Digital surveillance is no longer a remote intelligence issue. It now sits inside ordinary life, touching phones, platforms, private messages, children, journalism, protest and trust in public authority.
People are concerned about digital surveillance because they feel something basic has been taken from them: the right to think, speak, organise, read, search, ask, write, pray, protest, worry, make mistakes, change one’s mind and communicate without the permanent suspicion that every act may be logged, ranked, scanned or held for later use. That feeling should not be dismissed as paranoia. It is a democratic warning signal.
The United Kingdom now has a dense legal architecture for digital monitoring, online platform regulation, intelligence gathering, counter-terrorism policing and communications interception. Some of it is aimed at real harms: terrorism, child sexual exploitation, serious crime, hostile states, grooming, organised abuse and violent threats. Those dangers exist. They are not inventions.
But the existence of danger does not settle the question. A free society is measured by whether the innocent can live without being treated as a permanent potential suspect.
For Scotland, the issue is direct. Internet regulation, national security, interception and counter-terrorism are largely reserved to Westminster. Scotland’s people live inside the system, but Holyrood does not control its core machinery. Scottish families, journalists, schools, churches, campaigners, MSPs, small publishers, community groups, football supporters, land campaigners, women’s groups, trade unions and ordinary citizens are all affected by UK-wide digital law.
The starting point should be human freedom.
Under the Human Rights Act 1998, Article 8 protects the right to respect for private and family life, home and correspondence. Article 10 protects freedom of expression. Article 11 protects peaceful assembly and association. These rights are not absolute. The state can interfere with them in certain circumstances, including national security, public safety, prevention of crime and protection of the rights of others. But interference must be lawful, necessary and proportionate.
Those three words matter. Lawful does not mean “whatever the Government wants”. Necessary does not mean “convenient for the authorities”. Proportionate does not mean “technically possible”.
The problem with modern digital surveillance is that it changes the scale of state power. A police officer following one suspect is one kind of intrusion. A system that can gather, retain, search or compel access to millions of communications is another. A warrant aimed at a named person is not the same thing as a technical architecture that makes scanning, filtering or automated reporting part of daily life.
The Investigatory Powers Act 2016 placed many surveillance powers on a clearer statutory footing. It covers interception, equipment interference, communications data, bulk powers and oversight arrangements. The Government presents the Act as a system of legal safeguards, including approval by ministers and Judicial Commissioners for intrusive warrants. Civil-liberties groups argue that it normalised bulk surveillance powers that should never have been made routine.
Both claims can be true in different ways. The Act did create a formal warrant and oversight system. It also gave legal shape to powers that many citizens find far too wide.
One of the clearest asymmetries concerns parliamentarians. Under the Investigatory Powers Act, targeted warrants involving the communications of MPs, peers, members of the Scottish Parliament and other devolved legislatures receive an additional safeguard. This is often called the “triple lock”: Secretary of State approval, Judicial Commissioner approval and Prime Minister approval.
That does not make politicians untouchable or that they can never be investigated. It does mean the law recognises something important: surveillance of elected representatives is constitutionally dangerous.
The public should ask why that same seriousness is not extended more visibly to ordinary political life. A constituent writing to an MSP about corruption, abuse, policing, immigration, housing or public-service failure may be taking a personal risk. A whistleblower contacting a journalist may be exposing wrongdoing. A woman seeking help may be trying to escape violence. A campaigner opposing state policy may be acting within the deepest traditions of democratic life.
If privacy is essential for parliamentarians to do their work, it is also essential for the people who contact them.
The Online Safety Act 2023 raises a different but related concern. The Act regulates user-to-user services and search services. Its purpose is to reduce illegal and harmful content online, especially for children. That aim is not trivial. Parents in Scotland know the internet can expose children to cruelty, grooming, pornography, self-harm content, misogyny, scams and abuse.
