UK RIPA & Surveillance Law

RIPA 2000 / IPA 2016 / GCHQ / MI5

800K+

RIPA authorisations issued per year at peak

500+

Public bodies granted surveillance powers under RIPA

2016

"Snoopers' Charter" passed — IPA expands powers further

12mo

Bulk internet connection records retained per citizen

What Is RIPA?

The Regulation of Investigatory Powers Act 2000 (RIPA) is the UK's primary legal framework governing surveillance, interception, and covert intelligence gathering. Passed under the Blair government, ostensibly to update outdated wiretapping laws for the internet age, RIPA became one of the most expansive surveillance authorisation frameworks ever enacted in a liberal democracy.

Unlike US surveillance law — where federal courts and a specialist FISA court provide some independent oversight — RIPA originally allowed surveillance to be self-authorised by the very agencies conducting it. Senior police officers, intelligence chiefs, and — critically — local councils could approve their own surveillance operations with minimal external check.

The Scope Problem

At its peak, RIPA authorisations were issued to over 500 public bodies — including local councils, the Royal Mail, the Food Standards Agency, and the Department for Work and Pensions. A law ostensibly designed to combat terrorism and serious crime became the legal basis for surveilling benefit claimants, dog fouling violations, school catchment area fraud, and journalists' sources.

The Powers RIPA Grants

Part I — Interception of Communications

RIPA 2000, Part I — Now principally in IPA 2016

Permits the Secretary of State to issue warrants authorising interception of communications in transit — phone calls, emails, internet traffic. Originally required a ministerial warrant; the IPA 2016 added judicial "double-lock" review, though critics note this is after-the-fact review by a judicial commissioner rather than a true prior warrant requirement. Domestic interception requires a targeted warrant; bulk interception of international communications is permitted under a separate bulk warrant regime.

Documented abuse: The Investigatory Powers Tribunal (IPT) found in 2016 that GCHQ had unlawfully shared bulk intercepted communications with the NSA for years without adequate legal basis — a breach it had concealed from the public and Parliament.

Part II — Directed & Intrusive Surveillance

RIPA 2000, Part II — Sections 26–48

Directed surveillance covers covert monitoring of a person in a public place — following them, photographing them, recording their movements. Intrusive surveillance covers bugging homes, vehicles, or private premises, and requires a higher authorisation level. Both can be self-authorised by senior officers within the surveilling agency. No judicial approval is required for directed surveillance; intrusive surveillance requires a "Surveillance Commissioner" sign-off, but commissioners are retired judges with no investigatory staff and conduct paper reviews only.

Documented abuse: Multiple councils were caught using directed surveillance powers to investigate minor offences — Poole Borough Council famously placed a family under sustained surveillance to verify their school catchment area claim. No criminal conduct was alleged; the family was watched for weeks.

Part III — Covert Human Intelligence Sources (CHIS)

RIPA 2000, Part II — Extended by CHIS Act 2021

Governs the use and management of undercover officers and informants. The Covert Human Intelligence Sources (Criminal Conduct) Act 2021 — passed with minimal public debate during COVID-19 — went significantly further: it grants MI5, police, and a list of other agencies the power to authorise undercover sources to commit any crime, including violent crime, with legal immunity, as long as an authorising officer deems it necessary. The Act explicitly exempts authorised criminal conduct from prosecution.

Documented abuse: The undercover policing scandal (the "spy cops" inquiry, still ongoing as of 2026) revealed that Metropolitan Police officers conducted undercover operations spanning decades, forming intimate and sexual relationships with female activists — sometimes fathering children — while operating under assumed identities. RIPA's CHIS framework provided the legal cover. At least 33 women are confirmed to have been deceived into sexual relationships by undercover officers.

Part IV — Communications Data (Metadata)

RIPA 2000, Part I Chapter II — Superseded by IPA 2016, Part III

Requires telecoms providers to retain and disclose "communications data" — who called whom, when, for how long, from where — on authorisation. Under RIPA, over 500 public bodies could self-authorise access to communications metadata. Under the IPA 2016, this was consolidated but expanded: ISPs must now retain all subscribers' internet connection records (ICRs) — every website visited, every app connected to — for 12 months, accessible on authorisation from a long list of agencies. No warrant is required to access metadata; only content of communications triggers the higher-tier interception warrant.

