Seven Internet service providers and non-profit groups from various countries have filed a legal complaint against the British spy agency GCHQ. Their issue: that the clandestine organization broke the law by hacking the computers of Internet companies to access their networks.
The complaint, filed with the Investigatory Powers Tribunal, calls for an end to the spy agency’s targeting of system administrators in order to gain access to the networks of service providers and conduct mass surveillance. The legal action was filed in conjunction with Privacy International, and stems from reports last year that GCHQ hacked employees of the Belgian telecom Belgacom in order to access and compromise critical routers in the company’s infrastructure to monitor the communication of smartphone users that passed through the router.
The complaint notes that the employees of Belgacom were not targeted because they posed any national security threat or concern, but were instead subject to intrusive surveillance only “because they held positions as administrators of Belgacom’s networks.”
GCHQ, working in conjunction with the NSA, also reportedly targeted internet exchange points operated by three German companies—Stellar, Cetel and IABG—for a similar purpose, violating international laws, the complainants say.
“These widespread attacks on providers and collectives undermine the trust we all place on the internet and greatly endangers the world’s most powerful tool for democracy and free expression,” said Eric King, deputy director of Privacy International, in a statement. “It completely cripples our confidence in the internet economy and threatens the rights of all those who use it.”
The seven complainants include Riseup and May First/People Link in the U.S.; GeenNet in the UK; Greenhost in the Netherlands; Jinbonet in South Korea; Mango Email Service in Zimbabwe and the Chaos Computer Club, a nonprofit, in Germany.
Although none of the complainants know if their workers or systems were directly targeted by the spy agencies, they say they have standing to file because they and their users are all at threat of being targeted by the surveillance.
The group accuses GCHQ and the secretary of state for foreign and commonwealth affairs of violating several laws, including the Computer Misuse Act 1990 and the European Convention on Human Rights.
The first violation stems from the fact that in hacking the network assets and computers of the service providers, the attackers alter these systems without the consent of their owners—potentially introducing vulnerabilities in the infrastructure that other parties may exploit—which, the group argues, is unlawful under the Computer Misuse Act 1990 without specific authorization.
The attacks on company computers and the surveillance of employees to conduct the attacks may also violate several articles of the European Convention on Human Rights, including Article 8, which states that everyone has the right “to respect for his private and family life, his home and his correspondence” and Article 10, which governs the right to free expression. The groups say the latter is threatened when GCHQ conducts mass surveillance that affects every user of an ISP.
The complainants argue that they don’t have to show that they specifically were the target of the attacks and surveillance since the European Court of Human Rights has determined in the past that “the mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied.” Similarly, the mass surveillance “strikes at freedom of communication between users of the telecommunications services and thereby amounts in itself to an interference with the exercise of the applicants’ rights under art.8, irrespective of any measures actually taken against them.”
It’s unclear whether the complaint will have any effect. But GCHQ appears to have been concerned at various points about legal justifications for some of its hacking activity under British law.
An official, quoted in one of the NSA documents leaked by Edward Snowden last year referencing a hacking technique used against Belgacom, noted that “continued GCHQ involvement” in the activity “may be in jeopardy due to British legal/policy restrictions.”
In another document, a GCHQ representative discussing a software implant that conducts a so-called man-in-the-middle attack to decrypt communications, remarks that its use might be illegal.
“The UK Computer Misuse Act 1990 provides legislative protection against unauthorised access to and modification of computer material,” the representative wrote. “The act makes specific provisions for law enforcement agencies to access computer material under powers of inspection, search or seizure. However, the act makes no such provision for modification of computer material. A Man-in-the-Middle attack causes modification to computer data and will impact the reliability of the data” and therefore may not be allowed “within the current legal constraints.”
No comments:
Post a Comment