Privacy Group Right to Challenge Bulk Hacking Powers

The privacy rights group and seven ISPs are taking the government to court over its ability to hack the British public en masse. As well undermining 250 years of common law, it rides roughshod over our inalienable human rights and makes us all more exposed to criminal hackers.

Snoopers Charter Court Challenge Privacy International
Phil Muncaster
By Phil Muncaster

The UK government’s response to its increasingly dystopic-looking surveillance laws is to repeat the same old mantra: “We’re here to catch the bad guys, so if you’ve got nothing to hide, you’ve got nothing to worry about.” In reality, it’s far more complicated than this – but they wouldn’t want you to know that, because it might actually mobilize public opposition to the current legal regime.

The good news is that UK-based registered charity and privacy advocate Privacy International (PI) is fighting in the courts on behalf of the British public. You might not know it, but if it loses to the government, we’ll all be more at risk from fraudsters and criminal hackers.

Three years and counting

Like many court cases against Her Majesty’s Government, this one is a long-running saga. It dates back to May 2014, when PI brought a complaint before the Investigatory Powers Tribunal (IPT) – a judicial body which hears cases involving the intelligence services. Following revelations of mass surveillance by UK and US intelligence agencies GCHQ and the NSA from the Edward Snowden leaks, PI argued the UK listening post had no legal authority to hack the British public.

Yes, that’s right. Hacking isn’t just something done by shadowy cybercriminals and foreign spies; the UK authorities are also able to conduct covert online raids against the British public. They do so using malware – sometimes designed in-house – to exploit inherent weaknesses on our connected devices and PCs which are difficult but not impossible to find.

In its decision, the IPT agreed with the government that it could also seek so-called “thematic warrants“: general warrants to hack inside and outside the UK. These can be extremely broad – for example “all mobile phones in London” or “all PCs in Glasgow” – and can be issued without the need for proper judicial authorization.

Now we might think of the judiciary as vaguely ridiculous men and women who sit in oversized gowns and wigs pontificating over the minutiae of laws which no one really understands and which will have little bearing on our lives. Not so. In reality, they provide an essential check and balance on the power of the government and its intelligence services. The judiciary – along with a free press and sovereign parliament – are the difference between the UK and a country like China, where innocent citizens are routinely arrested and held without charge for days, weeks, months and years if the government doesn’t like what they’re doing.

What’s happening now?

After losing its initial case before the IPT, PI filed a judicial review of the decision in the High Court in May 2016. The government again triumphed after the court ruled that it doesn’t have the jurisdiction to review a decision of the semi-secretive Tribunal. Now PI is taking matters to the Court of Appeals where it will once again argue that bulk hacking is illegal – under Articles 8 and 10 of the European Convention on Human Rights which protect the rights to privacy and freedom of speech. The appeals court will also rule whether civil courts should have primacy over the intelligence tribunal, ie whether they can review IPT decisions.

Incidentally, these bulk hacking powers are now part of the Investigatory Powers Act (IPA), or “Snoopers’ Charter”, widely regarded as the most authoritarian piece of legislation enacted by any democratic government in terms of the surveillance powers it grants the British state. Given that its predecessor, known as DRIPA, was ruled illegal in a landmark case last year, it could well face the same fate in time. Rights group Liberty was recently granted the right to legally challenge parts of the IPA.

Why bulk hacking matters

Irrespective of whether seemingly far-away courts in Europe rule bulk hacking illegal or not, we have to ask ourselves why we should care. In truth, the argument “if you’ve got nothing to hide, you’ve got nothing to worry about” is both hugely patronizing and misses the point completely. Our intelligence services do a great job of protecting the country from those that seek to do us harm and undermine our way of life. But they will always call for more powers to make their job even easier. At some point we have to say “enough”, because the powers being granted have overstepped the mark and could actually do more harm than good to society.

Bulk hacking is clearly one such case. Why? Because there’s an alternative. Our secret services have the right to request much more targeted hacking warrants for the devices and computers of individual named suspects, or small groups of suspects. This is proportionate and subject to judicial oversight each time to avoid arbitrary interference and abuse. It has been proven more than once in the past that the authorities frequently misuse our private data. Why give them more opportunities?

In fact, English common law has long rejected general or bulk warrants, according to PI. Over its 250-year history it is clear that a warrant must target an identified individual or individuals – not generalized bulk spying as is enshrined in the IPA. Even if you trust the current government with these powers, can you say with certainty that 10 or 20 years down the line we’ll still be governed by a relatively moderate centrist party with no desire to spy on the general populace? I certainly can’t. So why take that risk by allowing the state to intrude even further into our lives in the name of national security?

A slippery slope

If you still think “so what – I’ve got nothing to hide”, then maybe this will change your mind. By hacking our devices en masse, the government is willfully putting them at risk from follow-on attacks by cybercriminals and even nation state spies. Want an example? The WannaCry ransomware campaign tore around the world back in May, infecting over 250,000 organizations including scores of NHS Trusts which had to cancel vital operations. It was made possible by hacking tools which were stolen from the NSA by suspected Russian operatives.

If GCHQ is allowed to engineer and turn such tools on our devices – and remember, we’ll never know if we’ve been hacked by the state – it could make us vulnerable to all sorts of digital threats. Cybercriminals are smart, agile, and determined. They’ll be quick to capitalise on any mistakes GCHQ might make to exploit our devices and machines en masse. Attacks could steal data for use in identity fraud scams, download malware to drain our bank accounts, spy on our private browsing to blackmail us, and even freeze the device completely until a ransom is paid. All because the UK government wants to make life as easy as possible for GCHQ, at whatever cost to our personal privacy and wellbeing.

Hacking is a global criminal menace of epic proportions that the government should be protecting law-abiding citizens from, not exposing them to.

As Scarlet Kim, Legal Officer at Privacy International, argued last week, the government’s position against PI has been not to defend and debate the merits of bulk hacking, but to argue that UK courts should have no jurisdiction to review the Investigatory Powers Tribunal’s decision. She quite rightly threw the government’s oft-repeated mantra right back at it: “If you have nothing to hide about your hacking, you have nothing to hide from our courts.”

Image credit: Sherwood