Ten human rights organisations from the UK, the US, Canada, Ireland and Hungary are challenging the lawfulness of mass surveillance by the UK and US governments in the European Court of Human Rights.
Privacy International and nine other human rights organisations have filed submissions to the court, in Strasbourg, in the first case to challenge the legality of surveillance programmes revealed by Edward Snowden.
The action follows a ruling by the UK’s Investigatory Powers Tribunal in June 2015 that the UK government had conducted unlawful surveillance of two non-government organisations, Amnesty International and the Legal Resources Centre.
The case will challenge the legality of mass surveillance conducted by the UK intelligence agencies directly, and the ability of UK intelligence agencies to bypass privacy safeguards by accessing emails, web browsing data and phone records collected and stored by the US National Security Agency.
“For years, the UK government has been secretly intercepting enormous volumes of internet traffic flowing across its borders,” said Caroline Wilson Palow, general counsel at Privacy International. “At the same time, it had, and still has, access to similarly vast troves of information intercepted by the US government.”
According to documents filed in court, the UK claims the right to intercept in bulk any communications that cross the UK, from UK citizens and foreign nationals, and asserts an “almost unfettered” right to communications obtained by the US and other countries.
“The UK intelligence services – the Security Service (MI5), the Secret Intelligence Service (MI6) and the Government Communications Headquarters (GCHQ) – can now intercept, store and analyse vast amounts of internet and telephone communications regardless of any individual ground for reasonable suspicion,” the NGOs argue in their application to the court.
Bulk interception by the UK and the ability of the UK security services to obtain vast troves of data from the US and other intelligence partners are both incompatible with the rights to freedom of expression and privacy guaranteed by Articles 8 and 10 of the European Convention of Human Rights, the submission said.
Vast archive of data
Under secret intelligence sharing agreements, the UK has access to a vast archive of data on UK citizens obtained by the NSA under Executive Order 1233.
Communications are obtained under programmes including Dishfire, which intercepted 194 million text messages a day, Co-traveller, which recorded nearly 5 billion records on mobile phone locations, and Muscular, which obtained communications directly from Yahoo’s and Google’s private datacentres, according to the leaked Snowden documents.
The NGOs claim that the UK: lacks a clear requirement for reasonable suspicion before putting people under surveillance; has given no clear statement of the offences that may give rise to surveillance; fails to place limits on the length of time surveillance can take place; lacks adequate procedures for the examination, analysis and storage of data; and fails to provide adequate authorisation or effective review of interception and sharing intercepted data.
The government argues that that intelligence obtained from the NSA and other intelligence services, under the 5 Eyes agreement, should not be subject to the same safeguards as its own interception powers. “But the reasoning is faulty,” say the NGOs. “Just because another country is conducting the interception does not lessen its intrusion.”
According to the application, a single warrant issued by the home secretary could, in principle, authorise the interception of the communications of every person in the UK and all residents of all other countries.
GCHQ’s mind-blowing surveillance technology
Karma Police maps every user visible on the internet with the websites that they visit to provide a web-browsing profile for each individual or a profile of every visitor to every visible website on the internet, according to Snowden documents. GCHQ has used Karma Police to identify people across hundreds of countries listening to internet radio stations broadcasting extracts of the Quran.
Black Hole is a data repository that contains raw logs of intercepted communications. According to a GCHQ PowerPoint presentation in 2009, it was used to store more than 1.1 trillion communications data records, adding about 10 billion new entries every day. About 41% of its content comprised people’s internet browsing histories. The rest included records of emails, instant messaging, social media activities, logs relating to hacking operations, and data on people’s use of tools to browse the internet anonymously. In 2011, GCHQ began the development of “unprecedented” techniques to perform “population-scale” data mining and monitoring all communications across entire countries in an effort to detect suspicious patterns of behaviour.
GCHQ uses Mutant Broth to sift through the data contained in GCHQ’s Black Hole data repository for intercepted cookies. It uses the cookies to help it monitor people’s internet use and uncover online identities. GCHQ has used the programme to harvest cookies from popular websites, including Facebook, YouTube, Amazon and BBC, according to a document in the Snowden archive. In a six-month period between December 2008 and June 2008, more than 18 billion records were accessible through Mutant Broth.
The government claims that “the resources required to process the data involved means that at any one time, GCHQ in fact only accesses a fraction of that small percentage of bearers (fibre optic cables) it has the ability to access”.
