GCHQ is being challenged over its offensive hacking practices at a hearing that started on Tuesday morning. The challenge is being heard by the Investigatory Powers Tribunal, which is the only judicial body in the country with the authority to hear complaints about the intelligence agencies.
Two complaints were filed last year, by Privacy International and a global coalition of ISPs and related organisations, regarding offensive hacking practices that GCHQ is alleged to have conducted unlawfully.
Privacy International claims there was no clear lawful authority for GCHQ to conduct computer network exploitation (CNE) operations when these cases were filed. The government subsequently introduced an amendment to the Computer Misuse Act which Privacy International alleged was an "underhand and undemocratic" act which was "seeking to make lawful GCHQ's hacking operations."
A Home Office spokesperson denied the amendment "increase[d] or expand[ed] the ability of the intelligence agencies to carry out lawful cyber crime investigation."
CNE, as defined by MI5, "allows a hostile actor to steal information remotely, cheaply and on an industrial scale. It can be done with relatively little risk to a hostile actor's intelligence officers or agents overseas."
According to Privacy International, the government has tried to fill a legal void by publishing a draft Equipment Interference Code of Practice (PDF), while the new draft Investigatory Powers Bill (PDF) attempts to firmly place CNE "on a statutory footing, including provisions for 'Equipment Interference' (Part 5) and 'Bulk Equipment Interference' (Part 6, Chapter 3)."
Draft Equipment Interference Code of Practice, section 1.9
The potential cross-purposes of GCHQ's offensive and defensive security practices have consistently concerned technologists. Speaking at IA15, an information assurance conference organised by GCHQ's information assurance arm, CESG, the agency's director-general dismissed accusations that the agency's actions are not conducive to the UK's security ecology.
GreenNet Limited (UK)
Riseup Networks, Inc (US)
Mango Email Service (Zimbabwe)
Korean Progressive Network aka "Jinbonet" (South Korea)
May First/People Link (US)
Chaos Computer Club (Germany)
Speaking to The Register at the time, Privacy International technologist Dr. Richard Tynan said: "Mr Hannigan is extremely nuanced with his words when he asserts that GCHQ does not encourage system weaknesses and regularly reports found vulnerabilities. While we may never know the full extent of coercion used by GCHQ, we do know that its big brother, the NSA, paid $10m to RSA, a company that provides encryption products."
Dr Tynan continued:
We also know from the Edward Snowden revelations that GCHQ does not disclose all the vulnerabilities it finds and instead uses them for offensive hacking purposes. We have seen GCHQ target a variety of providers, from anti-virus vendors to software commonly used for online blogs and forums around the world.
There is no basis in law at present, or in the proposed Investigatory Powers Bill, authorising GCHQ to fail in its duty to protect the privacy and security of the public. Furthermore, this conduct undermines trust in devices, networks and services as users can be betrayed at any moment by anyone aware of the flaw, including cyber criminals and governments.
GCHQ declined to comment when questioned by The Register about the existence of a Vulnerabilities Equity Policy, such as that the NSA uses to hoard zero-day exploits.
Privacy International maintains that CNE "is far more intrusive than any single surveillance technique currently deployed by the intelligence services because once entry to a device is gained, there is no technical barrier preventing agents from obtaining far more information."
In the campaign group's words:
The [GCHQ] agent can gain access to any stored data, including documents, emails, diaries, contacts, photographs, internet messaging chat logs, and location records on mobile equipment.
The agent can also see anything typed into the device, including passwords, internet browsing, and draft documents and communications never intended to share.
Deleted files can be accessed and the functionality of the device can be controlled, such as turning on the microphone, webcam, and GPS-based locator technology.
CNE is not only deployed against individual computers and mobile phones, but can be used against entire communications networks, undermining privacy and security en masse.
The hearing begins at 10:30 this morning. ®