Privacy International challenges GCHQ malware attacks

A 21-page legal challenge seeks a definition of what is legal - and what is not - under RIPA.

GCHQ accused of monitoring Facebook Likes and YouTube views

Privacy International has launched a legal challenge with the Investigatory Powers Tribunal (IPT) over what it claims are GCHQ's extensive malware and hacking operations.

The privacy advocacy charity claims that the government monitoring agency has been acting illegally by developing spy programs that remotely hijack the cameras and microphones of computers and smartphones without the user's consent.

The legal challenge - which was lodged on Tuesday of this week with the IPT - calls for the malware-driven surveillance technique, which Privacy International alleges is more intrusive than simply intercepting communications, to be outlawed.

The legal spat follows in the wake of a raft of documents released in recent months by former NSA whistleblower Edward Snowden, who claims that GCHQ and its US counterpart, the National Security Agency, are targeting civilian users' computers and smartphones.

In its 21-page submission, the privacy charity details a variety of malware - with nicknames such as CaptivateAudience, Warrior Pride, Gumfish, Dreamy Smurf and Foggybottom - which are allegedly used by GCHQ to gain hidden remote access to most aspects of a user's IT devices, allowing personal and company details to be exfiltrated at will.

Eric King, the deputy director of Privacy International, said that the hacking programmes being undertaken by GCHQ are the modern equivalent of the government entering your house, rummaging through your filing cabinets, diaries, journals and correspondence, before planting bugs in every room you enter.

"Intelligence agencies can do all this without you even knowing about it, and can invade the privacy of anyone around the world with a few clicks," he said.

"All of this is being done under a cloak of secrecy without any public debate or clear lawful authority. Arbitrary powers such as these are the purview of dictatorships not democracies. Unrestrained, unregulated Government spying of this kind is the antithesis of the rule of law and Government must be held accountable for their actions," he added.

According to Professor Peter Sommer, a digital forensics expert and visiting professor with De Montfort University, the IPT legal challenge is all about gaining a precise definition of what monitoring techniques are legal under the Regulation of Investigatory Powers Act (RIPA), which was introduced in 2000.

"The legal challenge forms part of a multi-layered approach by Privacy International to define the scope of RIPA. There are two issues here - the first is to seek a legal definition of what can, and cannot, be carried out under the Act. The second seeks clarification from the IPT about its scope and, if the challenge fails, it opens up the route for an appeal to Europe, if it is required," he explained.

SCMagazineUK.com notes that the IPT's role is to act as a specialist court - which holds sessions behind closed doors under national security rules - to investigate complaints about the intelligence agencies, including MI5, MI6, GCHQ and allied agencies.

Interestingly, the Tribunal is highly unusual in being exempt from the Freedom of Information Act, meaning that information made available to it in the course of considering a complaint cannot be obtained under a freedom of information request.

According to Keith Bird, UK managing director with Check Point, irrespective of the legality and motivation behind malware-induced surveillance activities, the fact that this vector is being used by GCHQ shows how the same malware tools can be used to access sensitive information - whether the organisation behind the attack is a criminal gang or a state agency.

"Our 2014 Security Report showed that on average, new malware hits companies six times per hour - and two of those malware types will not be recognised by an organisation's anti-malware defences," he said, adding that it is clear that companies need layers of defence to protect themselves against attacks from all sides.