Edmondson et al: News International hacking judgment and GCHQ scandal

Note: Since publication of this post Privacy International has announced a legal challenge against the GCHQ programme based on European Court of Human Rights proportionality principles.

The first legal skirmish in the Rebekah Brooks/Andrew Coulson phone hacking saga has produced a Court of Appeal judgment with wider ramifications – which could spread into the burgeoning bugging scandal surrounding Britain’s “spy-station” GCHQ.

The phone hacking case need not detain us too long. Edmondson et al v Regina was brought by various top former News International personnel facing conspiracy charges regarding alleged phone hacking, among them Brooks and Coulson. Their contention was that the offence they are accused of, conspiring to intercept other people’s mobile phone voicemail messages, should be dismissed because the alleged hacking was not actually unlawful under the Regulation of Investigatory Powers Act 2000.

This is why the case is relevant to GCHQ and the revelations by Edward Snowden of alleged trawling and storing of private communications: Section 1(1) of RIPA says: “It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of – 
(a) a public postal service; or
 (b) a public telecommunication system.” (Emphasis added.)

The Edmondson defendants claimed no one could be alleged to have “intercepted” messages that had already arrived at the voicemail inbox and been opened for reading by the recipients since they were no longer “in transmission”. They cited S.2(7) of RIPA which says:

“For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.”

The defendants argued that once it had been “accessed” (listened to in the case of a phone message or, presumably, opened if it is a text or email) it is no longer “in the course of its transmission”.

The judges, headed by the Lord Chief Justice Lord Judge, rejected this argument. “Interception” included interception of messages saved on the voicemail facility. The judgment notes:

“In this regard it is significant that the intended recipient cannot gain access to the voicemail message without resort to the telecommunication system, but is totally dependent on the system. In these circumstances, there is no good reason why the first receipt of the communication should be considered as bringing the transmission to an end nor is there any support for this within the statutory language. We consider that it is readily apparent from the plain words that it was the intention of Parliament that section 2(7) should extend the course of transmission to include this situation.”

So the appeal was dismissed and the substantive case against the defendants proceeded. Ultimately Coulson was found guilty of conspiring to hack phones while Brooks was acquited (Guardian report).

Issues for GCHQ
The wider implications, however, are that the court has clarified that, no matter where in the process a phone message is captured, it will have been intercepted somewhere in the transmission system and hence potentially unlawfully.

The judgment acknowledges “transmission” might mean different things technically depending on the communication medium (phone calls, messages, emails) but refers to “the Government’s stated intention to provide a single legal framework regardless of the means of communication”.

It is to be assumed that Parliament also intended the same protections for all means of communications, so unauthorised accessing of an email would be accessing it during its “transmission” in RIPA terms – even if the recipient has already opened it to read. Any other interpretation would be absurd since the intention of RIPA is to protect private communications, not to protect electrons (or photons) down a wire between communication devices.

As Fulford LJ put it in the preparatory hearing to the Edmondson case (approved by the Court of Appeal judgment):

“I accept, therefore, that the period of storage covered by the section (RIPA S.2(7)) does not come to an end on first access or collection by the intended recipient, but it continues for so long as the system is used to store the communication, and whilst the intended recipient has access to it in this way. In a comprehensive fashion, this covers the vice that in my view the provision was intended to address, namely unauthorized access to communications, whether oral or text, whilst they remain on the system by which they were transmitted. As the prosecution submits, unlawful access and intrusion is not somehow less objectionable because the message has been read or listened to by the intended recipient before the unauthorized access takes place.”

So the judgment opens up the possibility that if, for example, GCHQ was proceeding on a similar assumption as set out by the defendants in Edmondson et al, GCHQ may have inadvertently broken the law. According to the Guardian revelations over the last few weeks, GCHQ is able, under its Tempora project, “to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed”. This, prima facie, would be an unlawful interception since tapping and storage are part of the definition of “interception” in the European Directive that is the source of RIPA (see below) – and most of the emails and other information will be wholly innocent.

Much is made of the fact that emails don’t go directly from one computer to another. The bits of information are disaggregated and pass around the world to be reassembled at the storage point – a server from which the recipient can access the email. If they can be intercepted outside the UK jurisdiction, it is argued that no offence has occurred. It won’t have been intercepted “at any place in the United Kingdom” (RIPA S.1(1). RIPA goes on to say at S.2(4):

“For the purposes of this Act the interception of a communication takes place in the United Kingdom if, and only if, the modification, interference or monitoring or, in the case of a postal item, the interception is effected by conduct within the United Kingdom”.