Yet the Act also gives Ofcom technology-notice powers in relation to terrorism content and child sexual exploitation and abuse content. Ofcom says such powers would be used where necessary and proportionate. Privacy groups warn that these powers could pressure services, including encrypted messaging services, toward scanning systems that undermine private communication.
This is where people feel violated. They hear “safety”, but they see the direction of travel: more checking, more proof, more platform enforcement, more age assurance, more scanning, more records, more systems that decide whether a person may enter the digital mercat square.
The state may say it is not reading everyone’s messages. The public hears something else: that the private space of the device is no longer assumed to belong to the citizen.
That concern is not anti-child. It is not pro-crime. It is not extremist. It is an ordinary democratic objection to the idea that freedom must be surrendered quietly whenever technology makes intrusion possible.
There is also a serious class problem. People with secure official devices, legal teams, institutional IT systems, parliamentary privilege, private offices and internal networks experience the digital state differently from ordinary citizens. A minister or senior civil servant does not live online in the same way as a low-income parent using a single smartphone for banking, school messages, benefits, GP appointments, work rotas, transport, children’s photos and family contact.
A smartphone is no longer just a phone. For many people it is identity, money, diary, camera, address book, map, pass, bank, workplace, school bag, medical file and family album. When the state, regulators or platforms intrude into that object, people feel the intrusion physically. They are not wrong.
The protections and exposures are uneven.
| Person or group | Main legal position | Extra protection | Main exposure |
|---|---|---|---|
| Ordinary adult citizen | Protected by Article 8 privacy, Article 10 expression and Article 11 association, but subject to surveillance and policing powers where legal tests are met | General human-rights protections; possible legal challenge after interference | Communications data, platform moderation, age or identity checks, police powers, data retention, device extraction in investigations |
| Child or teenager | Protected by privacy and family-life rights, but also subject to child-protection systems and online safety duties | Laws and policy aimed at protection from abuse and harmful content | Age assurance, school monitoring systems, parental controls, platform filtering, possible loss of private space |
| Parent or family | Privacy and family-life rights apply | Can challenge disproportionate interference | Increasing dependence on digital school, health, banking and government systems creates traceable records |
| MP, peer, MSP or devolved legislator | Communications can be subject to targeted warrants only with additional safeguards under the Investigatory Powers Act | “Triple lock” for targeted interception involving parliamentarians | Not immune, but better protected than ordinary citizens against targeted surveillance |
| Minister or senior official using official systems | Official communications may sit inside secure government systems and internal tools | Institutional security, official devices, internal networks, legal and departmental controls | Official records may still be retained, searched, disclosed under law or subject to inquiry |
| Civil servant using official device | Protected as an employee and citizen, but work communications belong to official systems | Secure IT and workplace controls | Monitoring by employer/government systems; official records management; less privacy on work devices |
| Journalist | Article 10 protects expression and source confidentiality; specific safeguards exist for journalistic material in some surveillance contexts | Strong public-interest arguments; source protection recognised in human-rights law | No absolute immunity; anti-terror, police and surveillance powers have been used in ways that affected journalistic material |
| Lawyer and client | Legal professional privilege is strongly protected | Higher safeguard around privileged material | Not absolute in every operational context; disputes may arise over access, seizure or handling |
| Protester or campaigner | Article 10 and Article 11 protect expression, protest and association | Lawful peaceful protest is protected | Public-order law, surveillance, facial recognition, social media monitoring, terrorism laws if authorities allege serious ideological violence or support for proscribed groups |
| Person suspected of terrorism | Subject to counter-terrorism investigation and powers | Warrants, oversight, codes of practice and human-rights limits should apply | MI5, counter-terrorism police, GCHQ and others may gather intelligence; Schedule 7 border powers can be used without ordinary suspicion threshold |
| Traveller at UK border | Schedule 7 Terrorism Act powers may apply at ports and borders | Codes of practice and some safeguards, especially around protected material | Can be stopped, questioned, searched and detained to determine involvement in terrorism, even without ordinary suspicion |
| Person with no smartphone | Still protected by human rights law | Less app tracking, less platform data, fewer location trails | Still traceable through CCTV, payment cards, travel systems, ANPR, internet use, landlines, official records and other people’s devices |
The question many people ask is simple: can I avoid being tracked?
