The security and intelligence services cannot use “general warrants” to indiscriminately hack into large numbers of mobile phones and computers in the UK, judges have decided.
The High Court ruled on 8 January that it was unlawful for GCHQ and MI5 to use the warrants issued under Section 5 of the Intelligence Services Act (ISA) to interfere with electronic equipment and other property.
The decision, described by Privacy International as a major victory for the rule of law, follows a five-year legal battle by the non-governmental organisation (NGO) to challenge the legality of warrants that can be used to hack a broad classes of computers and mobile phones.
The judgment means that targets for equipment interference – government language for hacking – will have to be scrutinised by a secretary of state, rather than being left to the discretion of intelligence agencies. Warrants will only be lawful if they are specific enough for the targeted equipment to "be objectively ascertainable".
General warrants, also known as “thematic warrants”, give the intelligence agencies the capability to hack equipment belonging to thousands of people, such as all of the people in a particular town.
The High Court judges drew on common law principles established more than 250 years ago to declare that “general” hacking warrants violated individual’s rights not to have their property searched without lawful authority.
Caroline Wilson Pallow, legal director at Privacy International, said: “Today’s victory rightly brings 250 years of legal precedent into the modern age. General warrants are no more permissible today than they were in the 18th century. The government has been getting away with using them for too long.”
The UK’s intelligence services receive warrants from the secretary of state to allow equipment interference, also known as Computer Network Exploitation (CNE), to hack and infect targeted devices with malicious computer software.
GCHQ’s activities range from rewriting commercially produced software, such as antivirus products, to incorporating malware and backdoors to the automated delivery of malware to thousands of computers.
The court found that CNE can be a critical tool in investigations into threats against the United Kingdom, such as terrorism, serious and organised crime and other national security threats.
CNE is necessary to allow intelligence services to address the “ever increasing use of encryption” when targeting people for interception the judges found.
Intelligence Services Act
Warrants to interfere with electronic devices in the UK are governed by Section 5 of the Intelligence Services Act (ISA) 1994, which also allows intelligence and security agents to covertly enter and search buildings, as well as interfere with goods and intellectual property rights by, for example, reverse engineering commercial software.
The court found that Section 5 can only be used to issue equipment interference warrants against targets in the UK if the intelligence agencies identify specific acts against specified property or individuals.
Section 5 of the Intelligence Services Act 1994 allows:
- The covert entry and search of premises or goods.
- Interference with goods.
- Interference with intellectual property rights.
- Computer hacking with the aim of destroying or manipulating the function of electronic systems.
Lord justice Bean and justice Farbey rejected arguments from the government that the need to safeguard citizens from terrorist attacks justified giving the “widest possible construction” to the Intelligence Services Act.
The court referred to series of 18th century legal precedents including a case where messengers of the king used a search warrant to break into the home and seize letters and property of anyone they felt might be suspicious.
“The real point, as it seems to us, is whether the warrant is on its face sufficiently specific to indicate to individual officers at GCHQ – who, for these purposes, are the successors to the king’s messengers in the 1760s – whose property, or which property, can be interfered with, rather than leaving it to their discretion,” the judges said.
It would be unlawful, for example, to issue a general warrant to hack the mobile phones of anyone in the UK conspiring to commit acts of terrorism, but it would be lawful to hack the phones and computers at a specific premises, or belonging to named individuals, the judges found.
What equipment inference is allowed in the UK under Section 5 of the ISA
- A warrant to hack the mobile phone of any person conspiring to commit acts of terrorism, or any other activity.
- A warrant to hack one or more mobile phones, computers or other equipment with listed serial numbers.
- A warrant to hack the phones or computers used by one or more named individuals.
- A warrant to hack the phones or electronic equipment located or being used at specific premises.
- A warrant to hack the phone of, for example, a blond-haired man, name unknown, seen leaving One Acacia Avenue on 1 December 2015.
- A warrant to hack any device used at, for example, the Acacia Avenue Internet Café during the period of six months from the date of issue of the warrant.
- Hacking anyone who appears on the diplomatic list of a specified country for a period of six months.
Lawful if conditions are met:
- A warrant to interfere with the property of anyone suspected of being a member of an organisation would only be allowed if a person’s membership of the organisation was “objectively ascertainable”.
- A warrant to interfere or hack mobile phones across a wide geographical area such as a town or city is in principal lawful under Section 5 of the Intelligence Services Act 1994. But whether it can necessary and proportionate “is another question”.
Overseas hacking allowed
Much computer hacking by the state is now authorised under part 5 of the Investigatory Powers Act 2016, which introduced additional oversights, including a requirement that each warrant is signed off by an independent judicial commissioner.
But the Intelligence Services Act 1994 still remains in force for some types of computer hacking where the aim is to destroy or manipulate the function of electronic systems.
The court refused to make a ruling on whether equipment interference warrants issued before the government published its equipment interference code in 2016 were lawful.
Privacy International had argued that, until this point, almost nothing about Computer Network Exploitation had been acknowledged, making domestic law insufficiently clear to be lawful under Article 8 (2) of the European Convention of Human Rights.
“We do not think the court should give a ruling on a complaint relating to a state of affairs which had ceased to exist more than four years before the complaint was made,” the judgment said.
Privacy International’s Pallow said that following the ruling, intelligence agencies would need to be specific to obtain equipment interference warrants against UK targets.
“Just saying someone is engaged in a particular activity is not enough. The judgment says the warrant must sufficiently describe who could be targeted,” she said.
“It’s a very important protection, for all of us to have a senior decision maker like a secretary of state to authorise surveillance, otherwise you are delegating decisions to intelligence agents – potentially very junior intelligence agents. It protects us from abuse of those surveillance powers.”
