Law changed to allow GCHQ hacking ... just as GCHQ hauled into court for hacking

It doesn't say what you think it says, sniggers gov


Updated Government legislation to exempt GCHQ from prosecution on charges of illegal hacking has been passed and come into effect – apparently torpedoing an ongoing claim against the surveillance agency being heard by the Investigatory Powers Tribunal.

Last July, a coalition of internet service providers and international organisations teamed up with Privacy International to take legal action against GCHQ.

Their claim, which arrived in court today, has been hobbled by what the privacy warriors said was the revelation that the government had quietly ushered through legislation amending the Computer Misuse Act to exempt GCHQ and law enforcement from prosecution, and did so while the case was ongoing.

Privacy International said it was notified of this change only on Thursday. The campaigners complained that as the legislative change occurred during the process of their action under that very legislation, proper consideration of the court's time meant that they should have been informed.

The amendment to the Computer Misuse Act was written into law on 3 March this year, after being introduced on 6 June 6 2014. Privacy International griped that its opaque language and the extraordinarily limited range of stakeholders which were consulted allowed the legislation to slip under the radar.

The explanatory notes that accompanied the act make no reference to the true impact of the change.

It appears no NGOs, Regulators, RIPA Commissioners, the Information Commissioners Office, Industry, or the public were notified or consulted about the proposed legislative changes. There was no published Privacy Impact Assessment.

Only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders. There was no public debate.

Privacy International state that the legislative change, which came into effect on 3 May, not only bulldozed their claim, but also granted British law enforcement new leeway – potentially allowing cyber attacks within the UK.

Eric King, PI's deputy director, criticised the "underhand and undemocratic manner in which the government is seeking to make lawful GCHQ's hacking operations."

Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate.

Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate.

While the government provided an open response to the claimants’ IPT complaint on 6 February 2015, it made no mention of amendments which were due to be made with the passage of the coming Serious Crime Bill.

It was not until yesterday that the government had indicated to the parties involved that amendments had been made to the CMA, leaving them with limited preparatory time because the parties entered court hours later.

Talking to The Register, King complained that the last-minute notification of these changes – which were also presented to the Tribunal only last night – had completely changed the landscape against which the claim was made.

"We do now need to change our argument," he said.

Asked what the claimants hoped would result from the hearing, King noted that this was the first time GCHQ had apparently been held accountable for its offensive hacking operations.

"Ultimately we want the Tribunal to find GCHQ's actions unlawful," he told the Reg.

Privacy International also complained that the case was to be heard "on hypothetical facts, as the government maintained a "neither confirm nor deny" stance in relation to the details of the hacking charges, despite GCHQ openly recruiting for hacking specialists on its website earlier this week."

The Register has contacted the Home Office and will update this article as and when it responds. ®

Update

A Home Office spokesman responded to the Reg's request for comment after publication of this article. He said:

There have been no changes made to the Computer Misuse Act 1990 by the Serious Crime Act 2015 that increase or expand the ability of the intelligence agencies to carry out lawful cyber crime investigation.

It would be inappropriate to comment further while proceedings are ongoing.

Similar topics


Other stories you might like

  • Heart FM's borkfast show – a fine way to start your day

    Jamie and Amanda have a new co-presenter to contend with

    There can be few things worse than Microsoft Windows elbowing itself into a presenting partnership, as seen in this digital signage for the Heart breakfast show.

    For those unfamiliar with the station, Heart is a UK national broadcaster with Global as its parent. It currently consists of a dozen or so regional stations with a number of shows broadcast nationally. Including a perky breakfast show featuring former Live and Kicking presenter Jamie Theakston and Britain's Got Talent judge, Amanda Holden.

    Continue reading
  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading
  • What do you mean you gave the boss THAT version of the report? Oh, ****ing ****balls

    Say what you mean

    NSFW Who, Me? Ever written that angry email and accidentally hit send instead of delete? Take a trip back to the 1990s equivalent with a slightly NSFW Who, Me?

    Our story, from "Matt", flings us back the best part of 30 years to an era when mobile telephones were the preserve of the young, upwardly mobile professionals and fixed lines ruled the roost for more than just your senior relatives.

    Back then, Matt was working for a UK-based fixed-line telephone operator. He was dealing with a telephone exchange which served a relatively large town. "I ran a reasonably ordinary, read-only command to interrogate a specific setting," he told us.

    Continue reading

Biting the hand that feeds IT © 1998–2021