Explaining the Law behind Privacy International's Challenge to GCHQ's Hacking

Today, Privacy International lodged a legal challenge to GCHQ's extensive and intrusive hacking of personal computers and devices. Below, we answer a few questions about the law underlying our complaint, and why it matters.

Is hacking legal?

As a result of the Snowden revelations, we have learned that GCHQ, often in partnership with the NSA, has been using malicious software to intrude upon our computers and mobile devices.

This type of activity, often called "hacking," is a criminal offense in the UK. The Computer Misuse Act 1990 ("CMA") prohibits unauthorised access to a computer, both to get at any programs or data on that computer (Section 1) and with knowledge or reckless disregard for the fact that such access may impair the operation of the computer (Section 3).

GCHQ's intrusive use of malware, as we have described in this related post, almost certainly does both. The goal is clearly to obtain information from the target computers, or utilise their cameras and microphones to conduct surveillance, and such intrusion impairs their operation in multiple ways, including by draining battery life, using bandwidth and other computer resources, or leaving the computer open to future exploitation.

But even if it's a crime for others to hack computers, isn't GCHQ exempt from that law?

GCHQ's authority to take complete control over our computers is far from clear.

Section 10 of the CMA provides that Section 1 generally does not apply where governmental "powers of inspection, search or seizure" are invoked. But this exception does not apply to Section 3, meaning, at least to the extent that such activities occur in or affect computers in England and Wales, any GCHQ hacking that impairs the operation of a computer – for instance, by leaving it vulnerable to future exploitation – is unlawful under the CMA.

Given this prohibition, GCHQ is likely deriving its legal authority to hack from the Intelligence Services Act 1994 ("ISA"). In particular, Section 5(1) of the ISA provides: "No entry on or interference with property or with wireless telegraphy [by GCHQ] shall be unlawful if it is authorised by a warrant issued by the Secretary of State under this section." In other words, so long as GCHQ is acting under a warrant, its interference with computers and mobile devices may be authorised under Section 5, even if it's otherwise against the law.

But this apparent legal basis for GCHQ's hacking is extremely broad, essentially allowing the Secretary of State arbitrarily to render lawful what would otherwise be unlawful. This conflicts with another law with which GCHQ is obliged to comply – the European Convention on Human Rights.

So why are you saying GCHQ's hacking is unlawful?

This sort of arbitrary power, even if authorised by a national law like the ISA, does not make GCHQ's activities lawful.

That is because GCHQ is also governed by the requirements of the European Convention on Human Rights ("ECHR"). The ECHR protects both our right to privacy (Article 8) and our right to freedom of expression (Article 10). Both rights are implicated by hacking because, in accessing the extremely intimate and private information kept on and accessible through our computers and mobile devices, GCHQ is not only invading our privacy, they are also chilling our free expression.

Under the ECHR, any interference with privacy or freedom of expression must be "prescribed by law" and "necessary in a democratic society." GCHQ's intrusion activities fail both tests.

In particular, in order to be prescribed by law, GCHQ's actions must be governed by national law that is

sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures […] Moreover, since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive or to a judge to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity to give the individual adequate protection against arbitrary interference. 1

Thus, according to Weber, the law authorizing GCHQ's hacking must at the least set out the nature of the offenses that might lead GCHQ to intrude on our personal devices, define the categories of people who might be affected, limit the duration and extent of any intrusion, set out the procedure for examining, using and storing any information obtained, prescribe how that information will be secured and shared with other parties, and define when the data collected will be erased or destroyed. The ISA's bare-bones authorisation most certainly does not meet these basic requirements.
  
GCHQ's hacking also cannot be said to be necessary in a democratic society. In order to fulfil this requirement, the surveillance at issue must be proportionate to a legitimate aim. Yet hacking is so intrusive, giving GCHQ unlimited control over any target device, that it is hard to imagine how it could be made proportionate. Hacking goes far beyond any other traditional form of surveillance, including interception of communications and even searching a person's home, in the depth and breadth of intimate details to which it gives GCHQ access. This intrusion is only compounded when it is indiscriminately deployed to potentially millions of devices.

What happens now you've filed with the IPT?

For these reasons, today Privacy International filed a complaint in the UK's Investigatory Powers Tribunal ("IPT") challenging GCHQ's hacking. We went to the IPT (again) because it is the only body in the UK allowed to hear challenges to the activities of the intelligence services.

The UK government will now be given an opportunity to respond to our complaint. We hope that response, and the subsequent proceedings in the IPT, will remain as open as possible to allow further public scrutiny of the legal basis for GCHQ's activities.