Investigatory Powers Tribunal faces challenge in appeal court over mass hacking

Appeal court will decide whether UK citizens have the right to challenge controversial decisions made by Britain’s most secret court, the Investigatory Powers Tribunal

Non-governmental organisation Privacy International will challenge the government in court over the legality of GCHQ’s use of mass hacking of mobile phones and computer equipment using broad warrants that do not identify individual people for surveillance.

The Court of Appeal will test the right of the intelligence services to hack the computers and mobile phones of wide categories of people under programs that enable agencies to indiscriminately sweep up vast volumes of private and corporate information.

The legal action, due to be heard tomorrow (5 October 2017), will determine whether the High Court has the power to review or challenge legal decisions made by the UK’s most secret court, the Investigatory Powers Tribunal, a non-departmental body sponsored by the Home Office.

Privacy International aims to challenge the legality of the use of “thematic warrants” by intelligence agencies MI5, MI6 and GCHQ, to hack, for example, the computers of everyone who has travelled to the Middle East, or the entire population of Birmingham, using a single warrant.

The existence of thematic warrants remained secret until June 2015, when intelligence services commissioner Mark Walker revealed their use in a public report that raised concerns about their wide scope and called for greater oversight in their use.

Indiscriminate hacking by intelligence agencies

The non-government organisation (NGO), represented by Dinah Rose and Ben Jaffey, will argue that gaining information from bulk hacking, using powers under Section 5 of the Intelligence Services Act, is highly intrusive for individuals and companies.

Bulk hacking, known by the intelligence services as computer network exploitation (CNE), enables the UK’s intelligence services to gather personal information without the consent of the owner. This can include personal photos, videos, documents and details about a person’s finances or sexual orientation.

“The government can seek a warrant without having any individual suspicion. It could seek a warrant to hack the mobile phones of everyone who travelled to Turkey in the past 30 days. That covers a lot of people who are not under suspicion,” said Scarlet Kim, legal officer at Privacy International.

The Investigatory Powers Tribunal ruled last year that bulk hacking is lawful both under UK law and the European Convention on Human Rights.

No jurisdiction over secret intelligence court

The NGO is pressing for judicial review to overturn the decision, but the government is expected to argue in the Court of Appeal that the UK courts have no jurisdiction to review or question decisions made by the Investigatory Powers Tribunal.

“The Investigatory Powers Tribunal unlawfully sanctioned the UK government’s use of sweeping powers to hack hundreds of thousands of phones with a single warrant,” said Kim.

“Rather than debate the necessity and proportionality of their expansive hacking powers, the government is instead arguing that the UK courts should have no jurisdiction to review the legality of the tribunal’s decisions.”

Growing number of security vulnerabilities

The intelligence agencies are increasingly turning to hacking as more people and organisations use encryption to protect their sensitive files and communications.

Privacy International is expected to argue that the practice is leaving the devices of millions of people with security vulnerabilities that criminal hackers or other nation states could exploit.

It emerged during court hearings, for example, that GCHQ has sought and likely obtained a warrant to rewrite commercial software, such as antivirus software, to insert malware and backdoors.


The release of US National Security Agency (NSA) hacking software on the internet, by a group known as the Shadow Brokers, led to widespread disruption of businesses and UK hospitals and surgeries when hackers incorporated the leaked NSA tools into the WannaCry virus.

“By permitting the government to hack large groups of people without judicial authorisation and individualised suspicion, general warrants fail to protect against arbitrary interference and abuse. They are also, by virtue of their untargeted nature, intrinsically disproportionate,” said the NGO.

The appeal court challenge follows a ruling in November 2016 by two High Court judges that the courts have no power to carry out a judicial review of decisions made by the Investigatory Powers Tribunal.

The High Court found that a clause in the Regulation of Investigatory Powers Act (Ripa) effectively prevented any court from second-guessing a decision made by the Investigatory Powers Tribunal, even if it was wrong in law.

