Investigatory Powers Tribunal Rules GCHQ Hacking Lawful
The Investigatory Powers Tribunal (“IPT”) today held that GCHQ hacking of computers, mobile devices and networks is lawful, wherever it occurs around the world. We are disappointed that the IPT has not upheld our complaint and we will be challenging its findings.
Our complaint is the first UK legal challenge to state-sponsored hacking, an exceptionally intrusive form of surveillance. We contended that GCHQ hacking operations were incompatible with democratic principles and human rights standards. We further argued that GCHQ, which until these proceedings was hacking in secret, had no clear authority under UK law to deploy these capabilities.
The IPT condoned GCHQ’s use of a broad legal basis — the power to interfere with “property” under section 5 of the Intelligence Services Act 1994 (“ISA”) — to authorise hacking. It then concluded that adequate safeguards existed to prevent abuses of that power. But the IPT refused to rule on whether GCHQ’s use of an even broader power under ISA section 7 — authorising any unlawful acts committed abroad — complies with the European Convention on Human Rights (“ECHR”). That refusal represents a startling departure from its approach in our separate case challenging mass surveillance and intelligence sharing with the NSA, which assessed the legality of both regimes in light of the ECHR.
ECHR Articles 8 and 10 require that any interference with the fundamental rights to privacy and freedom of expression be “prescribed by law”. Before these proceedings, nothing at all was known about any rules or safeguards governing GCHQ hacking. Over the course of the proceedings, the Government scrambled to articulate such a regime. On the day the Government served its Response to our complaint, it also released a draft Code of Practice purporting to govern GCHQ hacking. At the same time, the Government asserted that bare bones authorisation contained in the ISA demonstrated compliance with the ECHR, an argument accepted by the IPT despite the Government’s sudden unveiling of the draft Code.
The IPT further accepted the Government’s position that the ISA authorises “thematic warrants”, which could cover an entire class of property, persons or conduct, such as “all mobile phones in Birmingham”. English law has rejected such warrants as unlawful for hundreds of years. As a matter of fundamental constitutional law, Parliament is presumed not to have overridden such bedrock principles unless it uses clear and express language, which it did not in the ISA. Nevertheless, the IPT accepted the Government’s exorbitant interpretation of the ISA on the grounds that where the statutory context is national security, basic common law principles protecting liberty are not “a useful or permissible aid.” In effect, the IPT said that the principle of legality — that Parliament must speak with deliberate intent when overturning a fundamental right — does not apply to the Security and Intelligence services.
Finally, the IPT refused to find GCHQ hacking unlawful under the Computer Misuse Act 1990 (“CMA”), which criminalises hacking, despite the Government’s introduction of amendments to the CMA midway through these proceedings. Those amendments, which passed into law as part of the Serious Crime Bill 2015, now exempt law enforcement and GCHQ from future criminal liability for hacking. The Government submitted that the amendments it introduced did not change the law in any relevant way and that GCHQ hacking had always been lawful. The IPT again agreed.
Privacy International will challenge the Tribunal’s findings.
GCHQ publicly admits to hacking
Hacking, which the Government describes as “equipment interference” or “computer network exploitation”, entails a serious interference with the right to privacy. Hacking can log keystrokes, track locations, take covert photographs and videos, and access stored information. Hacking can also be used to corrupt a target device’s files, plant or delete documents and data, or send fake communications from the device. These techniques can be mobilised against entire networks, comprising the devices of large groups of people.
Hacking fundamentally weakens the security of computers and the internet. It is typically carried out by remotely accessing a target device. Common techniques include sending emails that install malware when the recipient clicks on a link in the message or by utilizing pre-existing vulnerabilities in computer systems to install malware. By its very nature, hacking therefore exploits weaknesses in software and hardware used by millions of people. It is akin to unlocking a person’s window without their knowledge and leaving it open for any attacker — whether GCHQ, another country’s intelligence agency or a cyber criminal — to access. Hacking may leave a single individual vulnerable or render countless unintended targets subject to attack. It undermines the security of all our communications, including those forming the core of financial and other everyday transactions.
Until Privacy International brought this case, GCHQ “neither confirmed nor denied” (“NCND”) whether it had ever hacked a computer. Over the course of the proceedings, the Government shifted from NCND to admitting its use of hacking at an alarmingly broad scale. GCHQ admitted hacking within and outside the UK using such techniques to:
Obtain information from a particular device, server or network
Create or modify information on a device
Carry out intrusive activity
In the proceedings, the Government admitted that it may undertake hacking against a specific device or an entire computer network. It also admitted that it undertakes both “persistent” and “non-persistent” operations, the former referring to hacking activities covering an extended period of time.
GCHQ forced to articulates rules, albeit inadequate, on governing hacking
Given that GCHQ maintained a position of NCND with respect to hacking prior to this case, it should come as no surprise that any rules and safeguards governing this practice were also shrouded in secrecy.
