GCHQ headquartersPrivacy International, an activist group that fights for privacy rights all over the world, challenged the UK’s “bulk hacking” abroad at the European Human Rights Court. The filing is supported by the following co-claimants: Chaos Computer Club (Germany), GreenNet (UK), Jinbonet (Korea), May First (U.S.) and RiseUp (U.S.).
The UK recently voted to exit the European Union, which means that it will soon be able to ignore the EU Charter of Fundamental Rights and Court of Justice of the European Union (CJEU) rulings on privacy. However, the UK is still part of the 47-member strong Council of Europe, and a signatoree of the European Convention on Human Rights (ECHR) that aims to protect human rights and fundamental freedoms in 47 European countries.
That means the UK can still be challenged over rights violations at the European Court of Human Rights (ECtHR) in France and Strasbourg, and that’s exactly what Privacy International is doing now. The organization argued that the UK’s current “bulk hacking” powers are too broadly defined in the law, which gives intelligence agencies “incredibly intrusive power.”
In 2014, Privacy International first sued GCHQ, UK’s biggest signal intelligence agency, at the Investigatory Powers Tribunal (IPT), arguing that the agency violated Articles 8 and 10 (rights to privacy and free speech) of the European Convention on Human Rights. This year, the IPT refused to rule on whether GCHQ’s broad hacking powers comply with the ECHR, which means the intelligence agency can continue its hacking with no checks on its power.
The activist group also filed a separate “Judicial Review” at the UK’s High Court, challenging a different aspect of the IPT’s ruling. The ruling allows GCHQ to hack the electronic devices of broad classes of people, such as, for instance, “all mobile phones in London.”
“Our Judicial Review asserts that the IPT's decision fundamentally undermines 250 years of English common law, which has long rejected general warrants, and contradicts Article 8 of the ECHR,” said Privacy International in a recent post.
“By permitting the Government to hack large groups of people without judicial authorization and individualized suspicion, general warrants fail to protect against arbitrary interference and abuse,” added the organization.
Privacy International also noted that hacking is not only a technique used by an unauthorized person or entity to gain access to someone’s devices, but also a way to expose their devices to other bad actors. If the UK government installs malware on a device so it can hack it, or disables certain security protections, then other attackers could more easily gain access to the same systems.
Over the course of the lawsuit against GCHQ at the IPT, the activist group managed to get the intelligence agency to admit that it has hacked computers and networks, modified or implanted files on them, and carried out “persistent” operations over extended periods of time.