Privacy group sues UK government over surveillance programs

The spying programs are seemingly operating outside the law, Privacy International said

A privacy group has filed legal action against the U.K. government for conducting mass surveillance on citizens across the U.K., including accessing data about people located in the U.K. that is collected and passed on by the U.S. National Security Agency.

Privacy International, a charity in London that works in the area of privacy, has charged in a statement Monday that "the expansive spying regime is seemingly operated outside of the rule of law, lacks any accountability, and is neither necessary nor proportionate."

The claim in the Investigatory Powers Tribunal is based on disclosures through newspaper reports by former NSA contractor, Edward Snowden, about the surveillance programs of the NSA and British intelligence agency Government Communications Headquarters (GCHQ). The tribunal was set up in 2000 to consider complaints about the use of intrusive powers by intelligence services, law enforcement agencies and public authorities.

One of the programs cited in the complaint is called Prism and reportedly gives the NSA real-time access to the content on servers of Internet companies like Facebook and Google. The Internet companies have denied their participation in the program. The other program referred to in the complaint, called Tempora, is said to be a GCHQ program for tapping fiber-optic cables and sharing the data with the NSA.

The reports about mass surveillance in the U.S., U.K. and some other countries have triggered off a variety of legal actions. In the U.S., Electronic Privacy Information Center (EPIC) asked the Supreme Court on Monday to throw out an order by the Foreign Intelligence Surveillance Court, a secret surveillance court, allowing the NSA to collect all Verizon phone records.

The American Civil Liberties Union also filed a lawsuit in a U.S. federal court last month challenging the legality of the collection of metadata from Verizon customers.

To intercept phone calls, emails, and other communications of individuals located in the U.K., or require the disclosure of that information when it is stored by telecommunications or Internet companies, U.K. authorities must comply with the Regulation of Investigatory Powers Act 2000, according to the complaint from Privacy International. But RIPA does not apply if U.K. authorities solicit or otherwise receive the information from their US counterparts, even if the communications in question were sent and received in the U.K., it added.

The complaint also refers to a news report in the Guardian that under Tempora the GCHQ has intercepted more than 200 fiber-optic cables landing in the U.K.

Tempora was purportedly authorized under certificated warrants issued under RIPA that do not have to name or describe any one person or a single set of premises as the subject of the interception, according to Privacy International. The certificates are renewed on a rolling basis by the Secretary of State for the U.K. Home Office, and do not require judicial authorization or approval of warrants or certificates.

The effect of Tempora is that all communications using fiber-optic cables are subject to the risk of interception, search and storage, putting at risk of interception all Internet and telephone users in the U.K. and other parts of the world, Privacy International said in the complaint.

The privacy group has asked the tribunal for a declaration that Tempora is in violation of various regulations including RIPA and the European Convention on Human Rights. It has also asked for an order to destroy all unlawfully obtained material. The complaint also cites rights to privacy and freedom of expression in ECHR to ask the tribunal for a declaration against the Secretary of State for not ensuring that there is in place a legal regime governing the soliciting, receiving, storing and transmitting by U.K. authorities of private communications of individuals located in the U.K. which have been obtained by US authorities.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Privacy InternationalNational Security Agencyregulationsecuritylegallegislationgovernment

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place