Fighting Mass Surveillance in the Post-Snowden Era

What Happened

On 5 June 2013, The Guardian published the first in a series of documents disclosed by Edward Snowden, a whistleblower who had worked with the NSA. The documents revealed wide-ranging mass surveillance programs conducted by the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ), which capture the communications and data of hundreds of millions of people around the world. In addition to revealing the mass surveillance programs of the NSA and GCHQ, the Snowden disclosures also disclosed a highly integrated intelligence sharing relationship between these agencies and their counterparts in Australia, Canada and New Zealand (collectively known as the “Five Eyes Alliance”), as well as with a broader web of intelligence agencies in dozens of other countries.

The Snowden revelations irrevocably changed the public’s understanding of the scope and scale of surveillance undertaken by intelligence agencies. As methods of communications have changed, surveillance techniques have also evolved to permit the collection, storage, analysis and dissemination of personal information at population-scale. We now know that the NSA recorded every single mobile phone call into, out of, and within at least two countries; it collected hundreds of millions of contact lists and address books from personal email and instant-messaging accounts; and surreptitiously intercepted data from Google and Yahoo user accounts as that information travelled between those companies’ data centres located abroad. We also know that both the NSA and GCHQ conduct mass interception of internet traffic transiting undersea fiber-optic cables; that GCHQ conducts mass hacking both domestically and abroad; and that the US, UK (and the rest of the Five Eyes alliance) have broad access to information gathered through each country’s respective surveillance programs.

What We Did

In the immediate aftermath of the Snowden disclosures, Privacy International launched a series of legal challenges against several of the newly revealed mass surveillance programs. 

In July 2013, Privacy International brought suit in a British court – the Investigatory Powers Tribunal (IPT) – challenging the British government’s mass interception of internet traffic transiting undersea fibre-optic cables, as well as the UK’s access to information gathered through the NSA’s breathtaking array of bulk spying programs. (Nine other organisations submitted similar complaints and the IPT subsequently joined the cases. Those organisations are the American Civil Liberties Union, Amnesty International, Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre and Liberty). 

In May 2014, Privacy International brought another suit in the IPT, challenging the British government’s hacking inside and outside of the UK. (Seven internet and communications service providers from around the world submitted a similar complaint and the IPT joined the cases. Those providers are the Chaos Computer Club (Germany), Greenhost (Netherlands), GreenNet (UK), Jinbonet (Korea), Mango Email Service (Zimbabwe), May First/People Link (US) and Riseup (US)).

In June 2015, Privacy International launched another suit, again in the IPT, challenging two new mass surveillance programmes that were revealed by the UK government as it responded to pressure created by the Snowden disclosures and resulting advocacy (including our lawsuits). The programmes at issue collected “Bulk Personal Datasets” and bulk communications data – also known as metadata.

Key Results

Our litigation accomplished a number of important goals. We forced many of the secretive programs revealed by Snowden further into the public sphere. For example, as a result of our hacking challenge, the British government publicly avowed for the first time that it had hacking powers and admitted the use of hacking at an alarmingly broad scale. It admitted to hacking within and outside the UK using such techniques to “obtain information from a particular device, server or network”; “create or modify information on a device”; and “carry out intrusive activity”. It further admitted that it may undertake hacking against a specific device or an entire computer network and that it undertakes both “persistent” and “non-persistent” operations, the former referring to hacking activities covering an extended period of time. Without our case, the British government would likely still be hacking without public knowledge of the scope of such activities or the rules governing them. 

Our litigation also resulted in judicial determinations that certain aspects of the British government’s mass surveillance programs were unlawful. The first of these decisions was the February 2015 judgment by the IPT finding intelligence sharing between the UK and the US unlawful prior to its judgment because the rules governing such sharing were secret. As noted above, this case also brought intelligence sharing further into the light, in particular, by forcing the British government to reveal the rules it relied upon for engaging in this activity. The IPT also found that the British government engaged in unlawful surveillance against two organisations – Amnesty International and the Legal Resources Centre – whose cases were joined with ours.

In our third-filed case, the IPT held that the UK intelligence services’ collection and use of Bulk Personal Datasets and bulk communications data had been unlawful prior to 2015. The IPT also subsequently determined that Privacy International’s data had been unlawfully captured by the intelligence agencies through their bulk programmes.

Finally, our litigation resulted in significant changes to how the British courts handle surveillance litigation. Prior to these cases, the IPT held very few public hearings. During the course of our three cases, the IPT has significantly increased its open engagement with the intelligence services on the mass surveillance programmes at issue, including at one point permitting us to cross-examine a witness from GCHQ. Our litigation has also raised the important public law question of whether the IPT can be reviewed by the regular UK courts through the judicial review procedure. The UK Supreme Court is currently considering this question.

Going Forward

The IPT determined that the British government’s mass interception and intelligence sharing (following the February 2015 judgment) programs were lawful. We have challenged these determinations before the European Court of Human Rights, which held a hearing in November 2017. In September 2018, the First Section of the ECHR issued a mixed judgment in the case, striking down the UK’s historical mass interception regime while approving of its intelligence sharing. Privacy International and a number of the other claimants before the ECHR have sought referral of that judgment to the Grand Chamber.

The IPT also determined that the British government’s hacking programs are lawful. We have challenged this determination as it relates to hacking outside of the UK before the European Court of Human Rights. That case was communicated in December 2018 and is likely to proceed in 2019. We have also brought a separate domestic challenge (called a “judicial review”) to part of the IPT’s determination, which sanctioned the British government’s use of general warrants to hack domestically. This case is currently before the UK Supreme Court, which held a hearing in December 2018.

Our case on Bulk Personal Datasets and bulk communications data is now in its final stages before the IPT. 

Lessons Learned

Strategic litigation can, however, be a powerful tool because, if we win, the judgments compel action on the part of the governments we challenge.  Strategic litigation is time and resource-intensive, complex and lengthy. Moreover, the complexity of and timeline for litigation makes maintaining the public interest challenging. We have attempted to combat these challenges by continually updating the public through a variety of materials, including infographics, briefings and explanatory blog posts.

Hard lessons

Undertaking such cases is a considerable investment for organisations like Privacy International. The outcome of strategic litigation is not certain. PI always evaluates the strength of its claims as a factor in determining whether to bring a case. But there remains the possibility that we will lose. For that reason, we engage in a mix of strategies to defend the right to privacy, including advocating for strong national, regional, and international laws, and building campaigns to educate and motivate the public to take action to protect this fundamental right.