UK government monitoring station admits hacking devices for the first time during case brought by Privacy International and internet service providers
GCHQ carries out “persistent” illegal hacking of phones, computers and networks worldwide under broad “thematic” warrants that ignore privacy safeguards, a security tribunal has heard.
Microphones and cameras on electronic devices can be remotely activated without owners’ knowledge, photographs and personal documents copied and locations discovered, the Investigatory Powers Tribunal (IPT) has been told.
GCHQ, the government monitoring station in Cheltenham, has for the first time in a court case admitted that it carries out computer network exploitation (CNE) – commonly known as hacking – both in the UK and overseas.
Some CNE operations are said to be “persistent” – where listening programs are left on targeted devices – while others are “non-persistent”, where the monitoring ends with each internet session.
The claim that the government’s hacking activities are disproportionate and illegal has been brought by Privacy International and seven international internet service providers.
The case is being heard at the IPT, which deals with complaints about the intelligence services and surveillance by government organisations. The four-day hearing is at the Rolls Building in central London.
“The [legal] regime governing CNE … remains disproportionate,” Ben Jaffey, counsel for Privacy International, told the tribunal. “Given the high potential level of intrusiveness, including over large numbers of innocent persons, there are inadequate safeguards and limitations.”
GCHQ's spy malware operation faces legal challenge
The case has been brought in the wake of revelations by the American whistleblower Edward Snowden who exposed the extent of surveillance carried out by the US’s National Security Agency and the UK’s GCHQ.
Snowden’s documents referred to GCHQ’s CNE capabilities, the tribunal was told, including “a programme called Nosey Smurf which involved implanting malware to activate the microphone on smartphones; Dreamy Smurf, which had the capability to switch on smartphones; Tracker Smurf, which had the capability to provide the location of a target’s smartphone with high precision; and Paranoid Smurf, which ensured all malware remained hidden”.
One illegal aspect of GCHQ’s hacking, Jaffey said, is making changes to targeted computers, an activity that undermines their later use as evidence. “What parliament did not authorise was CNE that impairs the operation of a computer …” he said.
“If state authorities are permitted to alter or impair the operation of a computer, the reliability and admissibility of such evidence will be called into question, as will the need to disclose a past CNE operation to the defence.”
In 2013, the tribunal was told, 20% of GCHQ’s intelligence reports contained information derived from hacking.
The reliance of the intelligence services on what are termed “thematic” warrants – that do not name individuals or addresses but rely on generalised categories of people or places – are an “exorbitant” extension of normal powers, Jaffey told the tribunal.
Under section five of the Intelligence Services Act, he said, proper safeguards are being bypassed so that groups as widely defined, for example, as “all mobile telephones” in Birmingham could be targeted.
Some of the intelligence oversight commissioners, such as Sir Mark Waller, had recently warned in their reports that the security agencies’ interpretation of thematic warrants were “very arguable”, Jaffey pointed out.
Snowden surveillance revelations drive UK and US policy in opposite directions
Newly released documents from the long-running case include a warning from Ross Anderson, professor of security engineering at Cambridge University, that “it is only a matter of time before CNE causes fatal accidents”.
Citing denial of service attacks by online protesters in Oregon, USA, who hijacked hospital servers, installed malware and interfered with medical equipment, Anderson said: “Computers are becoming embedded in ever more devices, on which human societies depend ever more in ways that are complex and ever harder to predict.”
In a written response, Ciaran Martin, director of cyber security at GCHQ, said: “[We] never carry out reckless and irresponsible CNE operations ... GCHQ’s processes for CNE include an expert risk assessment panel.”
The documents include a “gist” – or summary – of internal GCHQ advice to staff about the legality of hacking. They explain that: “The [Intelligence Services Act] warrant and authorisations scheme is a mechanism for removing liability that would otherwise attach to interference with property such as computers, phones and routers. This interference would otherwise be a criminal offence under the Computer Misuse Act.”
Another GCHQ instruction states: “CNE involves gaining remote access to computers and networks and possibly modifying their software without the knowledge or consent of the owners and users with the aim of obtaining intelligence ... CNE operations carry political risk. These risks are assessed by the relevant team – consult them at an early stage if you’re considering a CNE operation”
Lawyers for GCHQ argue that its CNE activities are “proportionate”. They dismissed Privacy International’s claims as “extreme allegations” that do not accurately describe the reality of GCHQ’s operations.
“Over the last year the threat to the UK from international terrorism has continued to increase,” James Eadie QC, for GCHQ, told the tribunal in written submissions. “GCHQ and other intelligence agencies must develop innovative and agile technical capabilities to meet these serious national security challenges. Computer network exploitation is one such capability … CNE may, in some cases, be the only way to acquire intelligence coverage of a terrorist suspect or serious criminal in a foreign country.”
The legal regime governing its deployment provides “stringent safeguards” for CNE activities, Eadie added. “It is denied that GCHQ is engaged in any unlawful and indiscriminate mass surveillance activities.”
Commenting on the hearing, Caroline Wilson Palow, general counsel at Privacy International, said: “The light-touch authorisation and oversight regime that GCHQ has been enjoying should never have been permitted. Perhaps it wouldn’t have been if parliament had been notified in the first place that GCHQ was hacking. We hope the tribunal will stand up for our rights and reign in GCHQ’s unlawful spying.”
The seven internet service providers involved in the case are: GreenNet, Riseup Networks, Mango Email Service, Jinbonet from Korea, Greenhost, Media Jumpstart, and Chaos Computer Club.
Some sessions of the IPT are closed and held in secret. The case continues.