Government Hacking and Surveillance: 10 Necessary Safeguards

A growing number of governments around the world are embracing hacking to facilitate their surveillance activities. But many deploy this capability in secret and without a clear basis in law. In the instances where governments seek to place such powers on statutory footing, they are often doing so without the safeguards and oversight applicable to surveillance activities under international human rights law.

Hacking can present unique and grave threats to our privacy and security. For these reasons, even where governments conduct surveillance in connection with legitimate activities, such as gathering evidence in a criminal investigation or intelligence, they may never be able to demonstrate that hacking as a form of surveillance is compatible with international human rights law. To date, however, there has been insufficient public debate about the scope and nature of these powers and their privacy and security implications.

Our proposed safeguards are designed to help interested parties assess government hacking in light of applicable international human rights law. They are further designed to address the security implications of government hacking. Generally speaking, security considerations must be embedded into surveillance safeguards and oversight mechanisms. We separately explain the legal and conceptual bases for our proposed safeguards in “Government Hacking and Surveillance: Commentary to the 10 Necessary Safeguards.”

These safeguards form part of a comprehensive strategy pursued by Privacy International and others across civil society to ensure that:

  • Governments and industry prioritise defensive security;
  • Our devices, networks and services are secure and privacy-protective by design and that these protections are maintained; and
  • Legal and technological protections apply to everyone across the world.

Scope of Our Safeguards

The term "hacking" is difficult to define. For these safeguards, Privacy International posits the following definition:

Hacking is an act, or series of acts, that interferes with a system, causing it to act in a manner unintended or unforeseen by the manufacturer, user or owner of that system. System refers to any combination of hardware and software, or a component thereof.

Privacy International recognises that there may be instances of government hacking that do not conform to this definition and should nonetheless be subject to scrutiny. We are open to feedback as to how to alter this definition to accommodate those other forms of government hacking.

Governments conduct hacking for a broad range of purposes. The safeguards only address hacking activities whose purpose is either to gather evidence in a criminal investigation or intelligence, or to assist the evidence or intelligence gathering process. The safeguards do not address hacking that rises to the level of a threat or use of force, or an armed attack, or which is conducted as part of an active armed conflict. For example, a hacking operation to shut down critical infrastructure, such as an energy grid, in a foreign country would not be covered by these safeguards. However, an operation to re-route the traffic of a telecommunications provider so that such traffic flows past an interception point would be subject to these safeguards.

The safeguards apply to government hacking conducted both within the territory of a state and extraterritorially. One of the safeguards also explicitly addresses hacking conducted extraterritorially. The safeguards apply whether the hacking is conducted by government officials, by persons exercising elements of governmental authority, by persons directed or controlled by a government, or by persons whose conduct a government later acknowledges and adopts as its own.