surveillance

The ‘Big Brother Watch’ Ruling on U.K. Surveillance Practices: Key Points from an American Perspective

By Robert Chesney
Tuesday, October 9, 2018, 10:28 AM

Last month, a divided chamber of the European Court of Human Rights (“ECHR”) (that is, a panel of seven judges from ECHR’s “First Section”) issued an opinion declaring several aspects of British surveillance law to be in violation of the European Convention on Human Rights. The case is called, perhaps inevitably, Big Brother Watch and Others v. The United Kingdom. The opinion is ponderous, to say the least. But it’s nonetheless quite interesting from a comparative-law perspective, particularly for those of us who follow all the ins-and-outs of similar challenges to U.S. surveillance law. 

Instead of Fourth Amendment objections, we get objections under Article 8 of the European Convention on Human Rights.  Instead of traditional FISA or 702, we get the Regulation of Investigatory Powers Act 2000 (“RIPA”).  Instead of judicial deference to the executive branch, we get the “margin of appreciation.” Though the labels and granular details vary, the underlying tensions are all the same.

Hopefully that persuades you to have a closer look. Scarlet Kim, who leads the litigation efforts of the advocacy group Privacy International with respect to surveillance, has written a critical assessment of the opinion here at Just Security (see here for a recent example of PI’s work involving litigation before the UK Investigatory Powers Tribunal, which is a fascinating judicial body created by RIPA in order to provide a domestic venue in which persons alleging rights violations by government surveillance can seek redress).  I see the case from a different perspective, and in any event would like to highlight various things about it as a comparative-law teaching moment for the U.S. legal audience.  If that sounds useful to you then read on!

1. For starters, what UK surveillance practices are at issue in Big Brother Watch?

In general, there are three practices at issue: bulk interception of “external communications”; receipt of the fruits of U.S. collection efforts; and targeted requests for metadata held by communication service providers.

a. Bulk collection of content and certain metadata where the intent is to capture only “external communications”

The phrase “external communications” refers to communications that have no more than one-end-domestic.  That is, they can be foreign-to-foreign, foreign-to-domestic, and domestic-to-foreign transmissions, but they do not include domestic-to-domestic ones involving senders and recipients both in the UK. 

Under RIPA, it works roughly as follows. The law expressly authorizes such collection subject to a preliminary finding by the Secretary of State that certain general goals will be advanced (for example, national security or preventing serious crime). Supported by a “certificate” to that effect, the Secretary of State can issue a RIPA section 8(4) “warrant” authorizing bulk collection. In general, what happens next is that the government identifies certain “bearers” within a given fiber-optic cable that it believes are likely to carry qualifying external communications, and intercepts from that stream. That interception is in bulk and results in acquisition of both content and certain metadata. But at this point, the framework narrows in a specific way as it relates to persons thought to be within the UK: Analysts may not use selectors or search terms associated with (or in any event intended to yield information about) a person believed to be in the “British Islands” at that time.

b. Receipt of the fruits of U.S. signals intelligence collection

The opinion also wrestles with whether the UK violates ECHR rules by receiving the fruits of collection conducted by the United States.

c. Compelling communication service providers to provide certain metadata on a targeted basis.

The opinion also addresses a separate RIPA provision, one that is akin to America’s Stored Communications Act insofar as it provides the government with authority to oblige a communications service provider to turn over certain metadata concerning a particular user/customer’s communications.  This is targeted rather than bulk collection, notably.

2. What ECHR rights do the applicants invoke?

The central claim is that these practices violate Article 8 of the European Convention on Human Rights.

Article 8 provides that “[e]veryone has the right to respect for his private and family life, his home and his correspondence,” and it specifies that ECHR member states may not interfere with that right except insofar as doing so is both:

  1. “in accordance with the law” and
  2. “necessary in a democratic society” in order to pursue various listed goals (national security, public safety, economic well-being, prevention of disorder or crime, protection of health or morals, protecting the rights or freedoms of others).

In addition, there are claims for violation of Article 10 of the Convention (which protects freedom of expression) on the theory that some of these practices threatens the confidentiality of journalistic sources and thus freedom of the press.  And there are claims as well under Article 6 (involving fair trial rights) and Article 14 (involving discrimination).  I’m interested in focusing on the Article 8 privacy claims, though, so won’t be saying anything further about the others. 

3. Article 8’s plain language is pretty…well, plain.  Has the ECHR developed caselaw constructing more-detailed “doctrinal rules”—that is, an analytical framework with more specificity—giving Article 8 a more precise and predictable meaning?

Sort of.  The ECHR definitely has developed a doctrinal framework for Article 8.  Whether it actually provides predictability—as opposed to masking judicial discretion to pursue policy preferences in either direction—is debatable.

