dripa – Techdirt (original) (raw)

UK Appeals Court Says GCHQ's Mass Collection Of Internet Communications Is Illegal

from the of-course,-when-you're-the-government,-you-just-have-the-laws-changed dept

The UK’s mass surveillance programs haven’t been treated kindly by the passing years (2013-onward). Ever since Snowden began dumping details on GCHQ surveillance, legal challenges to the lawfulness of UK bulk surveillance have been flying into courtrooms. More amazingly, they’ve been coming out the other side victorious.

In 2015, a UK tribunal ruled GCHQ had conducted illegal surveillance and ordered it to destroy intercepted communications between detainees and their legal reps. In 2016, the UK tribunal declared GCHQ’s bulk collection of communications metadata illegal. However, the tribunal did not order destruction of this collection, meaning GCHQ is likely still making use of illegally-collected metadata.

A second loss in 2016 — this time at the hands of the EU Court of Justice — found GCHQ’s collection of European communications being declared illegal due to the “indiscriminate” (untargeted) nature of the collection process. The UK government appealed this decision, taking the ball back to its home court. And, again, it has been denied a victory.

The court of appeal ruling on Tuesday said the powers in the Data Retention and Investigatory Powers Act 2014, which paved the way for the snooper’s charter legislation, did not restrict the accessing of confidential personal phone and web browsing records to investigations of serious crime, and allowed police and other public bodies to authorise their own access without adequate oversight.

The three judges said Dripa was “inconsistent with EU law” because of this lack of safeguards, including the absence of “prior review by a court or independent administrative authority”.

Hey, the elimination of privacy safeguards is just the price that has to be paid when the nation’s security can only be guaranteed by rushed, liberty-violating legislation dropped onto the floor shortly before closing time. If power is going to be consolidated, it needs to be done with a little debate as possible. Built-in safeguards for citizens’ privacy is something that can be relegated to an afterthought. And that afterthought need never be brought up again.

Those powers – granted by DRIPA — have been declared illegal. That’s going to cause problems for the Snooper’s Charter, which is DRIPA’s surveillance state successor. Chances are the problem will be dealt with by erecting a few minimal privacy protections while codifying prior surveillance abuses. And since this only upholds an EU court decision, it will mean less than nothing once Britain completes its exit from the Union.

The good news is the court’s decision backs up what critics have been saying for years: bulk interception of communications violates UK law, and the supposed oversight these collections receive falls far short of what’s required to make the collections legal again.

Filed Under: cjeu, dripa, gchq, mass surveillance, privacy, surveillance, uk

European Court Of Justice Rules Against UK's Mass Surveillance Program

from the will-it-matter-after-brexit? dept

Over the summer, we noted that the Advocate General for the European Court of Justice had sort of punted on the issue of whether or not the UK’s Data Retention and Investigatory Powers Bill (DRIPA) was actually legal. Thankfully, the final ruling is much clearer: “general and indiscriminate retention” of emails and other electronic communications is illegal in the EU according to the court. The only thing that is allowed is targeted interception, used to combat “serious crime.”

This is a pretty big deal, as the original recommendation from the Advocate General had suggested that DRIPA might be found legal. Of course, DRIPA is in the process of being superseded by the even worse Investigatory Powers Bill, better known as the Snooper’s Charter. If DRIPA violates the law, than the Snooper’s Charter almost certainly does so at an even greater level. Of course, there is some irony in all of this, in that the case that came to the CJEU was brought by a Member of Parliament, David Davis, who is now the “Brexit Secretary,” meaning that he’s helping to organize the process by which the UK will be removed from the EU… such that it may not even matter what the EU’s Court of Justice has to say on the matter.

The UK has also made it clear it’s going to appeal the decision, meaning that it will get to drag this process out as long as possible, potentially until the Brexit process is completed, at which point the ruling will not matter.

Still, it should at least raise question in the UK about why their politicians are granting the government powers to snoop on every member of the public at a level that goes way beyond what is considered appropriate.

Filed Under: cjeu, data retention, david davis, drip, dripa, european court of justice, investigatory powers bill, ip bill, mass surveillance, snooper's charter, uk

from the reading-the-tea-leaves dept

Over at the EU Court of Justice, the Advocate General has weighed in on the legal challenge to DRIPA, the Data Retention and Investigatory Powers Bill (DRIPA) that was rushed through the UK Parliament almost exactly two years ago. The law was challenged by a group made up of cross-party Parliament Members, and the Advocate General has sort of punted on the issue. If you don’t recall, the Advocate General’s role in the EU Court of Justice is basically to make a recommendation for the actual rulings. The court doesn’t have to (and doesn’t always) follow the Advocate General’s suggestion, but does so often enough that the opinions certainly carry a lot of weight and suggest what’s likely to happen. In this case, the opinion stated that, even though the court had previously rejected the EU-wide Data Retention Directive as intruding on privacy — the UK’s data retention law might be okay.

