Intelligence agencies in the UK are preparing to “significantly increase their use of large-scale data hacking,” the Guardian reported on Saturday, in a move that is already alarming privacy advocates.
According to the Guardian, UK intelligence officials plan to increase their use of the “bulk equipment interference (EI) regime”—the process by which the Government Communications Headquarters, the UK’s top signals intelligence and cybersecurity agency, collects bulk data off foreign communications networks—because they say targeted collection is no longer enough. The paper wrote:
A letter from the security minister, Ben Wallace, to the head of the intelligence and security committee, Dominic Grieve, quietly filed in the House of Commons library last week, states: “Following a review of current operational and technical realities, GCHQ have … determined that it will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.”
The paper noted that during the passage of the 2016 Investigatory Powers Act, which expanded hacking powers available to police and intelligence services including bulk data collection for the latter, independent terrorism legislation reviewer Lord David Anderson asserted that bulk powers are “likely to be only sparingly used.” As the Guardian noted, just two years later, UK intelligence officials are claiming this is no longer the case due to growing use of encryption:
… The intelligence services claim that the widespread use of encryption means that targeted hacking exercises are no longer effective and so more large-scale hacks are becoming necessary. Anderson’s review noted that the top 40 online activities relevant to MI5’s intelligence operations are now encrypted.
“The bulk equipment interference power permits the UK intelligence services to hack at scale by allowing a single warrant to cover entire classes of property, persons or conduct,” Scarlet Kim, a legal officer at UK civil liberties group Liberty International, told the paper. “It also gives nearly unfettered powers to the intelligence services to decide who and when to hack.”
Liberty also took issue with the intelligence agencies’ 180 on how often the bulk powers would be used, as well as with policies that only allow the investigatory powers commissioner to gauge the impact of a warrant after the hacking is over and done with.
“The fact that you have the review only after the privacy has been infringed upon demonstrates how worrying this situation is,” Liberty policy and campaigns officer Hannah Couchman told the Guardian. One possibility, she said, is that GCHQ will use their expanded surveillance powers to obtain information overseas that they can then trade for intel on UK citizens.
Liberty was one of the groups that challenged the 2016 law in court, securing a ruling in April 2018 that said the act was incompatible with European Union law because it did not limit access to retained data to investigations of “serious crime” and did not require prior independent review. Per Computer Weekly, changes made to the Investigatory Powers Act made after the ruling included expanding the minimum sentence required to qualify as a serious crime from six to 12 months. Liberty also secured a more recent ruling that gave it a right to judicial review of parts of the act that give government agencies the power to “collect electronic communications and records of internet use, in bulk, without reason for suspicion,” Computer Weekly added.
The European Court of Human Rights also ruled in September 2018 that the UK’s bulk interception techniques did not include proper safeguards against abuse and that its methods of obtaining data from service providers violated the EU law on the right to privacy, the Register reported, though it left intact an intelligence-sharing program with other governments. That ruling only applied to bulk surveillance methods used prior to the passage of the 2016 law. But it also stemmed from leaked U.S. intelligence documents from former National Security Agency contractor Edward Snowden that showed GCHQ was intercepting and storing communications from millions of people, many of whom were not valid intelligence targets.
“Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any Western state, corroding democracy itself and the rights of the British public,” Silkie Carlo of Big Brother Watch told the Register. “… Since the new Investigatory Powers Act arguably poses an ever greater threat to civil liberties, our work is far from over.”
In a statement to the Guardian, a government spokesman wrote:
The evolution of GCHQ’s position with regards to the authorisation of equipment interference operations does not increase investigative activity. Rather, it reflects that due to rapid changes in technology and the communications environment since the Investigatory Powers Act was taken through Parliament, a higher proportion of that activity would be more appropriately authorised under the bulk equipment interference regime, which includes additional controls and safeguards
Equipment interference is subject to the world-leading oversight of the investigatory powers commissioner and any bulk equipment interference warrant must be approved by an independent judicial commissioner before it can be issued.