GCHQ, the UK electronic spy agency, has admitted for the first time in court that it engages in computer hacking.
The admission came after internet companies and privacy campaigners brought complaints about the agency’s “extremely intrusive” activities to the Investigatory Powers Tribunal.
The case has been brought by seven internet service providers and Privacy International, a charity, against the Government Communications Headquarters and the Foreign Office for hacking in the UK and abroad. Ben Jaffey QC, for the ISPs and Privacy International, told the tribunal, which investigates complaints against the security services, that until the case was brought, GCHQ had refused to confirm or deny whether it had Computer and Network Exploitation capabilities — the ability to carry out computer hacking.
Since the case was lodged it has made a number of avowals — admitting it undertakes such operations in the UK and abroad. Mr Jaffey said it was also common ground that in 2013 about a fifth of GCHQ’s intelligence reports contained information derived from the use of CNE. GCHQ also undertakes “persistent” CNE operations where an implant “resides” in a targeted computer for an extended period to transmit information or “non-persistent operations” where an implant expires at the end of a user’s internet session, the tribunal heard.
The ISPs and Privacy International allege that GCHQ’s actions are illegal and are asking the tribunal to investigate whether it has complied with domestic law and with the human rights act when hacking or deploying malware on computers. Mr Jaffey told the hearing that intercepting an individual’s smartphone would give the agency access to far more than it would through traditional surveillance.
He told the hearing it was “equal to carrying a bug everywhere I go . . .” and comes at a “lower risk” to the agencies than breaking into a home or workplace. “If CNE were carried out on my mobile you would get all the meetings I attend by turning on the microphone and access to all my chamber’s files, bank details, my passwords, all my personal material and all my photos,” he told the hearing.
In his written arguments, reference was also made to secret documents released by Edward Snowden. the former NSA contractor, on GCHQ capabilities. They included claims relating to a programme known as Nosey Smurf that involved implanting malware to activate the microphone on smartphones. GCHQ and the UK government say CNE is lawful under domestic and human rights law. It denies “that GCHQ is engaged in any unlawful and indiscriminate mass-surveillance activities”.
Six alleged terror plots had been stopped in the year before September 2015, it said. CNE may “in some cases, be the only way to acquire intelligence coverage of a terrorist suspect or serious criminal in a foreign country . . .” “The claimants make extreme assertions about the intelligence-gathering activities of GCHQ, including their alleged indiscriminate and arbitrary nature,” the written arguments say.
It adds of the legal framework governing CNE: “That regime is both accessible and has a proper basis in domestic law. It is a regime which provides for stringent safeguards if GCHQ wishes to carry out CNE activities. It is also proportionate given the need for CNE to be carried out to protect the public from serious terrorist and other threats,” the written arguments add.