The UK government has been forced to disclose the security services’ internal policies for dealing with legally privileged information. The move comes as a result of a legal claim that could not have been argued without Edward Snowden’s revelations about mass surveillance.
Earlier this year, in an unusual emergency hearing at the UK’s Information Powers Tribunal, lawyers acting on behalf of Abdel Hakim Belhaj and his family secured an assurance that any legally privileged material that had been surveilled would not be used in the case. However, it was not confirmed whether legally privileged material had in fact been subject to government surveillance. Today’s developments bring greater clarity to that issue.
“You may in principle target the communications of lawyers”
As Reprieve’s explanatory note explains, the UK’s intelligence services – including GCHQ – do in fact intentionally target and use legally privileged material. GCHQ’s advice to personnel states that “you may in principle target the communications of lawyers.”
This means that the UK’s three intelligence agencies have been spying on the communications of those who are taking legal action against them and using that knowledge to their own advantage – as in the Belhaj case, many of those cases concern victims of torture.
The documentation released today, which has been published by Reprieve, suggests that the UK’s three intelligence agencies hurriedly drew up and implemented policies for protecting legally privileged material as a direct result of Edward Snowden’s disclosures, anticipating likely legal challenges. Nevertheless, these new rules themselves have significant weaknesses: as Reprieve points out, GCHQ still do not regard the fact of lawyers meeting with their clients and witnesses – including the identities of those witnesses – as privileged material.
Legal privilege and the Snowden revelations
This is not the first insight into the way the Five Eyes regard legal privilege we have gained as a result of Edward Snowden’s disclosures.
In February this year, James Risen and Laura Poitras revealed in the New York Times that Australia’s signals intelligence agency had targeted a US-based law firm that had been advising the Indonesian government in trade negotiations. The Australians sought guidance from the NSA’s liaison and general counsel’s offices on whether it would be acceptable to share that data given that “information covered by attorney-client privilege may be included.” While the guidance supplied by the NSA has not been published, we do know that the data collection and sharing continued.
Social media, data sharing and GCHQ
Today’s revelations are also not the first information about GCHQ practices to be forced into the public domain by post-Snowden legal action. A case brought by Privacy International and other civil society organisations in July 2013 has brought two important documents to light so far.
This summer, a government witness statement made clear that GCHQ regarded UK citizens’ social media use as “external” communication under the Regulation of Investigatory Powers Act (RIPA), meaning that it can be surveilled and processed without the restrictions that would otherwise apply to citizens’ communictions.
Another, more recent disclosure, has even wider-reaching implications: clarifying the rules – or rather the lack thereof – that govern the sharing of raw intelligence between Five Eyes partners.
The short excerpt from GCHQ’s internal “arrangements” made publicly available last week confirms that the agency can receive unlimited bulk surveillance data from the NSA or other foreign agencies without a warrant. GCHQ’s internal rules allow it to hold on to that data, including content and including the communications of individuals based in the UK, for two years and search it at will.
In the UK, the RIPA warrants that enable GCHQ programmes like Tempora are signed by ministers and are not subject to judicial oversight. A specific request to the NSA for targeted information would also require a warrant. We now know that bulk information GCHQ acquires from the NSA and other agencies is not subject to even these minor protections: not only do RIPA’s rules on acquisition not apply, nor do RIPA’s rules on searching and analysis. As Privacy International notes, this appears to directly contradict public assurances delivered by the parliamentary committee charged with overseeing GCHQ in July 2013.
With the UK’s historically weak oversight, the internal operating procedures of GCHQ have arguably been even more opaque than its US counterpart. It bears reiterating that none of this new information would have come to light had organisations not acted on the information brought into the public domain by Edward Snowden and the journalists reporting the documents he disclosed.