On September 13, after a five-year legal battle, the European Court of Human Rights said that the UK government’s surveillance regime—which includes the country’s mass surveillance programs, methods, laws, and judges—violated the human rights to privacy and to freedom of expression. The court’s opinion is the culmination of lawsuits filed by multiple privacy rights organizations, journalists, and activists who argued that the UK’s surveillance programs violated the privacy of millions.

The court’s decision is a step in the right direction, but it shouldn’t be the last. While the court rejected the UK’s spying programs, it left open the risk that a mass surveillance regime could comply with human rights law, and it did not say that mass surveillance itself was unlawful under the European Convention on Human Rights (a treaty that we discuss below).

But the court found that the real-world implementation of the UK’s surveillance—with secret hearings, vague legal safeguards, and broadening reach—did not meet international human rights standards. The court described a surveillance regime “incapable” of limiting its “interference” into individuals’ private lives when only “necessary in a democratic society.”

In particular, the court’s decision attempts to rein in the expanding use of mass surveillance. Originally reserved for allegedly protecting national security or preventing serious threats, use of these programs has trickled into routine criminal investigations with no national security element—a lowered threshold that the court zeroed in on to justify its rejection of the UK’s surveillance programs. The court also said the UK’s mass surveillance pipeline—from the moment data is automatically swept up and filtered to the moment when that data is viewed by government agents—lacked meaningful safeguards.

The UK Surveillance Regime

In the UK, the intelligence agency primarily tasked with online spying is the Government Communications Headquarters (GCHQ). The agency, which is sort of the UK version of the NSA, deploys multiple surveillance programs to sweep up nearly any type of online interaction you can think of, including emails, instant messenger chats, social media connections, online searches, browser history, and IP addresses. The GCHQ also collects communications metadata, capturing, for instance, what time an email was sent, where it was sent from, who it was sent to, and how quickly a reply was made.

The privacy safeguards for this surveillance are dismal.

For more than a decade, the GCHQ was supposed to comply with the Regulation of Investigatory Powers Act 2000 (RIPA). Though no longer fully in effect, the law required Internet service providers to, upon government request, give access to users’ online communications in secret and to install technical equipment to allow surveillance on company infrastructure.

The UK directly collected massive amounts of data from the transatlantic, fiber-optic cables that carry Internet traffic around the world. The UK government targeted “bearers”— portions of a single cable—to collect the data traveling within, applied filters and search criteria to weed out data it didn’t want, and then stored the remaining data for later search, use, and sharing. According to GCHQ, this surveillance was designed to target “external” communications—online activity that is entirely outside the UK or that involves communications that leave or enter the UK—like email correspondence between a Londoner and someone overseas. But the surveillance also collected entirely “internal” communications, like two British neighbors’ emails to one another. This surveillance was repeatedly approved under months-long, non-targeted warrants. Parts of this process, the court said, were vulnerable to abuse.

(In 2016, the UK passed another surveillance law—the Investigatory Powers Act, or IPA—but the court’s decision applies only to government surveillance under the prior surveillance law, the RIPA.)

A Failure to Comply with Human Rights Laws 

The suit's results can be looked at as a disconnect between the domestic laws allowing government surveillance in the UK and the UK’s international human rights obligations.

The court took issue with the UK’s failure to comply with the European Convention on Human Rights—an international treaty to protect human rights in Europe, specified in the convention’s “articles.” The European Court of Human Rights (ECtHR), a regional human rights judicial body based in Strasbourg, France, issued the opinion.

Though the lawsuit’s plaintiffs asserted violations of Articles 6, 8, 10, and 14, the court only found violations of Article 8 and 10, which guarantee the right to privacy and the right to freedom of expression. The court’s reasoning relied on applicable law, government admissions, and recent court judgments.

The court found two glaring problems in the UK’s surveillance regime—the entire selection process for what data the government collects, keeps, and sees, and the government’s unrestricted access to metadata.

How the government chooses “bearers” for data collection should “be subject to greater oversight,” the court said. By itself, this was not enough to violate Article 8’s right to privacy, the court said, but it necessitated better safeguards in the next steps—how data is filtered after initial collection and how data is later accessed.  

Both those steps lacked sufficient oversight, too, the court said. It said the UK government received no independent oversight and needed “more rigorous safeguards” when choosing search criteria and selectors (things like email addresses and telephone numbers) to look through already-collected data. And because analysts can only look at collected and filtered data, “the only independent oversight of the process of filtering and selecting intercept data for examination” can happen afterwards through an external audit, the court said.

