The UK intelligence agency has been hacking computers, phones and networks at home and abroad since at least 2013, and that activity has now been judged legal, thanks to a Feb. 12 ruling by the court in charge of overseeing privacy infringements by state agencies. This judgment could give the government new momentum in its bid to enact a controversial new surveillance law.
The Investigatory Powers Tribunal was responding to a complaint brought by the rights group Privacy International and seven internet service providers. During the course of the hearing, the UK intelligence agency, GCHQ, admitted for the first time that it had conducted “equipment interference”, a euphemism for hacking, since at least 2013. The agency previously adopted a position of neither confirming nor denying that it was hacking computers, phones and networks.
As the case went on, the intelligence agency revealed (pdf, p. 11) that:
- It carried out hacking activities in the UK and abroad.
- About 20% of the agency’s intelligence reports in 2013 contained information derived from hacking activities.
- The agency used “implants”, or spyware, that was active over different lengths of time. Some were active for the duration of an internet session while others resided on a computer for an extended period.
The tribunal also ruled that “thematic warrants” for hacking are legal. This lets the spy agency hack groups of people or “property”, which includes hardware and software. Privacy International argued during the hearing (pdf, p. 10) that the agency could apply for warrants for the following groups, for example:
- All mobile telephones in Birmingham.
- All computers used by suspected members of a drug gang.
- All copies of Microsoft Windows used by a person in the UK who is suspected of having traveled to Turkey in the last year.
- All software obtained by GCHQ.
Impact on draft surveillance bill
The ruling couldn’t have come at a better time for the government. It’s taking a beating over a controversial new surveillance law it has proposed. Three parliamentary groups in the last two weeks have issued reports lambasting the draft law, known as the Investigatory Powers bill, or IP bill. And government-sanctioned hacking is a key area of concern for groups scrutinizing the draft legislation.
The chair of a parliamentary committee tasked with considering the draft bill called it “flawed” in its current form. The committee’s final report on the bill contained dozens of recommendations for improvement. “The fact that we have made 86 recommendations shows that we think that part of the bill is flawed and needs to be looked at in greater detail,” the committee chair, Lord Murphy, said.
The world’s biggest technology companies fear the bill’s provisions for government-mandated hacking could have severe repercussions for their businesses. Apple has criticized the UK government for being “the first national government to attempt to provide a legislative basis for equipment interference.” Microsoft, Facebook, Google, Yahoo and Twitter jointly submitted evidence to parliament calling the bill’s provisions for hacking “a very dangerous precedent” and a “step in the wrong direction.”
The tribunal hearing and the draft bill are intertwined. The hearing put government hacking in the open for the first time, leading to its inclusion in the draft law. The tribunal’s judgment (pdf) noted that “the draft Investigatory Powers bill … plainly drew upon the ideas and submissions which have now been openly canvassed before us.”
Privacy International told Quartz it’s exploring options to challenge the tribunal’s decision. It’s not worried that the ruling will boost support for the bill. Scarlet Kim, the group’s legal officer, told Quartz that the bill already faced too much criticism from the parliamentary groups. “We believe that they will considerably undermine the tribunal’s ruling,” Kim said.
The government, for its part, is hoping to build on the favorable judgment. The foreign secretary, Philip Hammond, sought to link the judgment to the draft surveillance law. “The ability to exploit computer networks plays a crucial part in our ability to protect the British public,” he said in a statement. The proposed law, he said, would “strengthen the safeguards” over intelligence agencies’ use of their hacking powers. For privacy campaigners, it would be ironic if their efforts exposed UK government hacking, only for it to be enshrined in a new law once revealed.