GCHQ sued by ISPs over state-sponsored hacking

ISPs and Privacy International seek legal clarification on how far GCHQ can go with its state-sponsored surveillance activities.

GCHQ sued by ISPs over state-sponsored hacking
GCHQ sued by ISPs over state-sponsored hacking

The post-Snowden argument over whether governments should be pro-actively eavesdropping on their citizens via ISPs took a interesting twist this week after seven international internet service providers (ISPs) took legal action against GCHQ, the UK's government signals intelligence agency.

The essence of the case centres on GCHQ's alleged - and widely reported - hacking of Belgacom, the Belgian state telco, last year.

As reported last September by Der Spiegel, Belgacom employees were reported to have been fed fake LinkedIn pages that included malware that allowed their machines to be remotely monitored by GCHQ's computers. 

`Operation Socialist,' as the project was called, drew widespread condemnation from the European security community, an investigation by the European Commission and the summoning of GCHQ Director Iain Lobban before Parliament to explain his staff actions.

The entities in the legal action - GreenNet in the UK and Riseup in the US, along with Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (Korea) and May First/People Link (US) – enjoined by the Chaos Computer Club in Germany - argue that GCHQ's actions contravene several laws, most notably Articles 8 and 10 of the European Convention on Human Rights and the UK's Computer Misuse Act.

According to Privacy International, the lawsuit has been filed via the UK's Investigatory Powers Tribunal, asserting that GCHQ's attacks on ISPs are not only illegal, but are destructive, undermine the goodwill the organisations rely on, and damage the trust in security and privacy that makes the Internet such a crucial tool of communication and empowerment.

The civil liberties charity notes that the `quantum insert' methodology used by GCHQ forms part of a larger malware campaign known as Turbine, which automates and scales the malware insertion process up to millions of code infections.

Commenting on the lawsuit, Eric King, Privacy International's deputy director, said that these widespread attacks on providers and collectives undermine the trust we all place on the Internet and greatly endanger the world's most powerful tool for democracy and free expression.

"It completely cripples our confidence in the internet economy and threatens the rights of all those who use it. These unlawful activities, run jointly by GCHQ and the NSA, must come to an end immediately," he said.

Digital forensics specialist Professor Peter Sommer - who has been following the case with interest - told SCMagazineUK.com that the lawsuit is one of several legal actions being taken by Privacy International and is designed to check out the various extents of surveillance law.

"They seek to challenge official interpretations of law," he said, adding that, in the UK, this is mostly about the Regulation of Investigatory Powers Act 2000 (RIPA), and the Intelligence Services Act of 1994, although there are also other laws involved 

Professor Sommer - a visiting professor with de Montfort University - says that the lawsuit also seeks to discover the limitations in the powers of the courts.

"The Investigatory Powers Tribunal is particularly interesting, as it nearly always meets in secret and claims that no appeal from its decisions is possible. If Privacy International cannot get satisfaction from UK legal proceedings, it is very likely to go to the European courts," he explained.

"Even if Privacy International loses in its legal proceedings, it can still hope to win in the court of public opinion," he said, adding that other Privacy International actions - working in co-operation with other privacy organisations - include accusing GCHQ of using illegal hacking techniques and complaining that the UK government is allowing the export of sophisticated surveillance devices to authoritarian regimes.

This legal approach to campaigning, he says, works alongside others, such as petition raising, mass meetings, parliamentary lobbying and submissions to government select committees.