As noted above, the plain text of Article 8 requires satisfaction both of an “in accordance with law” test and a “necessary in a democratic society” test. Let’s look at the doctrinal details the Court has developed for each, in that order.

a. The “in accordance with law” test

The ECHR has held that the “in accordance with the law” requirement breaks down into two sub-inquiries: 

  • First, does the practice have an affirmative basis in the state’s domestic law?
  • Second, is the practice “compatible with the rule of law” in the specific sense that its existence and effects are both “accessible” and “foreseeable”? 

That first part is straightforward; one can identify a domestic law authorization or not. 

The second part is more complicated, particularly when applied to surveillance systems that are, of necessity, secretive. To resolve that tension, the ECHR has developed a checklist of considerations that a state’s law must adequately address in order for a secret surveillance framework to qualify as “foreseeable.”  The law authorizing national security investigative powers must sufficiently specify: (1) the substantive basis for using the powers, (2) the persons subject to investigation, (3) time limits on the surveillance, (4) procedures for using and storing resulting data, (5) limits on data sharing, (6) procedures for destroying the data, (7) systems for supervising implementation, (8) any notification requirements, and (9) any remedies for wrongful surveillance.

b. The “necessary in a democratic society” test (shades of Palko)

To a US-trained lawyer, the language “necessary in a democratic society” calls to mind the famous “essential to a scheme of ordered liberty” standard the Supreme Court developed in its “Incorporation” jurisprudence, as seen for example in Palko v. Connecticut.  In that setting, the “test” purportedly guides courts as they decide which of the rights enumerated in the Constitution’s text vis-à-vis the federal government should be deemed part of the “liberty” protected by the 14th Amendment Due Process Clause and thus also binding on state governments.  I think it’s fair to say that few people today think that “essential to a scheme of ordered liberty” is actually a test as opposed to a conclusion.  The reality under that standard is that it masks a judicial determination about the relative importance of a given right and the extent to which the costs of recognizing that right are worthwhile.  That is: what really goes on is a balancing of interests (by the judges), with the results of the balancing then declared to be essential or non-essential.

Well, so too with the “necessary in a democratic society” test from Article 8. 

To be clear, I do not mean to say that this is somehow inappropriate in the Article 8 context. Far from it; these words are written directly into the text of Article 8, after all, and plainly must be given effect.  I’m simply saying that we should not kid ourselves into thinking that this language has objective content independent of the judges’ sense of the balance of interests.  Put another way, the language functions as a textual invitation to judges to conduct such balancing.   

Before we move on, let me note another familiar feature of the ECHR approach that goes by an unfamiliar name: the “margin of appreciation.” The majority confirms that governments are entitled to a “certain margin of appreciation” in making determinations in relation to such weighty and sensitive matters of national security surveillance.  And while we don’t usually use the “margin of appreciation” language in US law, the concept is much the same as our notion of “deference” to the executive branch with respect to certain matters deemed to be within the executive’s special competence.  In both cases, the implication is that there’s a thumb on the scales, with uncertainty (no doubt strategic in some cases) regarding how much work the “appreciation” or “deference” actually is doing. (Foreshadowing: it’s not clear that the margin of appreciation is doing any work for the judges in the majority, which is a point that two dissenting judges emphasize). 

c. Are these two prongs to the analysis really doing distinct work?

Actually, no, not really.  The opinion in Big Brother Watch blends the multi-variable “foreseeability” test with the balancing requirement of the “necessary in a democratic society” test.  That is: the court’s analysis ends up being, for the most part, an application of the balancing approach to each of those individual variables, as applied to various distinct surveillance practices.  It’s a sensible approach, avoiding excessive doctrinal formalism in favor of concentrating on the bottom line.  And what really is that bottom line?  Considering whether the judges think that the UK has done enough, at each point of analysis, to guard against the risk of abuse that might follow if goivernment agents have excessive discretion (that is, if the framework suffers from arbitrariness). 

4. On to the application of the law to the facts, starting with bulk collection. What result when the majority assesses the RIPA 8(4) bulk collection framework for compatibility with Article 8 privacy?

For the most part, the ECHR finds that the various safeguards in RIPA do strike a tolerable balance.  But not as to all of it. The majority finds the safeguards insufficient at three points.

First: The majority finds a problem with the stage in the process where the government selects particular bearers for bulk interception. Alas, the analysis here is truncated and unclear.  The majority acknowledges that the government’s discretion to select bearers is not actually unfettered, and at first it actually seems satisfied that discretion is sufficiently cabined by the requirement that the selection focus on “external communications” (para. 338).  But then the majority goes on to assert—without explanation—that something more is needed in terms of constraints on selection (para. 347).  It is a conspicuous and unfortunate feature of the opinion that it does not make clear what more would suffice.

Second: The majority also finds a problem with the identification of selectors and search terms analysts use to query the resulting database.  Specifically, the majority objects to the lack of sufficient external oversight for this process.  This is despite the fact that there is post hoc auditing of this process by the Interception of Communications Commissioner (as well as the possibility of case-specific complaints to the IPT), and despite the absence of evidence that there has been any abuse (para. 346-47).  Even so, the majority concludes that something more is still needed.  Again, though, the court is conspicuously silent about what, precisely, would do the trick.

