Regulating Signals intelligence

Iain Cameron is professor in public international law at Uppsala University

Introduction

For European states, an important factor pushing towards better regulation of security agencies generally has been the ECHR. The work of “signals intelligence” agencies (collecting metadata and the content of electronic mail and voice communications) came to prominence following the allegations of “mass surveillance” made by former NSA contractor Edward Snowden in 2013. Compared to law enforcement or internal security agencies, signals intelligence agencies tend to possess much more powerful computing facilities, and they thus have abilities to process and analyse vast amounts of data. Data, both content data (telephone conversations, email etc.) and metadata, are collected in bulk and then analysed using selectors. The ECtHR has recently looked at the systems for regulation and control of signals intelligence operating in two states, Sweden and the UK, in the cases of Centrum för Rättvisa v. Sweden (CFR) and Big Brother Watch and others v. UK (BBW) (see blogposts for these cases here and here). Both these cases have been appealed to the Grand Chamber, which held an oral hearing on 10 July 2019. A judgment is expected soon. The present blog article will look at four issues of principle at stake in the two cases, namely bulk collection, judicial authorization, notification and discrimination. In each of these issues, there is some tension between the regional (ECHR) and sub-regional (EU) human rights standards applicable to signals intelligence.

There were three basic questions in BBW: these concerned the UK rules on bulk collection, on metadata and on intelligence sharing. The majority of the Court found violations of Article 8 and Article 10 as regards the first two issues. In CFR the issue was more simply whether the Swedish signals intelligence law and practice as a whole satisfied Article 8 and the Court unanimously found that it did. Both cases involved many sub-issues, and were detailed examinations of the foreseeability, accessibility etc. of the laws, and their necessity in a democratic society (which mainly centered around the adequacy of the control systems). The Court applies eight criteria in making its assessment, developed from its case law on targeted interception, and the Weber and Saravia v. Germany case. It declined the offer to develop new or additional criteria, taking into account improvements in technology, and designed for bulk interception specifically (previously discussed by the Venice Commission).

Bulk collection possible under the ECHR but forbidden under EU law?

General retention involves a duty on providers to retain all telecommunications metadata for a given period of time and make it available to the police and intelligence services. The Court of Justice of the European Union (CJEU) has produced judgments on the collection and accessing of metadata for the purpose of law enforcement (investigating serious crime). It annulled the EU data retention directive (Digital Rights Ireland Ltd) and then went on to rule in the Tele2/Watson case that the general retention of metadata, even for short periods, was in breach of the EU Charter of Fundamental Rights and Freedoms. Three cases are pending before the CJEU, two of which concern the applicability of the standards set out in the Tele2/Watson case to systems of signals intelligence (for a discussion, see here). The ECHR is a minimum level of protection, and the CJEU has made it plain in other cases that it wants to set higher standards than the ECHR.

The prohibition of general retention in the CJEU’s judgment in Tele2/Watson has been hailed in some quarters as a step forward, and criticised in other quarters as based on a misunderstanding of, first, the surveillance potential of the existing technology and, second, how police/security agencies actually use the technology. In both CFR and BBW, however, the ECtHR states that the choice of whether or not to engage in bulk collection of communications data is a matter within states’ margin of appreciation (CFR, para. 112, BBW, para. 314). Bulk collection is possible, but adequate safeguards must exist, and, bearing in mind the great potential for abuse, the safeguards must be strong. This is a sensible approach.

Prior judicial/independent authorization?

Controls on signals intelligence can come in at different stages. It is the end result which is important. The first thing to think about is the mandate of the agency, who or what can give it tasks and/or whether it can also “self-task”. The second stage is targeting in specific cases (“authorization”). An important part of this is the “selectors” chosen to obtain the information needed. These can be related to individuals, or organizations, but also such things as communication paths. The third stage is follow-up (post-hoc) oversight.

How broadly or narrowly drafted the agency’s mandate is, and how broadly or narrowly the authorizing body formulates permission to collect signals intelligence in a particular case are crucial parts of limiting the scope for abuse. Broad mandates, e.g. to collect (undefined) “foreign intelligence” or “data of relevance to the investigation of terrorism”, are likely to lead to over-collection of intelligence, unless the authorizing body sets much higher standards in specific cases. In such a situation, an oversight body which is limited to analyzing whether the intelligence collection was made within the mandate is not much of a safeguard. Where, however, an oversight body is able to apply a proportionality analysis, and evaluate the results of the permissions granted by the authorizing body, then it is much more likely to be a proper safeguard. This assumes also that it has the resources and techniques to make its own deep investigations of selected cases.

Under the British system, the mandate, the purposes for which collection is permitted, is very broad. The British judge in BBW in his separate opinion compared the three, very broad, purposes in the British legislation favorably with the eight more specific purposes set out in the Swedish legislation and came to the – absurd – conclusion that the British legislation was thereby better. A government minister authorizes the interception by means of a warrant. The minister does not approve the individual selectors. This is left to the signals intelligence agency itself. The different functions of tasking/targeting are thus kept within the executive, whereas execution of the targeting (choosing the selectors etc.) is left to the agency itself. The oversight is now performed by a quasi-judicial body, the Investigatory Powers Commissioner’s Office (IPCO). Interestingly, this body has interpreted its powers to include the application of a proportionality test (IPCO Annual report 2017, section 9.22) although the legislation itself (Section 89 of the Investigatory Powers Act 2016) is formulated so that the IPCO may determine only whether the authorization was unreasonable.

