Top court rules UK mass interception of fiber-optic cable traffic violates the right to privacy: a victory, but how big?

Top court rules UK mass interception of fiber-optic cable traffic violates the right to privacy: a victory, but how big?

Five years ago, the Edward Snowden’s revelations about the scale of surveillance by the US and UK shocked the world, and since then only a few releases of documents from Snowden hoard have surfaced. This didn’t stop many privacy groups to use the information released by Snowden to hold governments accountable.

The good news is that the European Court of Human Rights has ruled that the UK’s use of mass surveillance violates the natural right to privacy.

What they found was that the UK was routinely tapping into a large proportion of the fiber-optic cables that crisscross the world carrying data traffic.

According to The Guardian article that broke the story, “Each of the cables carries data at a rate of 10 gigabits per second, so the tapped cables had the capacity, in theory, to deliver more than 21 petabytes a day.” The Government Communications Headquarters (GCHQ) had the ability to spy on around a quarter of the world’s cables carrying Internet traffic, much of it from the US. The UK government uses “selectors” and “search criteria” to filter the content and the metadata it collects. These searches typically include finding all traffic to and from a particular location: Google search queries, purchases on Amazon, location data, downloads from the torrent websites and IP addresses.

The legal regime that authorized GCHQ to sift through the archives of the metadata about the private lives of people is opaque, without a court order or judicial warrant.

Ten human rights organizations filed an application to the European Court of Human Rights (ECHR) to challenge these decisions. The ECTHR has now issued its ruling, which is long and detailed. Privacy International has provided a good summary of the key points.

The ECHR ruled that mass surveillance is not in itself a breach of human rights: each state decides how to best protect its citizens, but GCHQ was not adequate in analyzing the data that the fiber-optic cables gathered and that was a breach of human rights. The ECHR emphasized that what was “Of greatest concern, however, is the absence of robust independent oversight of the selectors and search criteria used to filter intercepted communications.”

The court recognized that the metadata can reveal more about the people’s private lives than about the content. It criticized the lack of safeguards for its gathering and use by GCHQ. These flaws in the UK mass interception law led the judges to conclude it “is incapable of keeping the ‘interference’ [with privacy] to which is ‘necessary in a democratic society’.”

The fact that GCHQ has been gathering internet traffic worldwide, and sharing it with the NSA, means that we should be careful in the future of such surveillance.

In an analysis of the latest decision, Theodore Christakis, Professor of International Law at the University Grenoble Alpes, cautions: “This was undoubtedly a victory for NGOs, but it was probably not a “great” one; in fact, it may even prove to be a pyrrhic victory.” The problem is that for all its criticisms of GCHQ’s actions, the ECHR accepts mass surveillance as a valid government activity: “It is clear that bulk interception is a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime.”

As Christakis points out, that is in stark contrast to the EU’s top court, the Court of Justice of the European Union (CJEU), which has ruled against the idea of mass surveillance. For example, in the 2015 decision that struck down the “Safe Harbor” agreement regulating data flows of personal information across the Atlantic, the CJEU declared: “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”

The clash between the rulings of the top human rights court in Europe, and the CJEU means that the status of mass surveillance in the EU is now somewhat unclear. That is another good and natural reason for human rights organizations to bring legal challenges to the practice wherever it is being deployed, in order to ensure that “bulk interception” is always subject to laws with meaningful oversight, and that privacy is not being undermined in secret.