The High Court has granted Liberty, the privacy advocate, leave to challenge the Investigatory Powers Act 2016 (IPA). The Act, colloquially known as the Snoopers’ Charter allows the UK government to conduct mass surveillance on communications and internet data.
Liberty has built its case based on a successful challenge at the European Court of Justice to the Data Retention and Investigatory Powers Act 2014. That ruling made it clear there are limits on government access to retained data. For government to have access:
- there has to have been a serious crime
- the access must be proportional
- there must be judicial oversight.
Although that legislation expired at the end of 2016 many of its provisions were incorporated into the IPA.
Martha Spurrier, Director of Liberty, said: “We’re delighted to have been granted permission to challenge this authoritarian surveillance regime. It’s become clearer than ever in recent months that this law is not fit for purpose. The Government doesn’t need to spy on the entire population to fight terrorism. All that does is undermine the very rights, freedoms and democracy terrorists seek to destroy.
“And as increasingly frequent hacking attacks bring businesses and public bodies to their knees, our Government’s obsession with storing vast amounts of sensitive information about every single one of us looks dangerously irresponsible. If they truly want to keep us safe and protect our cybersecurity, they urgently need to face up to reality and focus on closely monitoring those who pose a serious threat.“
What is Liberty challenging?
The key challenge Liberty brings concerns the Mass collection of everybody’s communications data and internet history. Liberty believes that this breaches the right of an individual to privacy.
The IPA also places onerous duties on telcos and internet service providers. They are required to undertake the capture and retention of the data. That data is then handed to government agencies who will carry out data mining and analytics. How long it will then be held for or what it will be used for is unclear.
One of the Act’s predecessors was regularly abused. For example, some local councils used the Regulation of Investigatory Power Act 2000 to: track parents applying for school places. They also used it to track:
- track parents applying for school places.
- dog walkers to make sure they cleaned up after their pets.
Every year, the courts approved tens of thousands of uses of that legislation, despite many having little to do with the original intent of the Act.
It is this level of overreach which concerns Liberty, and other groups. The data gathered by the IPA would be available for mining and analysis. This could provide a very detailed view of an individual’s personal life. While there are cases to be made around crime and terrorism Liberty believes there are insufficient safeguards to inhibit the abuses performed under previous legislation.
Three other challenges also allowed
Liberty has permission to challenge three other parts of the IPA. These challenges, however, cannot take place until the government issues further codes of practice for each area. Nevertheless, if these codes are not published by March 2018, the High Court has said Liberty can bring its case regardless.
The three areas are:
- bulk and ‘thematic’ hacking – the Act lets police and agencies covertly access, control and alter electronic devices like computers, phones and tablets on an industrial scale, regardless of whether their owners are suspected of involvement in crime; this leaves them vulnerable to attack by hackers
- bulk interception and acquisition of communications content: the Act permits the State to read texts, online instant messages and emails, and listen in on calls en masse, without requiring suspicion of criminal activity
- bulk personal datasets: the Act permits agencies to acquire and link vast databases held by the public or private sector; these can contain details on religion, ethnic origin, sexuality, political leanings and health problems and cover, potentially, the entire UK population (which is a recipe for undisclosed abuse and discrimination).
What does this mean?
The IPA garners ALL data, not just that from individual’s private lives. This means it potentially has a significant impact on business communications. This is not just about the SME who works from his or her home office. Any communication by a company director working at home or on the road is liable to interception. The implication is that sensitive commercial communications are as available for capture as sensitive personal data.
While many organisations use encryption for data movements not everything (yet) warrants encryption. More importantly, the UK government is moving in the direction to outlaw encryption (and/or demand backdoor access). Businesses should fear this and consider what they should do to maintain data security.
There is also a secondary, and possibly much more dangerous, issue here. Governments are no better at securing data than any other organisation (and arguably worse – q.v. Snowden, Manning, Wikileaks, et al). So much data in one place would be a magnet for state-sponsored hackers and criminals. It would enable them to conduct both commercial espionage as well as craft highly personal cyber-attacks against both individual people and businesses.
Liberty has applied to have its costs capped at the High Court (the Government has infinitely deep resources – the ‘poor bloodied tax payer’). If granted, this will provide a solid base which will enhance our interest in how this case proceeds.