UK intelligence services have been taking advantage of gaps in the international rules to conduct bulk interception of Internet traffic. That practice came under scrutiny in the European Court of Human Rights, in a ruling that was released this week.

The case of Big Brother Watch and Others v the United Kingdom was brought to the Court by human rights activist groups who were concerned about the mass online surveillance being carried out by UK intelligence services. It has resulted in a ruling that lays out essential ground rules for protecting privacy.

Specifically, the European Court of Human Rights has ruled that the bulk intercept practices of Internet communications by UK intelligence services were unlawful, and has established that there must be independent oversight and that the warrants must be specific to a purpose.

This case is about the intelligence services intercepting people's private communications on the cables that carry Internet traffic around the world. Bulk intercept means they collect and store our emails, website visits, app usage, and other communications. They also collect the associated metadata - this is not what you said, but it is about the time you sent the message, who it went to, and the subject. They may do this without any specific target in mind. It is, in other words, about the automated analysis of data points from Internet, phone and app data, sweeping up millions of records on an exponential scale.

It resulted from information made public in 2014 by the whistle blower Edward Snowden, who revealed the existence of mass surveillance programmes carried out by the National Security Agency (NSA) in the US. These included PRISM, a programme for obtaining data from tech companies, and TEMPORA which involved the bulk storage of Internet data by GCHQ. As aspect of this case considered the exchange of bulk data between the US intelligence services and the UK.

The ruling is welcome confirmation that the bulk interception of online communications, as practiced by UK intelligence services, was in violation of privacy rights. The court said that the UK regime fell short of requirements under the European Convention on Human Rights. It made a point of saying that the bulk surveillance orders were made by a government Minister, whereas they should be made an independent judge. The orders were not sufficiently precise, leaving opportunities for over-reach and abuse of powers. The overall situation meant that individuals could not be sure that their privacy was being protected.

Given that the technology is continually evolving, it is right that the safeguards for users' privacy should also be put under regular review. The Ruling recommended that bulk interception should be accompanied by end-to end privacy safeguards, and subject to independent authorisation, supervision and review.

The dissenting judgment from Judge Pinto de Albuquerque went further however. He stated that bulk intercept opens up a new balance between privacy rights and national security. He criticised the UK regime, stating that the bulk intercept measures were created to "bypass safeguards under the existing system of international mutual assistance treaties" and to "take advantage of the lack of regulation" of new surveillance technologies, which in today's environment could include facial recognition and other biometrics.

Bulk intercept powers form part of the armoury of a modern surveillance state. In the current UK situation, where the government is taking powers away from Parliament and the judiciary, and seeks to weaken the right to protest, the ruling and the comments of the individual judges in this case are an alarm call. It is more important than ever that surveillance measures are subject to strong safeguards to protect people's privacy. We must remain vigilant that the government will follow the ruling with the necessary legal changes.

There is also the risk of knock-on effects for British businesses. Any failure to comply with the ruling could compromise the Data Adequacy decision from the EU. In light of the Schrems ruling, (CJEU Case C-311/18 of 18 July 2020). Businesses would have to consider the surveillance regime when making their legal contractual arrangements for transferring data to the UK.

The scant regard for privacy safeguards is repeated again in the Police, Crime, Sentencing and Courts Bill. The Bill contains provisions for data evidence gathering from mobile phones, but fails to properly regulate the amount of data that can be gathered or who can access it.

---

Case of Big Brother Watch and Others v the United Kingdom, European Court of Human Rights, Grand Chamber Judgment and Press release

Photograph: my own. Copyright Monica Horten 2015.

I discuss the Edward Snowden revelations in my book The Closing of the Net.

Iptegrity is made available free of charge. You may cite my work, with attribution. If you reference the material in this article, kindly cite the author as Dr Monica Horten, Visiting Fellow, London School of Economics and Political Science , and link back to Iptegrity.com.

About me: I've been analysing analysing digital policy for over 13 years. I hold a PhD in EU Communications Policy as well as a Post-graduate diploma in marketing. For many years I was a telecoms journalist, writing for the FT among others. I was an early adopter of the Internet and followed the introduction of the Single Market in the telecoms sector. I am interested in the effects of Brexit and technology. Please get in touch if you'd like to know more about my current research.

If you liked this article, you may also like my book The Closing of the Net which discusses the backstory to content online policy and it introduces the notion of structural power in the context of Internet communications . Available in Kindle and Paperback from only £15.99!

• Next >