Mass surveillance in the United Kingdom



The use of electronic surveillance by the United Kingdom grew from the development of signal intelligence and pioneering code breaking during World War II. In the post-war period, the Government Communications Headquarters (GCHQ) was formed and participated in programmes such as the Five Eyes collaboration of English-speaking nations. This focused on intercepting electronic communications, with substantial increases in surveillance capabilities over time. A series of media reports in 2013 revealed bulk collection and surveillance capabilities, including collection and sharing collaborations between GCHQ and the United States' National Security Agency. These were commonly described by the media and civil liberties groups as mass surveillance. Similar capabilities exist in other countries, including western European countries.

Surveillance of electronic communications in the United Kingdom is regulated by acts of Parliament. In particular, access to the content of private messages (that is, interception of a communication such as an email or telephone call) must be authorised by a warrant signed by a Secretary of State. Although the law provides for governance and safeguards over the use of electronic surveillance, these safeguards have been criticised as not far-reaching enough, nor protective enough of the public's privacy. Further oversight, including a requirement for judges to review warrants authorised by a Secretary of State, as well as new surveillance powers, was introduced by the Investigatory Powers Act 2016.

The judicial body which oversees the intelligence services in the United Kingdom, the Investigatory Powers Tribunal, ruled in December 2014 that the legislative framework in the United Kingdom does not permit mass surveillance and that while GCHQ collects and analyses data in bulk, its practices do not constitute mass surveillance. Other independent reports, including one by the Intelligence and Security Committee of Parliament, also came to this view although they found past shortcomings in oversight and disclosure, and said the legal framework should be simplified to improve transparency. However, notable civil liberties groups and broadsheet newspapers continue to express strong views to the contrary, while UK and US intelligence agencies and others have criticised these viewpoints in turn.

Various government bodies maintain databases about citizens and residents of the United Kingdom. These include "bulk data sets" such as medical records. In January 2016 the Home Secretary stated she would neither restrict the data sets that might be accessed for such purposes, nor state whether or not communications protected from law enforcement access, such as journalists' sources and legal privilege, had been accessed covertly. Although the use of video surveillance cameras in the United Kingdom is common, as it is in many countries, its prevalence may historically have been overstated. Legal provisions exist that control and restrict the collection, storage, retention, and use of information in government databases, and require local governments or police forces operating video surveillance cameras to comply with a code of conduct: the Surveillance Camera Code of Practice.

Legal framework for lawful interception
The legal framework in the United Kingdom for lawful interception and storage of communications data and, when a warrant exists, the content of electronic communications is based on the Regulation of Investigatory Powers Act 2000 and several other pieces of legislation. The Data Retention and Investigatory Powers Act (DRIPA) 2014 deals with the retention of certain types of communications data (not the content of messages). It was brought into effect after the European Union's Data Retention Directive was declared invalid. The Telecommunications Act 1984 has also been used by the government to facilitate bulk communications data collection. The Protection of Freedoms Act 2012 includes several provisions related to controlling or restricting the collection, storage, retention, and use of information in government databases. The Human Rights Act 1998 requires the intelligence agencies, including GCHQ, to respect citizens' rights as enumerated in the European Convention on Human Rights.

Compatibility with human rights law
The Investigatory Powers Tribunal ruled in December 2014 that the legal frameworks in the United Kingdom governing the bulk interception of data and intelligence sharing with agencies in other countries do not breach the European Convention on Human Rights, and are compliant with Articles 8 (right to privacy) and 10 (freedom of expression) of the European Convention on Human Rights. However, the Tribunal stated that one particular aspect of intelligence sharing, the data-sharing arrangement that allowed UK Intelligence services to request data from the US surveillance programmes Prism and Upstream, had been in contravention of human rights law until two paragraphs of additional information, providing details about the procedures and safeguards, were disclosed to the public in December 2014.

