Updated Government legislation to exempt GCHQ from prosecution on charges of illegal hacking has been passed and come into effect – apparently torpedoing an ongoing claim against the surveillance agency being heard by the Investigatory Powers Tribunal.
Last July, a coalition of internet service providers and international organisations teamed up with Privacy International to take legal action against GCHQ.
Their claim, which arrived in court today, has been hobbled by what the privacy warriors said was the revelation that the government had quietly ushered through legislation amending the Computer Misuse Act to exempt GCHQ and law enforcement from prosecution, and did so while the case was ongoing.
Privacy International said it was notified of this change only on Thursday. The campaigners complained that as the legislative change occurred during the process of their action under that very legislation, proper consideration of the court's time meant that they should have been informed.
The amendment to the Computer Misuse Act was written into law on 3 March this year, after being introduced on 6 June 6 2014. Privacy International griped that its opaque language and the extraordinarily limited range of stakeholders which were consulted allowed the legislation to slip under the radar.
The explanatory notes that accompanied the act make no reference to the true impact of the change.
It appears no NGOs, Regulators, RIPA Commissioners, the Information Commissioners Office, Industry, or the public were notified or consulted about the proposed legislative changes. There was no published Privacy Impact Assessment.
Only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders. There was no public debate.
Privacy International state that the legislative change, which came into effect on 3 May, not only bulldozed their claim, but also granted British law enforcement new leeway – potentially allowing cyber attacks within the UK.
Eric King, PI's deputy director, criticised the "underhand and undemocratic manner in which the government is seeking to make lawful GCHQ's hacking operations."
Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate.
Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate.
While the government provided an open response to the claimants’ IPT complaint on 6 February 2015, it made no mention of amendments which were due to be made with the passage of the coming Serious Crime Bill.
It was not until yesterday that the government had indicated to the parties involved that amendments had been made to the CMA, leaving them with limited preparatory time because the parties entered court hours later.
Talking to The Register, King complained that the last-minute notification of these changes – which were also presented to the Tribunal only last night – had completely changed the landscape against which the claim was made.
"We do now need to change our argument," he said.
Asked what the claimants hoped would result from the hearing, King noted that this was the first time GCHQ had apparently been held accountable for its offensive hacking operations.
"Ultimately we want the Tribunal to find GCHQ's actions unlawful," he told the Reg.
Privacy International also complained that the case was to be heard "on hypothetical facts, as the government maintained a "neither confirm nor deny" stance in relation to the details of the hacking charges, despite GCHQ openly recruiting for hacking specialists on its website earlier this week."
The Register has contacted the Home Office and will update this article as and when it responds. ®
A Home Office spokesman responded to the Reg's request for comment after publication of this article. He said:
There have been no changes made to the Computer Misuse Act 1990 by the Serious Crime Act 2015 that increase or expand the ability of the intelligence agencies to carry out lawful cyber crime investigation.
It would be inappropriate to comment further while proceedings are ongoing.