Has the High Court outlawed mass computer surveillance?
Privacy campaigners have hailed a major victory as a judgement declares the use of general warrants unlawful. PublicTechnology takes a closer look.
“A major victory for the rule of law.”
This is how campaign group Privacy International (PI) welcomed a judgement issued by the High Court last week. According to the headline one of many stories from national and international outlets covering the case, the ruling – which came following a challenge launched by PI against the independent Investigatory Powers Tribunal – saw “UK mass hacking ruled illegal”.
The judgement passed down by Lord Justice Bean and Mrs Justice Farbey certainly contains findings that will hearten privacy advocates.
But is it really the death knell for indiscriminate state surveillance that has been reported?
Given that the judges conclude that authorities could lawfully hack into the computers of everyone in Birmingham or Kent, perhaps the ruling is not the definitive rebuke that some have characterised it as.
The case reached the High Court after Privacy International requested a judicial review of a 2016 ruling by the Investigatory Powers Tribunal – an independent watchdog funded by the Home Office. The campaign group and the tribunal respectively represented the claimant and the defendant; the latter did not appear before the judges nor was legally represented. However, lawyers from the Government Legal Department appeared on behalf of GCHQ and the foreign secretary – who were named as ‘interested parties’.
All of whom ended up before judges after PI’s lawyers had first needed to argue that the High Court had any jurisdiction over the decisions of the tribunal. A narrow majority of Supreme Court justices finally, in July 2019, agreed that it did – squashing earlier rulings by both the Divisional Court and the Court of Appeal.
"A general warrant is one which requires the exercise of judgment or discretion by the official executing the warrant... the aversion to general warrants is one of the basic principles on which the law of the United Kingdom is founded"
High Court judgement
The ruling being challenged related to the question of whether UK law – namely the 1994 Intelligence Services Act (ISA) – permits government and the security services to issue “a ‘thematic’ computer hacking warrant, authorising acts [of surveillance] in respect of an entire class of people or an entire class of such acts?”.
Such hacking, collectively characterised by the judges as ‘computer network exploitation’ (CNE), comprises “a set of techniques through which an individual or organisation gains covert and remote access to equipment – including both networked and mobile computer devices – typically with a view to obtaining information from it”.
The High Court ruling said: “CNE can be a critical tool in investigations into the full range of threats to the United Kingdom such as terrorism, serious and organised crime, and other national security threats. As the tribunal observed… ‘[the] particular significance of the use of CNE is that it addresses difficulties for the intelligence agencies caused by the ever-increasing use of encryption by those whom the agencies would wish to target for interception’. Its value to the protection of those who live in the United Kingdom from individuals engaged in (among other things) terrorist attacks, espionage and serious organised crime is beyond dispute.”
Whatever the investigative merits such of surveillance may be, Privacy International sought to challenge whether it could lawfully be conducted under the auspices of a warrant which covers a broad and nebulous group of people, or one that relies on the interpretation of those charged with its execution on the ground.
The Investigatory Powers Tribunal had concluded that a warrant issued under the Intelligence Services Act would be “lawful if it is as specific as possible… to assist those executing the warrant”.
The scope of the warrant should be “objectively ascertainable”, the IPT found, but that “it need not be defined by reference to named or identified individuals”.
Citing common law and numerous examples of precedent, justices Bean and Farbey agreed with PI’s argument against the lawfulness of so-called general warrants, that feature no named target, and those which relied on the discretion of officers. Such warrants could only be considered lawful in the event of an express act of parliament to legalise them.
“It is a fundamental right of an individual under the common law that he or she should not be apprehended, or have property seized and searched, save by decision of the person legally charged with issuing the warrant,” they said. “Expressed in modern legal language, a general warrant is one which requires the exercise of judgment or discretion by the official executing the warrant as to which individuals or which property should be targeted. It follows that a general warrant gives rise to an unlawful delegation of authority by the legally entrusted decision-maker to the executing official. This unlawful delegation breaches a fundamental right.”
The judges added: “The aversion to general warrants is one of the basic principles on which the law of the United Kingdom is founded. As such, it may not be overridden by statute unless the wording of the statute makes clear that parliament intended to do so.”
The 44 words above have, in many reports, been the only section of the 11,500-word ruling quoted. But, elsewhere across its 25 pages, the judges diverge from the arguments made by the privacy group – and suggest that authorities could still legally hack into the computers of everyone in a city of more than one million residents.
The text of the judgement reveals that PI’s lawyers accepted that a warrant for computer hacking covering an entire street could still be considered sufficiently specific to be lawful. But they contended that a warrant for an entire city – Birmingham, for example – would go beyond the legal limits of specificity.
"We do not agree… that a warrant could never lawfully permit the use of computer network exploitation across a broad geographical area... such as the city of Birmingham, or the county of Kent, [which] are capable of being specified in a warrant"
High Court judgement
The judges did not agree – nor did they agree with the privacy group’s claim that a warrant could not be lawfully applied to people who might not initially fall within its scope, but may do so in the future.
“We do not agree… that a warrant could never lawfully permit the use of CNE across a broad geographical area such as a town or city,” they said. “The boundaries of a geographical area, at least if it is a local authority area – such as the city of Birmingham, or the county of Kent – are capable of being specified in a warrant under [the ISA]. Whether the issue of a warrant to allow interference with every mobile phone in Birmingham could ever be justified as being necessary and proportionate is a different question, which does not arise in these proceedings.”
The ruling added: “We do not regard [the ISA] as limited to factual situations as at the date of the warrant… a warrant in respect of ‘any device used at the Acacia Avenue Internet Café during the period of six months from the date of issue of the warrant’ would in our view be sufficiently specific, as would ‘anyone who appears on the FCDO (Foreign, Commonwealth and Development Office) Ruritanian diplomatic list during the period of six months from the date of the warrant’.”
Alongside a press release headed with the words ‘We won!’ in large type, PI – which operates as a registered charity – also published an FAQ document which runs through some of the finer points of the ruling, and acknowledges that it addresses only a specified issue.
“Does this case stop government hacking?,” the document asked. “No. The scope of our challenge was strictly limited to the lawfulness of general warrants as set out in ISA 1994 and the Regulation of Investigatory Powers Act 2000.
It added: “While the court agreed [the ISA] could not be read to permit security and intelligence services to rely on non-specific warrants, it did not pronounce itself in relation to other statutes or provisions which allow government hacking to take place, such as the IPA (Investigatory Powers Act) 2016.”
A “major victory” may have been claimed in this battle. But it seems clear that the likes of Privacy International and its supporters will need many more to ever win the war.
Appointee will replace Elizabeth Denham and will lead the data-protection watchdog through a ‘dynamic period of change’
Connexus technology will provide officials with access to a wide range of personal and business information
Prospective MSPs encouraged to sign pledge to 'democratise data’
HMRC vetting procedure identifies possible concerns
There are many reasons to keep your Oracle workloads running on local servers. But there are even more reasons to move them to the cloud as part of a wider digital transition strategy. Six Degrees...
As misinformation about the coronavirus vaccine spreads, Granicus outlines key considerations for local government when delivering a successful vaccine communications campaign
Higher Education institutions are some of the most consistently targeted organisations for cyberattacks. CrowdStrike explores the importance of the right cybersecurity measures.
SolarWinds explains how public sector organisations can make the most of their hybrid IT investments - delivering services that are both innovative and reliable