You are here
UK Government Hacking Challenge
Privacy International v. Secretary of State for Foreign and Commonwealth Affairs et al.
Reference: Case Nos. IPT/14/85/CH & IPT/120-126/CH
Venue: Investigatory Powers Tribunal
Hearing date: 1-3.12.2015
In May 2014, Privacy International filed a legal complaint in the Investigatory Powers Tribunal, challenging GCHQ hacking. In July 2014, seven internet service and communications providers from around the world - GreenNet (UK), Riseup (US), Mango Email Service (Zimbabwe), Jinbonet (Korea), Greenhost (Netherlands), May First/People Link (US), and the Chaos Computer Club (Germany) - filed a similar complaint in the Tribunal. The Tribunal subsequently joined the cases.
GCHQ hacking capabilities were revealed by the Snowden disclosures, which documented how GCHQ could:
- activate a device’s microphone (NOSEY SMURF) or webcam (GUMFISH)
- identify the location of a device with high-precision (TRACKER SMUF)
- log keystrokes entered into a device (GROK)
- collect login details and passwords for websites and record Internet browsing histories on a device (FOGGYBOTTOM)
- hide malware installed on a device (PARANOID SMURF)
The complaints alleged that GCHQ had no clear authority under UK law to conduct hacking operations and that such activities violated the Computer Misuse Act 1990, which criminalises hacking. They further alleged that GCHQ hacking was in violation of Articles 8 and 10 of the European Convention on Human Rights, which respectively protect the right to privacy and the right to freedom of expression.
Investigatory Powers Tribunal
The Tribunal held hearings in the case on 1-3 December 2015. On 12 February 2016, the Tribunal held that GCHQ hacking is lawful both under UK law and the European Convention on Human Rights.
In the judgment, the Tribunal held that GCHQ had authority to hack under UK law pursuant to section 5 of the Intelligence Services Act 1994. The Tribunal further held that this authority permits GCHQ to hack - inside and outside the UK - pursuant to “thematic warrants”. Thematic warrants are general warrants that can cover an entire class of property, persons or conduct, such as “all mobile phones in Birmingham".
Finally, the Tribunal held that the broad authorisation under ISA section 5 was also sufficient to comply with Articles 8 and 10 of the European Convention on Human Rights, which require that the interference with the rights to privacy and freedom of expression be “prescribed by law”. By “prescribed by law”, the European Court of Human Rights has explained that the law must be “sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to this secret and potentially dangerous interference”.
On 9 May 2016, Privacy International filed a claim for judicial review in the Administrative Court, a branch of the High Court, in the UK. Judicial review is the process of challenging the lawfulness of a decision made by a public body. Our challenge focuses on the Tribunal’s finding that GCHQ had authority to seek general warrants to hack. This finding overturns 250 years of English common law, which has long prohibited general warrants. Parliament is presumed not to have interfered with such a fundamental right, unless it uses clear and express language, which it has not.
Privacy International Statement of Facts and Grounds (9 May 2016)
Investigatory Powers Tribunal
Investigatory Powers Tribunal Judgment (12 Feb. 2016)
Government Skeleton Argument (with Appendix) (25 Nov. 2015)
Privacy International Skeleton Argument (25 Nov. 2015)
Witness Statements (with Exhibits) of Ciaran Martin (for the Government) (16-24 Nov. 2015)
Government Response to Privacy International Schedule of Public Statements (19 Nov. 2015)
Government Re-Re-Amended Open Response to Statement of Grounds (13 Nov. 2015)
Index of Open Exhibits: https://www.privacyinternational.org/sites/default/files/Table_Of_Exhibits.pdf
Witness Statement of Eric King (for Privacy International) (5 Oct. 2015)
Expert Report (with Appendix) of Prof. Ross Anderson (for Privacy International) (30 Sept. 2015)
GreenNet et al. Amended Statement of Grounds (19 May 2015)
Privacy International Amended Statement of Grounds (19 May 2015)
Government Response to Privacy International Agenda for Directions Hearing (13 May 2015)
Government Note for Directions Hearing (13 May 2015)
Privacy International Agenda for Directions Hearing (13 May 2015)
Privacy International Reply (1 April 2015)
Government Response to Statement of Grounds (1 July 2014)
Privacy International Statement of Grounds (13 May 2014)
Investigatory Powers Tribunal rules GCHQ hacking lawful (12 Feb. 2016)
Court Documents reveal oversight body struggling to control GCHQ domestic hacking (1 Dec. 2015)
UK government claims power for broad, suspicion less hacking of computers and phones (18 March 2015)
My device is me. GCHQ - stop hacking me (13 June 2014)
Explaining the law behind Privacy International’s challenge to GCHQ’s hacking (13 May 2014)
Press statement: We will continue to challenge GCHQ’s hacking powers (12 Feb. 2016)
After legal claim filed against GCHQ hacking, UK government rewrite law to permit GCHQ hacking (15 May 2015)