Computer, smartphone and network hacking by UK intelligence agency GCHQ is legal, a security tribunal has said.
The Investigatory Powers Tribunal ruled on Friday that computer network exploitation (CNE) – which can include remotely activating microphones and cameras on electronic devices such as iPhones without the owner’s knowledge – is legal.
The case, which was heard in 2015, was the first time that GCHQ admitted to carrying out hacking in the UK and overseas. Previously, their policy had been to "neither confirm nor deny". The IPT, which deals with complaints about surveillance and the intelligence services, found in favour of the Cheltenham-based monitoring agency and the Foreign Office.
The ruling comes after Campaigners Privacy International’s legal challenge claiming GCHQ's hacking operations are too intrusive and break European law. Whistleblower Edward Snowden described the spying agency as “worse than the US”.
The case cannot be appealed to any higher UK court, but it could be taken to Europe.
During proceedings, GCHQ admitted that it carries out CNE outside the UK, and that in 2013 about a fifth of its intelligence reports contained information derived from hacking.
The Home Office has now published a code of practice for hacking, or "equipment interference" as it is also known, and aims to put it on a firmer legal footing in its Investigatory Powers Bill, which is due to become law later this year.
The IPT judgment said: “The use of CNE by GCHQ, now avowed, has obviously raised a number of serious questions, which we have done our best to resolve.
“Plainly, it again emphasises the requirement for a balance to be drawn between the urgent need of the intelligence agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression.
“We are satisfied that with the new [equipment interference code] and whatever the outcome of parliamentary consideration of the investigatory powers bill, a proper balance is being struck in regard to the matters we have been asked to consider.”
According to the judgment, the legal structure under which warrants are issued for GCHQ to carry out equipment interference in the UK is compatible with the European convention on human rights.
Philip Hammond, the foreign secretary, who welcomed the ruling, said: "The ability to exploit computer networks plays a crucial part in our ability to protect the British public.”
“A proper balance is being struck between the need to keep Britain safe and the protection of individuals’ privacy.”
Scarlet Kim, a legal officer at Privacy International, said: “We are disappointed by the IPT’s judgment, which has found government hacking lawful based on a broad interpretation of a law dating back to 1994, when the internet and mobile phone technology were in their infancy.
“Until we brought this case, GCHQ would neither confirm nor deny that they were engaging in mass hacking of computers, mobile devices and entire computer networks.
“During the course of the proceedings, the government sought to create law ‘on the hoof’, changing anti-hacking laws [the 1990 Computer Misuse Act] through an addition to the 2015 Serious Crime Act and producing a code of practice for hacking. Hacking is one of the most intrusive surveillance capabilities available to intelligence agencies.
“The IPT has decided that GCHQ can use ‘thematic warrants’, which means GCHQ can hack an entire class of property or persons, such as ‘all phones in Birmingham’.
“In doing so, it has upended a longstanding English common law principle that such general warrants are unlawful. Allowing governments to hack places the security and stability of the internet and the information we exchange on it at stake.”Reuse content