Documented abuse: The Metropolitan Police used RIPA communications data requests to identify and access the phone records of journalists at The Sun and Mirror, tracing their sources without any warrant. This was confirmed by the Leveson Inquiry. In several cases, police had accessed journalists' records without even informing them, let alone obtaining judicial approval.

The Investigatory Powers Act 2016 — "The Snoopers' Charter"

RIPA was already sweeping. The Investigatory Powers Act 2016 (IPA) — branded the "Snoopers' Charter" by civil liberties groups — went substantially further, creating the most comprehensive legal framework for mass surveillance in any Western democracy.

Bulk Powers — Mass Surveillance Without Suspicion

The IPA explicitly legalises bulk collection operations that GCHQ had been conducting secretly for years but without clear legal basis — operations Snowden had exposed and the courts had ruled unlawful:

Bulk interception warrants: Intercept all communications passing through a bearer (undersea cable, satellite link) regardless of whether the sender or recipient is suspected of anything
Bulk equipment interference: Hack into networks, devices, or infrastructure in bulk — "thematic" hacking operations targeting entire categories of device or network without individual targeting
Bulk personal datasets: Acquire and retain large datasets about people who are not suspects — medical records, financial data, travel records, social media archives — held in databases that can be queried for intelligence
Bulk communications data: Collect metadata in bulk from international communications without any individual suspicion requirement

Court of Justice Ruling

The EU Court of Justice ruled in 2020 (Privacy International v Secretary of State) that the UK's bulk communications data regime was incompatible with fundamental rights. The UK government responded by arguing that, post-Brexit, EU human rights jurisprudence no longer applied — and continued the bulk collection. The regime was renewed and strengthened under the IPA 2023 amendments.

Equipment Interference — State-Sponsored Hacking

The IPA legalises what GCHQ calls "equipment interference" — hacking into computers, phones, networks, and smart devices. This includes:

Targeted equipment interference: hacking a specific suspect's devices
Thematic equipment interference: hacking entire categories of device or network — all phones on a given network, all devices at a location, all members of an organisation — without individual suspicion for each target
Bulk equipment interference: mass hacking of overseas targets, with few operational restrictions

There is no requirement to disclose to a suspect that their device was hacked, no requirement to notify them after the fact, and the existence of hacking warrants themselves is classified.

The "Double Lock" — Judicial Theatre?

The IPA introduced a "double lock" for the most intrusive warrants: they require both ministerial authorisation and approval by a Judicial Commissioner (a retired senior judge). Proponents called this a meaningful safeguard. Critics identified fundamental problems:

Judicial Commissioners review warrant applications based only on the material provided by the agency seeking the warrant — there is no adversarial process
Commissioners apply a "judicial review" standard rather than evaluating the necessity of the surveillance themselves — they ask whether the minister's decision was irrational, not whether surveillance is actually warranted
Emergency authorisations can proceed without commissioner review for up to five days
The Investigatory Powers Commissioner's Office (IPCO) has a very small staff relative to the volume of warrants it reviews

How RIPA/IPA Powers Are Abused

1. Surveillance of Journalists and Sources

The Metropolitan Police, South Yorkshire Police, and other forces have used RIPA communications data powers to identify journalists' confidential sources — effectively using surveillance law to circumvent press freedom protections. The Leveson Inquiry documented multiple instances. Despite amendments to the IPA requiring a "judicial authorisation" before accessing journalists' communications data, the definition of "journalist" is narrow and the process remains opaque.

2. Surveillance of Lawyers and Legal Privilege

Multiple intelligence agencies — including MI5 and GCHQ — were found by the Investigatory Powers Tribunal to have unlawfully retained legally privileged communications between lawyers and their clients. In the Belhaj case, the IPT found the intelligence agencies had intercepted and retained lawyer-client communications, a fundamental breach of legal privilege, for years. The agencies argued they had internal guidelines to protect privileged material — the Tribunal found those guidelines had not been followed.