In the Swedish system, there is a “court” (better seen as an independent quasi-judicial body) which authorizes the interception purpose, though not (unless it sees reason to do so) the individual selectors. There is a separate quasi-judicial body which then supervises the execution of the authorization given, applying a proportionality test. For this system to work well, there has to be constant feed-back from the oversight body to the authorizing body, so that the latter is able to refine its authorizing procedures.

In BBW, the majority of the chamber did not regard prior judicial or independent authorization as necessary (para. 377). This requirement depended upon the likelihood of abuse, and the majority of the chamber went on to find that, as there was no evidence of abuse, there was no absolute requirement of prior judicial authorization. It cited the Venice Commission report in support of the view that an absence of prior judicial authorization can be compensated for by post-hoc supervision (para. 318). However, it did not point out that the Venice Commission report (para. 106) had emphasized that “where a system lacks independent controls at the authorization stage, this should mean that very strong safeguards must exist at the follow-up/oversight stage, for example, the power to take binding decisions (emphasis added)”.

The targeting stage is dynamic; there is a constant need to adjust and refine selectors. Unless it receives constant feedback from the agency, the authorizing body will not know how its authorization is in fact being used. Thus, oversight afterwards, when the process has produced a result, is the most important control. However, oversight in the absence of independent authorization raises the question: what is being overseen? What basis is there for analyzing and criticizing the standards the tasking/targeting body has set, and the agency itself has executed? The British independent oversight of signals intelligence gathering has undoubtedly improved over the years, but then it began as what can only be described as a mere façade. In my view, the Court in BBW did not subject the UK oversight system to very searching scrutiny. Simply put, oversight resources and capabilities should match the scale of the operations being overseen. The UK signals intelligence collection is vast, but IPCO, though much improved compared to the past, is still a very small body. It is also difficult to reconcile the approach of the Court in BBW with the approach of the CJEU in Tele2/Watson which insisted on independent authorization.

Differential protection of citizens and foreigners?

One of the major issues in the Snowden revelations was the differential treatment of US persons and non-US persons: simply put, the allegation was that the former had rights, the latter had not. The subsequent presidential directive, PPD 28, went some way to dealing with this and a subsequent report published in October 2018 by the US Privacy and Civil Liberties Oversight Board (PCLOB) finds that the NSA does apply some degree of privacy protection standards to non-US persons. The recent ruling of the German Constitutional Court (BVerfG) on the signals intelligence system applied for collection of information on non-German nationals/residents also emphasized the need to provide for privacy protection for foreigners.

In CFR, the Swedish legislation provides that both foreigners and Swedish citizens have privacy rights. However, the legislation also allows for taking into account “Swedish interests” if and when it is decided to transmit this data to other parties. Thus, there are situations where differential protections can apply. As regards remedies, the Swedish legislation allows anyone, regardless of nationality and residence, to complain to the oversight body. The reason for this was precisely because Article 1 of the ECHR applies to “everyone” within the jurisdiction. By contrast, the UK remedies mechanism, the Investigatory Powers Tribunal (IPT), has not accepted (para. 60) complaints from applicants outside of the territory of the UK. In BBW, the Court accepted differential protection of citizens and foreigners. Its argument was that although the relevant British legislation “prevents intercepted material from being selected for examination according to a factor ‘referable to an individual who is known to be for the time being in the British Islands’, any resulting difference in treatment would not be based directly on nationality or national origin, but rather on geographical location” (para. 517). The Court thus concluded that it was not discriminatory treatment within the meaning of Article 14 of the Convention. It would have been better, in my view, not to avoid this issue – which is central – but instead rule that even foreigners have privacy rights. This does not mean that they must be treated identically to citizens.

Notification

The applicants in both CFR and BBW argued that notification to all the individuals caught up in a signals intelligence “trawl” was an absolute requirement. However, in neither case did the Court accept this. Both states’ systems provide for a standing right to complain (in the UK system, there is no notification; in the Swedish system, notification in practice never occurs). In BBW, the Court was satisfied with the IPT, even though the review standard it applies cannot be described as “close scrutiny”. As regards CFR, the Swedish Intelligence Inspectorate can order discontinuation and destruction and, together with the Swedish Chancellor of Justice, award compensation. The Court nonetheless compared the Swedish remedies system unfavourably with the equivalent British system (the IPT). This appeared to be because the Swedish system does not publish any statistical information. It is impossible to know how many complainers (potentially) had a case. One would have thought that this lack of transparency is something which is possible to remedy. However, the Court concluded that the aggregate of remedies was sufficient “in the present context” (para. 177).

Conclusion

Bulk collection of communications data undoubtedly poses threats to privacy and other human rights, and must, therefore, be tightly regulated and subject to strong independent oversight, all the more so because it is not practicable to create notification requirements and satisfactory remedies. The Grand Chamber judgment provides an opportunity for the ECtHR to provide tougher standards on oversight in this area, compared to those set by the chamber in BBW, and to deal squarely with the issue of to what extent (if at all) nationality can be a factor in privacy protection in this area.
