In a remarkable, though unsurprising, ruling, the Investigatory Powers Tribunal has stated that it is perfectly legal for Britain’s spy agency, GCHQ, to hack into anyone’s computer and to continue with its practice of bulk surveillance of not just sections of the population but entire populations anywhere in the world. This ruling opens the way for massive security breaches as well as an escalation of computer fraud. No one’s email, communications or financial transactions will be safe. The ruling paves the way for the Investigatory Powers Bill, which will enforce these practices. Privacy International, which was listed as the main claimant to the tribunal (together with seven ISPs), stated it will be taking the matter further via the European courts.
Note: Appendix 1 (below) is a lengthy statement by Privacy International on the IPT ruling; Appendix 2 is a list of factsheets on the draft Investigatory Powers Bill by Big Brother Watch.
Ruling says GCHQ hacking warrants need not name specific individuals – means OK to hack entire orgs/govts/companies: pic.twitter.com/HByqNOVq1l
— Ryan Gallagher (@rj_gallagher) February 12, 2016
The Tribunal ruling revealed how GCHQ conducts hacking of computers around the globe – no person, wherever they reside, is safe. Here is the ruling in full (courtesy of Edward Snowden). Those who made the ruling (all establishment figures) included: Mr Justice Burton, Mr Justice Mitting, Mr Robert Flint QC and The Hon. Christopher Gardner QC.
Here is the Intelligence & Security Committee’s report on the draft Bill. (Note the slender number of witnesses: Home Secretary Theresa May, GCHQ head Robert Hannigan, MI5 head Andrew Parker and MI6 head Alex Younger.) The report makes a number of recommendations to ‘tweak’ the Bill. Here are the establishment figures on the ISC.
The Investigatory Powers Bill, if passed, will be able to force internet service providers to store the browsing history of their customers for 12 months. The bill would also oblige service providers to help intercept data and hack suspects’ devices.
Below, using a variety of sources – mostly revelations by Edward Snowden via an article by Ryan Gallagher in The Intercept – is a mapping of what the draft bill is really about… Note: for a more forensic analysis of the draft bill, see “Investigatory Powers Bill: The Juicy Bits”.
(See also: 10 reasons why you should be worried.)
It would appear that encryption will not be ‘banned’, as banking and other financial services depend on it. However, measures in the draft bill will require that tech firms and ISPs provide unencrypted communications to the police or spy agencies if requested through a warrant. These firms will not be able to comply with this requirement unless they provide encryption to their users that can be decrypted.
The new legislation will attempt to force companies outside the UK to adhere to this requirement, though even if this did not happen, according to one document the NSA’s troves of data are searched by GCHQ for data on British citizens anyway. Also, what Theresa May fails to understand is that there are a myriad of tools and applications that are outside the reach of UK legislation – consequently, GCHQ will end up mostly monitoring stuff about shopping habits (that may be of use to the capitalist establishment).
Note, too, that British police already have the power to compel someone, on penalty of imprisonment, to disclose cryptographic keys under RIPA (i.e., to compel decryption on the order of intelligence or police authorities – with no judicial or ministerial warrant required).
2. Web histories
The Government says that the bill will only allow for the retention of metadata, not web histories. But this is not the case: all ISPs and CSPs will be required by law to retain all web histories, as well as phone usage and social media usage of all users, for 12 months and to make these histories available to the authorities when a warrant is issued. Access to web histories (trawled by GCHQ) will be granted to the police, the National Crime Agency, the intelligence agencies and HM Revenue and Customs.
The bill will seek to legitimise the mass hacking activities of GCHQ, which, as anyone studying the revelations of Edward Snowden will know, has been operating bulk surveillance operations for many years. One example, according to Ryan Gallagher of The Intercept, is Karma Police, which was launched some seven years back. Another system “builds profiles showing people’s web browsing histories; another analyses instant messenger communications, emails, Skype calls, text messages, cell phone locations, and social media interactions. Separate programs were built to keep tabs on “suspicious” Google searches and usage of Google Maps.”
