Ruling: GCHQ-NSA Data Sharing Illegal

Privacy Rights Groups Plan EU Mass Surveillance Battle

In a landmark decision, a British tribunal ruled that a U.K. intelligence service broke the law by secretly using surveillance data collected by the U.S. National Security Agency. The ruling could have both U.K. and U.S. legislative repercussions, privacy experts say.

The U.K. Investigatory Powers Tribunal, which investigates complaints against Britain's intelligence services, has ruled that the Government Communications Headquarters intelligence agency illegally accessed mass-surveillance information collected by the NSA. The IPT's judgment says that GCHQ acted unlawfully, until December 2014, because it failed to disclose that it was using data about individuals in the United Kingdom that had been gathered by the NSA.

The ruling came in response to a complaint filed by four privacy and civil rights groups - Privacy International, Liberty, Bytes for All, and Amnesty International. The complaint alleged that GCHQ was conducting illegal mass surveillance.

In response, the IPT ruled that "the regime governing the soliciting, receiving, storing and transmitting by U.K. authorities of private communications of individuals located in the U.K. ... contravened Articles 8 or 10" of the European Convention on Human Rights, "but that it now complies with the said Articles." Article 8 guarantees the right to respect for an individual's private life and family life, while Article 10 guarantees freedom of expression.

The IPT ruling could impact how the U.S. collects and stores data pertaining to foreigners. "The ruling may also force President Obama to take action to honor his long-awaited commitment to protect the rights of non-U.S. persons," says privacy advocate Simon Davies, associate director of the London School of Economics LSE Enterprise program, in a blog post. "Now that the NSA is formally complicit in the abuse of rights of overseas residents, the president has a responsibility to take action to mitigate those violations."

Limited Ruling

Numerous privacy experts, however, have cautioned that the IPT's ruling is quite narrow. "The IPT's judgment ... is interesting because it is the first time it has been critical of anything the [intelligence services] do," data forensics expert Peter Sommer, professor of cybersecurity and digital evidence at de Montfort and the Open Universities, tells Information Security Media Group. "But it is quite limited, saying that there cannot be secret laws, or in this instance, a secret code of practice." That code of practice, which is two paragraphs long, came to light during IPT hearings into the privacy groups' complaint. With the code of practice now published, the IPT ruled that GCHQ was no longer breaking the law.

But the IPT rejected the main part of the privacy groups' complaint, which alleged that GCHQ was running an illegal mass-surveillance program. "In the view of the IPT, there is a distinction between mass collection of data and mass surveillance - surveillance only takes place when the data is looked at," Sommer says.

The groups filed their complaint in the wake of former NSA contractor Edward Snowden's leaks, after which the U.S. government confirmed the existence of its PRISM program to tap directly into the data centers of leading Internet companies and collect metadata.

The privacy rights groups now plan to challenge the IPT's judgment at the EU level. "The Tribunal believes the limited safeguards revealed during last year's legal proceedings are an adequate protection of our privacy," says James Welch, legal director for Liberty. "We disagree, and will be taking our fight to the European Court of Human Rights."

The IPT's ruling also leaves unanswered the question of potential compensation for anyone whose rights were violated by GCHQ. "The IPT also said GCHQ was only compliant after December 2014, raising the tantalizing question of how many people will seek remedies for what GCHQ did before then," Sommer says. Already, some of the privacy rights groups plan to ask the IPT if information about them was collected illegally - that is, obtained from the NSA - and if so, demand its immediate deletion. Privacy International, meanwhile, says it's exploring a related class action lawsuit.

GCHQ Reacts

GCHQ officials have seized on the IPT judgment as validation for the intelligence agency's practices. "We are pleased that the court has once again ruled that the U.K.'s bulk interception regime is fully lawful. It follows the court's clear rejection of accusations of 'mass surveillance' in their December judgment," GCHQ says in a statement.

But numerous privacy rights groups have asserted that GCHQ's practices may in fact be "mass surveillance" - and thus illegal - under EU law. Furthermore, the agency is only being held to account thanks to Snowden, says Eric King, deputy director of Privacy International. "For far too long, intelligence agencies like GCHQ and NSA have acted like they are above the law," he argues.

U.K. intelligence agencies are governed by the 1994 Intelligence Services Act, as well as the Regulation of Investigatory Powers Act, or RIPA, which established the IPT 15 years ago to handle complaints against GCHQ as well as the Secret Intelligence Service, which is also known as MI6.

But those laws have been derided by many critics as being opaque and outdated.

Unanswered Questions

To date, the British government has not appeared eager to debate those surveillance laws, either in Parliament or the public domain. For example, the government fast-tracked "emergency surveillance legislation" known as the Data Retention and Investigatory Powers Act, or DRIPA, which was signed into law in July 2014, just eight days after it was introduced to Parliament.

Sommer says that in the wake of the IPT's recent ruling, there's more work to be done. "All this shows the need for a complete overhaul of U.K. surveillance legislation to bring the language in line with how technology actually operates," he says. "Other elements requiring attention include the issue of data retention - is DRIPA compliant with the rulings of the European court?" That refers to the April 2014 ruling from the European Court of Justice that any directive requiring blanket - as opposed to targeted - data retention would violate Europeans' right to privacy and protection of their personal information. In other words, that ruling might mean that contrary to what GCHQ asserts, it is, in fact, conducting illegal mass surveillance.

Sommer says there are forthcoming reviews of the country's counterterrorism and surveillance rules - by the U.K.'s Independent Reviewer of Terrorist Legislation, David Anderson, as well as the Intelligence and Security Committee of Parliament. "Hopefully the upcoming reviews ... will provide sufficient balanced information to enable the public and legislators to produce a more balanced and transparent set of surveillance laws," Sommer says.

Already, the U.K. government may be making a new bid for transparency. The same day that the IPT released its judgment, the Home Office published a draft code of practice for hacking software and hardware - "equipment interference and interception" in British-government speak - for public comment.