Court documents reveal oversight body struggling to control GCHQ domestic hacking

London, United Kingdom (PI) – Documents released today confirm GCHQ, the UK intelligence agency, is hacking computers in the United Kingdom without individual warrants. The documents contain previously unknown details and defenses of GCHQ’s use of “thematic warrants” to hack. The legal challenge in which these documents are being disclosed was brought by Privacy International and seven internet and communications service providers from around the world in response to disclosures made by Edward Snowden.

The Commissioner of the Intelligence Services was slow to respond to hacking. Many of the concerns the Commissioner raised in his 2014 report [published July 2015] are the subject of PI’s legal complaint, including whether it is lawful to use broad “thematic warrants” to justify the hacking of people in the UK.  The Commissioner questioned this practice in depth.  He was concerned that current law “does not expressly allow for a class of authorisation”, and therefore the warrants were too broad. As a result, the Commissioner was worried that the Secretary of State was unable to properly assess whether the warrant authorised activity was necessary and proportionate. [ibid, p18] This means that GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight.

GCHQ first avowed the use of hacking in February 2015, when the Secretary of State released a draft Code of practice in response to our legal challenge. Previously secret documents, and witness statements produced by GCHQ now reveal and confirm:

* GCHQ confirmed that the Secretary of State does not individually sign off on most hacking operations abroad, but only when “additional sensitivity” or “political risk” are involved [Witness Statement of Ciaran Martin, paras 65, 72C].

* Overseas hacking does not require authorisations to name or describe a particular piece of equipment, or an individual user of the equipment [Witness Statement of Ciaran Martin, para 56].

* The Commissioner only formally reviewed the individual targets of GCHQ hacks overseas in April 2015 [Witness Statement of Ciaran Martin, para 71I].

* The Intelligence and Security Committee Report in March 2015 called MI5’s and SIS’s failure to keep accurate records of their overseas hacking activities “unacceptable”, [ISC report, p.66] as it makes effective oversight impossible [Witness Statement of Ciaran Martin, 71L].

Today’s revelations highlight how important strict authorisation and oversight regimes are.  The draft Investigatory Powers Bill introduced to Parliament by the Home Office on 4 November 2015  attempts to codify the lax authorisation processes that gave rise to the problems we see in the documents released today.  In particular, the provision permitting “Bulk” Equipment Interference gives an almost unfettered power to the intelligence services to decide who and when to hack.

Image Source: Frerk Meyer, Flickr, Creative Commons GCHQ ! Delete my data!

Image Source: Frerk Meyer, Flickr, Creative Commons
GCHQ ! Delete my data!

Caroline Wilson Palow, General Counsel at Privacy International said:

“Eighteen months after we first brought this challenge, GCHQ have come to court today to defend their asserted power to hack computers in the UK without individual warrants. The light touch authorisation and oversight regime that GCHQ has been enjoying should never have been permitted. Perhaps it wouldn’t have been if Parliament had been notified in the first place that GCHQ was hacking. We hope the tribunal will stand up for our rights and reign in GCHQ’s unlawful spying.”

[Commissioner Report] Report of the Intelligence Services Commissioner for 2014, Presented to Parliament pursuant to section 60(4) of RIPA 2000, June 25 2015.

https://www.gov.uk/…/50100_HC_225_Intel_Services_Commissioner_accessible.pdf

[1] The term CNE – Computer Network Expoitation, CNO – Computer Network Operation, and CNA – Computer Network Attack was defined first by the NSA in a Five Eyes relesaed document “Per DCID 7/3, Information Operations and Intelligence Community Related Activities” which was effective 01 July 1999.

https://ia801507.us.archive.org/17/items/spiegel_-_media-35656/spiegel_-_media-35656.pdf

[ISC report] Intelligence and Security Committee, Privacy and Security: A modern and transparent legal framework, March 2015.

http://isc.independent.gov.uk/committee-reports/special-reports

For further details on the case, questions, or comments, please contact Sara Nelson at press@privacyinternational.org or +44 (0)7771 567533.

This report prepared by Privacy International.