A further example of data mining used by GCHQ is TEMPORA, which monitors emails, instant messages, voice calls and other communications and makes the data accessible through XKEYSCORE. According to The Intercept, as of September 2012, TEMPORA, which was first revealed by The Guardian in June 2013, was collecting “more than 40 billion pieces of content a day”.
GCHQ will continue with its blanket surveillance regime of monitoring everyone’s metadata. This metadata monitoring can be more powerful than simply monitoring web page activity. Metadata provides information about all sorts of things – who, where, what, why. Metadata can reveal networks of networks. It can reveal activities. Marry this information with the web histories (available via warrants) and the authorities will have everything.
According to Edward Snowden, as of 2012, GCHQ was storing about 50 billion metadata records about online communications and web browsing activity every single day, with plans in place to boost capacity to 100 billion daily by the end of that year alone. The Intercept explains that GCHQ documents revealed by Snowden showed that, between August 2007 and March 2009, an operation called Black Hole was used to store more than 1.1 trillion “events” (a term GCHQ uses to refer to metadata records), with about 10 billion new entries added every day. By 2010, according to these documents, GCHQ was logging 30 billion metadata records per day. By 2012, collection had increased to 50 billion per day, and work was underway to double capacity to 100 billion.
GCHQ has always maintained that authorisation to collect metadata is “not needed for individuals in the U.K.,” because metadata is “less intrusive than communications content.” A GCHQ document (see image below) lists the range of information it regards as metadata — location data, email data, instant messenger data, and social networking logs that show who you have communicated with by phone or email, the passwords you use to access “communications services” (such as an email account), and information about websites you have viewed.
The bill also requires mobile phone providers to track the location of every call made, to keep that data for a year and to provide that data in bulk to GCHQ. (Note: MI5 has subsequently admitted that it – presumably via GCHQ – has been logging all phone calls of everyone in the UK for the past 10 years.)
Under the draft Investigatory Powers Bill the practice of warrants being approved by the Home Secretary will continue – though additional ‘oversight’ (of procedure only) is to be provided by an investigatory powers commissioner (former Appeal Court judge, Sir Stanley Burnton) and seven judicial commissioners (also retired judges). This may seem like a concession, albeit a small one, but when one considers that the judicial commissioner will be handpicked (and that the majority of British judges are Tories from the shires)… Also, in the USA, all warrants are approved by judges, though less than 1% of warrants were rejected. So, hardly a panacea.
Note, too, that warrants will also be issued to enable police and the security services to legally access the communications data of journalists, lawyers or other legally privileged professions (but not MPs – the Wilson Doctrine is to be written into law). Note further that the police already have access to bulk communications data under RIPA, with around 500,000 requests each year without judicial or ministerial approval (just the agreement of a senior officer), and this will continue.
Appendix 1: Statement from Privacy International on the IPT ruling
Our complaint is the first UK legal challenge to state-sponsored hacking, an exceptionally intrusive form of surveillance. We contended that GCHQ hacking operations were incompatible with democratic principles and human rights standards. We further argued that GCHQ, which until these proceedings was hacking in secret, had no clear authority under UK law to deploy these capabilities.
The IPT condoned GCHQ’s use of a broad legal basis – the power to interfere with “property” under section 5 of the Intelligence Services Act 1994 (“ISA”) – to authorise hacking. It then concluded that adequate safeguards existed to prevent abuses of that power. But the IPT refused to rule on whether GCHQ’s use of an even broader power under ISA section 7 – authorising any unlawful acts committed abroad – complies with the European Convention on Human Rights (“ECHR”). That refusal represents a startling departure from its approach in our separate case challenging mass surveillance and intelligence sharing with the NSA, which assessed the legality of both regimes in light of the ECHR.
ECHR Articles 8 and 10 require that any interference with the fundamental rights to privacy and freedom of expression be “prescribed by law”. Before these proceedings, nothing at all was known about any rules or safeguards governing GCHQ hacking. Over the course of the proceedings, the Government scrambled to articulate such a regime. On the day the Government served its Response to our complaint, it also released a draft Code of Practice purporting to govern GCHQ hacking. At the same time, the Government asserted that bare bones authorisation contained in the ISA demonstrated compliance with the ECHR, an argument accepted by the IPT despite the Government’s sudden unveiling of the draft Code.
