Legal fight against UK state hacking seeks crowdfunds

Privacy rights group, Privacy International, is running a crowdfunding campaign to try to raise funds to help cover its legal costs as it continues to challenge the UK government’s use of hacking as a mass surveillance technique for domestic security agencies to gather intelligence.

The group is hoping to raise £5,000 via this route, noting that an anonymous supporter has offered to match any donations it receives up to a maximum of £12,000.

It also says it has a ‘Protective Costs Order’ which limits its potential legal liability to £25k should it lose the case and have to pay the government’s costs, but adds “that’s still a lot of money for a charity with very limited resources!”. Hence the crowdfunder.

It’s raised just over £1k at the time of writing.

Long battle against state hacking

The group has been fighting the government’s use of hacking as an investigatory power since 2014, filing an original complaint against state hacking with the IPT, the oversight court for UK intelligence agencies, in May 2014.

As part of that legal challenge more information emerged about the state’s use of hacking as an investigatory tool — including the fact that it does not require individual warrants to hack devices or services. Rather, it can use so-called “thematic warrants” to authorize hacking activities in bulk.

Privacy International went on to argue that untargeted hacking activities violate Articles 8 and 10 of the European Convention on Human Rights, pertaining to privacy and free speech rights.

Its contention is that the use of bulk hacking, “fundamentally undermines 250 years of English common law”, arguing that common law “has long rejected general warrants” and “is clear that a warrant must target an identified individual or individuals”.

“Parliament is presumed not to have overridden such a profound and fundamental right unless it clearly and expressly states that general warrants are now permissible — which it has not,” it wrote in May last year.

At the same time as the legal challenges to hacking as an investigatory tool of the state, thematic warrants were included by the UK government in a new draft surveillance framework, published in 2015, as it sought to bake existing operational powers, whose existence had been revealed by documents released by NSA whistleblower Edward Snowden, fully into UK law — rather than continuing to rely on authorization via a patchwork of outdated legislation.

Then, in February 2016, as the government’s new draft surveillance powers bill was being put before parliament, the IPT rejected Privacy International’s challenge to state hacking.

And in May last year the group filed for a judicial review in the UK High Court of the IPT ruling.

In November the UK High Court ruled it has no power to overturn an IPT ruling, citing a clause in UK legislation that oversees the state’s use of investigatory powers (RIPA) which apparently protects IPT decisions from being subject to appeal or questioning on points of law.

Privacy International is in the UK Appeals Court today to try to overturn the High Court decision and force a judicial review of the IPT’s ruling.

A spokesperson told us it does not expect the Appeals Court to pass judgement today.

The case could be referred to the UK’s Supreme Court, and — beyond that — to the European Court of Human Rights.

Privacy International has also — in August 2016 — filed a legal challenge to the state’s use of bulk hacking against foreigners with the European Court of Human Rights. So it has a parallel legal action ongoing.

“By taking this case to the European Court of Human Rights, we aim to bring the government’s hacking under the rule of law,” it wrote when it initiated that action. “The government is currently hacking abroad based on a very vague and broad power that provides few if any safeguards on this incredibly intrusive power.”

Controversial and risky

Bulk hacking as an investigatory tool for spies is especially controversial, enabling the UK’s security agencies to carry out mass hacking of devices and services which can potentially cover tens of thousands of people at a time who may be located anywhere in the world.

Not to mention potentially compromising the security of software used by many more people, if backdoors are being intentionally inserted into systems.

An example of the kind of mass collateral damage that can result when state agencies utilize software exploits as an intelligence-gathering route occurred earlier this year when the WannaCrypt ransomware caused havoc across multiple countries, including shutting down hospitals and impacting comms businesses — relevant because the malware apparently made use of an exploit stolen from the NSA.

Last year the UK parliamentary Intelligence and Security Committee also raised concerns about bulk hacking as an investigatory technique, recommending the provision be removed entirely from the draft Investigatory Powers bill before parliament, saying it had not seen “sufficiently compelling evidence” to justify sanctioning such an intrusive capability.

Despite concerns from a normally hawkish committee, and despite a subsequent review of the bulk powers contained in the bill (pushed for by the opposition Labour party), the legislation was passed by parliament in November 2016 with bulk powers intact, becoming law by the end of the year.

The August 2016 review of the bill’s bulk powers, which was carried out by the government’s independent reviewer of terrorism legislation, rapidly concluded there was a distinct though not yet proven operational case for the inclusion of “bulk equipment interference” (as mass hacking is euphemistically termed).

The review did not, however, consider whether bulk powers are proportionate or desirable — leaving such matters for the UK parliament to decide.

And with both the government and the main opposition party backing the legislation, there was little room for robust scrutiny in parliament, leaving its few critics there to warn of “weakness of safeguards” in the legislation.

Privacy rights groups had also criticized the UK government’s terrorism legislation reviewer for focusing on “claimed successes of bulk power use”, relying on anecdotal evidence provided by the intelligence agencies, and for failing to “inspect evidence of their failures”.

The difficulty in evaluating and assessing risks when the state is engaging in bulk hacking that could cause unforeseen disruption is another point raised by critics — given the already complex interplay of digital devices and services, and an increasingly complex picture as more devices and things become critically reliant on connectivity.