Privacy International: Government Mass Hacking Is Modern Equivalent Of 'Stop And Search'

A double sided print of Article 8 of the Universal Declaration of Human Rights

According to Privacy International, a three-decade old UK-based nonprofit that promotes the right to privacy across the world, the UK government has given itself the power to issue “general warrants” that allow it to hack into the devices of thousands of people at once, even if most are not suspected of a crime. The organization launched a crowdfunding campaign on Crowdjustice, a crowdfunding platform for legal action, to raise money for its fight against the UK government for the human right to privacy.

Privacy International along with several ISPs launched a legal challenge against GCHQ in 2014, after evidence from Snowden’s documents showed that the intelligence agency was abusing its powers to do mass surveillance against UK citizens.

It was then revealed that GCHQ was also hacking into the devices and computers of thousands of UK citizens without first obtaining individual warrants for each victim. To justify the mass hacking, the agency was requesting “thematic warrants,” which would in theory allow it to spy or hack a category of users such as a company, a network, or any association or combination of persons.

However, Privacy International believes such warrants are unlawful, because they're too broad, and UK law doesn’t allow for a “class of authorization.” It should also be noted that in the UK, such a “warrant,” even one that isn’t as broad, is more of a misnomer. In practice, these intelligence warrants are more like signed orders given by the government’s Home Secretary, rather than being approved by the judiciary, as warrants usually are in most democracies.

The Court of Justice of the European Union has also recently ruled, in a case involving the UK’s previous surveillance law, that mass surveillance and hacking are not lawful under EU’s Charter of Fundamental Rights. However, the UK government may stall these legal challenges long enough for UK to exit the EU; then, it wouldn't have to abide by the Charter anymore.

That was a goal of David Cameron, the UK’s former prime minister. Under his leadership, UK also drafted the “Snooper’s Charter” legislation, which ended up legalizing many of the intelligence agencies’ mass surveillance operations. The law passed virtually unchanged despite much criticism from the Parliament’s intelligence committees.

Making Innocent People Less Secure

Going beyond the legality of such broad requests, Privacy International has argued that mass hacking makes innocent people less secure. This also puts into question the UK government’s argument that it’s doing the mass hacking for public safety reasons.

The nonprofit argues that mass hacking depends on allowing vulnerabilities in people’s computers to continue to exist, so that the hacking could be done in the first place. This is a dangerous play by surveillance agencies that seem to be prioritizing the ability to hack devices over the security of their country’s citizens against cyber attacks.

The two goals are in direct conflict with each other. We’ve already seen the dangers of allowing vulnerabilities to remain in computers for the purpose of making hacking easier for the intelligence agencies in the United States.

According to Microsoft, the NSA was the primary party responsible for the global WannaCry ransomware attack, because it kept those vulnerabilities for itself instead of warning Microsoft and the public about them. Not only that, but through its carelessness, the NSA allowed its mass hacking tools to leak as well, which provided malware makers a “turnkey” solution to hack into thousands of computers and organizations around the world.

We’ve also seen how past decisions by the U.S. government to mandate weak encryption in browsers have kept haunting security professionals to this day, as those weak protocols are what have allowed other attacks to happen against websites.

The decisions by some governments to mandate weak encryption or to keep citizens’ devices vulnerable to hacking are directly responsible for malicious actors launching cyber attacks later on, and they are in direct contrast to these governments’ supposed public safety objective.

Crowdfunded Fight For Right To Privacy And Digital Security

Privacy International believes that mass hacking shouldn’t be possible unless each and every one of the victims of such a hack are suspected of a crime. This is why the nonprofit has been fighting the UK government in court over this issue for the past three years. However, the fight has generated significant costs, and if the nonprofit loses, it would also have to pay up to £25,000 for the government’s legal costs. In the UK, as in most of Europe, the losing side often has to pay the costs of the the winning side.

This amount may be nothing to what a legal challenge may cost in the U.S., for instance, but the nonprofit admitted that it’s still a significant sum of money for an organization with limited resources. This is why it’s now asking the public for help via a crowdfunding campaign. All donations will be matched by an anonymous supporter who promised to pay up to £12,000 of their own money.

Those who pledge over £50 will receive the double-sided "Universal Declaration of Human Rights" print, where on one side the text is written in Morse code. Those who donate £100 or more will receive both the print and a large "Fingerprint" poster, where the fingerprint is made up of hundreds of tiny bugs.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.