Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

The Police and Criminal Evidence Act 1984 (PACE) allows the police to enter and search homes without warrant following an arrest for any offence. The police also have the right to stop and search any person on the street where they have a suspicion against the individual. The police stopped and searched over 1.1 million persons and vehicles in England and Wales in 2008-09, up 10 percent from the previous year.[45]

The Office of the Surveillance Commissioners reviews other investigatory techniques under RIPA Part II and the Police Act 1997.[46] Official figures give an insight into the extent of surveillance operations in the UK. There were 2,681 authorisations including 384 for "intrusive" authorisations for break-ins into homes under the Police Act 1997 and Part II of RIPA over 2008-09.[47] There were 16,118 authorisations by law enforcement and 9,894 from other public bodies for directed surveillance in the same period. The Commissioners have expressed concern about local authority use of surveillance powers, describing a "serious misunderstanding" of proportionality, inexperience of officers compounded with poor oversight, and "an increasing temptation to use innovative technology without properly considering the application of the legislation."[48] They have also stated that they have concerns about new technologies not yet addressed by Parliament including tracking devices, Automatic Number Plate Recognition (ANPR), covert cameras, and special identification dyes.

Wiretapping, access to, and interception of communications

Interception of communications is regulated by the Regulation of Investigatory Powers Act 2000 (RIPA).[49] Part I authorises the Home Secretary to issue warrants for the interception of communications and requires providers of "public telecommunications services"[50] to provide a "reasonable interception capability" in their networks. The Home, Northern Ireland, or Foreign Secretaries of State and the Scottish First Minister normally authorise telephone taps for national security purposes. It further allows any public authority designated by the Home Secretary to access "communications data" without a warrant. This data includes the source, destination, and type of any communication, such as mobile phone location information and partial web browsing logs (note that the full URL is considered content subject to a warrant). Part III of RIPA allows senior members of the civilian and military police, customs, and members of the judiciary to demand that users hand over the plaintext of encrypted material or, in certain circumstances, the decryption keys. Part II sets rules on other types of "human intelligence" powers that had not been previously regulated under UK law. Many legal experts believe that a number of RIPA's provisions violate the ECHR. The Home Office has issued dozens of codes and regulations on its use in the past five years.[51] Currently, evidence obtained from interceptions is not admissible in court although there is a vigorous debate about changing this.

Over 200 agencies, police forces, and prisons are now authorised to intercept communications. Official figures give some indication of how frequently communications are intercepted. In 2009, there were 1,706 warrants for interceptions of telephone and mail issued in England and Scotland under RIPA (down marginally from 1,712 in 2008) and 5,267 modifications (down from 5,334).[52] The government refuses to disclose the number of national security interceptions, claiming that releasing this information could undermine public security.

Requests for communications data are very common, and do not require the grant of a warrant. In 2009, there were over 500,000 such requests. A revised code of practice on acquisition and disclosure of communications data was adopted in October 2007.[53] All police forces, intelligence, and security agencies, 474 local authorities, and 110 other public authorities have the authority to obtain access to communications data. There is evidence that RIPA has been used to obtain information unrelated to serious crimes, which has caused heated controversy.[54] In August 2010, for example, a council in Dorset was revealed to have spied on a family to see if it lived in the right school catchment area.[55] The Conservative-Liberal coalition has indicated that it will not permit local authorities to exercise powers under RIPA unless they are approved by a magistrate and required for preventing serious crime.[56] At the time of writing, these changes have not been implemented.

Requests for interceptions and communications data are reviewed by the Interception of Communications Commissioner, a former high court judge who acts more as a cheerleader than a watchdog for the process.[57] A new Commissioner was appointed in April 2006. Every year the Commissioner has found errors in the process but has also decreed that they were not deliberate and were appropriately remedied. Examples included tapping wrong numbers or monitoring domestic targets using the intelligence services. 36 interception-related errors were recorded in 2009. In one notable case from 2008, using IP data, a person was misidentified as being involved in a paedophile ring and was arrested.

The Investigatory Powers Tribunal hears complaints from individuals who allege that they have been subject to illegal surveillance. It received 157 complaints in 2009, up from 136 complaints in 2008. In 2009, the Tribunal found in favour of one complainant for unauthorised interception.