Documents released by Snowden suggest that the UK is intercepting data from more than 200 fibre-optic cables landing in the UK. The interception of the TAT-14 transatlantic cable alone would generate 34 petabytes of data a day – more than the data processed by Google per day in 2008.
“The necessity and proportionality of bulk interception of private communications is not determined by reference to whether a government agency has the money or technical resources to ‘process’ everything that it intercepts,” the NGOs claim in their application.
The NGOs argue that the UK now intercepts every book, magazine and newspaper read by people on computer, telephone or electronic tablet, effectively allowing the state to store and analyse the reading habits of the entire population.
A law requiring every individual to hand over a list of books, newspapers and magazines they were reading to the UK intelligence services, to be automatically analysed and checked for suspicious material, could not be reconciled by the European Convention on Human Rights.
Metadata needs safeguards
The government argued in court submissions that fewer safeguards were required for intercepting communications data, which might include the sender and recipient of emails, the time that communications were sent, or the address of a website visited, as the data is less intrusive than the content of communications.
But the NGOs claim that communications data should be subject to the same oversight and safeguards as content, because it allows precise conclusions to be drawn about people’s private lives, their daily movements and social relationships.
Their submission quoted the opinion of the Advocate General of the European Court of Justice: “The risks associated with access to communications data (or metadata) may be as great or even greater than those arising from access to the content of communications.”
“Through bulk surveillance programmes, the US and UK governments intercept the private communications and data of millions of people around the world,” said Ashley Gorski, staff attorney at the American Civil Liberties Union (ACLU) National Security Project. “Not only is bulk surveillance unlawful, but it has a deeply chilling and corrosive effect on political discourse and our personal communication.”
The case has been brought by Privacy International, ACLU, Amnesty International, Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre and Liberty.
How GCHQ and the NSA work together to capture the world’s internet traffic
Windstop is an umbrella programme for bulk interception which the NSA operates with the Five Eyes partners – the US, the UK, Australia, New Zealand and Canada. The programme aims to “develop a well-integrated, over-arching architecture to utilise unprecedented access to communications into and out of Europe and the Middle East”.
Marina is the NSA’s communications data depository, which is understood to be available to GCHQ. It holds a year’s worth of metadata on millions of people taken from targeted and bulk surveillance, including tapping of fibre-optic cables. The application provides tools that track people’s web-browsing history, gather contacts and content information and develop summaries of the target.
Xkeyscore is a Google-type search system for analysts developed by the NSA, and made available to GCHQ analysts. In 2008 it had 150 field sites, including in the US and the UK, made up of 700 servers. The servers store “full take” of intercepted data. Xkeyscore allows analysts to query the activities of people based on their location, nationality, and websites visited.
Incensor is the NSA’s fourth-largest cable-tapping programme, which takes more than 14 billion items of internet data a month from cables located in Cornwall, with the assistance of a British telecommunications company. It taps into two communications cables – Flag Atlantic 1, which links the east coast of North America to the UK and France; and Flag Europe Asia, which connects the UK to Japan, Egypt, Saudi Arabia and Asia.
Rampart A was created in 1992 with the aim of gaining access to high-capacity international fibre-optic cables at major congestion points around the world. The NSA operates the programme with foreign partners, which provide access to cables and host US equipment. It has access to more than 3TB of data a second, from voice, email, internet chat, virtual private networks and voice over IP, plus telephone call records.
Prism allows the FBI to send “selectors” to more than nine US-based communications service providers, which are required to send communications sent to or from the selectors to the US government. In the UK, GCHQ analysts can use Prism to obtain emails, photos and videos from US technology companies taking part in the programme. The companies included Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple at the time of the Snowden leaks. Prism is governed in the US under section 702 of the Foreign Intelligence Surveillance Act, which allows the NSA to gather intelligence on non-US citizens.
Upstream is a bulk collection programme run by the NSA which intercepts telephone and internet communications from the telecommunications backbone, including fibre-optic cables. GCHQ has access to intercepted material. Like Prism, it is governed in the US under section 702 of the Foreign Intelligence Surveillance Act, which allows the NSA to gather intelligence on non-US citizens.
Source: Factual Appendix: 10 Human Rights Organisations v United Kingdom and press reports.
(This report was updated on 30 September) ................................................................................................
Read more on Privacy and data protection
GCHQ bulk interception programme breached privacy rights, Strasbourg court rules
GCHQ mass surveillance regime was in breach of human rights law, European court rules
UK spies face landmark challenge over mass surveillance in human rights court
Bulk surveillance review is ‘fiction’, claims former NSA technical director