In a new shocking revelation, the UK’s Government Communication Headquarters (GCHQ) was found guilty of unlawfully spying on two international human rights organizations: the Egyptian Initiative for Personal Rights (EIPR) and the South African Legal Resources Center (LRC), the UK’s Investigatory Powers Tribunal (IPT) ruled on Monday.
According to the ruling, GCHQ — the intelligence agency responsible for collecting and outsourcing signals intelligence to the British government — violated procedures pertaining to the handling of communications intercepted from the two organizations.
However, the IPT ruled that the initial process of surveilling data by GCHQ was lawful.
The IPT is the only judicial body independent of the British government that is allowed to receive and rule on complaints related to surveillance carried out by British governmental bodies.
The IPT’s jurisdiction is governed by the legal framework set by surveillance laws in the UK. If a complaint leads to the discovery that a surveillance operation is being carried out, but procedures have been followed correctly, the plaintiff does not receive confirmation that they are under surveillance, and the IPT only states that the complaint has not been upheld.
Monday’s case dates back to 2013, when American whistleblower Edward Snowden leaked documents to the press revealing the extent of data interception carried out by the British government using their Tempora system, which buffers internet communications extracted from fiberoptic cables for further processing and analysis.
Snowden’s leaks also proved that the UK was sharing the collected intelligence with the American National Security Agency (NSA).
In July 2014, faced with the possibility of legal action and a police raid, the Guardian was forced to destroy hard drives containing copies of the leaked documents provided by Snowden. GCHQ had claimed that the newspaper’s servers were not secure, and “could be hacked by Russia or China.”
Following the revelation, 10 international NGOs, including Amnesty International, Liberty, Privacy International, LRC and EIPR filed a complaint against GCHQ before the IPT in early 2013, demanding disclosure of surveillance operations that they might have been subject to, Deputy Director of Privacy International Eric King tells Mada Masr.
EIPR, which had been working with a number of international NGOs, including one of the main plaintiffs, Liberty, joined the case “in solidarity, since the leaks revealed the huge scale of external surveillance, besides internal operations,” says EIPR researcher Karim Ennarah.
“At the time, we had no idea whether we were actually victims of surveillance or not, but we wanted to contribute to the pressure put on UK government to reveal the magnitude of its surveillance program,” Ennarah continues.
“These types of cases are important to pursue, especially after Snowden’s leaks, because these countries actually have the legal framework that allows for exposing the extent of surveillance practiced by government intelligence agencies,” he added.
The IPT has already issued a number of rulings in the case since 2013, the first of which was in December 2014, stating that “as a matter of principle, the legal framework permitting surveillance is lawful.”
In February 2015, a second ruling declared that “regulations covering access by GCHQ to emails and phone records intercepted by the NSA breached human rights laws.”
The tribunal’s decision meant that intelligence sharing between the UK and US prior to the verdict (between 2007 and 2014) was unlawful because the public were unaware of its procedures.
“But the lawsuit also forced GCHQ to make otherwise classified documents public, including disclosing surveillance procedures which in turn gave legality to their work from then on,” King adds.
Monday’s verdict, however, found surveillance procedures practiced against two out of the 10 plaintiff NGOs to be unlawful.
In LRC’s case, the IPT ruled that their communications were intercepted and then unlawfully selected for examination, acts that violate GCHQ procedures.
Concerning EIPR, the IPT ruled that their communications were intercepted, accessed and then “unlawfully retained for materially longer than permitted.” GCHQ was ordered to confirm that relevant data had been deleted within 14 days from the date of the ruling.
“According to the law, Tempora’s data collection for examination was legal, but granting personnel access to the data for a prolonged period of time required another level of authorization, which GCHQ failed to present in EIPR’s case,” Ennarah explains.
He adds that, while his organization has yet to be informed about the type of illegally acquired content pertaining to their case, he suspects “it’s beyond mere metadata.”
“Actual content was accessed by someone at GCHQ, but the IPT would never disclose such classified information for national security reasons,” he concludes.
Ennarah says that EIPR does not expect any particular diplomatic stance from the Egyptian government, which is why the organization is pursuing further legislative course before the European Court of Human Rights.
“This is not Germany or Brazil, where news of citizens being spied on by foreign governments shakes the state,” he exclaimed.
In July 2014, reports that the NSA was spying on German citizens, including Chancellor Angela Merkel’s own personal communication, had caused widespread diplomatic controversy.
In both EIPR and LRC’s cases, the issue surpassed automated screening by Tempora, as “a human being was allowed access to the information collected by the machine,” King asserts.
Meanwhile, a government spokesperson told the BBC that “GCHQ takes procedure very seriously. It is working to rectify the technical errors identified by this case and constantly reviews its processes to identify and make improvements.”
For the eight other plaintiffs, the tribunal ruled “no determinations,” which “doesn’t necessarily mean that they were not spied on, but that they might’ve been spied on lawfully,” says King.
In King’s opinion, the problem with the IPT’s rulings is that it can only look into the procedural violations, not the concept of surveillance itself.
“The UK invading fundamental rights of those trying to make the world a better place is not very reassuring for NGOs,” he says. “The current state of affairs is that NGOs can be lawfully spied on and the court would be perfectly okay with it.”
He also speculates that “statistically speaking, it’s more likely that there are many similar cases taking place, but the only way to discover the actual extent of the UK’s surveillance program is if someone forces the IPT to look into it.”
Since the IPT is the only recourse for domestic proceedings related to government surveillance in the UK, the 10 NGOs filed a lawsuit before the European Court of Human Rights (ECHR) to challenge the IPT’s endorsement of mass scale surveillance, to pressure the UK government to release more details on the procedures and the types of surveillance they conduct and to enforce a more sophisticated system for authorizing surveillance, says Ennarah.
The IPT’s Monday ruling stipulated that no material damage had been done to the plaintiffs, and that no compensation was required.
Aside from data interception, Privacy International and six Internet Service Providers (ISPs) from South Korea, Zimbabwe, Canada, the Netherlands, the UK and Germany, have also challenged GCHQ before over hacking claims.
“They have been hacking into people’s phones to remotely activate their microphones, hacking into computers, webcams and emails,” says King.
Moreover, he believes that the current laws cannot be the only set of rules to consider in these cases. “There’s also the concept of what’s right and what’s wrong,” he explains.
“The ECHR is not going to be able to judge whether British laws are right or wrong, so the only way forward is campaigning to fix legislation to constrain surveillance programs,” says King.
He hopes for a better rewrite of intelligence laws in the UK by the end of the year, but others are not as optimistic.
In May, the UK government passed an amendment to the Computer Misuse Act, exempting GCHQ, the police, and other intelligence officers from prosecution for hacking into computers and mobile phones.
In response, a Privacy International statement said, “It appears that no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner’s Office, industry, NGOs, nor the public, were notified or consulted about the proposed legislative changes… There was no public debate.”
Although King says many people in the UK still trust security agencies, he has some hope in public shockwaves caused by rulings like the IPT’s on Monday. People need to realize this is not a James Bond movie, he concludes.
Update since publishing: On July 4, the UK’s Investigatory Powers Tribunal (IPT) notified Amnesty International that UK agencies had spied on them and not EIPR, along with the Legal Resources Centre in South Africa.