The honest answer is: not completely, unless one withdraws from much of modern life, and even then not fully.
A smartphone generates many trails. Mobile networks know roughly where a phone connects through cell towers. Apps may collect location, device identifiers, contact patterns, advertising IDs, browsing behaviour and usage data. Messaging platforms may protect message content with encryption, but metadata can still reveal who contacted whom, when and from what account. Cloud backups may expose material that people thought was only on the device. Photos can contain location and time data. Payment apps, travel apps and social media accounts add more layers. Some steps may reduce exposure. Use fewer apps. Remove unnecessary permissions. Turn off advertising IDs. Avoid cloud backups for sensitive material. Use strong passwords and two-factor authentication. Keep separate work and personal devices. Do not carry a phone to every private conversation. Use cash where lawful and practical. Avoid logging into every service through a single account. Use privacy-respecting browsers and search engines. Keep devices updated. Do not put intimate or sensitive material into platforms you do not trust.
A dumb phone reduces some tracking. It usually avoids app ecosystems, advertising trackers, social media permissions and constant background data collection. But it is not invisible. A dumb phone still connects to cell towers. Calls and texts create records. A SIM card links to a network account. If carried everywhere, it can still create a movement pattern.
For journalists, lawyers, campaigners and whistleblowers, the advice becomes more serious. Do not assume ordinary email, ordinary messaging or ordinary phones are safe for sensitive work. Separate roles. Minimise retained data. Use secure channels. Protect sources. Understand that border powers, device seizure, malware, compromised accounts and cloud access may matter as much as message encryption. This is not advice to evade lawful investigation. It is advice to preserve ordinary human privacy in a country where digital life has become structurally exposed.
Under the Terrorism Act 2000, terrorism is defined broadly. It involves the use or threat of action designed to influence government or intimidate the public or a section of the public, made for the purpose of advancing a political, religious, racial or ideological cause, where the action involves serious violence, serious damage to property, endangering life, serious public safety risk, or serious interference with or disruption of an electronic system.
That definition is not limited to bombs. It can reach conduct connected to serious cyber disruption, violent ideological activity, preparation, support, encouragement and possession of certain material. The breadth of the definition has long concerned civil-liberties lawyers because it gives the state considerable interpretive power.
Who monitors terrorism threats?
In broad terms, MI5 investigates threats to national security inside the UK. Counter Terrorism Policing works with MI5 and local police forces, including Police Scotland in relevant operations. GCHQ provides signals intelligence and cyber capabilities. MI6 deals with overseas intelligence. The National Crime Agency also has roles in serious crime and receives certain reports, including child sexual exploitation and abuse reports under online safety duties. Ofcom regulates platforms under the Online Safety Act, including duties around terrorism content online.
Who decides someone is a threat?
There is no single simple answer. Intelligence agencies assess intelligence. Police investigate crime. Prosecutors decide whether evidence supports charges. Ministers may authorise certain national-security powers. Judicial Commissioners approve many intrusive warrants. Courts decide guilt. At the border, Schedule 7 allows examining officers to stop, question, search and detain people to determine whether they are involved in terrorism. The Government’s own code says those powers can be used without ordinary grounds for suspicion.
Can journalists be considered terrorists?
Journalism itself is not terrorism. Publishing, investigating, criticising government, exposing state wrongdoing, protecting sources and reporting on national security are activities protected by Article 10.
But journalists do not possess total immunity from terrorism law. If authorities allege that a person possesses, carries, publishes or transmits material in a way that falls within terrorism legislation, a journalist or someone assisting journalism can be caught up in those powers. The David Miranda case showed the danger. Miranda, who was connected to the Guardian’s reporting on Edward Snowden material, was detained at Heathrow under Schedule 7 of the Terrorism Act. The Court of Appeal later found that the Schedule 7 power, as it then stood, was incompatible with Article 10 because it lacked adequate safeguards for journalistic material.
