Campaign group Privacy International has mounted a legal challenge in the court of appeal today against GCHQ for their bulk hacking of smartphones, computers and networks in the UK without specific warrants.
Long battle against state hacking
This is the latest in a long and protracted battle against state hacking. The group originally launched a legal case in 2014 along with several internet service providers, to the Investigatory Powers Tribunal (IPT) following revelations from the whistleblower Edward Snowden, that the state was carrying out mass surveillance on citizens as a tool for intelligence gathering.
During that case more information emerged about the state’s use of hacking on citizens, including the fact that individual warrants were not required to hack electronic devices of members of the public. Instead, agencies had been using non-specific ‘thematic warrants’ to authorise bulk hacking and surveillance.
Privacy international argued that untargeted hacking violates Articles 8 and 10 of the European Convention on Human Rights, pertaining to privacy and free speech rights. They also argued that the English common law has opposed the use of such general warrants since the 18th century.
However, in February 2016 the IPT controversially said that warrants do not need to be “defined by reference to named or identified individuals,” prompting surprise from many quarters. Privacy International then launched a Judicial Review into the IPT’s decision, and in November the high court reportedly ruled that it has no power to overturn an IPT ruling, due to a clause in the Regulation of Investigatory Powers Act (RIPA), which ostensibly protects IPT decisions from appeal or legal questioning. Following that the high court ruled in favour of the state in February this year.
Today, the next stage of the legal battle has gone before the court of appeal. A legal officer at Privacy International, Scarlet Kim, said before the hearing:
“The [IPT] unlawfully sanctioned the UK government’s use of sweeping powers to hack hundreds or thousands of people’s computers and phones with a single warrant. Rather than debate the necessity and proportionality of their expansive hacking powers, the government is instead arguing that the UK courts should have no jurisdiction to review the legality of the tribunal’s decisions.
“Too often, the government justifies intrusive surveillance powers by telling the public that ‘if you have nothing to hide, you have nothing to fear’. We throw that mantra back to the government: ‘If you have nothing to hide about your hacking, you have nothing to hide from our courts.’”
The group is also fighting a parallel legal challenge to the UK government in the European Court of Human Rights.
What can the government see?
Government agencies are reportedly able to monitor what individuals type on their computers and smartphones, as well as “taking over” devices, turning on the cameras and microphones and gaining access to stored information. The current practises allow mass hacking of devices and services that can cover potentially tens of thousands of people at a time, anywhere in the world, by specifying large “communities” to be under surveillance. As Dr Gus Hosein, Executive Director of Privacy International, put it,
“It is the modern equivalent of a stop and search, but against whole communities simultaneously without you ever knowing about it. That has never been possible in the history of government power.”
However, it can also affect millions more indirectly. It can also potentially compromise the security of software programmes and networks, since “backdoors” are being intentionally inserted into systems. This can and has been exploited by other hackers with malicious intent, such as when an exploit taken from the NSA was used to shut down hospitals and communications companies across multiple countries earlier this year.
Public fundraising for the challenge
The group has launched a public Crowd Justice fundraising page to help raise funds for the mounting legal costs of the ongoing challenge.