In February 2015, nine months after we filed our complaint, the Government released a draft Equipment Interference Code of Practice purporting to govern hacking. The Government claimed the draft Code mirrored internal GCHQ guidance on hacking but refused, on national security grounds, to disclose earlier versions of the Code or explain when it was first drafted.
The IPT bizarrely commends the Government on its production of the draft Code during the course of the proceedings. But the rules and safeguards governing GCHQ’s hacking powers should have been publicly debated and established before such powers were ever deployed. The Government should be criticised, rather than praised, for belatedly producing them as a result of our case.
In any event, the draft Code was too little, too late. First, hacking powers should be robustly and publicly debated. Given the privacy intrusion and security risks involved, we question whether hacking can ever be a legitimate aspect of state surveillance. If approved, however, they should be enshrined in primary legislation, rather than codes of practice. We are pleased that such a discussion is now occurring in the context of the draft Investigatory Powers Bill (“IP Bill”) although we maintain serious reservations, discussed below, about the powers outlined in that legislation.
Second, the draft Code, in its current form, fails to properly delineate the rules and safeguards GCHQ hacking so desperately needs. Its most serious failings include authorising “thematic warrants” under the ISA, as discussed above, and allowing the hacking of devices and networks of those who are not even intelligence targets. The draft Code further fails to require any filtering of data collected through bulk hacking abroad, which would ensure, for example, that any information collected about those in the UK is not accessed without proper authorisation. The result is a hacking regime with minimal authorisation, few safeguards, and limited oversight. Both procedurally and substantively, therefore, the draft Code is deficient.
Public scrutiny of GCHQ hacking through the Draft Investigatory Powers Bill
The inclusion of hacking in the draft IP Bill is the result of our litigation. Without these proceedings, GCHQ would still be hacking without public knowledge of the scope of such activities or the rules governing them. As the IPT itself notes, the IP Bill “plainly drew upon the ideas and submissions . . . openly canvassed” in the case.
The draft IP Bill places the power of law enforcement and intelligence services to hack on statutory footing for the first time. While we welcome a public debate regarding hacking, we question, as noted above, whether the state can ever justifiably deploy this power. If it is to be used at all, it must be in only the most narrowly defined circumstances with the strictest safeguards. Those important privacy safeguards do not yet exist; Parliament should add them.
As it currently stands, the draft IP Bill perpetuates the broad scope of GCHQ hacking while leaving it subject to weak safeguards and a light touch authorisation and oversight regime. Part 5 of the IP Bill, the supposedly “targeted” hacking provisions, permits attacks on broad categories of equipment, including those belonging to communications service providers (“CSPs”). Part 6, Chapter 3, of the IP Bill compounds this problem by permitting hacking to be carried out “in bulk” when directed overseas. This “bulk” provision gives almost unfettered powers to the intelligence services to decide who and when to hack.
The Intelligence and Security Committee (“ISC”), which released its report on the draft IP Bill this week, criticised the IP Bill’s provisions on GCHQ hacking as being “too broad and lack[ing] sufficient clarity.” At the same time, it condemned the IP Bill for failing to address certain forms of hacking, which will continue “to sit under the broad authorisations provided . . . under the Intelligence Services Act 1994.” The ISC observed that “retaining” these “operations under the broad . . . provisions of the [ISA] fails to achieve transparency in this area and effectively means that such operations remain ‘secret’ and thus not subject to clear safeguards”, the very claim at the heart of our case.
The draft IP Bill also compels CSPs to take any steps, unless “not reasonably practicable”, to assist the hacking activities of law enforcement and intelligence agencies. This assistance could conceivably include forcing CSPs to send false security updates to a customer in order to install malware that state agencies can then use to control the target’s device. It might also include requiring CSPs to host a “watering hole” attack, by installing code on a website they operate that will infect with malware any device that visits that site. Both examples would not only undermine the security of the internet but also degrade our trust in modern forms of telecommunications on which we critically rely. It is worth noting that, due to strict non-disclosure provisions in the IP Bill, the general public is likely never to know what kind of hacking assistance CSPs have provided to the Government.
We will continue to advocate for a more robust regime governing hacking in the IP Bill. At the same time, we will challenge the IPT’s findings that past GCHQ hacking was lawful. As David Anderson QC has put it,
Obscure laws . . . corrode democracy itself, because neither the public to whom they apply, nor even the legislators who debate and amend them, fully understand what they mean. Thus: . . . ISA 1994 ss 5 and 7 . . . are so baldly stated as to tell the citizen little about how they are liable to be used.
We cannot accept the Government’s assertion that its broad hacking powers derived from such an “obscure” and “baldly” stated piece of legislation. Our position seeks to bolster the current discussion surrounding the IP Bill while protecting the future of democratic debate in the UK.