“The Court is not persuaded that the safeguards governing the selection of bearers for interception and the selection of intercepted material for examination are sufficiently robust to provide adequate guarantees against abuse,” the court said. “Of greatest concern, however, is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications.”

Along with related problems, including the association of related metadata to collected communications, the court concluded the surveillance program violated Article 8.

The court also looked at how the UK government accesses metadata in so-called targeted requests to communications providers. It focused on one section of RIPA and one particularly important legal phrase: “Serious crime.” 

The UK’s domestic law, the court said, “requires that any regime permitting the authorities to access data retained by [communications services providers] limits access to the purpose of combating ‘serious crime,’ and that access be subject to prior review by a court or independent administrative body.”

This means that whenever government agents want to access data held by communications services providers, those government agents must be investigating a “serious crime,” and government agents must also get court or administrative approval prior to accessing that data.

Here’s the problem: that language is absent in UK’s prior surveillance law for metadata requests. Instead, RIPA allowed government agencies to obtain metadata for investigations into non-serious crimes. Relatedly, metadata access for non-serious crimes did not require prior court or independent administrative approval, compounding the invasion of privacy.

Due to this discrepancy, the court found a violation of Articles 8 and 10.

For years, intelligence agencies convinced lawmakers that their mass surveillance programs were necessary to protect national security and to prevent terrorist threats—to, in other words, fight “serious crime.” But recently, that’s changed. These programs are increasingly being used for investigating seemingly every-day crimes.

In the UK, this process began with RIPA. The 2000 law was introduced in part to bring Britain’s intelligence operations into better compliance with human rights law because the country’s government realized that the scope of GCHQ’s powers—and any limits to it—were insufficiently defined in law.

But as soon as lawmakers began cataloguing the intelligence services’ extraordinary powers to peer into everybody’s lives, other parts of the government took interest: If these powers are so useful for capturing terrorists and subverting foreign governments, why not use them for other pressing needs? With RIPA, the end result was an infamous explosion in the number of agencies able to conduct surveillance under the law. Under its terms, the government set out to grant surveillance powers to everyone from food standards officers to local authorities investigating the illicit movement of pigs, to a degree that upset even the then-head of MI5.

The court’s decision supports the idea that this surveillance expansion, if left unchecked, could be incompatible with human rights.

Good Findings

At more than 200 pages, the court’s opinion includes a lot more than just findings of human rights violations.

Metadata collection, the court said, is just as intrusive as content collection.

EFF has championed this point for years. When collected in mass, metadata can reveal information so intimate that even the content of a conversation becomes predictable.

Take phone call metadata, for example. Metadata reveals a person’s seven-days-a-week, middle-of-the-night, 10-minute phone calls to a local suicide prevention hotline. Metadata reveals a person’s phone call to an HIV testing center, followed up with a call to their doctor, followed up with a call to their health insurance company. Metadata reveals a person’s half-hour call to a gynecologist, followed by another call to a local Planned Parenthood.

The court made a similar conclusion. It said:

“For example, the content of an electronic communication might be encrypted and, even if it were decrypted, might not reveal anything of note about the sender or recipient. The related communications data, on the other hand, could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with.”

The court also said that an individuals’ right to privacy is applied at the initial moment their communications are collected, not, as the government said, when their communications are accessed by a human analyst. That government assertion betrays our very understanding of privacy and relates to a similar, disingenuous claim that our messages aren’t really “collected” until processed for government use.

Turning Towards Privacy

Modern telecommunications surveillance touches on so many parts of human rights that it will take many more international cases, or protective action by lawmakers and judges, before we can truly establish its limits, and there is plenty more that’s wrong with how we deal with modern surveillance than is covered by this decision.

This is partly why EFF and hundreds of other technical and human rights experts helped create the Necessary and Proportionate Principles, a framework for assessing whether a state’s communication surveillance practices comply with a country’s human rights obligations. And it’s why EFF has brought its own lawsuits to challenge mass surveillance conducted by the NSA in the United States. (The European Court of Human Rights’ opinion has no direct effect on this litigation.)

This type of works takes years, if not decades. When it comes to any court remedy, it is often said that the wheels of justice turn slowly. We can at least breathe a little easier knowing that, last week, thanks to the hard work of privacy groups around the world, the wheels made one more turn in the right direction, towards privacy.