Brit spies can legally hack PCs and phones, say Brit spies' overseers

So that's that, then

Blighty's spying nerve center GCHQ has a licence to hack computers and devices at will, a UK intelligence oversight court has ruled.

The judgment was handed down on Friday after Privacy International and seven ISPs launched a legal challenge against the agency's hacking operations – operations that were laid bare by documents leaked by NSA whistleblower Edward Snowden.

During the case, GCHQ officially admitted infiltrating PCs and mobiles for the first time.

"The use of computer network exploitation by GCHQ, now avowed, has obviously raised a number of serious questions, which we have done our best to resolve in this Judgment," reads the lengthy ruling [PDF] from the Investigatory Powers Tribunal (IPT).

"Plainly it again emphasises the requirement for a balance to be drawn between the urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual's privacy and/or freedom of expression."

The tribunal is tasked with scrutinizing Blighty's agents; it says it "investigates and determines complaints of unlawful use of covert techniques by public authorities infringing our right to privacy."

During the case, some of which was held in closed sessions for national security reasons, GCHQ said that about 20 per cent of the reports produced by the agency use material obtained by hacking. The agency said it had installed malware, used a phone's microphone and camera remotely, and tracked suspects via GPS.

All this is done under a self-imposed code of conduct, and the IPT ruled that this gave it legal cover for its activities at home and abroad. These will be reinforced by the forthcoming Investigatory Powers Bill, aka the Snooper's Charter.

"We are disappointed that the IPT has not upheld our complaint and we will be challenging its findings," said Scarlet Kim, legal officer at Privacy International.

Kim said that Privacy International would be challenging the ruling on the grounds that it broke the European Convention on Human Rights when it comes to surveilling people in the trading bloc but outside of the UK.

"The ability to exploit computer networks plays a crucial part in our ability to protect the British public," Foreign Secretary Philip Hammond told the BBC.

"Once again, the law and practice around our Security and Intelligence Agencies' capabilities and procedures have been scrutinised by an independent body and been confirmed to be lawful and proportionate. It will provide our Security and Intelligence agencies with the powers they need to deal with the serious threats our country faces, subject to strict safeguards and world-leading oversight arrangements." ®
