs of the security  services.

Anachronism

On top of strict legality issues, the RIPA has simply passed its  expiry date. Various parts of the advice make clear that the RIPA has  failed to keep up with technological advances. “Many countries  distinguish between external and internal communications”, Stratford  explains. “The US has a particularly stark approach which is that – to  characterise it very crudely – you can tread all over the rights of  foreigners in a way that is not considered acceptable for domestic US  citizens. But the distinction between internal and external  communications is artificial: a lot of data which is passing between two  people located in the UK may be routed externally as part of its  journey”.

“The distinction between contents and communications data too is  increasingly meaningless”, she continues. There might have been a time  in the postal age where it made sense to distinguish between the address  on the envelope and the content of the letter. But in the modern  internet age, Stratford points out, “a lot of potentially very intimate  information about the person (such as what websites they visit, the  content of their Twitter and Facebook address lists or the content of  certain social media feeds) fall within the category of communications  data”. In its recent judgment, the Court of Justice of the EU put it as  follows: “those data, taken as a whole, may allow very precise  conclusions to be drawn concerning the private lives of the persons  whose data has been retained, such as the habits of everyday life,  permanent or temporary places of residence, daily or other movements,  the activities carried out, the social relationships of those persons  and the social environments frequented by them”.

Legally, the regulation of the information society and in particular  of privacy in the internet age is of course a real challenge. “But while  some would argue that this is a hopeless task and that we should not  even try to deal with it through legislation”, Stratford notes, “when we  have legislation on the statute book which is plainly out of date such  as the distinction between contents and communications data we need to  do something about it”.

Beyond the RIPA – the broader picture

There is therefore a pressing need for change in the rules governing  the surveillance powers of the UK security services: clearer and more  up-to-date rules, more circumscribed powers, better means of control and  accountability, and so on. In that respect, an adverse judgment from  Strasbourg is certainly likely to provide momentum for reform. Stratford  in particular is confident “that the finding of a violation will, in  some shape or form, lead to legislative amendments”. Even though this is  a very sensitive area, she adds, “the controversy behind the prisoners’  voting rights in relation to which the government has thus far failed  to implement the Strasbourg judgment is an isolated case”. It is indeed  unlikely that the government will take a similar stance in this  instance.

All these would of course be very welcome developments, but the legal  response to the Snowden revelations needs to go much further both in  the range of actors it targets and the range of areas it covers if it is  to be truly successful.

First, the problem is not only at state level. Stratford herself  hinted at the issue: “the advice was all about state surveillance, but  there are serious questions about the extent to which private companies  are also now increasingly collecting and/or processing our data, a  matter that may well be even less regulated than what the state can do  at the moment”. The obvious example is internet service providers. But  recent proposals for reform include rules that would allow HM Revenue to  sell our personal financial data to private companies or the care.data  initiative, which may lead to the similar treatment of medical records.  An ever-wider range of bodies is therefore increasingly likely to gain  access to our personal data. The potential consequences of a poorly  regulated private sector have been amply demonstrated in other contexts,  including the financial crisis. For our privacy to be adequately  protected, the legal constraints on the collection, use or sharing of  information would therefore also need to apply to private bodies.

Second, the problem is not only domestic. Distinct issues arise from  the international dimension of surveillance, which space prevents me  from fully considering here. But I will mention one. It is very easy for  the law to get lost in a global context, which results in legal  loopholes that intelligence agencies can exploit to further their ends.  How so? First, intelligence agencies can use each other to achieve what  they alone cannot achieve at home. For example, although they may  typically lack the power to spy on their own citizens (as opposed to  foreigners) without a warrant, they can obtain the relevant information  from their counterparts in other jurisdictions. The advice flags the  possibility of GCHQ using the NSA as a backup system, a storing facility  for data that it cannot lawfully retain itself. But the same can occur  at the earlier stage of data collection. GCHQ could thus theoretically  access the contents data of British citizens via PRISM, even though  under the RIPA it cannot gather that information directly without a  warrant. The potential for such practices to lead to abuses is apparent.  In July 2013, a report of the Intelligence and Security Committee  concluded that GCHQ did not breach UK law by using the US PRISM  programme to access the content of private communications. In addition,  intelligence services could theoretically exploit these loopholes to  escape domestic forms of review and accountability. In the recent case  of Khan v Secretary of State for Foreign and Commonwealth Affairs,  part of the appellant’s argument was that GCHQ should be liable for  passing on locational intelligence to US agents that was used to carry  out drone strikes in Pakistan. The Court declined to give a ruling on  the ground that this would involve serious criticisms or condemnation of  the acts of a foreign state. Overall, the cooperation and information  sharing between intelligence agencies may thus result in a situation  where there is virtually no information that a government – provided it  chooses its “friends” well – cannot freely obtain. In the absence of a  more coordinated global response, domestic legislation could be amended  in some of the ways suggested above, but the international dimension of  the problem will remain.

