New court documents made public today have revealed the UK's troublingly broad legal justification for state-sponsored hacking, including targeting individuals who are not under any suspicion of committing a crime.
The documents come as part of a case lead by British watchdog Privacy International, which has been pushing two separate court cases before the Investigatory Powers Tribunal, attempting to gain more details about the state hacking described in the Snowden documents. These admissions are the most tangible explanation yet of the legal framework behind the British surveillance described by Snowden. "Without any legitimate legal justification, they think they have the authority to target anyone they wish, no matter if they are suspected of a crime," said Privacy International's Eric King. "This suspicionless hacking must come to an end and the activities of our intelligence agencies must be brought under the rule of law."
"This suspicionless hacking must come to an end."
The noteworthy phrase comes at paragraph 77, when the GCHQ details a procedural point for "conduct[ing] equipment interference activity specifically against individuals who are not intelligence targets in their own right." The passage indicates the agency has no qualms about collateral hacks like the recently revealed attack on the SIM card manufacturer Gemalto, which surveilled civilian infrastructure as a means to gain broader access, rather than because of any specific suspicions. Even where warrants do apply, the requirements for obtaining one are often laughably meager. Later paragraphs state that the identity of the target is only necessary when its known by the agents, and the details of the offense committed are only necessary "where relevant."
The result is a legal carte blanche for intelligence gathering activities, one that already has much of the tech world up in arms. "Hacking of network infrastructure and people's phones and devices for claimed national security reasons is actually undermining the IT security on a structural level," said Jan Girlich, a spokesperson for Germany's Chaos Computer Club. "It leaves our infrastructure vulnerable."