The United Kingdom’s top spy agency is facing legal action following revelations published by The Intercept about its involvement in secret efforts to hack into computers on a massive scale.
Government Communications Headquarters, or GCHQ, has been accused of acting unlawfully by helping to develop National Security Agency surveillance systems capable of covertly breaking into potentially millions of computers and networks across the world.
In a legal complaint filed on Tuesday, the London-based civil liberties group Privacy International alleges that the hacking techniques violated European human rights law and are not subject to sufficient safeguards against abuse. The complaint cites a series of details contained in a report published by The Intercept in March, which exposed how GCHQ was closely involved in the NSA’s efforts to rapidly expand its ability to deploy so-called “implants” to infiltrate computers.
GCHQ and the NSA have developed an array of the sophisticated surveillance implants, according to documents from NSA whistleblower Edward Snowden, with each of the spy tools tailored for a different purpose. Some are used to compromise large-scale internet networks so that the spies can sweep up private data as it is passing through them. Others infect specific computers with malicious software that effectively gives the agencies total control of a target’s machine – enabling them to take covert snapshots using its webcam, record audio using its microphone, log what is being typed on the keyboard, collect data from any removable flash drive that is connected, and snoop its Web browsing history.
Privacy International argues in its 21-page legal complaint that the hacking tactics are more intrusive than more traditional eavesdropping methods, and that, if left unchecked, they could amount to “one of the most intrusive forms of surveillance any government has conducted”:
In allowing GCHQ to extract a huge amount of information (current and historical), much of which an individual may never have chosen to share with anybody, and to turn a user’s own devices against him by coopting them as instruments of video and audio surveillance, it is at least as intrusive as searching a person’s house and installing bugs so as to enable continued monitoring. In fact, it is more intrusive, because of the amount of information now generated and stored by computers and mobile devices nowadays, the speed, ease and surreptitiousness with which surveillance can be conducted, and because it allows the ongoing surveillance to continue wherever the affected person may be.
The case is the latest in a string of actions against GCHQ in the United Kingdom following the Snowden disclosures. But it is the first to focus specifically on the legality of hacking techniques used to infiltrate computers and spy on communications. It has been lodged with the U.K.’s Investigatory Powers Tribunal, a special judicial body that handles complaints about the conduct of spy agencies.
Eric King, head of research at Privacy International, said in a statement on Tuesday that GCHQ’s hacking programs were “done under a cloak of secrecy without any public debate or clear lawful authority,” adding that “unrestrained, unregulated government spying of this kind is the antithesis of the rule of law and government must be held accountable for their actions.”
A GCHQ spokesperson declined to comment on the complaint, saying only that the agency’s work is “carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”