The Snoopers’ Loophole: Why Winning Against GCHQ Is Bittersweet

Long Read
The Snoopers’ Loophole: Why Winning Against GCHQ Is Bittersweet

As Privacy International celebrates Friday's victory against Britain’s security services - the first such victory this century - we cannot help but feel the success is bittersweet. 

After all, we may have convinced the Investigatory Powers Tribunal that GCHQ was acting unlawfully in accessing NSA databases filled with billions of emails and messages, but with a few technical adjustments the intelligence services have managed to insure themselves against any further challenge, at least in domestic courts. 

Friday’s judgement represents both the triumph of civil society and privacy advocates in holding truth to power, and the failure of the justice system to constrain that power.

Intelligence Sharing

The sharing of surveillance material between intelligence agencies in the Five Eyes countries has received international media attention since Snowden’s revelations began. Leaked documents reveal that GCHQ has intermittently had unrestricted access to NSA bulk collection programmes PRISM and UPSTREAM over the past decade. 

The case brought by Privacy International, Bytes for All, and other civil liberties organisations argued that access to foreign intelligence material involves a serious invasion of millions of individuals’ privacy and could only ever be lawful where there are clear, detailed, publicly available laws protecting against arbitrary exercise of power. Before the tribunal, the government argued it did not need to publish the secret internal policies that govern its relationship with the NSA. 

In lengthy oral and written arguments, the government resisted any suggestion that they should have to publish those policies. In a closed hearing that Privacy International was banned from attending, GCHQ disclosed the policies to the Tribunal, which subsequently gave Privacy International a summary. 

The result was as shocking as predicted - GCHQ’s policies showed that the intelligence agencies operate within less than a handful of restrictions when it comes to accessing foreign intercepted material. Importantly, the court’s summary revealed that the government doesn’t even need to get a warrant in order to access most of that material. 

In response, Privacy International contended that the secret policies were so vague, so broad so as to not even constitute any genuine form of regulation, let alone a clear, detailed, publicly available law. Intelligence sharing, therefore, must be be unlawful. 

The IPT - a specially constituted court that has sole jurisdiction over all complaints related to the intelligence services and has never before decided in favour of a complaint against the security services - could not deny that, at the very least, all intelligence sharing prior to the publication of the secret policies was unlawful. That is the decision that was reached on Friday.

Yet the Tribunal also decided (in an earlier judgement of December 2014) that those policies, once published, were sufficient to make intelligence sharing lawful from December onwards.

What Changed?

One might ask, therefore, what changed in December 2014 to make the IPT conclude that after that date the US’s sharing of PRISM and UPSTREAM data with the UK was adequately “prescribed by law.” 

The answer? Not much. 

Under the Human Rights Act, infringements with the right to privacy have to be both “in accordance with the law” and “necessary and proportionate”. In this ruling, the IPT was considering whether the intelligence sharing agreements were “in accordance with the law”, meaning that there must be a clear, detailed publicly accessible legal framework regulating the use of a power which interferes with privacy. 

Prior to Privacy International bringing this legal challenge, there was no publicly available law, except for the overarching requirements that any information the intelligence services gather must serve the a number of legitimate purposes, and be necessary and proportionate. On Friday the IPT concluded this was not sufficient to make any information sharing between the UK and the US “in accordance with law.”

During the course of our case, UK intelligence services were forced to reveal to the Tribunal the content of some of their secret internal policies - including that most requests to another country for “unanalysed intercepted communications” occur where “a relevant interception warrant under the Regulation of Investigatory Powers Act of 2000 (RIPA)” has already been issued, but that some requests to the US for information occur without a relevant RIPA warrant in place, where it would not be technically feasible for GHCQ to obtain the information itself. The government was not required to disclose the policies in full to Privacy International, but rather to the IPT, which subsequently summarised them for the claimants in the case. 

Because of this limited disclosure made during the case, the Tribunal found that there was now sufficiently detailed legal framework in the public domain. They found that what is required is that the “appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication” of their contents.

They decided that they were satisfied that the arrangements were sufficiently signposted by virtue, predominantly, of the policies disclosed to the IPT in the closed hearings, and the summaries thereof made for Privacy International by the IPT. Accordingly, in their December 2014 decision, they ruled that from that point onwards NSA-GCHQ intelligence sharing under PRISM and UPSTREAM was lawful.

Falling Short

What was publicly disclosed, therefore, is little more than a Tribunal’s summary of secret policies disclosed in a secret hearing, which policies describe only the broadest of restrictions on the receipt of intelligence material by the UK, and remain buried in a 77-page long decision from the IPT, not enshrined in any accessible law or statute. 

We think that falls far short of what is called for by the “in accordance with law” requirement, and in the coming weeks will be appealing to the European Court of Human Rights to argue our case there, demanding an end to unlawful mass intelligence sharing, and ensuring privacy protections for all.