Privacy and civil liberties advocates such as Liberty and Privacy International, who brought a legal case against the government to force the judgement, continue to oppose the temporary bulk collection of data, powers to access this and retain selected data, as well as intelligence sharing relationships; they intend to appeal the judgement to the European Court of Human Rights. Intelligence agencies and MPs have criticised the viewpoint of privacy campaigners on this issue.

Following the publication of a special report by the Intelligence and Security Committee of Parliament in March 2015, which identified shortcomings in past oversight and potential improvements to the legislative framework, Prime Minister David Cameron initiated an inquiry into the legislation governing the interception powers of the intelligence agencies.

A third independent report into surveillance in the UK published in July 2015 found the intelligence agencies are not knowingly carrying out illegal mass surveillance of British citizens. However, it did say the laws governing the agencies' powers to intercept private communications need a significant overhaul. This view is consistent with separate reports by the Interception of Communications Commissioner.

In October 2016, the Investigatory Powers Tribunal ruled British security services had, in secret, unlawfully collected citizens' information, including financial information, individual phone and web use, and other confidential personal data, without adequate safeguards or supervision for 17 years. The tribunal found that from its inception in 1998 until its public acknowledgement on 4 November 2015, this bulk collection was in breach of article 8 of the European convention on human rights.

After a High Court victory by two MPs challenging the legality of DRIPA, the UK government appealed to the European Court of Justice (ECJ), but in December 2016 the verdict of the national court was upheld. The ECJ ruled that general and indiscriminate retention of emails and electronic communications by governments was illegal, opening the way to challenges against the UK's new Investigatory Powers Act (2016), which replaced DRIPA.

Investigatory Powers Act 2016
The Investigatory Powers Bill was published for scrutiny. The bill would introduce new powers, as well as restate existing ones, for targeted interception of communications, bulk collection of communications data, and bulk interception of communications. New oversight procedures would be introduced, including a requirement for a judge to review a warrant signed by a Minister for interception of communications, that is, reading the content of messages. The bill would require Internet connection records – which websites were visited but not the particular pages and not the full browsing history – to be kept by internet service providers for one year.

On 16 November 2016, the Investigatory Powers Bill had passed both houses of parliament and is scheduled to become law.

The Investigatory Powers Act 2016 is a comprehensive statute which makes provision for both targeted and bulk retention of content and metadata. It consolidates much of the previous legislation and makes public a number of previously secret powers (equipment interference, bulk retention of metadata, intelligence agency use of bulk personal datasets).

Controversially, it enables the Government to require internet service providers and mobile phone companies to maintain records of (but not the content of) customers' Internet connections for up to 12 months. Police and intelligence officers may seek approval for access to these records without a warrant, as part of a targeted investigation.

In addition, the Act creates new safeguards, including a requirement for judges to approve the warrants authorised by a Secretary of State before they come into force.

The Bill that gave rise to the Act was informed by reports of seven parliamentary committees, as well as an external report from the Royal United Services Institute and two influential reports by David Anderson QC, the UK's Independent Reviewer of Terrorism Legislation: A Question of Trust (2015) and the report of his Bulk Powers Review (2016). The latter contains a detailed appraisal (with 60 case studies) of the operational case for the bulk powers used by MI5, MI6 and GCHQ and often characterised as mass surveillance.

The Act may yet require amendment as a consequence of legal cases brought before the Court of Justice of the European Union and the European Court of Human Rights.

Data Retention and Investigatory Powers Act 2014
In April 2014, the European Court of Justice ruled that the European Union's Data Retention Directive was invalid. Since October 2007, telecommunication companies had been required to keep records of phone calls and text messages for a minimum of 6 months and at most 24 months under this directive. The European Court of Justice found it violates two basic rights, respect for private life and protection of personal data.

Supported by all three major political parties in the UK, Parliament passed the Data Retention and Investigatory Powers Act in July 2014 to ensure the police and security services retained their existing powers to access telephone and internet records. No additional powers were granted by the legislation, but it did make clear that the requirements also apply to foreign companies, based abroad, whose telephone and internet services are used in the UK.