Under Section 67(8) of Ripa, “determinations, awards, orders and other decisions of the tribunal (including decisions as to whether they have jurisdiction) shall not be subject to appeal or be liable to be questioned in any court”.

The NGO argues that the decision undermines 250 years of English common law, which makes it clear that a warrant must target identifiable individuals for search or surveillance, and claims that it fails to comply with Article 8 of the European Convention on Human Rights.

Privacy International raising funds to fight case

Privacy International has been granted a “protective costs order”, but may be required to pay costs of up to £25,000 if it loses in the Court of Appeal. It has launched a fundraising appeal to raise money to continue the legal action.

The case is likely to go to the Supreme Court, and may reach the European Court of Human Rights.

Privacy International’s fight against bulk hacking

May 2014: Privacy International files a legal complaint in the Investigatory Powers Tribunal, challenging computer network interference (hacking) by GCHQ.

July 2014: Seven internet service and communications providers from a range of countries file a second complaint challenging hacking by GCHQ. The case is joined with Privacy International.

December 2015: The Investigatory Powers Tribunal hears the complaints against GCHQ. The NGOs argue that GCHQ had no clear authority under UK law to conduct hacking, and that it was in violation of the Computer Misuse Act 1990 and Articles 8 and 10 of the European Convention on Human Rights, which protect the right to privacy and the right to freedom of expression.

12 February 2016: The Investigatory Powers Tribunal rules that GCHQ bulk hacking is lawful under UK law and the European Convention on Human Rights.

9 May 2016: Privacy International files judicial review in the UK High Court, challenging the Investigatory Powers Tribunal’s decision that the UK government can use “general warrants” or “thematic warrants” to conduct bulk hacking.

2 November 2016: Two judges in the High Court rule that the courts have no jurisdiction to conduct a judicial review of the Investigatory Powers Tribunal’s decisions. One of the judges expresses serious reservations about the decision.

5 October 2017: The Court of Appeal hears an appeal from Privacy International, challenging the exemption of decisions by the Investigatory Powers Tribunal from judicial review.

How GCHQ uses thematic warrants for mass hacking of phones and computer systems

Documents disclosed by Edward Snowden revealed the extent of GCHQ’s capabilities to hack mobile phones and computer networks through bulk thematic warrants. Its activities range from rewriting commercially produced software, such as antivirus products, to incorporate malware and backdoors, to the automated delivery of malware to thousands of computers and bulk monitoring of people’s browsing activities.

In 2013, according to independent reviewer of terrorism David Anderson, about 20% of GCHQ’s intelligence reports contained information derived from hacking, known by the intelligence agencies as computer network exploitation (CNE). The figure is likely to be higher today, as more individuals and organisations are turning to encryption to protect their computer files and communications, forcing intelligence agencies to use more sophisticated means to gather data.

GCHQ’s programs often have fanciful names, such as Nosey Smurf, which allows GCHQ to remotely turn on the microphone of an individual’s smartphone and use it as a bugging device; Dreamy Smurf, which enables GCHQ to turn on a phone that has been switched off; and Tracker Smurf, which provides high-precision tracking of individuals.

An automated system called Turbine allows GCHQ to deliver and control malware in bulk to millions of computer systems at a time, while another program, known as Operation Mullenize, allows the large-scale monitoring of people’s browsing activities.

How GCHQ uses bulk hacking to take over company networks

GCHQ has used its bulk hacking capabilities to infiltrate business networks. In 2011 and 2012, it used technology called QuantumInsert to penetrate the computer networks of Belgium’s largest telecommunications provider, Belgacom.

The agency redirected staff, without their knowledge, to fake websites containing malware, allowing it to gain access not just to the company’s internal communications, but also to telecommunications and data traffic travelling across its network from Europe, the Middle East and North Africa.

GCHQ also gained access to the internal networks of Gemalto, which produces mobile phone SIM cards, including their encryption keys, in a joint operation with the US National Security Agency. The spies were able to steal encryption keys, allowing them to monitor mobile communications overseas, without the need for a warrant or a phone tap.

Source: David Anderson – A Question of Trust, The Intercept.