Thirdly, part of the logic seems flawed. Justifying its decision to  invite Snowden to testify in April 2014, the Council of Europe stated:  “Edward Snowden has triggered a massive public debate on privacy in the  internet age. We hope to ask him what his revelations mean for ordinary users and how they should protect their privacy  and what kind of restrictions Europe should impose on state  surveillance.” But if privacy is a right which the State is not only  supposed not to unjustifiably interfere with but also actively and  positively to further and protect, how is it that the burden has now  shifted to citizens to protect their private sphere against State  intrusion? How is it that we now have to fight for something to which we  are allegedly entitled as a right? And how far is this duty supposed to  go? Install software that preserves anonymity on the web? Quit  Facebook, Twitter and the like? Viewed in that way, there is a risk of a  broader crisis of the human rights discourse in the making. The  rhetoric needs to be recast if a meaningful debate is to be had.

Fourthly, the problem is not only privacy. The Luxembourg Court  itself highlighted that even the “vague feeling of surveillance [which  these laws cause] is capable of having a decisive influence on the  exercise by European citizens of their freedom of expression and  information”. Woodrow Hartzog, an affiliate at Stanford Law School’s  Center for Internet and Society argued that there is a distinct harm  created by the knowledge of being monitored: “People under surveillance  act differently, experience a loss of autonomy, are less likely to  engage in self exploration and reflection, and are less willing to  engage in core expressive political activities such as dissenting speech  and government criticism”. In other words, surveillance makes us more  vulnerable, less assertive, less intellectually and politically engaged.  This is particularly worrying at a time of economic and financial  turmoil, where policies of austerity and job insecurity weaken entire  classes of the population, thereby undermining peoples’ ability  effectively to organise in expressing dissent.

Finally, the problem is not only surveillance. The prevention of  terrorism and other crimes has been used as a justification for all  sorts of actions that many consider unacceptable. Preventative measures  such as the freezing of funds or control orders, extra-ordinary  renditions, targeted killings, special tribunals: these are all  practices that intensified, even became normalised, in the post-9/11  era. And this is only the tip of the iceberg. The legal black hole that  is Guantanamo Bay has spurred controversy ever since its creation. But  only recently, a US Senate report revealed yet more horrific details  about the torture methods used by the CIA in secret “black sites” around  the globe, such as smashing prisoners’ heads against a wall. The Senate  report also denounces the agency for lying about the alleged usefulness  of the said “interrogation” techniques. Thus Al-Qaeda suspect Abu  Zubaida is reported to have been water-boarded 83 times after disclosing intelligence information.

All this brings me back to the advice, and to the how. Stratford  conceded that while there are broader issues that need serious  consideration and review, they are “such political hot potatoes that we  have to question whether any government will tackle them”. For things to  change, she says, “there would probably have to be enough adverse  pressure from some crisis – either building pressure from the Snowden  revelations or some further different crisis that triggers a major  inquiry”. But if our private sphere is invaded, public dissent and other  forms of expression chilled or even suppressed, we have to ask where  this pressure is going to come from and whether it could ever be strong  enough to stop a phenomenon that is gradually permeating all strands of  society. How long before ostensibly isolated “excusable” actions glue  together into an irreversible whole? Some may buy into the argument that  security comes at a price, and that our privacy is a price worth  paying, but my point is that the security argument is at best  overstated, that privacy is not the only price and that surveillance is  not the only means. In Orwell’s Oceania or Zamyatin’s One State,  surveillance is but one manifestation of a broader authoritarian  society. It would likewise be a grave mistake to treat mass surveillance  as the cause rather than a symptom – unless, of course, one chooses to  remain under the comfortable and comforting illusion that this is all  pure fiction after all.

[Our] mission is to subjugate to the grateful yoke  of reason the…beings…who are…still in the primitive state of freedom.  If they will not understand that we are bringing them a mathematically  faultless happiness, our duty will be to force them to be happy. But  before we take up arms, we shall try the power of words. (Zamyatin)