There is a long history of illegal wiretapping of political opponents, labour unions, and others in the UK.[58] In the late 1970s and 1980s, MI5, Britain's security service, tapped the phones of many left-leaning activists including current MPs and members of the government. Following strong criticism from the European Court of Human Rights (ECtHR), several changes were introduced. In 1985, the ECtHR ruled that police interception of individuals' communications was a violation of Article 8 of the ECHR,[59] which resulted in the adoption of the Interception of Communications Act 1985. The ECtHR ruled in 1997 that police eavesdropping on a policewoman violated Article 8, which resulted in the adoption of RIPA.[60] The ECtHR ruled in April 2007 that monitoring an employee's telephone, email, and Internet usage violated Article 8.[61] In July 2008, the Court ruled that the bulk "strategic monitoring" of all communications between the UK and Ireland violated Article 8.[62] There has also been considerable controversy about the legality of ISPs using a system to monitor the traffic of their users for advertising purposes.[63]

National security legislation

The United Kingdom has an extensive system of anti-terror legislation that has developed over the past 100 years. Five major anti-terrorism statutes have been introduced in the last ten years.

In December 2001, Parliament approved the Anti-terrorism, Crime and Security Act (ATCS).[64] ATCS allows the Home Secretary to issue a code of practice for the "voluntary" retention of communications data by communications providers for the purposes of protecting national security or preventing or detecting crime that relates to national security.[65] Under ATCS, some communications data can be retained for up to a year. An opinion commissioned by the ICO found that access to information retained under ATCS for non-national security purposes would violate human rights and would be unlawful.[66]

The Terrorism Act 2000 allows the police to stop and search individuals where there is a "reasonable suspicion" that such individuals are involved in terrorist activities.[67] Up until July 2010, the police were able to obtain authorisations to stop and search individuals and vehicles without suspicion in certain designated areas (including the whole of London). In a landmark ruling from the ECtHR, the power to stop and search individuals without suspicion was declared a violation of Article 8 of the ECHR.[68] Following this decision, Home Secretary Theresa May announced in July 2010 that the police would no longer be able to obtain authorisations to search individuals without suspicion, and that vehicles may only be searched where there is "reasonable suspicion" that the relevant individuals are involved in terrorist conduct.[69] It is important to note that the power to stop and search individuals without suspicion will remain law until the relevant provision is repealed or amended, and could be reinstated by a decision of the Home Secretary in the future.[70]

Official figures show the extent to which stop and search powers under the Terrorism Act have been used in the past few years. There were over 210,000 stops in 2008-09, an increase of 66 percent from the previous year. Less than 1 percent of these stops resulted in an arrest.[71] The NGO Statewatch estimates that many of these stops are made under other legislation and that the official figures represent only half of actual incidents. Individuals of Asian origin are 30 percent more likely to be stopped than other races in London, but thousands have been stopped without reason in an attempt to try and balance the statistics.[72]

Additional legislation was adopted following the London bombings in July 2005. This focused on other aspects including detention periods, "control orders", and increasing penalties for "encouraging" terrorism.[73] The Counter-Terrorism Act 2008 extends the possibilities for collecting DNA and fingerprints.[74]

Data retention

The provisions of the EU Data Retention Directive have been implemented into UK law by the UK's Data Retention (EC Directive) Regulations 2009 ("Retention Regulations"), which came into force in April 2009. The Retention Regulations require that all traffic data, including Internet usage data and mobile location data, be kept for one year. Previous legislation only covered traffic data generated by telephony services. RIPA (see above) sets out which bodies may access retained communications data. A proposal for creating a national database of all communications data was withdrawn after widespread public opposition, although the former government offered companies '2 billion to maintain the capability themselves.

The Home Office then set out proposals in April 2009 to extend requirements on Communications Service Providers (CSPs) to collect, retain, and use communications data. This initiative, known as the Interception Modernisation Programme (IMP), would have required CSPs to collect and retain even more communications data than they do at present. The scope of the data collection and retention obligations under IMP were wide, and would have included data that were not processed for business purposes, such as data relating to Internet-based services, and data that were not subject to the Retention Regulations. CSPs would have been required to organise and process these additional communications data, matching their own data to those of third parties where they had features in common (for example, where they related to the same person or to the same communications device). The government's stated objective was to keep up with developments in communications technology and "to find ways both (i) to ensure that all the potentially relevant data is collected and retained; and (ii) that it is done in a way that allows public authorities to put together an increasing number of fragments to make a coherent whole."[75] The government framed IMP as an attempt to "maintain" the existing capability of public authorities to access and use communications data. The ICO certainly did not accept that IMP was merely about preserving the status quo; on the contrary, it expressed in stark terms that the proposals would "represent a step change in the relationship between the citizen and the state."[76] IMP was reported to have been shelved in autumn 2009. The largest organisation of ISPs condemned this initiative as intrusive and illegal.[77]

