GCHQ broke the law in its access to billions of emails and online address books gathered by American spies, the UK’s surveillance watchdog has ruled.
For the first time in its 15-year history the Investigatory Powers Tribunal (IPT) has ruled against the Government Communications HQ, whose work it oversees.
In June 2013, top-secret documents from former American intelligence analyst Edward Snowden showed that GCHQ had taken advantage of two systems run by America’s National Security Agency (NSA) to gather swathes of internet communications, including emails and online chats.
Prism allowed US spies to tap into traffic from internet giants including Google, Facebook and Apple. UPSTREAM enabled them to trawl the raw data as it passed along the network of fibre-optic cables carrying it around the world. Thanks to its close relations with the NSA, GCHQ was able to tap into these stockpiles of private communications.
Campaign groups including Privacy International, Bytes for All and Liberty challenged whether this breached the European convention on human rights, which protects privacy and freedom of expression.
During the case it emerged GCHQ does not necessarily require a warrant to get copies of the emails, chats and other information from the NSA (as it would in the UK). However, GCHQ insists it has never utilised that power.
In its ruling the IPT confirmed that GCHQ’s use of NSA data breached the European rules, because the guidelines that governed its behaviour had not been opened up to public scrutiny. But the tribunal went on to say that now those guidelines have been made public, there is enough scrutiny and GCHQ’s behaviour is legal.
The end result is that snooping done before December 2014 is illegal, but after that date, it is within the law.
GCHQ argued that it has always operated within the rules. The spy agency insists it does not carry out mass surveillance, and that it was selective about what data it pulled out from the NSA stockpile.
A spokesperson for GCHQ said: “Today’s IPT ruling re-affirms that the processes and safeguards within the intelligence-sharing regime were fully adequate at all times – it is simply about the amount of detail about those processes and safeguards that needed to be in the public domain.”