After legal claim filed against GCHQ hacking, UK government rewrite law to permit GCHQ hacking

Press release

The Government has quietly ushered through legislation amending the anti-hacking laws to exempt GCHQ from prosecution. Privacy International and other parties were notified of this just hours prior to a hearing of their claim against GCHQ's illegal hacking operations in the Investigatory Powers Tribunal.

In its legal filings, sent to Privacy International only the day before the hearing began, the Government notified claimants that the Computer Misuse Act was rewritten on 3 March 2015 to exempt the intelligence services from provisions making hacking illegal.

Beginning in May 2014, Privacy International, along with seven internet and communications service providers, filed complaints with the IPT challenging GCHQ’s hacking activities. The claimants asserted that GCHQ’s actions were both unlawful under the Computer Misuse Act (CMA), which criminalises hacking, and that there was not sufficiently detailed legal authority to make GCHQ’s hacking “in accordance with law”, as any violation of privacy is required to be by Article 8 of the European Convention on Human Rights.

Yesterday, the parties were notified that, only a few weeks after the claim was filed, the Government quietly introduced legislation on 6 June 2014 that would amend the CMA to provide a new exception for law enforcement and GCHQ to hack without criminal liability. The change not only affects Privacy International's claim, but also grants UK law enforcement new leeway to potentially conduct cyber attacks within the UK.

The explanatory notes that accompanied the act make no reference to the true impact of the change. It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner's Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes. There was no published Privacy Impact Assessment. Only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders. There was no public debate.

That legislation, deemed the Serious Crime Bill 2015, passed into law on 3 March 2015 and become effective on 3 May 2015.

The Government provided an open response to the claimants’ IPT complaint on 6 February 2015, but was silent on forthcoming passage of the Serious Crime Bill.  Indeed, it was not until yesterday, a day before the parties were due in court to determine the legal issues that will be addressed in the case, that the government indicated that amendments to the CMA had been made.

This is not the Government’s first attempt to make “under the radar” changes to UK law in connection with this claim.  On 6 February 2015, the Government released a draft Equipment Interference Code of Practice, which it claimed mirrors internal GCHQ guidance. Despite this, the Government is refusing to disclose GCHQ's earlier versions of the Code, or reveal when it was first drafted, claiming to do so would damage national security. The draft Code purports to grant the UK spy agencies sweeping powers to hack targets, including those who are not a threat to national security nor suspected of any crime. Yet it is not primary legislation, and will not be subject to the normal parliamentary process, including democratic debate, that such a sensitive subject should receive.

The case will be heard on hypothetical facts, as the Government maintains a “neither confirm nor deny” stance in relation to the details of the hacking charges, despite GCHQ openly recruiting for hacking specialists on its website earlier this week.

Eric King, Deputy Director of Privacy International, said:

“The underhand and undemocratic manner in which the Government is seeking to make lawful GCHQ's hacking operations is disgraceful. Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate. Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate.”

For media enquiries please call Harmit Kambo on +44 (0)20 3422 4321

Notes for editors:

This is a separate legal challenge to the claim made by Privacy International, alongside Liberty and Amnesty International, against GCHQ mass surveillance and intelligence sharing practices. Privacy International is currently awaiting a final judgement on those cases, and is pursuing a challenge in the European Court of Human Rights against decisions of 5 December 2014 and 6 February 2015.

Privacy International assisted in filing two separate complaints to the IPT challenging GCHQ’s widespread hacking. The first, in which Privacy International is the claimant centres around GCHQ and the NSA’s reported power to infect potentially millions of computer and mobile devices around the world with malicious software that gives them the ability to sweep up reams of content, switch on users' microphones or cameras, listen to their phone calls and track their locations. It is the first UK legal challenge to the use of hacking tools by intelligence services.

The second complaint was filed by seven internet service and communications providers from around the world, who are calling for an end to GCHQ’s exploitation of network infrastructure in order to gain unlawful access to potentially millions of people’s private communications. The complaint, filed by Riseup (US), GreenNet (UK), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (Korea), May First/People Link (US), and the Chaos Computer Club (Germany), is the first time that internet and communication providers have taken collective action against GCHQ’s targeting, attacking and exploitation of network communications infrastructure.