U.K. Spy Agency Does Not Require Individual Warrants To Hack

More details about U.K. intelligence agency GCHQ’s use of hacking — aka: ‘computer network interference’ in euphemistic official parlance — and the oversight regime governing its hacking activities have emerged via an ongoing legal challenge filed by civil liberties group Privacy International and several ISPs, which is continuing to put witness statements into the public domain.

The legal complaint, filed back in July 2014, calls for an end to “GCHQ’s attacking and exploitation of network infrastructure in order to unlawfully gain access to potentially millions of people’s private communications.”

Earlier this year the legal action was instrumental in forcing GCHQ to confirm publicly that it engages in hacking. Albeit it subsequently emerged that the U.K. government had quietly ushered through amendments to the Computer Misuse Act — exempting the spy agency and law enforcement from prosecution, and doing this in the midst of the legal challenge to these hacking practices.

The government is now in the process of reworking U.K. surveillance legislation more generally. The Investigatory Powers Bill, introduced to Parliament last month, lists “equipment interference” as a key provision. The draft legislation also sanctions the use of so-called “bulk” equipment interference — i.e. non-targeted hacking that can be applied across multiple end-points, so long as the intelligence agencies are applying the justification that it’s a matter of ‘national security’.

GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight. Privacy International

With such a wide-ranging power to hack into devices and software en masse set to be explicitly fixed in U.K. law, the historical lack of a strict and robust authorization and oversight regime governing state agency hacking powers is hugely concerning.

“The draft Investigatory Powers Bill introduced to Parliament by the Home Office on 4 November 2015 attempts to codify the lax authorisation processes that gave rise to the problems we see in the documents released today,” argues Privacy International. “In particular, the provision permitting ‘Bulk’ Equipment Interference gives an almost unfettered power to the intelligence services to decide who and when to hack.”

The organization points to witness statements arising from its challenge that it says confirm GCHQ has been using hacking without obtaining individual warrants — but rather using “thematic warrants” to authorize its hacking activities.

Whether it is lawful to use broad “thematic warrants” to justify the hacking of people in the U.K. is one of the subjects of the legal challenge.

Privacy International notes that the Commissioner of the intelligence services raised specific concerns about the practice in a 2014 report on the grounds that such warrants might be too broad. “This means that GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight,” it adds.

It also points to various other details emerging from witness statements made by GCHQ board member and director general for cyber security, Ciaran Martin — including that:

  • The Secretary of State does not individually sign off on most hacking operations abroad, but only when “additional sensitivity” or “political risk” are involved
  • Overseas hacking does not require authorisations to name or describe a particular piece of equipment, or an individual user of the equipment
  • The intelligence services Commissioner only formally reviewed the individual targets of GCHQ hacks overseas in April 2015
  • The Intelligence and Security Committee Report in March 2015 called MI5’s and SIS’s failure to keep accurate records of their overseas hacking activities “unacceptable,” as it makes effective oversight impossible

Commenting in a statement, Caroline Wilson Palow, General Counsel at Privacy International, said the revelations about how GCHQ has been using hacking powers underline how important strict authorization and oversight regimes are.

“Eighteen months after we first brought this challenge, GCHQ have come to court today to defend their asserted power to hack computers in the U.K. without individual warrants. The light touch authorisation and oversight regime that GCHQ has been enjoying should never have been permitted. Perhaps it wouldn’t have been if Parliament had been notified in the first place that GCHQ was hacking. We hope the tribunal will stand up for our rights and reign in GCHQ’s unlawful spying,” she adds.

Earlier this year the Investigatory Powers Tribunal, the oversight court for the U.K.’s intelligence agencies, ruled against GCHQ for the first time in its 15-year history, saying it had acted illegally prior to December 2014 by receiving data from the NSA’s surveillance dragnets.

In the summer the IPT again ruled GCHQ had acted illegally in the past by breaching its own internal policies in the handling of intercepted communications — specifically pertaining to emails from two human rights organizations.