The data being retained does not include the content of messages and telephone calls, just metadata describing when and who the users contacted by email, telephone, or text message. In circumstances when the Home Secretary issues a warrant for intercepting the content of private messages, the Act clarifies the law with which internet services providers must comply.

Provisions were included in the Act to "increase transparency and oversight"; the BBC reported that this included the following:
 * The creation of a Privacy and Civil Liberties Oversight Board to scrutinise the impact of the law on privacy and civil liberties.
 * Annual government transparency reports on how these powers are used.
 * The appointment of a senior former diplomat to lead discussions with the US government and internet firms to establish a new international agreement for sharing data between legal jurisdictions.
 * A restriction on the number of public bodies, including Royal Mail, able to ask for communications data under the Regulation of Investigatory Powers Act (RIPA).
 * Inclusion of a termination clause ensuring the powers under this Act expire at the end of 2016.
 * Statement that a wider review of the powers needed by government should be undertaken during the next parliament (after the general election in May 2015).

In July 2015, the High Court issued an order that parts of the Act were unlawful and were to be disapplied, with the order suspended until 31 March 2016, thereby giving the government a deadline to come up with alternative legislation which is compatible with EU law.

Context
Following the 2010 general election, the new government stated it would take measures to "reverse the substantial erosion of civil liberties and roll back state intrusion".

A report by the House of Lords Constitution Committee, Surveillance: Citizens and the State, had warned in 2009 that increasing use of surveillance by the government and private companies was a serious threat to freedoms and constitutional rights, stating, "The expansion in the use of surveillance represents one of the most significant changes in the life of the nation since the end of World War II. Mass surveillance has the potential to erode privacy. As privacy is an essential pre-requisite to the exercise of individual freedom, its erosion weakens the constitutional foundations on which democracy and good governance have traditionally been based in this country."

A YouGov poll published in 2006 indicated that 79% of those interviewed agreed that Britain has become a 'surveillance society' (51% were unhappy with this). In 2004 the Information Commissioner, discussing the proposed British national identity database, gave a warning of this, stating, "My anxiety is that we don't sleepwalk into a surveillance society." Other databases causing him concern were the National Child Database (ContactPoint), the Office for National Statistics' Citizen Information Project (which subsequently became part of the national identity database), and the National Health Service National Programme for IT.

As part of the new measures announced by the government in 2010, the national identity database, including ContactPoint (and the Citizen Information Project), was scrapped.

In addition, the Draft Communications Data Bill, which would have extended powers, for example to include web browsing history, was abandoned by the government in 2013 after opposition from the Deputy Prime Minister Nick Clegg and his party, the Liberal Democrats.

Legislation
The Protection of Freedoms Act 2012 includes several provisions related to controlling or restricting the collection, storage, retention, and use of information in government databases, specifically:


 * Part 1, Chapter 1 requires that fingerprints, footwear impressions, and DNA profiles taken from persons arrested for or charged with a minor offence be destroyed following either a decision not to charge or following acquittal; amends the Police and Criminal Evidence Act 1984, and the Crime and Security Act 2010, relating to the retention of fingerprints; and instructs the Secretary of State to make arrangements for a "National DNA Database Strategy Board" to oversee the operation of a DNA database.
 * Part 1, Chapter 2 requires schools and colleges to obtain consent of one parent of a child under 18 before acquiring and processing the child's biometric information, gives the child rights to stop the processing of their biometric information regardless of any parental consent, and requires that if any parent of the child objects to the processing of biometric information, it must be discontinued.
 * Part 6 extends the existing Freedom of Information Act 2000 and amends the role of the Information Commissioner, including widening the rules on applying for and receiving datasets from public authorities for re-use. And, while the Information Commissioner was already independent of Government in making regulatory decisions, the Act takes steps to further enhance the day-to-day corporate and administrative independence of the Commissioner.