The opinion basically says some data retention laws may be okay if the powers are “circumscribed by strict safeguards” set up by the national courts.

Of course, the timing on this is important, given that the UK is (1) eagerly trying to push through its new surveillance law, the Investigatory Powers Bill which was (2) championed by then Home Secretary Theresa May as a necessary surveillance tool — and May is now the Prime Minister due to a series of issues in the UK you may have heard about lately. And some folks who are trying to read the tea leaves of the Advocate General’s opinion are suggesting that it may actually hint that while the old DRIPA might possibly be okay, the new Investigatory Powers bill probably is not. Of course, a lot of this depends on how you read the opinion and how certain key phrases are interpreted.

Many of those responding to Tuesday’s opinion emphasised the main finding that “solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.”

Basically, it appears that while it may be possible to twist DRIPA into shape so that it’s not violating the court’s required safeguards, the same cannot be said for the new bill. Whether or not that actually stops forward progress on that bill is another story altogether. And, of course, if the UK really is going to go through with its plan to leave the EU entirely, none of this may matter at all. Well, except for the privacy of everyone in the UK.

Filed Under: data retention, dripa, eu court of justice, eucj, investigatory powers bill, ipbill, snooper's charter, surveillance

Compliant UK Press Insist 'Thousands Of Lives At Risk' If Government Can't Spy On Citizens

from the oh-really-now? dept

Earlier today we wrote about how the UK’s High Court determined that the Data Retention and Investigatory Powers (DRIP) Act that passed a year ago, allowing the government wide leverage to get access to citizens’ private data, was a violation of privacy, because it did not have necessary limitations. The rule is still allowed to be used for the next nine months while the court asks Parliament to fix the law (or for the government to appeal the ruling, which it’s doing). Cue frantic bogus FUD from the press stenographers in the UK. The Telegraph’s “Security Editor” posted a story with this ridiculous (and wrong) headline: “Thousands of lives at risk after High Court rules snooping powers unlawful.”

There is, of course, nothing in the article to support the headline, because it’s not even remotely true. Considering that the law stays in place for the time being even if it were true that this power to spy on citizens was necessary (which it’s not), there would be no difference at all today. But the Telegraph has to come out with FUD so it quotes unnamed government officials going with the “but think of the children!” argument:

But police chiefs and the Home Office warned that would mean officers would no longer be able to use the data to help trace vulnerable people such as those at suicide risk or missing children

So they need to spy on you to save you. Talk about a paternalistic authoritarian bullshit. And, actually, the article seems to raise a lot more questions about abuse of DRIP than anything else:

The power was used in around 16,000 such cases last year to ?prevent death or injury in an emergency situation?, the Home Office said.

Under the ruling, judges or an independent body will have to sign off every one of the 500,000-plus requests to access communications data each year.

First of all, 500,000 requests?!? What the hell are they searching? Second: 16,000 cases where this power was used to “prevent death or injury in an emergency situation” — that’s not even remotely believable. That’s saying that law enforcement in the UK needed to snoop on citizens’ private data more than 40 times every day to “prevent death or serious injury.” Considering that the law only went into effect a year ago, did the number of deaths and serious injuries drop by a tremendous amount in the last 12 months, because surely there should be some evidence of that, right? Admittedly, the latest stats only go up to 2013, but if there had been a giant decrease in suicides, wouldn’t someone be talking about that number, rather than the requests for information?

Instead, everyone’s going on and on about how they’re supposedly preventing suicides by spying on your:

Assistant Chief Constable Richard Berry, the National Police Chiefs? Council lead on communications data, said: ?A significant proportion of our acquisition of data relates to situations where life is at immediate risk and a significant proportion of those requests relate to non-crime enquiries, for example: tracing vulnerable and suicidal missing persons.?

Of course, even if this is true (which is unlikely), are they really arguing that they need a special data retention law to make this happen? Or that they can’t bother to ask a judge first? In the US, we don’t have a similar data retention law, and yet companies frequently work with law enforcement to help them locate missing persons. Why do you need a broad law with little oversight unless you’re planning to abuse that power in a way that companies might push back on if they weren’t required by law to comply?

Filed Under: data retention, drip, dripa, fud, lives in danger, suicide, uk