Today, the UK government has been forced to appear before the Investigatory Powers Tribunal (IPT) to justify the use of intrusive hacking powers, known as Computer Network Exploitation (CNE), by GCHQ. This is the result of legal action last year brought by Privacy International and seven Internet and communications service providers from around the world. The IPT is the only body that can rule on complaints about GCHQ and the UK's other intelligence agencies. The hearing is expected to last four days.
Privacy International contends that "the infection of devices with malicious software, which enables covert intrusion into the devices and lives of ordinary people, is so invasive that it is incompatible with democratic principles and human rights standards." The claimants also assert that "GCHQ’s attacks on [communications] providers are not only illegal, but are destructive, undermine the goodwill the organisations rely on, and damage the trust in security and privacy that makes the internet such a crucial tool of communication and empowerment."
The legal challenge has already forced the UK government to reveal more details of its hitherto secret hacking programmes. Witness statements by Ciaran Martin, director general for cyber security at GCHQ, show that the secretary of state does not individually sign off on most CNE operations abroad, but only when "additional sensitivity" or "political risk" is involved. Martin also said that the commissioner of the intelligence services only formally reviewed the individual targets of GCHQ hacks overseas in April 2015.
From government documents released as a result of the case, it also emerged that the commissioner of the intelligence services was concerned about the legality of using very broad "thematic warrants" to justify the hacking of people in the UK. He was worried that current law "does not expressly allow for a class of authorisation," and therefore the warrants were too broad. As Privacy International explains: "This means that GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight."
When the legal challenges were filed last year, GCHQ had no lawful authority to break into computer systems. To remedy that situation, the UK government quietly amended the Computer Misuse Act to provide legal cover for the hacking. It also issued a draft Equipment Interference Code of Practice, which sought to formalise these activities. Most recently, the draft Investigatory Powers Bill tries to put CNE on a stronger statutory footing.
Privacy International and the other claimants have updated their legal challenges to reflect those developments, and have also made available expert reports by Ross Anderson, professor of security engineering at Cambridge University, and Peter Sommer, visiting professor at De Montfort University Cyber Security Centre.
The claimants seek the following orders from the IPT: a declaration that GCHQ’s intrusion into computers and mobile devices is unlawful and contrary to Articles 8 and 10 of the European Convention on Human Rights; an order requiring the destruction of any unlawfully obtained material; an injunction restraining further unlawful conduct.