Part 2, Chapter 1 of the Protection of Freedoms Act 2012 creates a new regulation for, and instructs the Secretary of State to prepare a code of practice regarding, the use of closed-circuit television and automatic number plate recognition.

Regulation of Investigatory Powers Act 2000
The Regulation of Investigatory Powers Act 2000 (RIP or RIPA) is a significant piece of legislation that granted and regulated the powers of public bodies to carry out surveillance and investigation. Activities covered by the Act include the interception of the content of telephone, internet, and postal communications; collection of information about, but not the content of, telephone, Internet, and postal communications (type of communication, caller and called telephone numbers, Internet addresses, domain names, postal addresses, date, time, and duration); use of agents, informants, undercover officers; electronic surveillance of private buildings and vehicles; following people; and gaining access to encrypted data.

RIPA allows certain public bodies:
 * to demand that an ISP provide access to a customer's communications in secret;
 * to engage in bulk collection of communications in transit;
 * to demand ISPs fit equipment to facilitate surveillance;
 * to demand that someone hand over encryption keys or passwords to protected information;
 * to monitor people's Internet activities;
 * to prevent the existence of interception warrants and any data collected from being revealed in court.

The powers granted by RIPA can be invoked by government officials on the grounds of national security, for the purposes of preventing or detecting crime or serious crime, preventing disorder, protecting public safety or health, in the interests of the economic well-being of the United Kingdom, assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department, or in an emergency, preventing or mitigating death, injury, or any damage to a person's physical or mental health. Some of the powers granted by the Act are available to relatively short lists of 5 to 12 government bodies, while others are available to longer lists of over 40 bodies.

The 2000 Act received Royal Assent on 28 July 2000 and Commencement Orders bringing provisions within this Act into force were issued between 2002 and 2012. Where prior legislation exists, the 2000 Act works in conjunction with that legislation, in particular the Intelligence Services Act 1994, the Police Act 1997, and the Human Rights Act 1998.

The Act has been amended several times, to both extend and restrict the powers granted. In 2002 the UK government announced plans to extend the Regulation of Investigatory Powers Act so that at least 28 government departments would be given powers to access metadata about citizens' web, e-mail, telephone and fax records, without a warrant and without a subject's knowledge. Public and security authorities made a total of 440,000 requests to monitor people's phone and internet use in 2005–2006. In the period 11 April to 31 December 2006 the UK government issued 253,557 requests for communication data, which as defined by the RIPA includes who you phoned, when they phoned you, how long they phoned you for, subscriber information and associated addresses.

Safeguards
RIPA and the Data Protection Act 1998 require a formal warrant before private data may be gathered by the government. Warrants authorising interception of the content of electronic communications can only be issued by a democratically elected Member of Parliament, usually the Home Secretary, or another Secretary of State. RIPA imposes constraints to ensure the activities authorised meet the requirements of the European Convention on Human Rights (ECHR), in particular that they are necessary and proportional. The Intelligence and Security Committee reported that GCHQ applies these standards to all of its work, not just activities governed by RIPA, to act as a check over all of its activities being necessary and proportional as required by the ECHR.

The Regulation of Investigatory Powers Act established the Investigatory Powers Tribunal to provide judicial oversight and hear complaints about surveillance activities by intelligence agencies and other public bodies. The Tribunal replaced the Interception of Communications Tribunal, the Security Service Tribunal, and the Intelligence Services Tribunal on 2 October 2000. Between 2000 and 2009 the Tribunal had upheld 4 out of the 956 complaints received.

Telecommunications Act 1984
The use of the Telecommunications Act 1984 for communications data collection, and the lack of oversight of this capability, was highlighted in the April 2014 report of the Home Affairs Committee of the House of Commons on Counter-terrorism. This was reiterated in the March 2015 report of the Intelligence and Security Committee of Parliament on Privacy and Security. Section 94 of the Telecommunications Act 1984 allows a Secretary of State to give providers of public electronic communications networks "directions of a general character… in the interests of national security", which may be protected from disclosure. The Act also gives the government certain powers to block foreign involvement in the critical national infrastructure of the United Kingdom. In November 2015, it was revealed MI5 had been using the Telecommunications Act 1984 to collect phone data in bulk for a decade.

