Press Release: Privacy International And Five Internet And Communications Providers Challenge British Government's Bulk Hacking Abroad Before The European Court Of Human Rights

Press release

Today, Privacy International, together with five internet and communications providers from around the world, have lodged an application before the European Court of Human Rights to challenge the British Government's use of bulk hacking abroad. Until we brought our original case at the Investigatory Powers Tribunal (IPT) in 2014, the Government had never admitted that it engaged in hacking. Now we are learning for the first time how far-reaching the Government's global hacking capabilities are.

By taking this case to the European Court of Human Rights, we aim to bring the Government's hacking under the rule of law.  The Government is currently hacking abroad based on a very vague and broad power that provides few if any safeguards on this incredibly intrusive power.

How We Got Here

In May 2014, Privacy International brought a complaint in the IPT against hacking by Government Communications Headquarters (GCHQ), the British signals intelligence agency. We were soon joined in our complaint by multiple internet and communications providers from around the world. Our complaint argued that GCHQ had no authority under UK law to hack, and that such activities violated Articles 8 and 10 of the European Convention on Human Rights (ECHR). Articles 8 and 10 respectively protect the rights to privacy and freedom of speech.

In February 2016, the IPT refused to rule on whether GCHQ's use of a broad power under section 7 of the Intelligence Service Act 1994 (ISA) to hack outside the UK complies with the ECHR. That refusal means that GCHQ's bulk hacking abroad can continue unchecked. It also represents a departure from the IPT's approach in our separate case challenging mass surveillance and intelligence sharing with the US government, which assessed the legality of these regimes in light of the ECHR.

Bulk hacking inside the United Kingdom

Privacy International has also filed a separate Judicial Review at the UK High Court, challenging a separate aspect of the IPT's decision, which determined that the British Government can issue general warrants to hack the electronic devices of broad classes of people - both inside and outside the UK. General warrants can cover an entire class of unidentified persons or property, such as "all mobile phones in London". Our Judicial Review asserts that the IPT's decision fundamentally undermines 250 years of English common law, which has long rejected general warrants, and contradicts Article 8 of the ECHR. By permitting the Government to hack large groups of people without judicial authorisation and individualised suspicion, general warrants fail to protect against arbitrary interference and abuse.

The Consequences of Hacking

Hacking is one of the most intrusive surveillance capabilities available to the Government and entails a serious interference with the right to privacy. Using hacking capabilities, the Government can log keystrokes, track locations, take covert photographs and videos, and access stored information. Hacking can also be used to corrupt files, plant or delete documents and data, or send fake communications from a device. These techniques can be mobilised against entire networks, comprising the devices of large groups of people.

Hacking also undermines the security of computers and the internet, especially when conducted on a large scale. Hacking is fundamentally designed to permit an unauthorised person to control another person's device. The security holes created by hacking can be exploited by many other people, including cyber-criminals and other governments' intelligence agencies.

Before we brought our case before the IPT, GCHQ had refused to "confirm or deny" whether it had ever hacked a computer. Over the course of the proceedings, the British Government admitted to hacking to:

  • obtain information from a particular device, server, or network
  • create or modify information on a device
  • carry out intrusive activity

The British Government further admitted that it may also undertake hacking against an entire computer network and that it may carry out "persistent" operations, which cover an extended period of time.

Co-claimants

We are fighting the British Government alongside five internet and communications providers: Chaos Computer Club (Germany), GreenNet (UK), Jinbonet (Korea), May First (US) and RiseUp (US). The application challenges the IPT's decision that the British Government may lawfully conduct bulk hacking of computers, mobile devices, and networks located anywhere outside of the UK.

Scarlet Kim, Legal Officer at Privacy International said:

"The IPT's decision permits the British Government to hack untold numbers of computers devices or networks abroad without any proper legal framework, oversight or safeguards. Hacking is extremely intrusive, allowing the hacker to, for example, switch on the webcam of a computer, or the mic of a phone without the owner having any idea. Allowing the British Government to hack therefore sanctions an extraordinary expansion of state surveillance capabilities, with alarming consequences for the privacy and security of many people around the world. The European Court of Human Rights has a strong track record of ensuring that intelligence agencies act in compliance with human rights law. We call on the Court to hold GCHQ accountable for its unlawful bulk hacking practices."

Cedric Knight of GreenNet said:

"The court case has shown that the secret services interpreted a vague law completely arbitrarily, evading the need for specific warrants and providing no protection for journalists, activists or the general public. We are now even more convinced of the need for judicial pre-authorisation and for these sections of the Intelligence Services Act to be clarified. It is regrettable that the failure of the IPT to address the lack of either technological or legal limitations on assumed powers has made this challenge necessary."

Jan Girlich, a Spokesperson for the Chaos Computer Club said:

"Hacking and manipulating the infrastructure the Internet is built on goes far beyond surveillance. Instead of using its powers to violate people's right to privacy and even to manipulate their computers, GCHQ should start really protecting people by reporting found flaws in operating systems, applications or hardware to the creator through a responsible disclosure policy. With this application at the European Court of Human Rights, we encourage GCHQ to turn from threatening people's privacy and security into securing them."

Byoung-il Oh, Activist and Coordinator of Jinbonet said:

"Intrusive surveillance technology such as hacking by law enforcement and intelligence agencies should not be permitted, in particular without any effective oversight mechanism. The IPT's decision would fuel competitive use of hacking technology by other governments. We call on the European Court of Human Rights to make the right decision to keep the internet free and open."

END