London, United Kingdom (HRW) – A surveillance bill the United Kingdom government presented to parliament on November 4, 2015, would enshrine the UK’s already overly broad surveillance practices in law and expand the government’s reach even further into people’s lives, Human Rights Watch said today.
While the Investigatory Powers Bill includes some improvements to the existing legislation, they do not go far enough to ensure that human rights would be adequately protected.
“Instead of heeding widespread calls to bring investigatory powers in line with human rights standards, the government is seeking to legitimize mass surveillance,” said Izza Leghtas, Western Europe researcher at Human Rights Watch. “The bill as it stands is not only a threat to the privacy of millions of people in the UK and abroad, but also sets a dangerous example for other governments.”
The Investigatory Powers Bill is meant to consolidate UK laws governing surveillance and to replace the Data Protection and Investigatory Powers Act 2014, which is set to expire on December 31, 2016. The 2014 act was introduced under an emergency procedure, leaving inadequate time for scrutiny by parliament and nongovernmental groups. By contrast, the current bill is expected to be subject to a regular parliamentary timetable.
Mass surveillance by UK intelligence agencies has been under the spotlight since June 2013, when the former US National Security Agency (NSA) contractor Edward Snowden began releasing evidence of the UK’s far-reaching and intrusive surveillance practices. Yet, over the past two and a half years, the UK government has expanded, not reduced, its surveillance capabilities. It has refused to engage in a public debate about specific practices, although it did ask the independent reviewer of terrorism legislation, an independent expert appointed by the government, to examine the UK’s legal regime for surveillance.
Presenting the new bill in parliament, Home Secretary Theresa May claimed that it provides “some of the strongest protections and safeguards anywhere in the democratic world.” Yet the Snowden revelations exposed the UK government’s extraordinary surveillance powers, which it has exercised without meaningful oversight, and the draft law would do little to change its practices or give the millions of people caught in its dragnet collection recourse to defend their privacy.
Key aspects of the bill include:
- The bill would preserve current blanket data retention requirements for communications data and add a new requirement for communications service providers to retain users’ “Internet connection records” for up to 12 months. As described in the government’s explanatory notes, this requirement means that the government could get a list of all the websites a person visits or online services they use for up to a year. Even though this would not provide access to the specific pages of a website the person visited, it would be highly revealing of a person’s online activity and could result in self-censorship with a chilling effect on free expression. It would also breach the right to privacy and to information, given that it applies to all users regardless of whether they are under suspicion. Intelligence agencies and police would be able to access such communications data without a warrant or review by a judge. Although judicial approval is required for police to gain access to journalists’ sources, it would not be required for intelligence agencies to get this access.
- The bill would make explicit the legal authority for intelligence and security agencies, the police, and the armed forces to hack into computers, networks, and mobile phones (“equipment interference”), on both a targeted and bulk basis. Although a judge would have to approve warrants for hacking, the targets could be broadly defined even under targeted interference warrants.
- It would provide an explicit legal basis for intelligence and security agencies to intercept and collect communications in bulk. Although such practices would have to be approved by a judge under the new bill, it would preserve many of the mass surveillance practices Snowden revealed, including the Tempora program, which involved tapping into cables that carry Internet traffic to and from the UK.
- The bill would allow authorities to require private companies to carry out hacking, interception, and data collection orders. For example, companies would be required to “maintain technical capabilities” to assist such actions and remove “electronic protection” used by the company to safeguard communications or data. Depending on how these provisions are applied, they could undermine the security of popular Internet services, especially if they require companies to weaken encryption or to redesign encrypted services to include “back doors” for UK authorities. Certain warrants could also be served extraterritorially on companies outside the UK.
- The bill would create a new system of judicial oversight of warrants for interception, hacking, and other powers. Under the current system, such warrants are approved by a senior government minister with no judicial involvement. The proposed system would require approval of warrants by both the minister and a senior judge. However, the role of the judge would be limited to determining whether the authorities followed the correct procedure and acted reasonably and within their powers. No independent substantive review of executive decisions is contemplated. Authorities would also be able to proceed without even this pro forma judicial approval temporarily if they deem it “urgent.” Whether a case is “urgent” would be decided by the person who issued the warrant, and such cases would not be limited to situations involving imminent threats to life.
The bill also would provide for a new right to appeal decisions by the secretive Investigatory Powers Tribunal (IPT) before the Court of Appeal. But it would fall short of providing the transparency so lacking in the current system. The IPT, located under the Home Office, is the sole judicial body where individuals and organizations who suspect they have been under “unlawful” surveillance can file a complaint. Complainants have no access to the government’s evidence or ability to question it, nor access to the court’s deliberations.
The bill would allow the Court of Appeal to hear appeals from the IPT wholly or partly in “closed material proceedings,” which would exclude applicants and their lawyers from the hearings. The bill also would not remove barriers to redress in the current system since users are never notified that they have been under surveillance, and so generally do not know to seek review at the IPT. While the newly created investigatory powers commissioner would be required to inform individuals of “serious errors” that affect them, the mere fact that an individual’s fundamental rights have been breached would not be sufficient by itself to be considered “serious” under the bill.
The right to privacy and freedom of expression are guaranteed by the European Convention on Human Rights (ECHR) and the Human Rights Act (HRA), which incorporates the ECHR into UK law. The European Court of Human Rights has made clear that any interference with those rights must be “in accordance with the law,” “necessary in a democratic society,” and proportionate. The International Covenant on Civil and Political Rights (ICCPR), which the UK has ratified, also provides for the rights to privacy and to freedom of expression and prohibits arbitrary and unlawful interferences with those rights.
“The overwhelmingly intrusive powers this bill would grant the UK government would bring us one step closer to the surveillance state,” Leghtas said. “Parliamentarians, with the involvement of independent groups, should work hard to amend it and introduce stronger protections against abuses.”
This report was prepared by Human Rights Watch.