The UK's digital spy agency, GCHQ, has admitted for the first time in court that it hacks computers, smartphones, and networks in the UK and abroad. GCHQ's use of hacking — known in official parlance as computer network exploitation or CNE — has been an open secret since the Snowden revelations in 2013, but a legal case brought by Privacy International and seven ISPs has confirmed the agency's methods. The case was initiated in May last year and alleges that GCHQ's use of hacking lacks oversight and breaks both domestic laws and the human rights act.
Persistent hacking means leaving bugs on devices
In evidence published this week, GCHQ says it undertakes "persistent" hacking, leaving monitoring software on targeted devices. Ben Jaffey, the lawyer for Privacy International and the ISPs, told the court that this gathers up far more information than traditional surveillance. Hacking a smartphone, he said, was "equal to carrying a bug everywhere I go," reports the Financial Times. "If CNE were carried out on my mobile you would get all the meetings I attend by turning on the microphone and access to all my chamber’s files, bank details, my passwords, all my personal material and all my photos," said Jaffey.
GCHQ also admitted that it does not need to seek individual warrants before hacking a target device. Instead, the agency primarily relies on "thematic" or "class" warrants, which give permission to intercept communications from "a defined group or network." According to a report from The Guardian, Jaffey stated that this definition is interpreted as broadly as possible, letting, for example, the agency target "all mobile phones" in a given city. Evidence submitted to the court noted that extra permissions are needed for targets which involve "political risk."
"The modern equivalent of breaking in to a residence and leaving the locks broken."
Experts also testified that GCHQ's hacking could be dangerous to the public. Ross Anderson, a professor of security engineering at Cambridge University, said it was his belief, that as computers are embedded in everything from medical devices to cars, "it's only a matter of time before CNE causes fatal accidents." International Privacy's own statement of grounds notes that GCHQ's use of malware to compromise devices could leave them "more vulnerable to attack by third parties." This, the charity said, is "the modern equivalent of breaking in to a residence, and leaving the locks broken or damaged afterwards."
GCHQ says encryption has made hacking more important
GCHQ has denied that its activities are unlawful, and claims that information it has gathered has stopped six alleged terrorist plots in 2015 alone. Giving evidence at the tribunal, GCHQ director general Ciaran Martin said the "advent of ubiquitous encryption" had made targeted hacking even more important for the spy agency. "Indeed CNE may in some cases by the only way to acquire intelligence coverage of a terror suspect or serious criminal in a foreign country." Martin also added that GCHQ's activities help protect consumers, and that "in the last two years, [the spy agency] has disclosed vulnerabilities in every major mobile and desktop platform."
In a press statement, Privacy International's general counsel said: "The light touch authorization and oversight regime that GCHQ has been enjoying should never have been permitted. Perhaps it wouldn't have been if Parliament had been notified in the first place that GCHQ was hacking. We hope the tribunal will stand up for our rights and reign in GCHQ's unlawful spying." The case is ongoing.