Chief inspector says UK surveillance law is broken
The UK’s Chief Surveillance Inspector responsible for oversight of the Regulation of Investigatory Powers Act (RIPA) has admitted that the UK’s surveillance law is flawed and lacks rigorous oversight.
Unlike the US spy agencies, Britain’s GCHQ is immune to Freedom of Information requests and almost always replies to journalists’ requests for information with a familiar boilerplate response:
It is long-standing policy that we do not comment on intelligence matters.
All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.
But in a recent article, the inspector responsible for oversight disagrees:
I was the Chief Surveillance Inspector at the Office of Surveillance Commissioners for eight years until August 2013. My own view is that the legal and policy framework is not strict and that oversight is not rigorous.
In my view, RIPA is flawed because it is permissive legislation. Apart from an interception, no covert surveillance – the acquisition of communications data, intrusive or directed surveillance or the use of a covert human intelligence source … – must be authorised before it can proceed (RIPA s.80). As Simon McKay (author of Covert Policing) correctly identifies, RIPA is essentially a “voluntary code”.
— Sam Lincoln, Surveillance under RIPA: Neither a strict legal framework nor rigorously overseen, UK Human Rights Blog
Under such a law, if the UK law enforcement or intelligence services wish to covertly wiretap the entire national phone network as they have done, there is no legal requirement for it to be “authorised”.
The author further quotes the UK’s current official legal definitions of “covert” and “surveillance”, which appear quite straightforward. This is different to the US where, for example, a law requiring a warrant to collect data is interpreted to allow unwarranted bulk collection simply by redefining “collect” in a secret intelligence court so that data is not considered “collected” until it is examined by an analyst.
The UK surveillance law needs no such trickery and just makes covert surveillance without warrant outright legal. Surveillance is broadly defined as any observation or recording of a person or their communications, and it is covert if done in a manner calculated to prevent the target from being aware of it.
By that definition, it is clear that GCHQ engages in what UK law considers mass surveillance of the entire nation and an unlimited number of foreign citizens whose data passes through the UK or its listening points.
This didn’t change when the Snowden leaks revealed the existence of GCHQ’s surveillance programmes. By definition, the fact that they continue to operate secretly (in some cases at the highest levels of top secret classification) and that GCHQ refuses to even comment on their existence means that what they’re doing is covert. That they collect such data on a national scale defines it clearly as mass surveillance.
Note that the GCHQ boilerplate statement makes no reference to human rights or privacy. They claim only that what they’re doing is legal and “necessary”, presumably meaning necessary to achieve their own (classified) goals.
Protecting human rights is not one of those goals. This is radically different to the UK’s police force, who take their responsibility to protect human rights seriously, and whose success or failure at this is subject to public scrutiny.
GCHQ views human rights legislation as an impediment to its work, and typically applies only a thin veneer of human rights measures in order to make token compliance with a minimum of restriction to their work. What they do would not be considered human rights.
Take the OPTIC NERVE programme, which recorded private Yahoo webcam conversations for 1.8 million users, including between 3% and 11% which contain nudity. Yahoo called this “a whole new level of violation of our users’ privacy”, and moved to encrypted communications to protect British users from their own government as a result.
Storing this much video in the long term would be extremely expensive, and it’s a fair bet that this was a factor when they decided to limit storage to one video frame per five minutes.
But GCHQ made the outrageous claim that this limited storage was done to preserve the human right to privacy, and that this was sufficient for the programme to comply with that right. GCHQ’s internal compliance officers were clearly so out of touch with the real world and unafraid of meaningful oversight that they signed off on this ridiculous compliance measure.
No reasonable person would accept the line GCHQ has drawn here. Britain hacked Yahoo and took screenshots of thousands of innocent people’s private cybersex sessions. Many consider it a violation of privacy even for consensual cybersex partners to take screenshots without permission, and it is a crime in the UK to do the same to an unwitting victim. Yet here the government sees fit to do this to their own citizens en masse.
We are talking about a system that Yahoo called not only a violation of privacy, but an unprecedented new level of violation, and GCHQ was able to convince its oversight committee that this was in keeping with citizens’ Article 8 privacy rights.
The former Chief Surveillance Inspector is right. GCHQ does not operate under effective oversight, and is wrong to claim otherwise.