The failure of the latest legal challenge to the UK government’s snooping powers will be bitterly disappointing for privacy campaigners who, buoyed by shock revelations of long-standing unlawful behaviour by MI5, were hopeful the ruling would be in their favour.
More importantly, it sends a clear message to both the government and those whose data it harvests.
It reassures the Home Office that it can act with impunity when handling the vast volumes of bulk surveillance data it “hoovers up” every day, while bringing into sharp focus for the public that there can be no guarantee of safety for our data once in government hands.
The High Court on Monday dismissed civil liberties group Liberty’s legal challenge to the Investigatory Powers Act (IPA), sometimes referred to as the Snoopers’ Charter. Liberty has said it will appeal the decision.
The court rejected Liberty’s argument that the mass surveillance aspects of the 2016 legislation breached European human rights laws as its powers were too broad in scope and lacking the necessary minimum safeguards.
This would be disappointing on its own but there was also an unexpected twist that raised privacy advocates’ hopes that they would win the case, only to be dashed when the ruling was handed down.
Over the course of the hearing, it emerged that MI5 had lost control of how it stored the mass surveillance data that it collected. The intelligence agency admitted that there were “ungoverned spaces” on its computers where it did not know what was stored there.
The judges even acknowledged this in their ruling: “[We] are very conscious that the recent disclosures made by the defendants about MI5’s handling procedures have caused the investigatory powers commissioner obvious concern and will cause others in society concern too.”
Yet despite this unlawful conduct, which dates back to when the Act first came into force, the judges said it did not change their view that the IPA was compatible with human rights law as the “interlocking safeguards” set out in the legislation were sufficient.
These safeguards include the so-called “double lock” of additional judicial approval required for the most intrusive aspects of the law. The Investigatory Powers Commissioner’s Office (ICPO), created to monitor the government’s use of its new powers, is another key safeguard.
So what does this ruling mean for privacy?
What’s most disturbing is that it didn’t matter to the court that the safeguards set out in the IPA, whose existence underpins much of its ruling, had so clearly systematically failed in the case of MI5.
Instead, the mere fact that the ICPO had eventually investigated the issue earlier this year, putting MI5 on “special measures” as a result, was taken as proof the safeguards were working.
This is of cold comfort given the extent of data mismanagement by MI5, along with revelations (from the ICPO and quoted in the ruling) that “warrants were issued to MI5 on a basis that MI5 knew to be incorrect and that consequently JCs were given false information".
Rather than put the government on notice that it must strictly follow the safeguards or risk being reined in, the message is that they can act with impunity as long as they offer contrition afterwards.
There will of course be those that agree with the court’s view that the failings of MI5 do not render the IPA in breach of EU human rights laws and had no bearing on the Liberty’s case.
However, the court’s ruling makes it clear that when it comes to mass surveillance, there’s no limit to how wide the government may cast its net, as long as the legislation includes sufficient safeguards, regardless of whether they are actually effective in practice. As the ruling states: “we accept the fundamental submission made on behalf of the Defendants that the question of compatibility with the Convention must be determined by reference to the totality of the inter-locking safeguards applicable at the various stages of the bulk interception process. In particular it must not be done by reference to the potential breadth of the information that could in principle be retained under the bulk interception power.”
This ruling will embolden the government to intensify its use of mass surveillance with the support of the court, which agreed that hacking the nation’s smartphones, tablets and computers to create bulk data “haystacks” in the hope of finding the occasional criminal “needle” justified the trampling of civil liberties.
Dispiritingly, the court failed to even question whether this was an effective form of policing and simply took on face value that it was.
It’s sadly nothing new to say that we should have no expectation of privacy in the UK. However, the confirmation that the government cannot be trusted to safeguard the data it relentlessly scoops up and, worse, that it doesn’t seem to matter, should spur into action even the most apathetic.
It’s imperative to use encryption wherever possible to minimise the harvesting of our data in the first place. Simply using a VPN (Virtual Private Network), along with messaging apps that employ end-to-end encryption, such as Signal and WhatsApp, greatly reduces exposure to government dragnets with minimum inconvenience.
One group disproportionately affected by the ruling are journalists, whose confidential communication with sources is protected by EU law due to the crucial role of a free press in a healthy democracy.
However, the court decided that these protections do not apply to the analysis of bulk surveillance data. The judges took the view that, as long as the primary intent of the analysis was not to uncover journalistic sources, then it was a necessary evil should that come to pass as a by-product of an authorised analysis.
This will surely have a chilling effect on journalism in this country, as whistleblowers and other sources weigh up the risk of being inadvertently exposed.
This ruling also feeds into a broader narrative. Home Secretary Priti Patel this week renewed demands for encryption “backdoors”, despite long-standing expert consensus opposing such a move. This ruling may embolden the government to force through changes to the law in this area, as it gives further weight to the idea that privacy is always secondary to notions of national security, however vague.
Privacy has been losing out elsewhere too, despite dominating the headlines. Google and Facebook recently paid largely symbolic fines for major privacy intrusions but escaped more serious censure. Equifax too has effectively shrugged off the worst data breach in history.
This ruling embodies this trend: privacy matters but when it comes to the crunch, it will never be a top priority.