3. The "Spy Cops" — Undercover Officers and Sexual Deception

The Public Inquiry into Undercover Policing (the "Spy Cops Inquiry"), chaired by Sir John Mitting, has documented the Metropolitan Police's Special Demonstration Squad and National Public Order Intelligence Unit operating for decades under RIPA's CHIS framework — and its predecessors — in ways that violated the human rights of targeted individuals:

Officers adopted false identities and infiltrated political, environmental, and activist groups
Sexual relationships were formed with women under false identities — relationships lasting years
At least two officers fathered children while undercover, then abandoned those families when their deployment ended
Files were compiled on thousands of individuals engaged in entirely lawful political activity
Police "blacklisted" construction workers based on political activity — covertly-obtained intelligence was shared with employers

CHIS Act 2021 — Legal Immunity for Crimes

The Covert Human Intelligence Sources (Criminal Conduct) Act 2021 grants law enforcement the power to authorise informants and undercover officers to commit virtually any crime — including violent crime — with criminal immunity. Human rights organisations including Liberty and Amnesty International challenged this as incompatible with the Human Rights Act. The government argued the powers were necessary to maintain undercover capability. Critics point out the law was passed during a global pandemic with minimal parliamentary scrutiny.

4. Councils Spying on Residents

Local authorities were granted RIPA directed surveillance powers on the premise they needed them for serious crime investigation. In practice:

Poole Borough Council surveilled a family for weeks to verify a school catchment area claim
Councils used RIPA powers to investigate noise complaints, unlicensed street trading, and dog fouling
Birmingham City Council was found to have authorised surveillance against a local businessman over a dispute about a market licence
The Home Office eventually restricted council use of RIPA for lower-level offences — but the powers remain broadly available for any offence carrying a prison sentence

5. National Security Pretext for Political Surveillance

Documents obtained through litigation and FOI requests have revealed that RIPA/IPA "national security" authorisations have been used to monitor:

Environmental protest groups (Extinction Rebellion, Just Stop Oil)
Trade union organisers
Anti-war activists
Journalists covering intelligence agencies
Lawyers bringing cases against police or intelligence agencies

Because national security authorisations are classified, affected individuals have no mechanism to learn they were surveilled unless a whistleblower or litigation forces disclosure.

Notable Cases & Rulings

Liberty & Privacy International v. GCHQ / Secretary of State

Investigatory Powers Tribunal — 2015

The IPT found that GCHQ's mass surveillance programme — sharing bulk intercept data with the NSA — had been unlawful for years due to insufficient legal safeguards. The government's response was to pass the IPA 2016, retroactively legalising the previously unlawful conduct.

Big Brother Watch v. United Kingdom

European Court of Human Rights — Grand Chamber 2021

The Grand Chamber found the UK's bulk interception regime violated Article 8 (right to private life) and Article 10 (freedom of expression) of the European Convention on Human Rights. It specifically found that the regime lacked adequate safeguards for journalist sources. The UK government disputed aspects of the ruling and the IPA 2023 amendments were partly a response — but critics argue the core bulk collection regime remains ECHR-incompatible.

R (Watson) v. Secretary of State — Communications Data Retention

Court of Appeal — 2018

Following earlier CJEU rulings, the Court of Appeal found that indiscriminate bulk retention of communications data was incompatible with EU law. The Data Retention and Investigatory Powers Act (DRIPA) had already been struck down. The IPA's ICR retention regime was subsequently found by multiple courts to require stronger safeguards — which the government provided through the IPA 2023 amendments, though civil liberties organisations continue to challenge the regime's compatibility with the Human Rights Act.

"The UK has constructed a surveillance architecture that would make authoritarian governments envious — and dressed it in the language of liberal democracy and judicial oversight. The oversight is, in many cases, theatre."

— Silkie Carlo, Director, Big Brother Watch (2022 testimony to Joint Committee on Human Rights)

Primary Sources & Further Reading

Regulation of Investigatory Powers Act 2000 — full text, legislation.gov.uk
Investigatory Powers Act 2016 — full text and explanatory notes, legislation.gov.uk
Covert Human Intelligence Sources (Criminal Conduct) Act 2021
Big Brother Watch v. United Kingdom, ECtHR Grand Chamber (2021)
Liberty & Privacy International v. GCHQ, Investigatory Powers Tribunal (2015)
Investigatory Powers Commissioner Annual Report 2022 & 2023
Public Inquiry into Undercover Policing — interim and final reports (2023–2024)
Leveson Inquiry Part 1 Report (2012) — police and journalists section
Liberty, "A Snoopers' Charter: Our Briefing on the Investigatory Powers Act" (2016)
Privacy International, "State of Privacy: United Kingdom" (2023)
Open Rights Group, "The IPA: What You Need to Know" (2023)
Edward Snowden, Permanent Record (2019) — GCHQ/NSA collaboration