If the Guardian claims are correct, GCHQ may be relying on these words when it insists (as it does) that it operates wholly lawfully. But a good argument can be made to suggest that GCHQ are responsible for the surveillance in Britain and hence “effected” it in Britain. What after all does “effect” mean other than “bring about, accomplish”, as the dictionary puts it? In other words it means make something occur; what has occurred is the copying and storing of emails etc for later examination. Even if the British authorities brought it about by asking the US authorities to do it for them, or even if they did it by attaching their bugging devices to cables offshore, it can be argued that GCHQ “effected” the interception from the UK.

This might seem like splitting hairs, but in fact it is a perfectly reasonable act of “construction” – the judicial exercise of deciding what the statute meant, which can start with looking at the dictionary definition of any contentious words – or it can extend the definition to make the Act meaningful in legal terms – as was done in Edmondson regarding the word “transmission”. A judge could also look at the purpose of the legislation, the “mischief” or “the vice that … the provision was intended to address” as Fulford put it in Edmondson. The judges used that word and did just that in Edmondson.

How this affects GCHQ
So, to apply all this to the GCHQ issue: the purpose of RIPA was to implement Article 5 of the 1997 European Union Directive 97/66/EC (now Art 5 of Directive 2002/58/EC) concerning the processing of personal data and the protection of privacy in the telecommunications sector. Article 5, headed Confidentiality of the Communications, says:

“1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1).”

Article 15(1) gives an exception for “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (ie state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”. This is not a blanket permission (it must be “appropriate and proportionate”) and Article 8 of the European Convention of Human Rights (right to respect for private and family life, home and correspondence) would also apply since EU and UK law should be in conformity with the ECHR.

The intention of RIPA is to follow the basic intention of the Directive, to deal with the various “mischiefs” set out in the Directive, including “storage” of emails unless authorized by the recipient or by lawful authority under security laws (or, as RIPA s.3(3) adds, by the service provider “for purposes connected with the provision or operation of that service”).

In the UK courts RIPA will be interpreted “in every way possible in the light of the text and aims of the Directive to achieve the aims envisaged by it” (standard jurisprudential phraseology in EU Court of Justice cases on Directives; see Marleasing SA v La Comercial SA [1990] ECR I-4135). In the Edmondson case the judgment says: “It is clear that RIPA should be construed, if possible, so as to comply with Article 8 European Convention on Human Rights and the relevant [EU] Directives.”

So a UK court might well feel obliged to declare unauthorized tapping and storing emails ordered or executed by GCHQ unlawful to conform with the Directive and the ECHR without regard to the technicalities of where the email is stored (whether on a server in Britain, say, or in the US) or how it got there or whether GCHQ attached its interception devices outside the United Kingdom – it is arguably all part of the communication system which is protected from interception by the law.

Additionally the UK Parliament, according to Fulford, has a right to go further in protecting privacy, producing: “a scheme which provides greater protection than that indicated by the European Parliament and Council in a particular Directive, for instance in order to ensure that an individual’s right to privacy, when viewed broadly in this context, is substantively upheld”. And in this case Parliament did just that, he asserts. Again the issue is preserving privacy, not claiming exemptions according to the nature of the technology or where the bits of information that make up the communication actually are when tapped and stored.

Defences
If a court found GCHQ in breach of the law, as properly construed in the light of the Directive, it might well mean GCHQ was in breach without realizing it. Would it have any defences? GCHQ, after all, insists it acts lawfully in all it does:

“The purposes for which interception may be permitted are set out explicitly in these Acts: national security, safeguarding our economic well being and the prevention and detection of serious crime. Interception for other purposes is not lawful and we do not do it. The Acts also set out the procedures for Ministers to authorise interception; GCHQ follow these meticulously.” (GCHQ: Accountability and the law)

The Home Secretary has to sign warrants for individual interceptions and has done so, presumably on numerous occasions. It is most unlikely, though, that he has signed or could legally sign a general warrant for the interception of every email GCHQ can get its hands on, their copying and storage. Any necessary measure to deal with crime or security risks would have to be proportionate. It would take some pretty strong arguments to suggest that saving almost everybody’s emails to sift through them would be considered proportionate to any threat or “a necessary, appropriate and proportionate measure within a democratic society”.

EU and economic dimensions
Particularly interesting in the GCHQ statement is the suggestion that it acts in “safeguarding our economic well being”. GCHQ does not expand on that but it is also an argument being put by the US authorities for its own cyberspying activities – including against its allies, among them the European Union.

