​UK's National Crime Agency Is Using a 90s Law to Justify Its Hacking Operations

On Thursday, it was revealed for the first time that the UK's National Crime Agency (NCA) has the technological capability to hack. Through documents released as part of the draft Investigatory Powers Bill, a proposed piece of surveillance legislation, it is now clear that the NCA, which is sometimes referred to as the UK's version of the US FBI, has "Equipment Interference" (EI) capabilities, which may include hacking into phones, tablets or computers.

The law used to govern those powers is one that dates from the late 90s, leading experts to worry that highly intrusive technological powers are being regulated by a law that was written well before law enforcement were even hacking computers.

"NCA activity which would constitute Equipment Interference under the Investigatory Powers Bill is currently carried out under property interference authorisations under Part III of the Police Act 1997 alongside other authorisations as appropriate," an NCA spokesperson told Motherboard in an email.

The "property interference authorisations" that the NCA spokesperson mentioned can be applied to cases where police wish to install a bug or eavesdropping device in a car, perhaps to record speech within the vehicle, according to a Home Office document, entitled "Covert Surveillance and Property Interference: Revised Code of Practice."

But, strictly speaking, that isn't hacking, a practice that is arguably much more intrusive than bugging a car. Eric Metcalfe, a barrister who specialises in human rights and public law, and who was the director of human rights policy at JUSTICE from 2003 until 2011, told Motherboard in an email he was concerned "that the Police Act 1997 is being used for something that was plainly never contemplated at the time that it was drafted, particularly given the need for proper safeguards to prevent abuse of highly intrusive powers."

"It is also doubtful whether the judges approving such measures understand the nature and extent of the interference involved," he continued.

Indeed, the language used by the UK government to describe hacking operations is vague at best. "Equipment Interference" is unclear in itself, but the sparse public details about it don't provide many specifics either.

A document released as part of the draft Investigatory Powers Bill, entitled "Factsheet—Targeted Equipment Interference," says EI can cover anything from using the login credentials of a target to access data on a computer, right up to more sophisticated cases such as "remotely installing a piece of software on to a device." The document states that "the software could be delivered in a number of ways and then be used to obtain the necessary intelligence."

There is already voluminous evidence that the UK's signals intelligence agency, Government Communications Headquarters (GCHQ), breaks into the computer systems of targets. And as Motherboard previously reported, the UK's domestic spy agency MI5 claims that it has "relied" on hacking in the majority of high priority investigations in the past year.

Regardless, with the information available, equipment interference can be more appropriately described as hacking. So when it comes to the NCA, surveillance experts are also concerned about the application of an outdated law to regulate such practices.

"The Police Act 1997 was never intended to cover computer hacking," Eric King, deputy director of Privacy International, told Motherboard in an email. "Aggressively stretching the meaning of words in this is way is plainly wrong. The secret reinterpretation of powers, in entirely novel ways, that have not been tested in an adversarial court processes, is everything that is wrong with the British government's approach to surveillance."