Liberty heads for judicial review over Investigatory Powers Act

The UK's powers to conduct supsicionless bulk surveillance on individuals and organisations face a legal challenge in the high court next year

Human rights group Liberty has won the right for a judicial review into the Investigatory Powers Act 2016 in the latest legal challenge to the UK’s surveillance laws.

The high court held in a ruling released on 29 November that Liberty has the right to a judicial review of the government’s bulk surveillance powers.

The judicial review will rule on part 4 of the Investigatory Powers Act,which gives a wide range of government agencies powers to collect electronic communications and records of internet use, in bulk, without reason for suspicion.

Government agencies also have legal powers for bulk hacking of mobile phones and computer equipment, and to collate large databases, known as bulk personal datasets, that include data on people who are not suspected of any crime.

“This is a major step forward in our ongoing fight to put an end to mass surveillance by the state, and the latest in a series of important defeats on this subject for the government,” said Megan Goulding, solicitor at Liberty.

“The government must urgently reassess the invasively wide powers it has to snoop on our lives, and develop a proportionate surveillance regime that better balances public safety with respect for privacy.”

The decision follows an earlier judicial review brought by Liberty in April 2018 which found that key parts of the Investigatory Powers Act were incompatible with fundamental rights in EU law.

In that case, Lord Justice Singh and Justice Holgate ruled that the government was in breach of European law because it allowed the retention of person data of individuals for reasons which went beyond combating “serious crime”.

They also held that UK government bodies could also access the personal data of individuals without prior review by a court or an independent administrative body, in breach of EU law.

The ruling led the UK government to make some changes to parts the Investigatory Power Act following a public consultation.

The changes include changing the definition of serious crime – under which law enforcement and other government agencies can legally access the public’s internet and email data – from crimes that could attract a sentence of six months to those that could attract 12 months.

The Investigatory Powers Commissioner last year announced plans to appoint 13 judicial commissioners, who will have independent oversight of surveillance.

Liberty’s judicial review is part of long-running series of legal challenges by human rights groups over the Investigatory Powers Act.

The European Court of Human Rights ruled in September last year that GCHQ’s use of mass surveillance and online communications data breached privacy laws and lacked sufficient oversight and safeguards, in a case brought by Liberty and other human rights organisations.

The court found that the UK’s mass surveillance programmes did not “meet the quality of law” and were not capable of limiting “interference” to that “necessary in a democratic society”.

It acknowledged for the first time in the Strasbourg court that the interception of data related to people’s communications – including times and destinations of emails and phone calls, web pages visited and mobile phone locations – poses as serious a risk to individuals’ privacy as the interception of phone calls, emails and texts.

GCHQ focuses on hacking

One area of concern highlighted by human rights groups is the level of oversight of computer network exploitation – or hacking – by the intelligence services to gain access to private or commercial data held on networks, computer systems or mobile phones.

The electronic intelligence agency, GCHQ, is shifting the focus of its surveillance towards gathering intelligence through hacking computer systems, networks and mobile phones, according to a report by Parliament’s Intelligence and Security Committee.

It is working on a project, known as the Computer Network Scaling programme, which aims to “move the focus” of its intelligence- gathering towards accessing data by hacking computers and mobile phones.

The agency, which hired an extra 500 staff in 2016-17, is investing in the development of a high-end datacentre that is expected to give it more capacity to store and retrieve intercepted data.

Tinkerbell revisited

The Investigative Powers Act gave the Home Office powers to order technology service providers to hack their customers in the UK and overseas or to install backdoors on encrypted communications systems.

In an article published on 29 November 2017 , Ian Levy, director of the National Cyber Security Centre, and Crispin Robinson, technical director for cryptanalysis for GCHQ, argue for an alternative approach that they claim will be less intrusive and will allow communications companies to keep encryption intact.

They draw parallels to previous generations of phone tapping, in which engineers physically attached crocodile clips to a target’s phone line, and later phone taps that were made possible by using conference call capability to add the intelligence services as an unseen listener.

“It i’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” they wrote. “The service provider usually controls the identity system and so really decides who’s who and which devices are involved. They are usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”

According to the Intelligence and Security Committee, GCHQ’s is running a “licence to operate” project that aims to “improve” the way in which GCHQ complies with the law, particularly the Investigatory Powers Act .

Security service MI5 has a similar programme to “deliver the changes required for MI5 to operate compliantly and effectively” under the Act.

Plans for additional oversight of government orders to internet and phone companies requiring them to collect data on their customers’ email and internet use are behind schedule, however.

It emerged in court hearings this year that the Office for Communications Data Authorisations – which will oversee the authorisation of data retention orders – has been delayed by a year, following a series of IT problems.

Data retention notices

Parts 3 and 4 of the Investigatory Powers Act permit the secretary of state to issue a “retention notice” requiring telephone or internet companies to retain “relevant communications data” for up to 12 months.

Notices can be issued:

  • In the interests of national security;
  • For the purpose of preventing or detecting crime or preventing disorder;
  • In the interests of the economic wellbeing of the UK so far as those interests are also relevant to the interests of national security;
  • In the interests of public safety;
  • For protecting public health;
  • To assess or collect any tax, duty, levy ... or charge payable to a government department;
  • To assist investigations into alleged miscarriages of justice;
  • Where a person has died or is unable to identify themselves because of a physical or mental condition;
  • For exercising functions relation to (i) the regulation of financial services and markets or (ii) financial stability.

Read more on Privacy and data protection

Data Center
Data Management