National databases for law enforcement and security purposes

The previous Labour government demonstrated an inclination towards the creation of large databases as repositories of information to be used in the fight against crime and in the promotion of wider security. There are indications that the current Conservative-Liberal coalition does not agree with this approach. However, some concerning initiatives are still ongoing. The National Health Service has been in the process of creating a national database of patient records that will have few limits on access. Civil society and doctors' groups have been urging patients to opt out of the system.[78] The project has had significant technical problems and the government remains locked in a '700 million legal dispute following the withdrawal of a major supplier in 2008.[79] There have been reports of officials attempting to coerce patients to stay on the system.[80]

Among the initiatives introduced by the former Labour government was a national database of 11 million children under the Children Act 2004.[81] Under this initiative, over 300,000 people had access to children's personal data. Children's advocates and the Parliamentary Joint Committee on Human Rights rightly expressed their concern that the tool violated Article 8 of the ECHR.[82] This database was shut down by the Conservative-Liberal coalition government in August 2010.[83]

The UK has the largest per capita DNA database in the world. It has grown rapidly in the last ten years to contain over 5 million samples.[84] The law was amended in 2001 to allow for the inclusion of samples from individuals who have been acquitted and who have not been charged with an offence (except in Scotland). The law was further amended in 2003 to permit requests for samples in any arrest, no matter how minor or dubious the crime. Over 7 percent of the population is now included in the system and this includes over 800,000 people who have never been convicted of a crime. A number of judges and senior police officers have called for the expansion of the database to cover the entire population.[85] The House of Lords ruled in 2004 that DNA and fingerprints could be retained even if there was no conviction.[86] However, following a public inquiry, the Human Genetics Commission opposed the retention of samples of unconvicted persons.[87] It was revealed in 2006 that a private company, involved in testing DNA for the government, had been retaining samples secretly, and that the Home Office had given permission for a separate study to investigate whether ethnic backgrounds could be determined by the database.[88] There are also proposals to keep genetic profiles in the national health database currently being constructed.[89] Going forward, the government is likely to face pressure to significantly reform these and other similar information repositories.

In a key decision in December 2008, the Grand Chamber of the European Court of Human Rights unanimously ruled that the UK's system of retaining DNA profiles, samples and fingerprints violated Article 8 of the ECHR. The decision rejected the UK's DNA retention policy in strong terms, stating that it was "entirely improper and prejudicial" for samples to be retained where there was no "reasonable relationship of proportionality to the purported aim of crime prevention."[90] The government responded to this by launching a consultation recommending the retention of information relating to unconvicted persons for six to 12 years. The Association of Chief Police Officers (ACPO) has also urged senior police officials not to follow the ruling and deny requests from those asking to be removed from the database.[91] There is some evidence, however, that the new Conservative-Liberal coalition is willing to more closely align current policy with the Grand Chamber decision. The coalition intends to adopt protections for the DNA database that are similar to those in place in Scotland, where DNA samples from people arrested but not convicted of any other offence must be destroyed after a maximum of five years.[92]

National and international data disclosure agreements

Nothing to report.

Cybercrime

Nothing to report.

Critical infrastructure

Nothing to report.

Territorial privacy

Video surveillance

There has been a proliferation of CCTV cameras throughout Britain. It is estimated that there are over 4 million cameras in Britain, and that the average citizen is recorded over 300 times each day.[104] The camera networks can be operated by police, local authorities, or private companies. Their original purpose was crime prevention and detection, though in recent years the cameras have become important tools for city centre management and the control of "anti-social behaviour". Many of the systems have been enhanced with technology for facial recognition but the agencies that have installed the systems admit that the technology has yet to result in an arrest. It is understood that most CCTV cameras are not operated in compliance with requirements of the DPA.[105]

More concerning for the ordinary citizen is the fact that CCTV systems are now being used in connection with other databases. In London, a system for "congestion charging" uses a sophisticated number plate recognition system to charge motorists who drive into central London during business hours. It was revealed that the system was organised in cooperation with the intelligence services, who use it with facial recognition systems to monitor drivers.[106] The NGO No CCTV has also revealed via freedom of information requests that the police intend to make ANPR a "core policing tool".[107] Traffic cameras have also spread across the country. In 2009, the Information Tribunal rejected an application by Privacy International to review the waiver of data protection rights for all number plate identification cameras in central London.

