Privacy International and Open Rights Group's Submission in Response to the Consultation on the Draft Equipment Interference Code of Practice

On 20 March 2015, Privacy International and Open Rights Group submitted comments on the UK Government's draft Equipment Interference Code of Practice.

The UK has been hacking for over a decade, yet the release of the draft Code of Practice is the first time the UK intelligence services have sought public authorisation for their activities. Indeed, it is the first time the intelligence services have publicly acknowledged they engage in hacking. 

Unfortunately, the draft Code of Practice is too little, too late. The serious concerns raised by government hacking, which include intruding upon privacy in new and extremely invasive ways, undermining the security of the internet, and setting a precedent for other spy agencies around the world, require that the UK intelligence agencies’ hacking operations be closely controlled, if they are permitted at all. Privacy International and Open Rights Group believe that the draft Code of Practice is not the proper way to address government hacking. 

While maintaining their objection to the process, Privacy International and Open Rights Group take this opportunity to assist the Secretary of State and Parliament as they consider the draft Code of Practice. First, we describe the technology underlying hacking, and its ability to enable the State to reach into every aspect of an individual's life, while also undermining the security of both any computer targeted and the internet as a whole. Given these concerns, we seriously question whether hacking should ever be deployed by the intelligence services. In the second part of this submission, we put forth a set of policies that we think any hacking operation, if authorised, must abide by in order to help lessen the intrusion on privacy and security. We then critique the draft Code of Practice, which in its current form grants the intelligence services far too much leeway to hack anyone in the world with minimal authorisation, few safeguards and limited oversight. Both substantively and procedurally, therefore, the draft Code of Practice is deficient.