The government has agreed to bring in legislation to require MI5 and GCHQ to seek independent authorisation before accessing confidential journalistic material obtained through the bulk hacking of phones or computer systems.
The Investigatory Powers (Amendment) Bill, which was debated in the House of Commons yesterday (Monday 19 February), will require the intelligence services to seek independent approval from the investigatory powers commissioner before accessing journalistic material or material that could identify a confidential journalistic source.
The concession follows a seven-year legal challenge brought by human rights organisation Liberty with the support of the National Union of Journalists (NJU).
It follows separate warnings from technology companies and rights organisations that proposed changes to the Investigatory Powers Act would disrupt the ability of technology companies to apply security updates and introduce end-to-end encryption.
The government has asked Liberty to drop legal proceedings against it in the light of a proposed amendment to the Investigatory Powers Bill 2016 that will require an independent body to review all requests to search and retain confidential journalistic information obtained through bulk hacking of computers, phones and tablets.
Journalists exposed to state surveillance and interference
Under current law, security and intelligence agencies and other state bodies can search for confidential journalist material, including emails, calls and texts, among data obtained through bulk hacking operations without the need for prior authorisation from a judicial commissioner.
The government introduced similar protections for journalistic material obtained through bulk interception in March 2023 following a landmark ruling by the European Court of Human Rights in the case of “Big Brother Watch and others v UK”, which found that bulk interception of communications data breached the privacy rights of UK citizens.
Megan Goulding, a lawyer for Liberty, said journalists have been exposed to state surveillance and interference for more than a decade with few safeguards or protections.
“The introduction of a new requirement for an independent body to oversee when the intelligence agencies can search for and retain confidential journalistic material is a welcome development,” she said.
But she added that journalists and sources were still at risk from other bulk surveillance powers.
Lord Andrew Sharpe, representing the government, introduced an amendment to the Investigatory Powers (Amendment) Bill during its report stage on 23 January 2024.
The amendment, in Section 27 of the bill, requires security and intelligence agencies to seek prior approval from the investigatory powers commissioner if they intend to access confidential journalistic information or material that could identify or confirm the identity of a journalist’s sources collected under a bulk equipment interference warrant.
The commissioner could only approve access or retention of confidential journalistic material if the public interest in accessing or storing the material outweighs the public interest in the confidentiality of journalist material and there is no less intrusive way that the information could reasonably be obtained.
Journalists and sources still at risk from bulk surveillance
Goulding told Computer Weekly that confidential journalistic material and sources were still at risk under other UK bulk surveillance powers that had not been addressed by the government.
Megan Goulding, lawyer for Liberty International
These include journalistic material held in bulk personal datasets – databases containing information about the population – the majority of whom are of no intelligence interest. They are believed to contain data such as travel records and emails organisations have sent and received which could be used to identify journalists’ sources.
Other powers by intelligence and law enforcement to obtain bulk communications data from telecoms companies also place journalists and their sources at risk, Liberty argues.
“Whatever the bulk power is, if you are searching for journalistic material, the intrusion is the same,” Goulding told Computer Weekly.
How journalistic protections were bypassed
The government first conceded in April 2022, following a High Court ruling in a case brought by Liberty, that the Investigatory Powers Act 2016, also known as the Snoopers’ Charter, failed to provide adequate safeguards to protect confidential journalistic material from bulk hacking.
The lack of protection meant equipment interference or hacking could be used to bypass the need for prior authorisation to identify a journalist’s source.
For example, if a journalist received a text message from a source, law enforcement and intelligence services would need to obtain prior authorisation from a judicial commissioner to obtain a copy of the message.
But if the same journalist received a message through WhatsApp, which is encrypted, there would be no requirement to seek prior authorisation to recover the message through bulk equipment interference or hacking.
Liberty puts legal action on hold
Liberty has agreed to delay a court hearing to challenge the government over the lack of journalistic protection in bulk equipment interference powers, from the summer to the autumn, while it seeks clarification from the government of its timeline for implementing the new measures.
However, it also plans to bring an appeal to the European Court of Human Rights on the grounds that bulk powers authorised under the Investigatory Powers Act 2016 do not comply with the ruling by the European Court of Human Rights in Big Brother Watch v UK which found the UK in breach of human rights laws.
It is also calling for the government to require that security and intelligence agencies seek prior authorisation before they access communications between lawyers and their clients.
“These are particularly sensitive and confidential relationships that the state should not be able to access easily,” said Goulding.
Liberty will also challenge what it describes as a blurring of the distinction between the content of communications and metadata about communications under the Investigatory Powers Act (IPA) 2016.
For example, URLs are now classed as communications data, which means state agencies can monitor what articles people read on the internet, whereas before the IPA 2016, a complete URL was regarded as content and was protected by stronger legal safeguards.
“The IPA has kind of shifted those definitions so that a lot of what was previously thought to be content now gets defined as communications data with fewer safeguards. It’s just calling one thing another thing to make access easier,” said Goulding.
NUJ urges government to move quickly to protect journalists
Michelle Stanistreet, general secretary of the National Union of Journalists, said measures in the Investigatory Powers Act permitting access to confidential journalistic information had proved harmful.
Michelle Stanistreet, NUJ
“The right to protect sources’ and journalists’ communications will always be defended by the NUJ. State bodies should never have been granted unfettered access, and the government’s ill-placed efforts should have been dropped several years ago,” she said.
“We urge government to now recognise the need for swift implementation of safeguards and urge an end to legislation that undermines media freedom and threatens journalists’ safety,” she added.
Computer Weekly has previously reported that the Police Service of Northern Ireland covertly accessed phone data and records of investigative journalist Barry McCaffrey after he made an open and legitimate press inquiry about police corruption. The case is being investigated by the Investigatory Powers Tribunal.
Risk over leaked documents
Goulding said there were still outstanding concerns that documents leaked by government officials to journalists may not benefit from protection against government intrusion because they could be considered as material “created … with the intention of furthering a criminal purpose”.
Liberty has also raised concerns about targeted equipment interference (TEI) warrants, which were used, for example, to authorise the National Crime Agency to use supposedly encrypted messages obtained by the French state hacking of the EncroChat encrypted phone network.
She said targeted equipment interference was a misnomer, and in practice, TEI warrants can be used for bulk surveillance against large groups of people, locations or equipment.