The IPT further accepted the Government’s position that the ISA authorises “thematic warrants”, which could cover an entire class of property, persons or conduct, such as “all mobile phones in Birmingham”. English law has rejected such warrants as unlawful for hundreds of years. As a matter of fundamental constitutional law, Parliament is presumed not to have overridden such bedrock principles unless it uses clear and express language, which it did not in the ISA. Nevertheless, the IPT accepted the Government’s exorbitant interpretation of the ISA on the grounds that where the statutory context is national security, basic common law principles protecting liberty are not “a useful or permissible aid.” In effect, the IPT said that the principle of legality – that Parliament must speak with deliberate intent when overturning a fundamental right – does not apply to the Security and Intelligence services.
Finally, the IPT refused to find GCHQ hacking unlawful under the Computer Misuse Act 1990 (“CMA”), which criminalises hacking, despite the Government’s introduction of amendments to the CMA midway through these proceedings. Those amendments, which passed into law as part of the Serious Crime Bill 2015, now exempt law enforcement and GCHQ from future criminal liability for hacking. The Government submitted that the amendments it introduced did not change the law in any relevant way and that GCHQ hacking had always been lawful. The IPT again agreed.
Privacy International will challenge the Tribunal’s findings.
GCHQ publicly admits to hacking
Hacking, which the Government describes as “equipment interference” or “computer network exploitation”, entails a serious interference with the right to privacy. Hackers can log keystrokes, track locations, take covert photographs and videos, and access stored information. Hacking can also be used to corrupt a target device’s files, plant or delete documents and data, or send fake communications from the device. These techniques can be mobilised against entire networks, comprising the devices of large groups of people.
Hacking fundamentally weakens the security of computers and the internet. It is typically carried out by remotely accessing a target device. Common techniques include sending emails that install malware when the recipient clicks on a link in the message or by utilizing pre-existing vulnerabilities in computer systems to install malware. By its very nature, hacking therefore exploits weaknesses in software and hardware used by millions of people. It is akin to unlocking a person’s window without their knowledge and leaving it open for any attacker – whether GCHQ, another country’s intelligence agency or a cyber criminal – to access. Hacking may leave a single individual vulnerable or render countless unintended targets subject to attack. It undermines the security of all our communications, including those forming the core of financial and other everyday transactions.
Until Privacy International brought this case, GCHQ “neither confirmed nor denied” (“NCND”) whether it had ever hacked a computer. Over the course of the proceedings, the Government shifted from NCND to admitting its use of hacking at an alarmingly broad scale. GCHQ admitted hacking within and outside the UK using such techniques to:
- Obtain information from a particular device, server or network
- Create or modify information on a device
- Carry out intrusive activity
In the proceedings, the Government admitted that it may undertake hacking against a specific device or an entire computer network. It also admitted that it undertakes both “persistent” and “non-persistent” operations, the former referring to hacking activities covering an extended period of time.
GCHQ forced to articulate rules, albeit inadequate, governing hacking
Given that GCHQ maintained a position of NCND with respect to hacking prior to this case, it should come as no surprise that any rules and safeguards governing this practice were also shrouded in secrecy.
In February 2015, nine months after we filed our complaint, the Government released a draft Equipment Interference Code of Practice purporting to govern hacking. The Government claimed the draft Code mirrored internal GCHQ guidance on hacking but refused, on national security grounds, to disclose earlier versions of the Code or explain when it was first drafted.
The IPT bizarrely commends the Government on its production of the draft Code during the course of the proceedings. But the rules and safeguards governing GCHQ’s hacking powers should have been publicly debated and established before such powers were ever deployed. The Government should be criticised, rather than praised, for belatedly producing them as a result of our case.