GCHQ programmes
A series of media reports in 2013 revealed bulk collection and surveillance capabilities involving GCHQ in the United Kingdom such as Tempora and its component programmes Mastering the Internet and Global Telecoms Exploitation. The Tempora programme involves a large-scale buffer for storing internet content for three days and metadata for 30 days. A number of other GCHQ operations were revealed, including hacking into telecoms equipment, access to fibre-optic cables and programmes operated jointly with the NSA.

GCHQ was originally established after the First World War as the Government Code and Cypher School (GC&CS) and was known under that name until 1946. During World War II, staff including Alan Turing worked on decoding the German Enigma machine, and many other foreign systems. In 1940, GC&CS was working on the diplomatic codes and ciphers of 26 countries, tackling over 150 diplomatic cryptosystems.

After World War II, the United Kingdom and the United States signed the bilateral UKUSA Agreement in 1948. It was later broadened to include Canada, Australia and New Zealand, as well as co-operation with several "third-party" nations. This became the cornerstone of Western intelligence gathering and the "Special Relationship" between the UK and the USA. ECHELON is a code name often used for this global signals intelligence collection and analysis network.

Legislation and governance
GCHQ was placed on a statutory footing for the first time by the Intelligence Services Act 1994. Activities that involve interception of communications were legislated for under the Regulation of Investigatory Powers Act 2000; this kind of interception can only be carried out after a warrant has been issued by a Secretary of State, usually the Home Secretary. The Human Rights Act 1998 requires the intelligence agencies, including GCHQ, to respect citizens' rights as enumerated in the European Convention on Human Rights.

The Prime Minister nominates cross-party Members of Parliament to an Intelligence and Security Committee (ISC). The remit of the Committee includes oversight of intelligence and security activities and reports are made directly to Parliament. A special report on Privacy and Security, published by the ISC in March 2015, found that although GCHQ collects and analyses data in bulk, it does not conduct mass surveillance. It did identify past shortcomings in oversight and said the legal framework should be simplified to improve transparency.

The UK also has an independent Intelligence Services Commissioner and Interception of Communications Commissioner, both of whom are former senior judges. Annual reports by the Interception of Communications Commissioner have found that the use of interception powers by the intelligence agencies complies with existing legislation.

Judicial oversight of GCHQ's conduct is provided by the Investigatory Powers Tribunal (IPT). The IPT ruled in December 2014 that the legislative framework in the United Kingdom does not permit mass surveillance and that while GCHQ collects and analyses data in bulk, it does not practise mass surveillance.

Reforms
The Justice and Security Act 2013 included a range of reforms to the Intelligence and Security Committee to provide for further access and investigatory powers. The Telegraph reported that this included the following:
 * The nine members of the committee are still nominated by the Prime Minister, but the House of Commons has the power to veto the Prime Minister's suggestions. Previously, Parliament had no power to block such appointments.
 * The panel now probes recent operations by the agencies. Before, its remit had only been for "resources, policy and administration" and it had seldom looked at specific operations.
 * Officials acting for the committee are able to enter the premises of the intelligence agencies to inspect files and decide what the panel needs to see.
 * Agencies are "required" to publish information unless handing over such details would compromise national security and they can obtain permission from the Prime Minister. Previously, the committee only had the power to "request" information.
 * To signify the panel's new status, its name was changed to the "Intelligence and Security Committee of Parliament".

National databases
Various government bodies maintain databases about citizens and residents of the United Kingdom. Under the Protection of Freedoms Act 2012, legal provisions exist that control and restrict the collection, storage, retention, and use of information in government databases.

