The British government quietly changed anti-hacking laws to exempt GCHQ and other law enforcement agencies from criminal prosecution, it has been claimed.
Details of the change were revealed at the Investigatory Powers Tribunal which is hearing a challenge to the legality of computer hacking by UK law enforcement and intelligence agencies.
The Government amended the Computer Misuse Act (CMA) two months ago. It used a little-noticed addition to the Serious Crime Bill going through parliament to provide protection for the intelligence services. The change was introduced just weeks after the Government faced a legal challenge that GCHQ’s computer hacking to gather intelligence was unlawful under the CMA.
The challenge, by the charity Privacy International and seven internet service providers, claims GCHQ’s actions were unlawful and called for the techniques to be stopped.
It followed revelations by Edward Snowden, the US intelligence whistle-blower, that US and UK agencies were carrying out mass surveillance operations of internet traffic. He claimed that GCHQ and its US counterpart – the National Security Agency – had the ability to infect potentially millions of computer and mobile handsets with malware which enabled them to gather up immense amounts of digital content, switch on microphones or cameras on user’s computers, listen to phone calls and track their locations.
Eric King, the deputy director of Privacy International, said: “The underhand and undemocratic manner in which the Government is seeking to make lawful GCHQ’s hacking operations is disgraceful.
“Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate. Instead, the Government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar.”
Government sources insisted the amendment did not change the law as the intelligence agencies had powers under the Intelligence Services Act. Parliamentary guidance notes explaining the amendment described its purpose was to “remove any ambiguity over the interaction between the lawful exercise of powers … and the offence provisions.”
Privacy International insisted that the notes accompanying the changes to the Serious Crime Bill did not explain its full impact, and that no regulators, commissioners, industry or members of the public were consulted before it came into law. The legislation came into effect on 3 May.
The charity said it wasn’t the first time the Government has changed the law. In February, a code of practice for GCHQ which gives “spy agencies sweeping powers to hack targets, including those who are not a threat to national security nor suspected of any crime”, was released, a charity spokesman claimed.
The Home Office rejected the activists' claims. A spokesperson said: "There have been no changes made to the Computer Misuse Act 1990 by the Serious Crime Act 2015 that increase or expand the ability of the intelligence agencies to carry out lawful cyber crime investigation.
“It would be inappropriate to comment further while proceedings are ongoing.”
Privacy International launched its challenge asserting the use of malware was illegal in England and Wales under the 1990 CMA. It claimed that protection provided by warrants signed by a secretary of state under the Intelligence Services Act conflicted with individuals’ right to privacy under the European Convention on Human Rights.
The full hearing is expected later this year.