Article 8(2) of the ECHR allows for this, an exception for legally authorised interference with privacy “in the interests of … economic well-being of the country”. But for GCHQ to justify copying and storing people’s emails on the grounds of protecting the national economy would be wholly against the ideological foundations of the European Union, the source of RIPA, and hence fundamentally at odds with the 1997 and 2002 Directives, which are as much a protection for companies as individuals. All sorts of business emails will be caught in the trawl. Any might provide information that could help protect UK economic interests – to the detriment of EU partners.

Paragraph 6 of the preamble to the 2002 Directive notes:

“The Internet is overturning traditional market structures by providing a common, global infrastructure for the delivery of a wide range of electronic communications services. Publicly available electronic communications services over the Internet open new possibilities for users but also new risks for their personal data and privacy.”

The EU wants the new possibilities developed without individuals holding back from taking advantage of them for fear of surveillance. Article 1(1) of the Directive says the intention is “to ensure the free movement of such data and of electronic communication equipment and services in the Community”.

The EU would be concerned to ensure that no nation within it and no companies within that nation have an unfair advantage over others in the EU through monitoring of communications. Additionally there should be no disincentive to individuals and firms using, say, UK communication systems for fear of extensive monitoring by the national government. There must be level playing fields.

GCHQ’s alleged activities are very much an issue between Britain and the EU, and an economic one at that. The EU allows for security to be a wholly national issue (“national security remains the sole responsibility of each Member State” Art 4(2) of the Treaty of the European Union) but not economic well-being. If RIPA has not accurately implemented the Directive, leaving loopholes to get round it, and UK judges cannot interpret it as being in compliance, then Britain will be in breach of its legal obligations to the EU.

Note: In 2011 the Commons Home Affairs Committee was so concerned at the implication of the “unread emails” versus “read emails” distinction (with the implication that the latter were not protected) that it suggested a change in RIPA would be needed to protect all emails. The Court of Appeal has in effect done this job. See Home Affairs Committee here

Note: Charles Farr, UK security official, has now (17/6/2014) revealed the Government’s defence to claims of illegality, along the lines above (that interception is of “external communications” so not unlawful. See Privacy International here. His statement does not answer the legal points set out above. Communications that start or end in the UK are arguably not to be regarded as simplistically “external” just because US servers are involved in between or the security services access them “externally”.

Addendum: The NTL case
The Edmondson case briefly considered R (on the application of NTL Group Ltd) v Crown Court at Ipswich (2002). NTL stored emails for an internet provider but they were as a matter of course destroyed an hour after reading by the recipient. The police wanted material to be saved for longer than that to pursue an investigation but NTL feared it would be in breach of the law in doing so:

“The claimant was of the opinion that the only way to comply with the notice was to intercept the e-mails by transferring them to a different e-mail address to that intended for the recipient which would involve it in committing an offence under S.1 of the Regulation of Investigatory Powers Act 2000 namely intentionally and without lawful authority intercepting any communication in the course of its transmission.”

In other words they would be tapped, copied and stored contrary to the legislation and the EU Directive. Tapping and storing the emails “would fall within the meaning of interception contained in S.2(2), (7) and (8) of the 2000 Act”. The judges agreed that, on reading those sections “it was clear where an email was preserved by transmitting it to a different address to that of the recipient an offence would be committed”.

In the event the judges decided that NTL had been given legal authorization to tap and save the emails by the police, but the point remains that tapping, copying and saving emails and other such material is unlawful unless authorized – and that authorisation, of course, should be lawful.

Note: Jemima Stratford QC has now (29/1/2014) given a legal opinion to MPs that includes the main points outlined above: “In short, the rules concerning communications data are too uncertain and do not provide sufficient clarity to be in accordance with the law … we consider the mass interception of communications via a transatlantic cable to be unlawful, and that these conclusions would apply even if some or all of the interception is taking place outside UK territorial waters.” She also makes the ECHR Article 8 disproporionality point. 

On the GCHQ’s putative defence (surveillance was “effected” outside the UK so not covered by RIPA) she says: “In that case, the security services might contend that the interception is “effected by conduct” outside the UK (the words used at the start of section 8(4) of RIPA) and thereby seek to evade the limitations of RIPA. We seriously doubt whether a court would accept that argument, not least because there would still be conduct connected with the interception in the UK.”
Her advice  is here: Advice  and the All Party Group on Drones considers it here

The Guardian reports her advice here: Huge swath of GCHQ mass surveillance is illegal, says top lawyer
This case is relevant to proportionality: Liberty v UK (2008)

Advertisement