In any event, the draft Code was too little, too late. First, hacking powers should be robustly and publicly debated. Given the privacy intrusion and security risks involved, we question whether hacking can ever be a legitimate aspect of state surveillance. If approved, however, they should be enshrined in primary legislation, rather than codes of practice. We are pleased that such a discussion is now occurring in the context of the draft Investigatory Powers Bill (“IP Bill”) although we maintain serious reservations, discussed below, about the powers outlined in that legislation.
Second, the draft Code, in its current form, fails to properly delineate the rules and safeguards GCHQ hacking so desperately needs. Its most serious failings include authorising “thematic warrants” under the ISA, as discussed above, and allowing the hacking of devices and networks of those who are not even intelligence targets. The draft Code further fails to require any filtering of data collected through bulk hacking abroad, which would ensure, for example, that any information collected about those in the UK is not accessed without proper authorisation. The result is a hacking regime with minimal authorisation, few safeguards, and limited oversight. Both procedurally and substantively, therefore, the draft Code is deficient.
Public scrutiny of GCHQ hacking through the Draft Investigatory Powers Bill
The inclusion of hacking in the draft IP Bill is the result of our litigation. Without these proceedings, GCHQ would still be hacking without public knowledge of the scope of such activities or the rules governing them. As the IPT itself notes, the IP Bill “plainly drew upon the ideas and submissions . . . openly canvassed” in the case.
The draft IP Bill places the power of law enforcement and intelligence services to hack on statutory footing for the first time. While we welcome a public debate regarding hacking, we question, as noted above, whether the state can ever justifiably deploy this power. If it is to be used at all, it must be in only the most narrowly defined circumstances with the strictest safeguards. Those important privacy safeguards do not yet exist; Parliament should add them.
As it currently stands, the draft IP Bill perpetuates the broad scope of GCHQ hacking while leaving it subject to weak safeguards and a light touch authorisation and oversight regime. Part 5 of the IP Bill, the supposedly “targeted” hacking provisions, permits attacks on broad categories of equipment, including those belonging to communications service providers (“CSPs”). Part 6, Chapter 3, of the IP Bill compounds this problem by permitting hacking to be carried out “in bulk” when directed overseas. This “bulk” provision gives almost unfettered powers to the intelligence services to decide who and when to hack.
The Intelligence and Security Committee (“ISC”), which released its report on the draft IP Bill this week, criticised the IP Bill’s provisions on GCHQ hacking as being “too broad and lack[ing] sufficient clarity.” At the same time, it condemned the IP Bill for failing to address certain forms of hacking, which will continue “to sit under the broad authorisations provided . . . under the Intelligence Services Act 1994.” The ISC observed that “retaining” these “operations under the broad . . . provisions of the [ISA] fails to achieve transparency in this area and effectively means that such operations remain ‘secret’ and thus not subject to clear safeguards”, the very claim at the heart of our case.
The draft IP Bill also compels CSPs to take any steps, unless “not reasonably practicable”, to assist the hacking activities of law enforcement and intelligence agencies. This assistance could conceivably include forcing CSPs to send false security updates to a customer in order to install malware that state agencies can then use to control the target’s device. It might also include requiring CSPs to host a “watering hole” attack, by installing code on a website they operate that will infect with malware any device that visits that site. Both examples would not only undermine the security of the internet but also degrade our trust in modern forms of telecommunications on which we critically rely. It is worth noting that, due to strict non-disclosure provisions in the IP Bill, the general public is likely never to know what kind of hacking assistance CSPs have provided to the Government.
We will continue to advocate for a more robust regime governing hacking in the IP Bill. At the same time, we will challenge the IPT’s findings that past GCHQ hacking was lawful. As David Anderson QC has put it,
Obscure laws . . . corrode democracy itself, because neither the public to whom they apply, nor even the legislators who debate and amend them, fully understand what they mean. Thus: . . . ISA 1994 ss 5 and 7 . . . are so baldly stated as to tell the citizen little about how they are liable to be used.
We cannot accept the Government’s assertion that its broad hacking powers derived from such an “obscure” and “baldly” stated piece of legislation. Our position seeks to bolster the current discussion surrounding the IP Bill while protecting the future of democratic debate in the UK.
Appendix 2: Big Brother Watch factsheets on IPB