Lucian Milasan -

Journalists’ confidential communications subject to unlawful spying, court hears

Campaign group Liberty and the National Union of Journalists tell Court of Appeal the government has not gone far enough to protect confidential journalist information and sources from surveillance

Journalists are having their confidential communications unlawfully spied on, the Court of Appeal heard yesterday (10 May 2023).

Campaign group Liberty told the court there are insufficient safeguards in the Investigatory Powers Act 2016 to protect journalists and their confidential sources from state surveillance.

The group claims that wide-ranging powers in the Investigatory Powers Act (IPA) mean journalists, lawyers and the general public are at risk of having their calls, text messages, internet history and other data collected and stored, regardless of whether they have done anything wrong.

The government has conceded that the UK’s mass surveillance law, known as the Snoopers’ Charter, does not provide adequate protection for confidential journalistic materials, which could include leaked documents, and confidential sources who provide journalists with information.

The campaign group claims the UK has not gone far enough to protect journalists from the risk that the police or the security services intercept confidential journalistic material or identify confidential journalistic sources.

Michelle Stanistreet, secretary general of the National Union of Journalists (NUJ), which is intervening in the case, said the Investigatory Powers Act had harmful consequences for journalists and their sources. “Without sufficient protections, blanket powers can be used by the government to undermine democracy and the public’s access to stories in the public interest,” she said.

Liberty argues that the IPA does not require state bodies to obtain independent authorisation from a judicial commissioner before carrying out searches for journalistic materials in all the circumstances required by the European Court of Human Rights (ECHR).

“Without sufficient protections, blanket powers can be used by the government to undermine democracy and the public’s access to stories in the public interest”
Michelle Stanistreet, NUJ

It argues, for example, that when intelligence agencies or police use search terms that are connected to journalists, or when searches are conducted that are likely to lead to the discovery of confidential journalistic material, the state should obtain prior independent approval from a judicial commissioner.

Communications data

On the first day of a three-day hearing, Ben Jaffey KC told the court it was not necessary for police or intelligence services to read the contents of a journalist’s electronic communications to identify their confidential sources.

The government issues bulk acquisition warrants to require BT and other communications services to disclose all communications data on their networks to the intelligence services on a rolling basis.

There are no provisions to protect confidential journalistic material, journalists’ sources or legally privileged material, he said, appearing before the president of the King’s Bench Division, Dame Victoria Sharp DBE, Lord Justice Stuart-Smith and Lord Justice Lewis.

“In relation to journalist material, communications data will be enough to identify a source. You don’t want to know the substance of the documents that have passed between them because that has been published,” Jaffey told the court.

Government agencies are required to obtain prior approval from a judicial commissioner to obtain a warrant to access confidential journalistic information.

Read more about Liberty’s court battles over surveillance

    But the protection does not apply in cases where journalists have been passed material considered unlawful, such as a leaked government document.

    “Whenever a minister or a civil servant leaks a document to a journalist, which happens every day of the week, that is a breach of the Official Secrets Act,” said Jaffey.

    Bulk personal datasets

    Liberty’s barrister told the court that bulk personal datasets collected by intelligence and law enforcement agencies could contain, for example, all the emails a particular company has sent or received, a copy of a hospital’s health records, flight records, or other data.

    He said there were no protections for journalists’ sources or confidential journalistic information retrieved from bulk personal datasets.

    For example, if a journalist was seen meeting a source in a cafe and the source was seen walking off to the tube, it would be possible to query a bulk personal dataset of tube journeys to identify the source.

    Equipment interference

    Jaffey told the court that equipment interference or hacking could also be used to bypass the need for prior authorisation to identify a journalist’s source.

    For example, if a journalist received a text message from a source, the government concedes that it would need to obtain prior authorisation from a judicial commissioner to obtain a copy of the message using bulk interception powers. But if the same journalist received a message through WhatsApp, which is encrypted, there would be no requirement to seek prior authorisation to recover the message through bulk equipment interference, or hacking.

    Secondary data

    The court heard that the Investigatory Powers Act 2016 had redefined information in electronic communications – previously classed as “content” under the earlier Regulation of Investigatory Powers Act (RIPA) – as “secondary data”, including communications and systems data.

    “The activity that people carry out on the internet that might be thought to be content – choosing who to like or not on a dating app, or which page of website to visit – is systems data,” said Jaffey.

    On a plain reading of the IPA, the court heard that search terms people type into Google would also be classed as systems data, though the government states that it does not use the search terms in this way.

    “The upshot of these provisions is that Parliament has reduced protection for content by deeming lots of things that people do on the internet involving content, as secondary data” said Jaffey.

    A government agency would need a targeted warrant approved by a judicial commissioner to intercept the content of communications of someone in the British Isles, under the “British Isles safeguard”. However, this does not apply to secondary data, even though in reality the secondary data contains the substance of the communication, said Jaffey.