That case should never be forgotten. It shows how anti-terror powers can collide with journalism when the state treats national-security reporting as a security problem rather than a democratic function.
The European Court of Human Rights later found in Big Brother Watch and others v United Kingdom that aspects of the UK’s bulk interception regime had violated Article 8, and that there had been insufficient protection for confidential journalistic material under Article 10. The Court did not say bulk interception is always unlawful. It said safeguards matter, especially where private life, expression and source protection are at stake.
This is the heart of the matter. A state may need powers to protect the public from real threats. But once those powers exist, they tend to expand. Once systems are built, they seek uses. Once data is retained, it becomes searchable. Once platforms are made responsible for policing speech, they will often over-remove, over-check and over-comply. Once age checks become normal, identity checks can follow. Once scanning is technically possible, pressure builds to widen what is scanned.
People are not wrong to feel the walls moving inward.
The Scottish public should not be asked to choose between child safety and privacy, or between counter-terrorism and freedom. That is a false choice. The proper democratic demand is harder: protect children without normalising inspection of everyone; investigate terrorists without treating political dissent as suspicion; regulate platforms without making private speech dependent on state-approved technology; protect parliamentarians without leaving citizens as the exposed class.
No digital surveillance power should be accepted unless it is openly stated, narrowly defined, independently authorised, time limited, auditable, challengeable in court, reported publicly as far as possible, and protected by strong safeguards for journalism, legal privilege, children, domestic abuse survivors, political activity, religious life, trade union activity and communications with elected representatives.
Scotland should also insist that Westminster explain, in plain language, how UK online safety and investigatory powers affect Scottish citizens. Holyrood should scrutinise the practical consequences even where powers are reserved. Scottish public bodies should not quietly build local versions of surveillance culture through schools, councils, health systems or policing. Public trust will not survive if every institution responds to risk by collecting more data.
People are entitled to say no to a society where every private act must become legible to a machine.
They are entitled to use simpler phones to keep parts of life offline. They are entitled to ask whether age checks create new identity systems. They are entitled to ask why official systems are protected while ordinary people are exposed. They are entitled to expect journalists to protect sources.
The state should be transparent to the citizen. The citizen should not be made transparent to the state.
That is not extremism. It is the old democratic bargain. If Britain is now changing that bargain by statute, code, platform rule and technical notice, Scotland should not sleepwalk through it.
SOURCES
Human Rights Act 1998, Schedule 1
https://www.legislation.gov.uk/ukpga/1998/42/schedule/1
Equality and Human Rights Commission, Article 8: Respect for your private and family life
https://www.equalityhumanrights.com/human-rights/human-rights-act/article-8-respect-your-private-and-family-life
Equality and Human Rights Commission, Article 10: Freedom of expression
https://www.equalityhumanrights.com/human-rights/human-rights-act/article-10-freedom-expression
Equality and Human Rights Commission, Article 11: Freedom of assembly and association
https://www.equalityhumanrights.com/human-rights/human-rights-act/article-11-freedom-assembly-and-association
Investigatory Powers Act 2016
https://www.legislation.gov.uk/ukpga/2016/25/contents
Investigatory Powers Act 2016, section 26: Members of Parliament etc.
