Privacy International is fighting back against hacking powers increasingly used by governments around the world for surveillance.

What is the problem

As a form of government surveillance, hacking presents unique and grave threats to our privacy and security. It has the potential to be far more intrusive than any other surveillance technique, permitting the government to remotely and surreptitiously access our personal devices and all the intimate information they store. It also permits the government to conduct novel forms of real-time surveillance, by covertly turning on a device's microphone, camera, or GPS-based locator technology, or by capturing continuous screenshots or seeing anything input into and output from the device. Hacking allows governments to manipulate data on our devices, by deleting, corrupting or planting data; recovering data that has been deleted; or adding or editing code to alter or add capabilities, all while erasing any trace of the intrusion. Government hacking targets are not confined to devices, but can extend also to communications networks and their underlying infrastructure.

At the same time, government hacking has the potential to undermine the security of targeted devices, networks or infrastructure, and potentially even the internet as a whole. Computer systems are complex and, almost with certainty, contain vulnerabilities that third parties can exploit to compromise their security. Government hacking often depends on exploiting vulnerabilities in systems to facilitate a surveillance objective. Government hacking may also involve manipulating people to interfere with their own systems. These techniques prey on user trust, the loss of which can undermine the security of systems and the internet.

A growing number of governments around the world are embracing hacking to facilitate their surveillance activities. But many deploy this capability in secret and without a clear basis in law. In the instances where governments seek to place such powers on statutory footing, they are doing so without the safeguards and oversight necessary to minimise the privacy and security implications of hacking.

What is the solution