This story is over 5 years old.

Privacy Activists Say GCHQ Permits Itself to Hack Anyone

Even if they're not an intelligence target.

Over the past year, we've learned that the UK's Government Communications Headquarters (GCHQ) likes to hack. According to Snowden documents, they've gone after Belgium's largest telco and played a part in the hack of the world's main SIM card manufacturer.

Now, according to privacy group Privacy International, GCHQ has "admitted" that it has the legal power to hack into anyone's network, computer, or phone in the world.

A document was provided to Privacy International by the UK government as part of an ongoing case challenging the surveillance powers of GCHQ. It details some specifics of the agency's legal justification for breaking into computer networks.

One paragraph states that the hacking (or "computer network exploitation") of "individuals who are not intelligence targets in their own right" is permissible, and another says that hacks conducted on targets outside the British Isles don't have to be part of specific operations, but can be targeted as part of a "broad class of operations." Privacy International says that this could extend to targets who are not a national security or serious crime threat.

"In a lot of ways it matches what we've seen from the US," Paul Bernal, a lecturer in IT, IP and Media Law at the University of East Anglia, told me in an email. "There's a sense that activities by intelligence services on 'foreigners' or 'foreign computers' are somehow 'OK': the NSA's ability to do pretty much whatever they want to non-US citizens barely raised a blink in the US press while the possibility they were monitoring US citizens got the US press and people pretty excited. Spying on foreigners always seems to be more acceptable."

So, have we learned anything new here?

"Yes, I do think this is new, in the sense that the GCHQ are admitting some things that were previously just suspected," said Bernal. "Privacy International's suggestion that 'GCHQ is equally permitted to break into computers anywhere in the world even if they are not connected to a crime or a threat to national security' does seem to be what GCHQ are asserting—the main point about the code is that it largely leaves decisions in the hands of GCHQ."

The "code" is a draft code on equipment interference that was only recently made public. The newly-revealed document, called the Government's Open Response, states that the code "fully reflects the practices, procedures and safeguards which GCHQ has always applied to any equipment interference activities carried out by GCHQ."

For its part, GCHQ said in a statement that, "As will be seen from the Government's Open Response, assertions/suggestions that GCHQ can carry out CNE ["computer network exploitation"] operations in an unregulated way are simply untrue. Strict legal controls, safeguards and requirements apply to this activity, which can only be carried out for the statutory purposes e.g. national security."

Privacy International's publication of the document comes after a report released by the Intelligence and Security Committee (ISC), a body of the government that watches over GCHQ and some other agencies, stated that the country's legal framework related to surveillance is "unnecessarily complicated" and "lacks transparency." It mentioned that GCHQ's "computer network exploitation" is justified by a general power, with "no additional ministerial authorisation."

"Perhaps the most important thing that I got from the ISC report last week was that it indicated what an inadequate form of oversight it provided," Bernal added. "The ISC clearly did not understand either the technology or the way that GCHQ monitored it."