A group of internet and communication service providers claim GCHQ's exploitation of networks for surveillance is illegal.
Image: Wikimedia Commons/GCHQ
Today, a group of internet service and communications providers are filing a legal complaint against GCHQ and the UK government. They are calling for an end to the intelligence agency's exploitation of network infrastructure, which allows it to illegally access potentially millions of individuals' private communications.
Those involved are a mixture of organisations from various countries. Riseup is an email provider from the US favoured by activists; Chaos Computer Club is the infamous group of hacktivists from Hamburg; and GreenNet describes itself as an "ethical" Internet Service Provider (ISP).
Others include Mango from Zimbabwe, Jinbonet from South Korea, Greenhost from the Netherlands, and finally May First/People Link from New York. They may not be big dogs like BT or Yahoo, but this is the first time that both internet and communication providers have taken collective action against GCHQ's targeted attack efforts.
Specifically, there are a few cases that this group—along with Privacy International, which supports the action—are concerned about. The first is GCHQ's alleged attack on Belgian telecommunications group Belgacom. German newspaper Der Spiegel reported in September 2013 that Belgacom determined it had been targeted in an elaborate ploy which involved redirecting its staff to websites that planted malware onto their devices. Belgacom's customers include the European Commission, the European Council and the European Parliament.
Another project that has worried the ISPs is TURBINE—a system that is said to allow the automated hacking of networks and computers. Detailed in The Intercept in March, TURBINE is capable of reaching a truly colossal scale, consisting of “millions” of malware implants.
A third outlines that companies including three German internet exchange points were directly targeted by GCHQ, allowing intelligence agencies to spy on all traffic travelling through them. That was also reported by Der Spiegel in March.
"These widespread attacks on providers and collectives undermine the trust we all place on the internet."
The group is concerned more generally with the NSA and GCHQ's “network exploitation and intrusion capabilities,” according to a press release provided by Privacy International.
When it comes to the legal grit, the claimants assert that GCHQ has contravened the UK Computer Misuse Act and the European Convention of Human Rights, because of the agency's effect on privacy and freedom of expression.
This latest case follows two others filed by Privacy International. The first was targeted towards the mass surveillance programmes TEMPORA, PRISM and UPSTREAM, and the other was directed at GCHQ's use of spyware.
I asked GCHQ to comment on the challenge, and they emphasised the legality of this work. A spokesperson said: “It is a longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.”
They added, “The United Kingdom's interception regime is entirely compatible with the European Convention on Human Rights.”
You may be asking, if these companies weren't specifically targeted by GCHQ, why are they doing all of this? Although none of those filing the legal challenge were directly mentioned in the documents leaked by Edward Snowden, “the type of surveillance being carried out allows them to challenge the practices […] because they and their users are at threat of being targeted,” Privacy International explained. This is because the surveillance methods detailed in the documents and subsequent articles could, theoretically, be carried out against any internet or communications provider.
"Ideally, of course, we'd like to get an order finding that this practice ... is an illegal usurpation of the fundamental right to communicate freely."
Cedric Knight of GreenNet said that “we could be unknowingly used to collect data on our users.”
As for the motivation behind this challenge, Eric King, Deputy Director of Privacy International said, “These widespread attacks on providers and collectives undermine the trust we all place on the internet and greatly endangers the world’s most powerful tool for democracy and free expression. It completely cripples our confidence in the internet economy and threatens the rights of all those who use it. These unlawful activities, run jointly by GCHQ and the NSA, must come to an end immediately.” So it's not just about the legality of the actions, but also their consequences on the internet as a space for free speech.
Whether this latest legal battle will bring about any tangible change in GCHQ's policies and actions remains to be seen. Being challenged by a group of relatively small companies is unlikely to make the agency or UK government quake in its boots, even if their actions are illegal.
Riseup, the US email provider, seems to know this. “Ideally, of course, we'd like to get an order finding that this practice, like the similar practices of the NSA and other organizations, is an illegal usurpation of the fundamental right to communicate freely,” a representative told me. “Failing that, we hope to continue the critical discussion taking place around the world about the issue of widespread, state surveillance.”
I reached out to BT, Britain's largest ISP, to ask if they had anything similar planned. They didn't get back to me by the time of publication.
Even if it isn't necessarily going to halt GCHQ dead in its tracks, the challenge can't be completely shrugged off. The international spread of companies that have come together, and the fact that some of them are ISPs—the type of company that is absolutely fundamental to the type of mass surveillance programs that have been revealed—could set the precedent for future cases, and may encourage more organisations to take a stand against what they see as an attack on their services.