    He told the court that, in practice, there were no safeguards to prevent legally privileged information being disclosed through secondary data. “There are many examples where legal privilege will be disclosed in communications data. One of them is the fact that an individual has instructed a lawyer, and the name of that lawyer. Another is whether a lawyer has managed to trace and contact a witness,” he said. “There will be cases [where] very sensitive information will be disclosed by communications data alone.”

    The court heard that the IPA requires law enforcement agencies to apply to a judicial commissioner if they want to keep copies of intercepted legally privileged communications.

    But Jaffey said there should be a requirement to obtain prior authorisation before obtaining legal professional privilege . “One of the difficulties, if one is directly targeting privileged material, is that once it has been selected for examination and read, it is difficult to unread,” he said.

    Jaffey said that under the IPA, much of the substance of communications between people would be treated as secondary data, rather than content, which was not the case under the previous RIPA legislation. This means the British Isles safeguard, which requires prior independent approval for obtaining data from someone on British soil, and protections for legally privileged communications between a lawyer and a client, does not apply when it comes to secondary data.

    “The lack of proper safeguards around bulk surveillance powers leaves journalists and lawyers particularly exposed to state spying – undermining the core pillars of our democracy”
    Megan Goulding, lawyer for Liberty

    “No basis or rational has been put forward as to why those safeguards were properly reduced,” he said. “Our short submission is there is no justification.”

    Bulk surveillance

    Megan Goulding, lawyer for Liberty, said the UK’s mass surveillance powers threaten privacy and freedom of expression and undermine democracy.

    “Bulk surveillance powers continue to allow the state to hoover up the messages, calls, web history and more of millions of people,” she said. “The lack of proper safeguards around these powers leaves journalists and lawyers particularly exposed to state spying – undermining the core pillars of our democracy.”

    The case follows a decision by the High Court on 8 April 2022 to give Liberty permission to appeal a 2019 court decision in the light of a landmark ruling by the European Court of Human Rights.

    Liberty, the Home Department, and the Foreign and Commonwealth Office agreed to delay the appeal application until after the European Court of Human Rights gave a judgment in the case of Big Brother Watch vs UK and further legal arguments were held in the Investigatory Powers Tribunal.

    The hearing continues. 

    Liberty’s appeal arguments

    Safeguards for journalists and sources

    The government agrees that the safeguards in the Investigatory Powers Act 2016 do not protect the confidentiality of journalists, their sources, or confidential journalistic material.

    Liberty argues that stronger safeguards should be introduced to project journalistic material and sources in line with a landmark court ruling in the European Court of Human Rights in 2021, in a case brought by Big Brother Watch.

    A judge or an independent regulator should approve any searches of intercepted communications data by the intelligence services that are likely to find confidential journalistic material, identify journalists’ sources, or make use of search terms that are known to be connected to journalists or news organisations.

    Lack of safeguards in bulk data collection

    The UK government has agreed that existing safeguards fail to protect citizens’ privacy when intercepted data is searched in a way that can identify people.

    Liberty argues that the search terms, known as “selectors”, used by intelligence agencies to search intercepted data should be independently authorised.

    The campaign group believes the use of “strong selectors” – search terms linked to identifiable individuals – should be subject to internal authorisation and an assessment of whether they are proportionate before they are used, and intelligence services should keep a record of the justification for their use.

    Sharing data overseas

    The secretary of state has discretion to share bulk surveillance data collected from the population with overseas intelligence services, without the legal safeguards provided for by the Investigatory Powers Act 2016 (IPA).

    Codes of practice developed for the IPA offer weaker protection for surveillance data shared with overseas intelligence agencies than the codes of practice under the earlier Regulation of Investigatory Powers Act 2000 (RIPA).

    There are no requirements to ensure that third countries have procedures to safeguard intercept material, to limit its disclosure and distribution, or to return or securely delete intercepted communications data when it is no longer needed.

    There are no requirements in the codes of practice for the UK to obtain an explicit agreement that a country receiving intercept material will not share it further.

    Bulk personal datasets

    Liberty argues there are no statutory requirements to limit the data on the population held in databases, known as bulk personal datasets (BPDs).

    BPDs hold personal data that might include financial records, medical information, records of emails, phone calls and text messages, location data and other information. The datasets hold records of the entire population – the majority of which are not of interest to the intelligence services.

    Liberty argues that state-held databases of private information should be sufficiently defined to allow citizens to foresee what information is likely to be retained.

    The campaign group states that, contrary to European case law, there are no restrictions in codes of practice to safeguard BPDs shared with intelligence agencies in other countries.

    Lack of safeguards for lawyer-client communications

    Liberty argues that independent authorisation should be required before the intelligence services examine legally privileged material and that access should be justified by an “overriding requirement in the public interest”.

    Read more on IT for government and public sector

    Data Center
    Data Management