Privacy International has filed for Judicial Review at the UK's High Court, challenging the Investigatory Powers Tribunal's (IPT) decision to allow the Government to issue ‘thematic warrants' which allow for general hacking.
This decision will allow British intelligence agency GCHQ to continue hacking into the computers and phones of broad classes of people - including those residing in the UK - as the Investigatory Powers Bill seeks to further enshrine this power into law.
The case filed by Privacy International today calls on the High Court to stop the practice of bulk hacking within the UK.
Despite the explicit recommendation of the Joint Committee on the Draft Investigatory Powers Bill, which recommended that both interception and hacking warrants should not be "used as a way to issue thematic warrants concerning a very large number of people", the inclusion of these warrants directly contradicts the UK Government's decision to approve general warrants as part of its so-called "targeted" interception and hacking regimes.
Scarlet Kim, legal officer at Privacy International, told SCMagazineUK.com, “The current legal authorities for interception and collection of data are unclear, obscure and not fit for purpose. Despite English common law prohibiting thematic warrants as far back as the 1760s, they aren't just something which has been made law and left to rot. They have been re-affirmed again and again throughout history”.
Kim added, “According to RIPA, specific interception warrants should be limited to a single person, premises or operation. The government then interpreted this to mean ‘persons' and that is their basis for claiming their spying activities are entirely legal.”
In May of 2014, Privacy International brought a complaint to the IPT against GCHQ hacking and were soon joined in their complaint by seven internet and communications providers from around the world.
The complaint argued that GCHQ had no authority under UK law to hack, and that such activities violated Articles 8 and 10 of the European Convention on Human Rights. Articles 8 and 10 respectively protect the rights to privacy and freedom of speech. The IPT rejected both these claims in February 2016.
In its decision, the IPT echoed the Government's position that GCHQ was permitted to seek "thematic warrants", which are general warrants to hack inside and outside the UK. General warrants can cover an entire class of unidentified persons or property, such as "all mobile phones in Nottingham".
Reasons for and against
General hacking warrants are perceived as a dangerous and unprecedented expansion of state surveillance capabilities. The IPT has not only sanctioned state-sponsored hacking of individuals, but also permitted its use at an industrial scale.
Using hacking capabilities, the Government can log keystrokes, track locations, take covert photographs and videos, and access stored information. Hacking can also be used to corrupt files, plant or delete documents and data, or send fake communications from a device. These techniques can be mobilised against entire networks, comprising the devices of large groups of people.
Hacking is fundamentally designed to permit an unauthorised person to control another person's device. The security holes created by hacking can be exploited by many other people, including cyber-criminals and other governments' intelligence agencies.
Darran Rolls, CTO at SailPoint commented: “Weakened protocols are arguably the biggest issue when discussing the changing role of encryption. How can we ensure consumer communication channels are safe given the proposed changes that would allow government services to snoop? Or that backdoor encryption, which makes access to secure data easier, doesn't open up a gateway to hackers?”
Rolls added: “Governments and organisations worldwide are currently weighing the trade-offs between consumer privacy and combatting the evolving threat to public safety. Given the recent acts of terror in Paris and further afield, security services are increasingly demanding the power to view encrypted consumer messages on the ground in the pursuit of national security.”
English common law - not so common?
According to Privacy International, the IPT's decision fundamentally undermines 250 years of English common law, which has long rejected general warrants. The common law is clear that a warrant must target an identified individual or individuals. Parliament is presumed not to have overridden such a profound and fundamental right unless it clearly and expressly states that general warrants are now permissible - which it has not.
The IPT's decision also ignores that general warrants fail to comply with international human rights law, particularly Article 8 of the European Convention on Human Rights. By permitting the Government to hack large groups of people without judicial authorisation and individualised suspicion, general warrants fail to protect against arbitrary interference and abuse.
In a statement on Privacy International's website, Scarlet Kim, Legal Officer at Privacy International said: "The IPT's decision grants the Government carte blanche to hack hundreds or thousands of people's computers and phones with a single warrant. General warrants permit GCHQ to target an entire class of persons or property without proving to a judge that each person affected is suspected of a crime or a threat to national security. By sanctioning this power, the IPT has upended 250 years of common law that makes clear such warrants are unlawful. Combined with the power to hack, these warrants represent an extraordinary expansion of state surveillance capabilities with alarming consequences for the security of our devices and the internet."