Government use of 'general warrants' to authorise computer and phone hacking is unlawful

A court has ruled that the security and intelligence services can no longer rely on ‘general warrants’ to authorise the hacking of large numbers of computers and phones belonging to UK citizens

The security and intelligence services cannot use “general warrants” to indiscriminately hack into large numbers of mobile phones and computers in the UK, judges have decided.

The High Court ruled on 8 January that it was unlawful for GCHQ and MI5 to use the warrants issued under Section 5 of the Intelligence Services Act (ISA) to interfere with electronic equipment and other property.

The decision, described by Privacy International as a major victory for the rule of law, follows a five-year legal battle by the non-governmental organisation (NGO) to challenge the legality of warrants that can be used to hack broad classes of computers and mobile phones.

The judgment means that targets for equipment interference – government language for hacking – will have to be scrutinised by a secretary of state, rather than being left to the discretion of intelligence agencies. Warrants will only be lawful if they are specific enough for the targeted equipment to "be objectively ascertainable". 

General warrants, also known as “thematic warrants”, give the intelligence agencies the capability to hack equipment belonging to thousands of people, such as all of the people in a particular town.

The High Court judges drew on common law principles established more than 250 years ago to declare that “general” hacking warrants violated individuals’ rights not to have their property searched without lawful authority.

Caroline Wilson Palow, legal director at Privacy International, said: “Today’s victory rightly brings 250 years of legal precedent into the modern age. General warrants are no more permissible today than they were in the 18th century. The government has been getting away with using them for too long.”

Equipment interference

The UK’s intelligence services receive warrants from the secretary of state to allow equipment interference, also known as Computer Network Exploitation (CNE), to hack and infect targeted devices with malicious computer software.

GCHQ’s activities range from rewriting commercially produced software, such as antivirus products, to incorporate malware and backdoors, to the automated delivery of malware to thousands of computers.

The court found that CNE can be a critical tool in investigations into threats against the United Kingdom, such as terrorism, serious and organised crime and other national security threats.

CNE is necessary to allow intelligence services to address the “ever increasing use of encryption” when targeting people for interception, the judges found.

Intelligence Services Act

Warrants to interfere with electronic devices in the UK are governed by Section 5 of the Intelligence Services Act (ISA) 1994, which also allows intelligence and security agents to covertly enter and search buildings, as well as interfere with goods and intellectual property rights by, for example, reverse engineering commercial software.

The court found that Section 5 can only be used to issue equipment interference warrants against targets in the UK if the intelligence agencies identify specific acts against specified property or individuals.

Lord Justice Bean and Justice Farbey rejected arguments from the government that the need to safeguard citizens from terrorist attacks justified giving the “widest possible construction” to the Intelligence Services Act.

The court referred to a series of 18th-century legal precedents, including a case where messengers of the king used a search warrant to break into the home and seize letters and property of anyone they felt might be suspicious.

“The real point, as it seems to us, is whether the warrant is on its face sufficiently specific to indicate to individual officers at GCHQ – who, for these purposes, are the successors to the king’s messengers in the 1760s – whose property, or which property, can be interfered with, rather than leaving it to their discretion,” the judges said.

It would be unlawful, for example, to issue a general warrant to hack the mobile phones of anyone in the UK conspiring to commit acts of terrorism, but it would be lawful to hack the phones and computers at a specific premises, or belonging to named individuals, the judges found.

Overseas hacking allowed

Much computer hacking by the state is now authorised under Part 5 of the Investigatory Powers Act 2016, which introduced additional oversight, including a requirement that each warrant is signed off by an independent judicial commissioner.

But the Intelligence Services Act 1994 still remains in force for some types of computer hacking where the aim is to destroy or manipulate the function of electronic systems.

The court refused to make a ruling on whether equipment interference warrants issued before the government published its equipment interference code in 2016 were lawful.

Privacy International had argued that, until this point, almost nothing about Computer Network Exploitation had been acknowledged, making domestic law insufficiently clear to be lawful under Article 8(2) of the European Convention on Human Rights.

“We do not think the court should give a ruling on a complaint relating to a state of affairs which had ceased to exist more than four years before the complaint was made,” the judgment said.

Privacy International’s Palow said that following the ruling, intelligence agencies would need to be specific to obtain equipment interference warrants against UK targets.

“Just saying someone is engaged in a particular activity is not enough. The judgment says the warrant must sufficiently describe who could be targeted,” she said.

“It’s a very important protection, for all of us to have a senior decision maker like a secretary of state to authorise surveillance, otherwise you are delegating decisions to intelligence agents – potentially very junior intelligence agents. It protects us from abuse of those surveillance powers.”

The ruling does not affect the ability of UK intelligence agencies to apply for thematic warrants or general warrants to interfere with mobile phones and computer systems overseas on a large scale, under Section 7 of the Intelligence Services Act 1994.

The government has until the end of January to appeal the decision.

How GCHQ uses equipment interference

A leaked equipment interference warrant, first published in the Intercept, shows that GCHQ applied for a single warrant that would allow it to interfere with commercial software.

The warrant, marked “Top Secret Strap2 UK Eyes Only”, reveals that the electronic intelligence agency has reverse engineered widely used web forum software, including vBulletin and Invision PowerBoard, to identify software vulnerabilities that could be used to attack target users.

In another case, GCHQ modified software used by an internet service provider (ISP) to allow it to modify the ISP’s site and attempted an “implant delivery”.

The agency targeted software from the Russian anti-virus company Kaspersky, and other anti-virus software suppliers, which it said posed a challenge to the agency’s Computer Network Exploitation programmes.

Software reverse engineering (SRE) “is essential to be able to exploit such software and to prevent detection of our activities”, the application said.

In another operation, GCHQ modified Cisco routers on the Pakistan Internet Exchange, allowing it access to any internet user in Pakistan.

GCHQ’s National Technical Assistance Centre (NTAC) reverse engineered commercial encryption software, allowing it to decrypt material used in police investigations.

Other documents revealed by whistleblower Edward Snowden showed, for example, that GCHQ used an automatic system called Turbine to deliver and control malware in bulk to millions of computer systems at a time.

In 2011 and 2012, it used technology called QuantumInsert to penetrate the computer networks of Belgium’s largest telecommunications provider, Belgacom.

The agency redirected staff to fake websites containing malware without their knowledge, allowing it to gain access not just to the company’s internal communications, but to telecommunications and data traffic travelling across its network, from Europe, the Middle East and North Africa (EMEA).

GCHQ gained access to the internal networks of Gemalto, which produces mobile phone SIM cards, including their encryption keys, in a joint operation with the US National Security Agency (NSA). The spies were able to steal encryption keys, allowing them to monitor mobile communications overseas without the need for a warrant or a phone tap.

In 2013, according to independent reviewer of terrorism David Anderson, around 20% of GCHQ’s intelligence reports contained information derived from hacking.

The figure is likely to be higher today, as more individuals and organisations are turning to encryption to protect their computer files and communications, forcing intelligence agencies to use more sophisticated means to gather data.

An estimated 60 British computer networks and data companies have also been deliberately hacked and infected with malicious computer software by hackers from GCHQ’s US partner, the NSA, according to documents provided by former NSA analyst Edward Snowden, this publication has revealed.
