Legal net tightens on Prism in the UK as police investigate legality of US interception

The US Prism spying programme faces a potential criminal investigation in the UK following a complaint to police

The US Prism spying programme faces a potential criminal investigation in the UK following a complaint to the Devon and Cornwall Police.

The complaint, made under the Regulation of Investigatory Powers Act (Ripa), has been passed to the National Crime Agency (NCA).

Up to 20 million people in the UK may be affected by Prism, which requires nine technology companies to provide metadata on their customers’ internet activities to US intelligence agencies. 

The complaint, filed by freelance journalist Kevin Cahill, follows a public statement from the legal head of the US’s National Security Agency (NSA), Rajesh De, in which he confirmed that Prism is an official NSA surveillance programme targeted at non-US citizens.

According to the complaint, the Regulation of Investigatory Powers Act 2000 makes any form of interception of public or private telecoms systems a criminal offence, unless authorised by a warrant.

It argues that the NSA, which secured secret court orders in the US, has no legal jurisdiction in the UK.

Interception illegal in UK without a court order

The complaint follows confirmation by the Commissioner for the Interception of Communication, Anthony May QC, that interception of email and other communications is illegal under UK law without a court order.

May stated in his annual report to the prime minister that: “Section 1(1) of Ripa makes it an offence for a person intentionally and without lawful authority to intercept at any place in the United Kingdom, any communication in the course of transmission by means of a public postal service or public telecommunications system.”

Geoffrey Robertson QC, a leading human rights lawyer, has welcomed the police investigation and called on the government to go further by holding an independent judicial inquiry into Prism.

“The allegations that, under the Prism programme, US agencies are intercepting the electronic communications of some British citizens do raise important issues about compliance with UK law,” he told Computer Weekly.

“It is right that they should be investigated by the police, although it must be doubtful whether British police have the power or the ability to interrogate an American agency that has inscrutable connects with our own GCHQ. An independent judicial inquiry would therefore be more likely to get at the truth,” he said.

Questions over human rights 

May’s report, which acknowledges public concern over the potential for intrusive invasion of privacy, also raises questions over the legality of mass surveillance under the Human Rights legislation.

“Unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention of Human Rights just as much here as in other parts of the European Union,” he wrote.

In a letter to Cahill, May said: “Should you have evidence upon which the police can initiate an investigation concerning unlawful interception of your communications or those of other parties, I ask that you share it with them at the earliest opportunity.”

The Prism programme

The Prism programme was first revealed in internal NSA memoranda leaked to the Guardian and other newspapers in June 2013.

The companies named in the Prism orders are Apple, Microsoft (including Hotmail), Google, Facebook, Yahoo, YouTube, Paltalk, AOL and Skype.

In an address to the Privacy and Civil Liberties Board of the US Government in Washington, the NSA’s De said Prism orders were subject to the US legal system.  

“Collection under this programme [Prism] is done pursuant to compulsory legal process that any recipient company would have received,” he said.

The court orders seek a wide range of internet transactions: “Email, chat, video and voice, videos, photos, stored data, VoIP, file transfers, video conferencing, notification of target activity, logins, online social networking details, special requests.” 

The Liberal Democrat MP John Hemming, who is also a computer programmer and cryptographer, has expressed concerns about the legal implications of the Prism saga for the UK.

"I am worried that US companies believe that they are immune from UK laws," said Hemming.

Cahill, who filed the complaint, described Prism as an unlawful diversion from the fight against terrorism.

“By implication it makes about one-third of the UK population on the web terrorist suspects. Prism has profound implications for the integrity of the UK government and its willingness to protect us from surveillance,” he told Computer Weekly.

Legal concerns in Germany over NSA phone tapping

Executive bodies in Europe have been more vocal on US spying activities than the UK. 

News that Germany’s federal prosecutor is to investigate the NSA’s alleged tapping of premier Angela Merkel’s mobile phone has led German MP Konstantin von Notz, a member of the Bundestag's NSA inquiry committee, to suggest that all such surveillance of German citizens is legally unfounded.

"I assume that the tapping of Angela Merkel's cell phone must have involved active decisions by real people, whereas the monitoring of 80 million Germans would have been a matter of algorithms and people analysing the results. Both actions amount to violations of German law," he said.

“Whether you have a human being or a computer opening and scanning your letters for individual words, it's the same thing, because government authorities have gained this information.”

Evidence in the hands of the NCA

A spokesperson for the Devon and Cornwall Police confirmed that it had passed the complaint to the NCA. 

The NCA has stated that: “We do not comment on operational matters.”

Computer Weekly approached all nine of the companies named under Prism following Rajesh De’s statements on Prism. They declined to comment.

A copy of Anthony May’s letter has also been sent to Keith Bristow, the director of the NCA, together with the evidence submitted to the Devon and Cornwall Police.

Read more on IT governance