The ruling does not affect the ability of UK intelligence agencies to apply for thematic warrants or general warrants to interfere with mobile phones and computer systems overseas on a large scale, under Section 7 of the Intelligence Services Act 1994.
The government has until the end of January to appeal the decision.
How GCHQ uses equipment interference
A leaked equipment interference warrant, first published in the Intercept, shows that GCHQ applied for a single warrant that would allow it to interfere with commercial software.
The warrant, marked “Top Secret Strap2 UK Eyes Only”, reveals that the electronic intelligence agency has reverse engineered widely used web forum software, including vBulletin and Invision PowerBoard, to identify software vulnerabilities that could be used to attack target users.
In another case, GCHQ modified software used by an internet service provider (ISP) to allow it to modify the ISP’s site and attempted an “implant delivery”.
The agency targeted software from the Russian anti-virus company Kaspersky, and other anti-virus software suppliers, which it said posed a challenge to the agency’s Computer Network Exploitation programmes.
Software reverse engineering (SRE) “is essential to be able to exploit such software and to prevent detection of our activities”, the application said.
In another operation, GCHQ modified Cisco routers on the Pakistan Internet Exchange, allowing it access to any internet user in Pakistan.
GCHQ’s National Technical Assistance Centre (NTAC) reverse engineered commercial encryption software, allowing it to decrypt material used in police investigations.
Other documents revealed by whistleblower Edward Snowden showed, for example, that GCQH used an automatic system called Turbine to deliver and control malware in bulk to millions of computer systems at a time.
The agency redirected staff to fake websites containing malware without their knowledge, allowing it to gain access not just to the company’s internal communications, but to telecommunications and data traffic travelling across its network, from Europe, the Middle East and North Africa (EMEA).
GCHQ gained access to the internal networks of Gemalto, which produces mobile phone SIM cards, including their encryption keys, in a joint operation with the US National Security Agency (NSA). The spies were able to steal encryption keys, allowing them to monitor mobile communications overseas without the need for a warrant or a phone tap.
In 2013, according to independent reviewer of terrorism David Anderson, around 20% of GCHQ’s intelligence reports contained information derived from hacking.
The figure is likely to be higher today, as more individuals and organisations are turning to encryption to protect their computer files and communications, forcing intelligence agencies to use more sophisticated means to gather data.
An estimated 60 British computer networks and data companies have also been deliberately hacked and infected with malicious computer software by hackers from GCHQ’s US partner, the NSA, according to documents provided by former NSA analyst Edward Snowden, this publication has revealed.
Privacy International’s five-year court battle over thematic warrants
1989: The government for the first time publicly acknowledges the existence of the MI5 in the Security Services Act 1989.
1994: The government publicly acknowledges the existence of the Secret Intelligence Service, MI6, and GCHQ in the Intelligence Services Act 1994.
2008: GCHQ applies to renew a warrant under Section 5 of the Intelligence Services Act to permit interference with computer software.
2014: Disclosures by Edward Snowden reveal that the UK security and intelligence services use hacking techniques in bulk to gain access to “potentially millions of devices”, including computers and mobile phones.
Leaked documents refer to GCHQ implanting software, for example, to enable it to switch on a smartphone and listen to conversations without the user’s knowledge.
July 2014: Privacy International begins legal proceedings in the Investigatory Powers Tribunal challenging the legality of thematic warrants used by the intelligence services for the remote hacking of mobile phones and computers, known as Computer Network Exploitation (CNE).
25 June 2015: Mark Waller, the Investigatory Powers Commissioner, raised concerns over the lawfulness of thematic warrants, which allow intelligence services to interfere with broad classes of equipment. He said in a report to Parliament that the thematic warrants were arguably too broad to comply with the law.
February 2015: The government “publicly avows” that intelligence services are using Section 5 of Intelligence Services Act (ISA) to authorise computer hacking. At the same time, it publishes a draft version of an Equipment Interference Code.
January 2016: The government publishes a final version of the Equipment Interference Code to govern the use of equipment interference by the intelligence services.
12 Feb 2016: Britain’s most secret court, the Investigatory Powers Tribunal (IPT), hands down a judgment that the intelligence services could lawfully hack into mobile phones and computers belonging to UK citizens using general thematic warrants. It found the practice was authorised by Section 5 of the Intelligence Services Act 1994.
9 May 2016: Privacy International applies for a judicial review of the IPT’s decision. The government argued that under the Regulation of Investigatory Powers Act 2000, the High Court did not have jurisdiction to quash a decision by the IPT on a matter of law.
2 November 2016: The Court of Appeal rules in favour of the government that the courts had no jurisdiction for a judicial review on decisions of the IPT.
29 November 2016: The Investigatory Powers Act 2016 comes into force. It introduces clear legal powers for the secretary of state to issue “targeted equipment warrants” and “bulk equipment interference warrants”. It adds safeguards missing from Section 5 of the Intelligence Security Act, including a requirement for the warrant to be authorised by an independent judicial commissioner.
Section 5 of the Intelligence Services Act 1994 remains in force for computer hacking “where the aim is not to acquire data, but to destroy or otherwise manipulate the functioning of electronic systems”, interference with intellectual property rights, such as reverse engineering of commercial software, interference with goods, and covert entry and searches.
December 2017: Privacy International is granted permission to appeal to the Supreme Court. It argues that it has a right to bring a judicial review against the IPT.
15 May 2019: The Supreme Court ruled that decisions by Investigatory Powers Tribunal could be challenged in a judicial review.
8 January 2021: The High Court rules that the intelligence services can no longer rely on general warrants to allow interfere with mobile phones, computers and other property. The decision means that intelligence services do not have the right to hack thousands or potentially millions of devices based on a single warrant.