Privacy International et al. v. Secretary of State for Foreign & Commonwealth Affairs et al. (UK Government Hacking)

Case No. IPT 14/85/CH

Investigatory Powers Tribunal

On Appeal

In May 2014, Privacy International brought a legal complaint to the Investigatory Powers Tribunal (IPT), challenging GCHQ hacking inside and outside of the UK. Seven internet and communications service providers from around the world submitted a similar complaint and the IPT joined the cases. Those providers were Chaos Computer Club (Germany), Greenhost (Netherlands), GreenNet (UK), Jinbonet (Korea), Mango Email Service (Zimbabwe), May First/People Link (US), and Riseup (US).

GCHQ hacking capabilities were revealed by the Snowden disclosures, which documented how GCHQ could:

  • activate a device’s microphone (NOSEY SMURF) or webcam (GUMFISH)
  • identify the location of a device with high-precision (TRACKER SMURF)
  • log keystrokes entered into a device (GROK)
  • collect login details and passwords for websites and record Internet browsing histories on a device (FOGGYBOTTOM)
  • hide malware installed on a device (PARANOID SMURF)

Our complaint alleged that GCHQ has no clear authority under UK law to conduct hacking operations and that such activities violate the Computer Misuse Act 1990, which criminalises hacking. We further alleged that GCHQ hacking violates Articles 8 and 10 of the European Convention on Human Rights, which respectively protect the right to privacy and the right to freedom of expression.

In February 2016, the IPT held that GCHQ hacking is lawful under UK law and the European Convention on Human Rights. The IPT further held that GCHQ may hack inside and outside of the UK using "thematic warrants." Thematic warrants are general warrants covering an entire class of property, persons or conduct, such as "all mobile phones in London."

In May 2016, Privacy International filed a claim for judicial review in the UK High Court, challenging the part of the IPT's decision sanctioning the Government's use of general warrants to hack. A judicial review is a type of collateral challenge to the lawfulness of a decision by a public body.

In August 2016, we filed an application at the European Court of Human Rights, challenging the IPT's decision with respect to GCHQ's foreign hacking powers. We are joined by five of the internet and communications service providers who litigated the case with us before the IPT.

Legal Documents

Investigatory Powers Tribunal Judgment (12 Feb. 2016)

Government Skeleton Argument (with Appendix) (25 Nov. 2015)

Privacy International Skeleton Argument (25 Nov. 2015)

Witness Statements (with Exhibits) of Ciaran Martin (for the Government) (16-24 Nov. 2015)

Government Response to Privacy International Schedule of Public Statements (19 Nov. 2015)

Government Re-Re-Amended Open Response to Statement of Grounds (13 Nov. 2015)

Government Disclosure 

    Index of Open Exhibits:

    Exhibit 1:

    Exhibit 2:

    Exhibit 3:

    Exhibit 4:

    Exhibit 5:

Witness Statement of Eric King (for Privacy International) (5 Oct. 2015)

Expert Report (with Appendix) of Prof. Ross Anderson (for Privacy International) (30 Sept. 2015)

GreenNet et al. Amended Statement of Grounds (19 May 2015)

Privacy International Amended Statement of Grounds (19 May 2015)

Government Response to Privacy International Agenda for Directions Hearing (13 May 2015)

Government Note for Directions Hearing (13 May 2015)

Privacy International Agenda for Directions Hearing (13 May 2015)

Privacy International Reply (1 April 2015)

Government Response to Statement of Grounds (1 July 2014)

Privacy International Statement of Grounds (13 May 2014)


Press statement: We will continue to challenge GCHQ’s hacking powers (12 Feb. 2016)

Investigatory Powers Tribunal rules GCHQ hacking lawful (12 Feb. 2016) 

Court Documents reveal oversight body struggling to control GCHQ domestic hacking (1 Dec. 2015) 

After legal claim filed against GCHQ hacking, UK government rewrite law to permit GCHQ hacking (15 May 2015)

UK government claims power for broad, suspicion less hacking of computers and phones (18 March 2015)

My device is me. GCHQ - stop hacking me (13 June 2014) 

Privacy International challenges GCHQ's unlawful hacking of computers, mobile phones (13 May 2014)

Explaining the law behind Privacy International’s challenge to GCHQ’s hacking (13 May 2014)


Whose World Is This?: US and UK Government Hacking (7 July 2016)

Privacy International's Work on Hacking (10 Feb. 2016)

Reports and Features

Privacy International and Open Rights Group's Submission in Response to the Consultation on the Draft Equipment Interference Code of Practice (Mar. 2015)

Attachment Size
Hacking_Judgment.pdf 632.15 KB