Privacy group Privacy International has launched a legal challenge with the Investigatory Powers Tribunal over GCHQ’s extensive malware and hacking operations.
The programme came to light as a result of the leak of US National Security Agency information by whistleblower Edward Snowden.
In a 22-page submission, Privacy International claims that GCHQ’s activities breach Articles eight and 10 of the European Convention on Human Rights (PDF). It also requests “the destruction of any unlawfully obtained material” and “an injunction restraining further unlawful conduct”.
“GCHQ has not identified any legal basis for the alleged conduct which, if performed by a private individual, would involve the commission of criminal offences,” claims the submission.
Privacy International accuses GCHQ of infecting PCs and mobile devices “on a widespread scale” in order to gain access to the devices and the data stored on them, even activating functions such as cameras and microphones, without the users’ consent.
The Privacy International submission lists a number of different forms of malware that have been commissioned and used by GCHQ. These include:
Warrior Pride, developed specifically for infecting mobile phones;
Captive Audience, which enables GCHQ to take over a target’s computer microphone and record conversations;
Gumfish, which can covertly take over a PC webcam and take photographs;
Foggybottom, which logs internet browsing histories. It also has a keystroke logger to record login details and passwords;
Grok, another keystroke logger;
Salvagerabbit, which exfiltrates data from removable flash drives connected to an infected PC;
Turbine, which helps GCHQ manage its network of compromised computers;
Computer Network Exploitation and Computer Network Attack, which can implant malware on millions of PCs at a time.
GCHQ has been especially keen to compromise the security of Apple iPhone and BlackBerry smartphones because of the wealth of information they typically hold.
GCHQ can now obtain “any content from [a] phone, e.g. SMS, MMS, emails, web history, call records, videos, photos, address book, notes, calendar”, claims Privacy International.
However, the legal foundation for such wide-ranging hacking, which would be illegal if perpetrated by an individual, and suggests that GCHQ now operates above the law, is shaky, it argues.
“The hacking programmes being undertaken by GCHQ are the modern equivalent of the government entering your house, rummaging through your filing cabinets, diaries, journals and correspondence, before planting bugs in every room you enter,” said Privacy International deputy director Eric King.
“Intelligence agencies can do all this without you even knowing about it, and can invade the privacy of anyone around the world with a few clicks.
“All of this is being done under a cloak of secrecy without any public debate or clear lawful authority. Arbitrary powers such as these are the purview of dictatorships, not democracies.
“Unrestrained, unregulated government spying of this kind is the antithesis of the rule of law and government must be held accountable for their actions.”
Public debate and reporting in the press about GCHQ’s internet surveillance activities have reportedly been muted by the issuance of ‘D-Notices’ forbidding media groups from reporting certain aspects of the disclosure from Edward Snowden, although they have been reported freely in the US and German media.