Here it is worth pausing to note the dissent from Judges Kristina Pardalos (San Marino) and Tim Eicke (Britain). The general thrust of the dissent is that the areas identified by the majority as faults certainly warrant improvement, but that this is a far cry from concluding that the RIPA section 8(4) system fails to pass muster—particularly bearing in mind the margin of appreciation to which the UK ostensibly is entitled in this setting.  There’s a lot of detail to the analysis, but I’ll simply note one of their key points, which is that the outcome in Big Brother Watch appears to conflict with the near-contemporaneous decision of another chamber with respect to Sweden’s surveillance system (in a case called Centrum For Rattvisa v. Sweden, No. 35252/08). 

Unquestionably, the two surveillance regimes in question can be distinguished, and it may be that the error was on the part of the other chamber in being too deferential to Sweden.  But Pardalos and Eicke are persuasive in contending that the two rulings appear unequally demanding. 

That is not terribly surprising, given the subjectivity of the standard at issue and the fact that the ECHR system of multiple sections and chambers allows (much like a US federal circuit with varying panels, or for that matter the existence of the many separate circuits in the US system) for the possibility of inconsistency.  Whether the ECHR “Grand Chamber” process will view this as a compelling reason to intervene, should either case proceed with an appeal, remains to be seen. Certainly it is the sort of issue, though, that would make Supreme Court involvement likely in the United States.

Third: The majority also finds a selection-criteria failing with respect to the particular situation in which an analyst wants to search through the metadata that bulk collection under section 8(4) yields.  Whereas (as noted above) RIPA prevents analysts from using domestic-target selectors/terms in general, that prohibition drops out if the query is limited to metadata.  The majority concludes that this runs too much of a risk of abuse, and finds that this constraint should remain in place as a general role for metadata searches, dropping out only where the sole reason for querying metadata is to determine the probably location of a target for purposes of this very location analysis vis-à-vis substantive content in the database.

6. What about application of the Article 8 framework to the situation when the UK receives intelligence from the US?

As an initial matter, the majority finds that there is an Article 8 privacy issue to consider here. As Scarlet observes in her Just Security post, this in itself was remarkable.

But the majority from that point breaks the government’s direction.  Most notably, the majority is at pains to exclude from its analysis the legality of the initial collection of such information by the United States. Instead, the majority confines its analysis to the UK’s treatment and handling of the information once that information is received (and finds no problems under that heading).

From a US perspective, the situation is rather like the Kerr-Frisbie doctrine, pursuant to which a court takes no heed of how a criminal defendant came into government custody so long as the defendant is currently within the court’s jurisdiction to try.

7. And what about application of the Article 8 framework to compelled production of metadata (on a targeted rather than bulk basis) from Communication Service Providers?

As noted above, RIPA contains authorities (“Chapter II”) allowing the government in some cases to compel a Communication Service Provider to provide certain non-content information about user or customer activities.  The US has something similar, under the Stored Communications Act, insofar as providers can be compelled to provide limited information (name, address, transmission records with time and duration, means of account payment, and a few other things) without court involvement.  (The details of the SCA get awfully complicated; browse it all starting here).

The majority finds that the Chapter II system necessarily fails to satisfy Article 8 for two reasons. First, Chapter II allows the request for production to be based on investigation of “crime” in general as opposed to “serious crime.” Second, Chapter II does not call for any ex ante review by either a judicial body or at least an independent entity of some other sort.  For the majority, these two conditions were unavoidable requirements because the UK has subsequently conceded as much in the context of parallel litigation involving a 2016 statute (to be discussed in just a moment).  Because of that derivation of the rules, notably, the majority does not actually take direct ownership over the propriety of concluding that such requests for production must be limited to serious crimes and must include an independent ex ante review of the request.

8. Okay, so far so good.  But two years ago the UK enacted the Investigatory Powers Act 2016 in order to further specify and oversee how this all works, and it is in the midst of the process of promulgating detailed regulations to clarify and constrain things further.  Does that make all of this Big Brother Watch business moot?

That is a very interesting and critical question. I’m not steeped in the details of IPA nearly enough to form an opinion on whether it does (or at least might) sufficiently close the gaps on the shortcoming noted above.  Scarlet in her Just Security post argues that it does not.  I’d love to hear from readers with a view on the matter, and will update this post at this spot if useful insight comes in over the transom. For now, I’ll remain agnostic despite the persuasiveness of several of Scarlet’s points, both because of the lack of guidance from the majority in Big Brother Watch regarding what actually would pass muster and because regulations under IPA are still in development. No doubt we can all agree, at least, that there will be more litigation on these points.

Thanks for staying with me this far, by the way.