On Friday, Access and a coalition of civil society organizations, including the Center for Democracy & Technology, the Electronic Frontier Foundation, and New America’s Open Technology Institute, called on the Home Office of the United Kingdom to address questions about the lack of human rights protections found in its surveillance authorities.
In the wake of revelations that the Government Communications Headquarters (GCHQ) — the National Security Agency’s UK counterpart and oft-partner — is collecting the communications records of its citizens and users around the world, civil society pressured both governments to be more transparent in their electronic surveillance missions. The UK recently published documents that guide the implementation of its laws on communications interception and interference. While the documents are intended to increase transparency and establish protections surrounding the use of surveillance technologies, they fail to account for the impact that these technologies will have on human rights.
New Documents Published
On February 6, 2015, the Home Office published two documents, an updated version of the Interception of Communications Code of Practice, and a new document, the Equipment Interference Code of Practice. The documents provide guidance on the exercise of surveillance authority by the intelligence community of the UK, including GCHQ, the Security Service (MI5), and the Secret Intelligence Service (SIS). While each agency has a slightly different focus, these documents authorize surveillance under a wide standard, and provide that surveillance or equipment interference can be broadly authorized when it is related to national security, the prevention or detection of serious crime, or the economic well-being of the UK.
The Equipment Interference Code of Practice governs the non-consensual physical tampering with systems or equipment in order to facilitate surveillance. In other words, it’s what the government uses when it wants to secretly mess with personal or corporate equipment to spy on users. The code specifically includes modifying or substituting hardware and software without a user’s permission. A recently revealed target of this type of action was the multinational company Gemalto, a Netherlands-based company that makes SIM cards found in millions of mobile phones around the world. It seems the GCHQ, along with the NSA, hacked the company in order to steal the encryption keys. This would allow the agencies to gain access to private communications, all without the user’s knowledge.
The Interception of Communications Code of Practice governs signals intelligence, which generally includes electronic surveillance, but also the modification of systems and networks. Interception occurs when a system is modified or interfered with in a way that makes the communications available to a person other than the sender or recipient. The Interception Code applies to the provider of any technology that facilitates communication, including telecommunications services and internet services. The code requires providers to provide “reasonable assistance” to execute a search under a warrant. This can include creating a permanent interception capability in their network, degrading the security that protects user information and communications, and also making the network more vulnerable to third-party interception.
Failure to Protect Human Rights
The Home Office’s new codes are general in scope and grant broad authorities to officials, but lack adequate justification. More than 400 civil society groups, academics, and corporations have sought to guide surveillance practices through endorsement of the International Principles on the Application of Human Rights to Communications Surveillance. The International Principles require any communications surveillance to be both necessary to achieve a legitimate aim and proportionate in scale and scope to the achievement of that aim. But the UK’s new codes of practice allow interference to go beyond interception, facilitating powerful control over networks, and by extension, over users. The International Principles explain that undermining the integrity of communications systems almost always leads to less robust security for all users.
The new codes of practice establish a far too lenient standard for the authorization of surveillance. The International Principles require that communications surveillance must be authorized by a competent judicial authority in order to help ensure that the surveillance is truly necessary. However, UK law allows surveillance activities to be authorized by the Secretary of State, who does not need to disclose the identity of the person targeted or the “details of any offense suspected or committed.” They allow for the collection of information from incidental persons who become targets in their own right and expand the instances in which a government official may unilaterally amend a warrant.
While purporting to establish safeguards for privacy, the new codes of practice have an unacceptable impact on human rights. The codes make passing references to Article 8 of the European Convention on Human Rights (“Right to respect for private and family life”) and Article 1 of the First Protocol (“Right to peaceful enjoyment of possessions”), but fail to address other rights set out in the European Convention or other human rights instruments. The codes also provide no protection against the bulk collection of the communications of non-UK persons and allow the collection of privileged information, such as communication between a client and attorney or between a journalist and source. Access has frequently protested such lack of protection for foreigners with regard to bulk collection by the U.S. government.
The codes of practice expand upon the already broad surveillance authorities possessed by UK intelligence agencies. Under the Data Retention and Investigatory Powers Act (DRIP), the UK government requires all telecommunications data to be retained for at least 12 months. It also broadly expands the scope of surveillance extraterritorially under the Regulation of Investigatory Powers Act of 2000.
The codes of practice are especially troubling in the context of the secret information sharing programs between the UK and the U.S., Canada, Australia, and New Zealand, also known as the “Five Eyes.” It is unclear how disclosure of the collected information will be handled and what, if any, safeguards are in place to prevent sharing between governments.
The increased authorities for communications surveillance come at a time in which several leaders around the world are calling for companies to undermine the ability of users to protect against surveillance. The UK’s Prime Minister, David Cameron, recently called for an end to encryption that the government cannot penetrate. He is not alone in this call. James Comey, Director of the Federal Bureau of Investigation, along with several other top members of the Intelligence Community in the U.S., has demanded backdoors in software and encrypted devices. The Chinese government currently requires that companies that sell tech to banks build in backdoors, turn over the source code, and submit to government audits. However, it is worth noting that President Obama recently stated that he is a “believer in strong encryption” at a 2015 cyber summit in Silicon Valley.
Requesting answers from UK authorities
While we applaud the public disclosure of the codes of practice, the documents may impact privacy and freedom of expression of users around the world. Together with other civil society members, we requested more information on the UK’s activities, and specifically provided five questions for closer consideration. The questions include:
- Does the Home Office appropriately distinguish between passive interception of information and active interference with devices?
- How does the Code of Practice intend to balance the advantages of pursuing an individual act of interference via a discovered security flaw, as opposed to protecting national security and the prevention of acts of serious crime achieved by taking steps to mitigate or fix the flaw?
- How will the Secretary of State ensure that any surveillance activities conducted outside the territory of the UK or the Crown dependencies respect the binding customary international laws demanding strict respect for state sovereignty?
- Will the Home Office provide an analysis of the consistency of the surveillance measures described in RIPA, the ISA, and the relevant Codes of Practice with Article 10 of the ECHR?
- What information sharing agreements exist between the UK and other countries, allowing either raw or processed information collected by means of government surveillance to be transferred to other countries? What safeguards do these agreements require?
You can read our joint submission here. We will keep you updated as the process moves forward.