https://www.legislation.gov.uk/ukpga/2016/25/section/26
Home Office report on operation of the Investigatory Powers Act 2016
https://www.gov.uk/government/publications/report-on-the-operation-of-the-investigatory-powers-act-2016/home-office-report-on-the-operation-of-the-investigatory-powers-act-2016-accessible-version
House of Commons Library, The Wilson Doctrine
https://commonslibrary.parliament.uk/research-briefings/sn04258/
Investigatory Powers Commissioner’s Office
https://www.ipco.org.uk/
GOV.UK, Investigatory Powers Commissioner’s Office
https://www.gov.uk/government/organisations/investigatory-powers-commissioners-office
MI5, Bulk data
https://www.mi5.gov.uk/how-we-work/gathering-intelligence/bulk-data
MI5, Partnerships
https://www.mi5.gov.uk/about-us/partnerships
Online Safety Act 2023
https://www.legislation.gov.uk/ukpga/2023/50
Online Safety Act 2023, Schedule 1
https://www.legislation.gov.uk/ukpga/2023/50/schedule/1
Online Safety Act 2023, section 121: Technology notices
https://www.legislation.gov.uk/ukpga/2023/50/section/121
Ofcom, Statement: Technology Notices
https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/consultation-technology-notices
Ofcom, approach to implementing the Online Safety Act
https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/roadmap-to-regulation
Ofcom annual report on notices to deal with terrorism and/or CSEA content 2025
https://www.gov.uk/government/publications/ofcoms-online-safety-act-section-128-annual-report-2025/ofcom-annual-report-on-notices-to-deal-with-terrorism-andor-csea-content-2025
Scottish Parliament written answer S6W-35089, internet regulation reserved
https://www.parliament.scot/chamber-and-committees/questions-and-answers/question?ref=S6W-35089
Scottish Government, Online Safety Taskforce Action Plan 2026/27
https://www.gov.scot/publications/online-safety-taskforce-action-plan-2026-27/
Terrorism Act 2000, section 1: Terrorism interpretation
https://www.legislation.gov.uk/ukpga/2000/11/section/1
Terrorism Act 2000, Schedule 7
https://www.legislation.gov.uk/ukpga/2000/11/schedule/7
Counter Terrorism Policing, Schedule 7
https://www.counterterrorism.police.uk/what-we-do/counter-terrorism/protect/schedule-7/
GOV.UK, Schedule 7 code of practice
https://www.gov.uk/government/publications/codes-of-practice-for-officers-using-examination-powers-at-ports/examining-officers-and-review-officers-under-schedule-7-to-the-terrorism-act-2000-accessible-version
Crown Prosecution Service, Terrorism
https://www.cps.gov.uk/types-crime/terrorism
Liberty, Investigatory Powers Act legal challenge
https://www.libertyhumanrights.org.uk/issue/legal-challenge-investigatory-powers-act/
Liberty, confidential journalistic material safeguards
https://www.libertyhumanrights.org.uk/issue/government-agrees-to-protect-confidential-journalistic-material-after-legal-challenge/
Liberty, Miranda and Schedule 7 press freedom case
https://www.libertyhumanrights.org.uk/issue/victory-for-press-freedom-as-appeal-court-rules-schedule-7-incompatible-with-article-10-of-human-rights-act/
Miranda v Secretary of State for the Home Department, Court of Appeal judgment
https://www.judiciary.uk/wp-content/uploads/2016/01/miranda-v-home-sec-judgment.pdf
European Court of Human Rights, Big Brother Watch and others v United Kingdom
https://hudoc.echr.coe.int/app/conversion/pdf/?filename=Grand+Chamber+judgment+Big+Brother+Watch+and+Others+v.+the+United+Kingdom+-+UK+surveillance+regime%3A+some+aspects+contrary+to+the+Convention+.pdf&id=003-7028496-9484349&library=ECHR
Open Rights Group, Save Encryption
https://www.openrightsgroup.org/campaign/save-encryption/
ARTICLE 19, Online Safety Bill and encrypted messaging
https://www.article19.org/resources/uk-online-safety-bill-must-protect-encrypted-messaging/
Hansard Society, online safety and delegated legislation
https://www.hansardsociety.org.uk/publications/briefings/online-safety-delegated-legislation-social-media-ai
Bugs in our Pockets: The Risks of Client-Side Scanning
https://arxiv.org/abs/2110.07450