There is a growing body of research demonstrating that these cameras are not very effective as crime prevention tools.[108] The Metropolitan Police have revealed that only 3 percent of crimes are solved using CCTV.[109] An internal report released in 2009 found that only one crime was solved per 1,000 cameras.[110] An earlier Home Office study had also identified many problems with these systems. In all but one area studied, crime did not show a statistically significant decrease and even increased in a majority of areas. CCTV also did not improve perceptions about safety significantly and did not change behaviour. In nearly half of the areas, support for CCTV and its perceived effectiveness declined once it was installed.[111] The ECtHR ruled in January 2003 that a Council's release of CCTV footage of an attempted suicide for a campaign on CCTV violated the relevant person's Article 8 right to privacy.[112]

Video surveillance has become more intrusive. Some cameras are fitted with facial recognition technology to identify suspects, and in the last few years there has been a vast rise in the number of cameras incorporating automatic car number plate recognition software (ANPR). In February 2010, the Association of Police Chief Officers revealed that 10,502 ANPR-enabled cameras were passing information to the National ANPR Data Centre.

Between 10 and 14 million photographs are being processed every day, many of which contain images of the vehicle's driver and front-seat passengers. These images will be retained for at least two years. Law enforcement agencies in other EU member states can use the database under the Pr'm Treaty, and in April 2008 it emerged that the government has also granted access to the USA.

In January 2010, an Independent on Sunday report revealed that police are using the technology to meet government performance targets and raise revenue. The report also said that records stored on the ANPR database are "at least 30 percent inaccurate" leading to wrongful arrests and car seizures.[113]

In June 2010, an investigation by The Guardian revealed that 150 ANPR cameras, 40 of them "covert", have been installed in predominantly Muslim areas of Birmingham's suburbs to monitor individuals suspected by security agencies of being "extremist".[114] Local councillors and members of the Muslim community had been told it was to tackle vehicle crime, drug-dealing, and anti-social behaviour. On 17 June 2010, use of the cameras was temporarily suspended pending a "full and in-depth consultation".

Location privacy (GPS, mobile phones, location based services, etc.)

Nothing to report.

Travel privacy (travel identification documents, biometrics, etc.)and border surveillance

Nothing to report.

National ID and smart cards

The Conservative-Liberal coalition government has announced its intention to cancel the controversial ID cards programme. Parliament is currently discussing a bill intended to repeal legislation implementing ID cards along with the National Identity Register and the next generation of biometric passports.[115] Given the widespread support the bill enjoys amongst members of the coalition, its passage into law is highly likely, although the legislation implemented by the former government remains in effect at the time of writing.

There has been no national ID card in the UK since 1952, when the House of Lords ruled that requiring the disclosure of the card was not lawful and the National Registration Act was repealed.[116] Since that time, the issue came up every few years and was soundly rejected each time due to public opposition. After 11 September 2001, a series of Home Secretaries proposed the card as a solution while at the same time admitting that it would not stop terrorism, and it was adopted as a government position in 2004.

The Identity Cards Act was approved in March 2006 after years of contentious debate and heated opposition from various parties.[117] The Act requires the creation of a central National Identity Register and the issuing of "voluntary" ID cards that will include biometric identifiers. The legislation includes heavy penalties for a large number of new offences including failing to register to receive a biometric scan, and to update a home address. It gives the Home Secretary the power to issue regulations to vastly expand the scope of the scheme, including making the ID card mandatory for certain classes of people and extending use of the register and the types of information held in it. As indicated above, legislation is pending to repeal these proposals.

The bill was only adopted in the face of a constitutional crisis after the Lords refused five times to agree to the bill as adopted by the House of Commons. The bill was strongly opposed by a wide variety of groups including the Conservative party (the official opposition which initially supported it), the Liberal Democrat party (the third largest political party), the Law Society, and the Information Commissioner.[118]

The Act called for phasing in the National Identity Scheme over ten years or more years starting in 2008 with biometric visas for non-EEA nationals followed by young people in 2010. Most other implementations have been delayed until 2011 or later. Documents released by the Labour government in March 2007 indicate that they planned to make the scheme universally compulsory by 2014 if the Labour Party were to win the 2010 election. Progress in implementing the scheme was due to technical issues, and by 2008 a number of the major technology companies had withdrawn from the project.[119] The first contract was issued in August 2008 to defence contractor Thales.[120]

Estimates suggested that the scheme could cost at least '15 billion to implement, and billions more to integrate with existing public and private sector systems, but the government refused to release many details of the costings claiming reasons of commercial confidentiality.[121]

There was continued opposition to the scheme even after its adoption. Public support dropped from 80 percent to around 50:50 for and against, and 82 percent of the public believe there is a danger their personal information will be divulged improperly from the ID database.[122] Polling from the Home Office estimated that at least 15 million people would refuse to register for the database.[123] The Conservative Party announced it would cancel the scheme when next elected into power. The Foundation for Information Policy Research (FIPR) estimates that more than 200,000 illegal requests for information are made each year by private investigators under false pretences.