Update: GCHQ and police hackers protected by revised Computer Misuse Act
The Computer Misuse Act 1990 has quietly been updated, handing out life sentences to hackers and seemingly giving more power and protection to law enforcement and surveillance agencies.
Details of this change were revealed at the Investigatory Powers Tribunal which is hearing a challenge to the legality of computer hacking by UK law enforcement and intelligence agencies, as filed by Privacy International.
The amendments were passed in March as an addition to the Serious Crime Bill, while the Computer Misuse Act has also been updated to serve life sentences for some computer-related crimes.
"It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner's Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes... There was no public debate” complained Privacy International.
The activism group further suggested that this change to law, which relates specifically to clause 10 where immunity is stated under “savings”, was directly in response to its complaint filed last year. Back in May 2014, Privacy International and seven communications providers filed a complaint with the UK Investigatory Powers Tribunal (IPT), claiming that GCHQ's hacking activities were unlawful under the Computer Misuse Act.
Just weeks later, on June 6, the UK government introduced the new legislation via the Serious Crime Bill that would allow GCHQ, intelligence officers, and the police to hack without criminal liability. The bill passed into law on March 3 this year, and became effective earlier this month, on May 3.
Privacy International's legal experts said that the amended Computer Misuse Act "grants UK law enforcement new leeway to potentially conduct cyber-attacks within the UK” while others have argued that this is simply a form of insurance for GCHQ, which may have been found guilty of hacking under the previous ruling.
Eric King, the deputy director of Privacy International, said in a statement: “The underhand and undemocratic manner in which the Government is seeking to make lawful GCHQ's hacking operations is disgraceful.
“Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate. Instead, the Government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar.”
However, others said that this amendment was likely to consolidate existing powers under RIPA and the Intelligence Services Act, to avoid any ambiguity.
Daniel Cuthbert, chief operating officer at white hat hacking outfit Sensepost, was pleased with the changes, adding that this actually extends police powers in tricky cyber-crime cases, pointing out that paedophiles and other nefarious characters have excellent OPSEC.
“The Computer Misuse Act is an awful law…it's incredibly vague,” he told SCMagazineUK.com, adding he had his own personal experience with the dated legislation.
“The law is actually preventing law enforcement and agencies from investigating these things…they're being handcuffed from doing that.”
Cuthbert said that criminal use of encryption and Tor anonymising service was making life difficult for law enforcement.
“It's given them a bit more of a helping hand,” he said of the new changes, which will give police investigators immunity from legal action, so long as they've taken the necessary steps.
The problem, he said, is that this quietly added change is helpful when agencies still “need to build up people's confidence, and win people's trust”, especially in light of Edward Snowden's revelations.
As long as there are “checks and balances” people will be OK, he said.
Alan Woodward, Europol adviser on cyber-crime and visiting professor at the University of Surrey, added that he too was dismayed by the “fuss” because the update had “not really changed anything”. “It may have clarified things, but that's all,” he told SC.
He said that agency powers were already explained in Intelligence Services Act from 1996, RIPA and said that this was likely a case of simple ‘cross referencing' in Serious Crime Bill. Section 7 of the ISA, nicknamed the James Bond clause, is believed to permit activities abroad that would otherwise be illegal.
“It's not changed anything fundamentally,” said Woodward, although he admitted though that the fact the changes were done on the sly “hadn't helped”, especially when it comes to trusting the government.
“Of course, post-Snowden, transparency is everything," said Woodward, who went onto claim that new head Robert Hannigan had made GCHQ more transparent. The agency, said the professor, is staffed by normal civil servants who are “proud” and doing a job with “great diligence,” careful not to flout rules or regulations.
“The UK has more oversight than most; it is layers upon layers. If you think we have a problem, go to Russia or China,” he said, citing the ISC and Interception Commissioner, which publishes a yearly report on local state interception. Foreign intelligence “do what they can, spies will always spy, and have always done so.”
“The issue people have is they've lost trust in the government,” said Woodward, admitting that the proposed Draft Communications Data Bill, dubbed ‘Snooper's Charter', would do little to arrest that slide, especially with concerns over how long data will be kept.
Woodward said that government surveillance had been at a peak shortly after 9/11, with the US Patriot Act, but said that the “pendulum is now swinging back.” However, he added that agencies would always need “a haystack to look for the needle.”