Liberty claws partial win against Investigatory Powers Act
"What is crucial is the function being carried out, not the identity of the body performing it."
Human rights group Liberty has won a partial victory in its bitter, long-running fight against the Investigatory Powers Act, as the government receives bids to develop its Internet Connection Records tech.
On Friday 24 June the High Court handed down its verdict in the third stage of Liberty’s challenge against the IPA – and dismissed all but one of the challenges the charity brought. But the area where Liberty succeeded was significant: the ability of security services to approve access to communications data by themselves.
Under the Investigatory Powers Act, most bodies which can access communications data – in this case meaning the metadata of which devices have been used to access which IP addresses, and when – need approval from an “independent administrative body”. But the act included an exception for cases related to national security – and for the security and intelligence services in general.
See also: UK’s bulk surveillance regime breaches human rights, is a risk to journalists: Judges
Lord Justice Singh and Mr Justice Holgate agreed with Liberty that this self-authorisation ability by the security services was too broad, and incompatible with retained EU law. (Even though the UK is no longer in the EU, almost all of its relevant laws were passed into UK law en masse, to avoid the absolute chaos which would follow if it all became invalid.)
The judges based their decision on the fact that, even though the security agencies do act in the interests of national security, they also act for “ordinary criminal purpose[s]” – and said they could not “see any logical or practical reason why they should not be subject to the same legal regime as the police”.
“The mere fact that in general they operate in the field of national security cannot suffice for this purpose. It is the particular function in issue which is relevant. Moreover, the identity of the body carrying out a relevant function is immaterial: what is crucial is the function being carried out, not the identity of the body performing it,” said the judgment.
This isn’t academic either – MI5 was caught breaching the IPA’s safeguarding provisions in 2019, again in a case brought by Liberty. In a statement to parliament, then-Home Secretary Sajid Javid said: “The report of the Investigatory Powers Commissioner’s Office [IPCO] into these risks concluded that they were serious and required immediate mitigation. The Commissioner also expressed concern that MI5 should have reported the compliance risks to him sooner.”
Subscribe to our new Command Line newsletter on LinkedIn
The judges in this latest case haven’t issued a ruling on what needs to happen now, as they have asked Liberty and the government to file submissions on this subject. A final decision hearing should follow sometime from late July onwards.
Liberty’s other claims around the IPA’s legality under EU law – including the act’s authorisation of bulk collection, and the lack of need for prior authorisation when agencies look again at previously-stored data – were dismissed. Liberty is appealing these – along with other points from its previous two hearings, which are working their way through the Court of Appeal.
(The human rights group offers a useful explainer on its fight against the Investigatory Powers Act, although it has not yet been updated with information from this latest decision.)
The IPA put into law what the UK’s security agencies were doing covertly anyway: gathering enormous amounts of metadata without any oversight (as revealed by Edward Snowden). But after being passed in 2016 it quickly ran into legal trouble, and had to be amended in 2018 – directly as a result of Liberty’s challenge against it.
Investigatory Powers Act collection rollout continues
Meanwhile the UK government continues to ramp up its ability to collect internet metadata. Earlier this month the little-known National Communications Data Service (NCDS) closed a procurement round for proposals to “provision a national ICR [Internet Communications Records] service” – with 14 companies having completed applications.
This follows on from last month’s moves by the NCDS, which is part of the Home Office, to outsource its data-gathering capabilities, via a potential £70 million contract.
See: Home Office eying privatisation of bulk surveillance apparatus
Last year ISPreview reported two ISPs were working with the government on a “small scale” trial of communications data collection. The identity of the ISPs remains unknown, as the IPA prevents service providers from talking about anything they do under the act’s provisions.
This means, beyond disclosures from the IPCO, and barring leaks or successful legal challenges, the details of exactly how the government and its agencies are collecting and using metadata will remain unknown.
As our earlier article observed, there are strong opinions on both sides of the fence regarding the Investigatory Powers Act. But given the poor track record of the government on data collection, the misuse of that data by agencies including MI5, and the widespread collection of data from lawyers, doctors, journalists and even MPs, we would suggest robust scrutiny of the law, in the form of challenges such as Liberty’s or otherwise, are highly justified.