 * Fingerprints and DNA

The British Police hold records of 5.5M fingerprints and over 3.4M DNA samples on the National DNA Database. There is increasing use of roadside fingerprinting, using new police powers to check identity. Concerns were raised in 2010 over the unregulated use of biometrics in schools, affecting young children. Subsequently, the government introduced legal duties on schools, if they wish to use biometric information about pupils, in the Protection of Freedoms Act 2012.

 * Vehicle tracking

Across the country efforts have been increasingly under way to track road vehicle movements, initially using a nationwide network of roadside cameras connected to automatic number plate recognition systems. These have tracked, recorded, and stored the details of journeys undertaken on major roads and through city centres. This information is stored for two years. In the future, mandatory onboard vehicle telematics systems have been suggested, to facilitate road charging (see vehicle excise duty).

 * Public transport

In London, the Oyster card payment system can track the movement of individual people through the public transport system, although an anonymous option is available. The London congestion charge uses computer imaging to track car number plates.

 * Overseas travel

In February 2009 it emerged that the government was planning a database to track and store records of all international travel into and out of the UK. The database would retain records of names, addresses, telephone numbers, seat bookings, travel itineraries and credit card details, which would be kept for 'no more than 10 years'. In April 2015, passport exit checks began at UK borders and data will be stored on all travellers as they leave the UK.

 * Protests

Police Forward Intelligence Teams have conducted surveillance of political and environmental protestors and of journalists. The information they gathered has been stored in the crimint database.

CCTV networks


The combination of CCTV and facial recognition could be considered a form of mass surveillance, and is starting to be widely used. This type of system has been trialled at airports to compare faces with biometric passports, but such an application is comparable to existing identification checks at borders.

In 2005, the City of Westminster trialled microphones fitted next to CCTV cameras. Westminster council explained that the microphones were part of an initiative to tackle urban noise and would not "be used to snoop", but comments from a council spokesman appeared to imply they could capture an audio stream alongside the video stream, rather than simply reporting noise levels. The trials were discontinued in 2008 with no further plans for use.

In 2013, the Home Office published the Surveillance Camera Code of Practice for the use of surveillance cameras, including automatic number plate recognition systems, by local and government authorities. The aim of the code is to help ensure CCTV use is "characterised as surveillance by consent, and such consent on the part of the community must be informed consent and not assumed by a system operator. Surveillance by consent should be regarded as analogous to policing by consent."

Number of cameras
The vast majority of CCTV cameras are not operated by government bodies, but by private individuals or companies, especially to monitor the interiors of shops and businesses. According to 2011 Freedom of Information Act requests, the total number of local government operated CCTV cameras was around 52,000 over the entirety of the UK.

An article published in CCTV Image magazine estimated the number of private and local government operated cameras in the United Kingdom was 1.85M in 2011. The estimate was based on extrapolating from a comprehensive survey of public and private cameras within the Cheshire Constabulary jurisdiction. This works out as an average of one camera for every 32 people in the UK, although the density of cameras varies greatly from place to place. The Cheshire report also claims that the average person on a typical day would be seen by 70 CCTV cameras.

The Cheshire figure is regarded as more dependable than a previous study by Michael McCahill and Clive Norris of UrbanEye published in 2002. Based on a small sample in Putney High Street, McCahill and Norris extrapolated the number of surveillance cameras in Greater London to be around 500,000 and the total number of cameras in the UK to be around 4.2M. According to their estimate the UK has one camera for every 14 people. Although it has been acknowledged for several years that the methodology behind this figure is flawed, it has been widely quoted. Furthermore, the figure of 500,000 for Greater London is often confused with the figure for the police and local government operated cameras in the City of London, which was about 650 in 2011.

The CCTV User Group estimated that there were around 1.5M private and local government CCTV cameras in city centres, stations, airports, and major retail areas in the UK. This figure does not include the smaller surveillance systems such as those that may be found in local corner shops and is therefore broadly in line with the Cheshire report.

Research conducted by the Scottish Centre for Crime and Justice Research and based on a survey of all Scottish local authorities, identified that there were over 2,200 public space CCTV cameras in Scotland.