UK court to review legality of web snooping law

Two British members of Parliament have won the right to have the contentious Data Retention and Investigatory Powers Act (DRIPA) – an expansion of the U.K. authorities’ surveillance powers – reviewed by the High Court.

DRIPA was fast-tracked in July after Europe’s highest court struck down an EU-wide mandate for telcos to store records of their users’ communications. Although it was billed as an emergency measure to allow the U.K. to continue its data retention efforts – and it is indeed time-limited until the end of 2016 — it effectively expanded the scope of what information must be stored, to include metadata about people’s social media conversations and potentially many other kinds of web communications.

Labour’s Tom Watson and the Conservative David Davis applied for a judicial review later in July, alongside the civil rights group Liberty. The case was subsequently joined by the Open Rights Group and Privacy International.

On Monday, the High Court granted them the judicial review, to see whether DRIPA does indeed fall foul of European human rights law. Open Rights Group legal director Elizabeth Knight said in a statement:

After the Court of Justice of the EU declared the Data Retention Directive invalid, the UK government had the opportunity to design new legislation that would protect human rights. It chose instead to circumvent the decision of the CJEU by introducing the Data Retention and Investigatory Powers Act (DRIPA), which is almost identical to the Data Retention Directive.
Through our submission, we hope to help demonstrate that DRIPA breaches our fundamental human right to privacy and does not comply with human rights and EU law.

Despite DRIPA’s recent introduction, the British government is already amending it to take in more data. The government will require ISPs to maintain records of which customers use which IP addresses, and will also force web service providers who have British users to retain “data required for IP resolution”. The idea is to be able to match specific devices to terrorist or extremist communications, or crimes committed online, such as bullying.

Wider human rights problem

The U.K. isn’t the only European country that’s trying to push ahead with mandatory data retention despite the striking-down of the EU directive. The Swedish government, for example, is also forcing ISPs to keep customers’ metadata for the benefit of the authorities, and rebel ISP Bahnhof has reacted by offering customers free VPN in conjunction with a local digital rights group, so as to make the stored metadata unusable.

Meanwhile, late last week a coalition of Dutch lawyers, ISPs and journalists sued the government there over its insistence on data retention. The group claims data retention is in conflict with the CJEU ruling, though the Dutch government says it would be able to keep its legislation legal with a few tweaks. Dutch lawyers and journalists have already sued the government over its NSA intelligence-sharing arrangements.

As has been demonstrated in the U.K., data retention laws can be used to spy on lawyer-client communications and (systemically, in the case of the U.K.) on journalists too.

Meanwhile, on Monday the Council of Europe’s human rights commissioner, Nils Muižnieks, issued a report saying that “suspicionless mass retention of communications data is fundamentally contrary to the rule of law.” He said mass surveillance was not justified by the war on terror, and ran counter to established human rights laws. Muižnieks said he was “watching closely” what the U.K. was doing.

This article was updated at 7.30am PT to add further context, and again at 10am PT to remove the suggestion that viewing terrorist material online is a crime in the U.K. — the police there have suggested that it is, but this is almost certainly nonsense. Instead I have noted that the IP resolution move is intended to target terrorists and bullies.