The legality of deploying Regin by GCHQ
In the last two days multiple security vendors, newspapers and experts have weighed in on the existence of the “Regin" malware, among the most sophisticated ever discovered, and its possible origins at GCHQ and the NSA. The Intercept has now confirmed Regin was the malware found on infected internal computer systems and email servers at Belgacom, the Belgian telecommunications company. Last year, documents leaked by Edward Snowden established that it was GCHQ that had committed the attack on Belgacom, under the rubric of a programme called OPERATION SOCIALIST. The Regin revelations confirm the role of GCHQ in hacking Belgacom, and raise serious concerns about GCHQ and the NSA’s role in targeting other European computer systems.
Although we know more than ever before about the capabilities of British and American security services to conduct network exploitation and attacks, we still don't know on what legal authority GCHQ and the NSA purport to act. There is no clear legal framework in either country that sanctions and regulates the deployment of these kinds of intrusive tools.
Earlier this year, Privacy International filed a legal case against GCHQ for the hacking of phones and computers, and represented seven internet service and communications providers in taking a further case on network exploitation. We demanded an end to this kind of unlawful and unregulated surveillance. As our legal briefs assert, where there is no clear legal power to deploy malware and exploit network vulnerabilities, and the only possible legal basis is an extremely broad power on the part of the Secretary of State to render lawful what would otherwise be unlawful, hacking by governments seriously infringes the right to privacy, among other human rights.
Below we discuss in further detail the relevant framework in the UK, and point out the gaps in legislation that render the use of intrusion tools by GCHQ unlawful.
Is GCHQ hacking regulated by RIPA?
The Regulation of Investigatory Powers Act 2000 (RIPA) is the primary piece of legislation authorising surveillance powers in the UK. It regulates, among other things, the interception of communications in the course of transmission (Part I Chapter I), the acquisition of communications data from persons providing a telecommunication service (Part I Chapter II), and intrusive surveillance and covert human intelligence sources (Part II).
Despite being over a hundred pages long, and the main legislative framework governing surveillance in the UK, there is nothing in the Act that expressly mentions or considers the deployment of malware for surveillance purposes. Indeed, the only possible way that RIPA might be interpreted to authorise the use of malware would be if an extraordinarily broad interpretation of the meaning of "interception of communications" were employed. In theory an authorisation under Part I Chapter I of RIPA might extend to some of the effects of deploying malware, such as the ability to record a phone call while it is being made. However, such an authorisation does not cover most of the functions that malware facilitates and thus is plainly insufficient to make such actions lawful.
For example, the extraction of documents from a hard disk or a mobile device would not constitute the interception of a communication in the course of its transmission. Likewise, the ability to activate a user's camera or microphone without their knowledge would go far beyond the simple interception of a communication. As a result it cannot be said that the implanting of malware is merely a modification "so […] as to make some or all of the contents of the communication available while being transmitted" (s.2(2) RIPA).
Prima facie unlawful
With no clear authorisation powers in RIPA, perhaps no authorisation is needed?
Fortunately the Computer Misuse Act 1990 (CMA) quickly dispels any such suggestion. It is an offence under s.1(1) CMA to cause a computer to perform any function with intent to secure access to any program or data held in it, or to enable any such access to be secured, if the access is unauthorised and known to be unauthorised. In essence, this means it would be an offence to deploy Regin without authorisation from the person whose computer you're infecting, something GCHQ would be unlikely to ask for given they are in the secret surveillance business.
Further, under s.3 CMA it is an offence to do any unauthorised act in relation to a computer, in the knowledge that it is unauthorised, if (i) the intention is to impair the operation of the computer, to prevent or hinder access to any program or data, to impair the operation of any program or the reliability of any data, or to enable any of those things, or (ii) the perpetrator is reckless as to whether the act will do any of those things.
The malware at issue here, such as Regin, clearly impairs the operation of the target computers in multiple ways, including by draining battery life and using bandwidth and other computer resources. As such, the Computer Misuse Act means that, at least to the extent that such activities occur in England and Wales, any GCHQ activities that impair the operation of a computer are prima facie unlawful.
Old powers for new purposes
GCHQ's statutory function is “to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide [to various organisations] information derived from or related to such emissions or equipment and from encrypted material”, provided such actions serve the legitimate aims of national security, economic well-being of the UK, or the prevention of crime and disorder.
In addition to placing GCHQ on a statutory footing, the Intelligence Services Act 1994 also gives broad power to the Secretary of State to make lawful what otherwise would not be so.
S.5(1) provides: “No entry on or interference with property or with wireless telegraphy shall be unlawful if it is authorised by a warrant issued by the Secretary of State under this section.” The Secretary of State may issue such a warrant on the application of GCHQ in respect of any action, provided he “thinks it necessary for the action to be taken for the purpose of assisting […] GCHQ in carrying out [its statutory functions],” “is satisfied that the taking of the action is proportionate to what the action seeks to achieve”, and is satisfied that satisfactory arrangements are in force with respect to section 4(2) in relation to onward disclosure.
If this power is being used to authorise the deployment of sophisticated malware like Regin, the apparent legal basis would be an extremely broad power on the part of the Secretary of State to render lawful what would otherwise be unlawful. This broad power is simply not sufficient to legally justify the use of highly advanced invasive surveillance techniques and technologies by GCHQ.
The Weber test
The European Court of Human Rights, in Weber, sets out in clear terms the matters that any legal regime governing secret surveillance must expressly address in statute in order to be regarded as lawful:
"The domestic law must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures […] Moreover, since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive or to a judge to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference."
As well as clear legal authorisation, additional safeguards are an essential part of any surveillance legal framework for it to be human rights compliant. The European Court continued in Weber to set out the tests a legal framework must meet.
"In its case law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power: the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed."
There are no authorising powers in the UK sanctioning the deployment of malware like Regin that meet the Weber standards for authorisation, nor are the required safeguards set out in statute. This is why Privacy International, alongside seven internet service and communications providers from around the world, has taken legal action against GCHQ, to stop the unlawful deployment of malware like Regin and to bring the intelligence agency under the rule of law.