Internet surveillance in English law
22nd June 2013

This is partially based on Ian Brown (2012) ‘Government Access to Private-Sector Data in the United Kingdom’ International Data Privacy Law 2 (4) 230-238

For the past fortnight, the media has been full of revelations about the surveillance practices of the US National Security Agency (NSA), a shadowy body responsible for communications intelligence for the US government. UK interest has focused on whether NSA has been sharing intelligence on British residents with its UK equivalent, Government Communications Headquarters (GCHQ). But we now know GCHQ has been engaging in similarly broad, global communications surveillance. What do we know of the legal framework that governs these newly-revealed activities?

The Regulation of Investigatory Powers Act, 2000 (RIPA) allows the Secretary of State to authorise the interception of the communications of a specific individual or premises over a public telecommunication system. This may be requested by various government bodies such as domestic, foreign or defence intelligence, the police, HM Revenue and Customs and GCHQ. Typically, GCHQ conducts interception for “customers” in other parts of government.

Such an authorisation need not specify an individual or premises if it relates to the interception of communications external to the UK (s.8(4)). This  is understood to be the mechanism by which the government authorises GCHQ to undertake automated searches of communications that originate or terminate outside the British Isles, This could include the transmission of data to or from servers outside the UK – which includes traffic to the facilities of most of the large companies (such as Facebook, Google and Microsoft) implicated in the NSA’s PRISM programme.

The government’s current policy is to neither confirm nor deny the details of any GCHQ operational activities. The telecommunications expert for the Applicants in the European Court of Human Rights case Liberty v UK suggested that external interception authorisations are wide-ranging. They can cover classes of traffic such as ‘all commercial submarine cables having one terminal in the UK and carrying external commercial communications to Europe.’ The Secretary of State can then issue a certificate describing in general terms which information should be extracted from the resulting intercepted communications. These terms could be very broad, such as “national security”, “preventing or detecting serious crime” or “safeguarding the economic well-being of the United Kingdom”.

Such “certified warrants” allow intelligence officials to undertake automated searches through this information looking for specific keywords. The Applicant’s expert in Liberty suggested that the resulting intelligence reports have names or other identifying details of citizens or organisations that are incidental to the interception removed . These reports may only be disseminated to recipients who have a proportionate and necessary reason to receive the information.

Section 12 of RIPA gives the Secretary of State the power to require that public telecommunications providers facilitate lawful interception of their network. This could include requirements such as those mandated by the European Telecommunications Standards Institute Lawful Intercept standards to install interception devices that provide specific functionality, such as the ability to intercept communications in real-time and to hide the existence of other simultaneous wiretaps from each intercepting agency. Furthermore, under s.94 of the Telecommunications Act 1984, the Secretary of State may give providers of public electronic communications networks “directions of a general character… in the interests of national security”, which may be protected against disclosure.

Access to “communications data” — subscriber information, records of calls made and received, e-mails sent and received, websites accessed, the location of mobile phones — is also regulated under RIPA. Senior officials in a range of government agencies, going well beyond intelligence and serious crime, may authorise access. ISPs are required to store some of this data for 6-12 months under the Data Retention Regulations, 2009.

Through the combination of several pieces of legislation (Section 10 of the Computer Misuse Act, s 32 of RIPA and s. 5 of Police Act Part III/Intelligence Service Act) government agencies are also able to remotely break into computer systems to access communications and other types of data on those systems.

GCHQ does not itself have the relationships with the largest Internet companies the NSA has used in its PRISM programme, since very few of them are located within the UK. But it clearly has the legal authority to conduct large-scale surveillance of communications entering or leaving the UK. The agency has reportedly already spent several hundred million pounds expanding its capabilities to intercept ISP networks in a “Mastering the Internet” programme, with claims of a total budget of over £1bn ($1.5bn) to give analysts “complete visibility of UK Internet traffic, allowing them to remotely configure their deep packet inspection probes to intercept data – both communications data and the communication content – on demand.”

Some of that data may be encrypted, making surveillance much more difficult. But other external traffic is wide open to the interception and automated analysis that has caused such consternation to critics of the NSA’s newly revealed surveillance programmes. The Guardian has now revealed much more detail about GCHQ’s activities. Legal challenges to the UK regime, based on the lack of legal clarity required for interferences with Article 8 of the European Convention on Human Rights (respect for private and family life), are likely very soon.

Dr Ian Brown is Associate Director of Oxford University’s Cyber Security Centre, and Senior Research Fellow at the Oxford Internet Institute.