The British government has for the first time offered an official definition of computer hacking by the security services. In a Home Office “draft equipment interference code of practice” released on Friday, the government defines it as:
Any interference (whether remotely or otherwise) by the intelligence services, or persons acting on their behalf or in their support, with equipment producing electromagnetic, acoustic and other emissions, or information derived from or related to such equipment, which is to be authorised under section 5 of the 1994 [Intelligence Services] Act, in order to do any or all of the following:
a) obtain information from the equipment in pursuit of intelligence requirements;
b) obtain information concerning the ownership, nature and use of the equipment with a view to meeting intelligence requirements;
c) locate and examine, remove, modify or substitute equipment hardware or software which is capable of yielding information of the type described in a) and b);
d) enable and facilitate surveillance activity by means of the equipment.
‘Information’ may include communications content, and communications data as defined in section 21 of the 2000 [Regulation of Investigatory Powers] Act.
Britain’s security services have acknowledged they have the worldwide capability to bypass the growing use of encryption by internet companies by attacking the computers themselves.
The Home Office release of the innocuously sounding “draft equipment interference code of practice” on Friday put into the public domain the rules and safeguards surrounding the use of computer hacking outside the UK by the security services for the first time.
The publication of the draft code follows David Cameron’s speech last month in which he pledged to break into encryption and ensure there was no “safe space” for terrorists or serious criminals which could not be monitored online by the security services with a ministerial warrant, effectively spelling out how it might be done.
Privacy campaigners said the powers outlined in the draft guidance detail the powers of intelligence services to sweep up content of a computer or smartphone, listen to their phonecalls, track their locations or even switch on the microphones or cameras on mobile phones. The last would allow them to record conversations near the phone or laptop and snap pictures of anyone nearby.
The code spells this out by saying the new rules give the security services the power to use hacked computers to “enable and facilitate surveillance activity”.
Eric King of Privacy International, said: “They hack their way, remove and substitute your hardware and software and enable intelligence collection by turning on your webcams and mice and shipping the data back to GCHQ at Cheltenham.”
The security minister, James Brokenshire, said the draft code, which is subject to a six-week consultation ending on 20 March, details the safeguards applied to different surveillance techniques, including “computer network exploitation” to identify, track and disrupt the most sophisticated targets.
It enables intelligence services to penetrate and collect any sensitive or confidential data which is typically kept hidden and protected from the public. It may also be used to bypass the end-to-end encryption increasingly used by the US internet companies to protect their customers’ communications in the aftermath of the Snowden disclosures of bulk internet surveillance. End-to-end encryption secures messages by ensuring that only the recipient of a message can decode it: not any of the supplying companies computers’ in between.
The publication for the first time of the legal codes of practice under the Regulation of Investigatory Powers Act 2000 surrounding “equipment interference” was timed to coincide with the landmark ruling that GCHQ had been operating a bulk intelligence sharing operation with the Americans within an unlawful framework for the past seven years.
That ruling by the investigatory powers tribunal required the internal GCHQ rules and safeguards to be made public surrounding their receipt of the bulk collection of British citizens’ personal data by the American National Security Agency.
Privacy campaigners say the powers outlined in the draft code were more intrusive than intercepting the content of phone calls or emails or scooping up communications data, because they included sweeping up files and material on the computer that had never been shared with anybody else.
The powers in the draft code at 7.11 also appear to give the security services wide-ranging powers to “self-authorize” or give “internal approval” for particular operations once they have the authorization of a secretary of state for a “broad class of operations”. This would mean that, unlike an operation to put a bug in a particular house, they would not necessarily need a specific warrant to do the same thing by hacking a computer.
A 2008 GCHQ memo from the Snowden cache, addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”, requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements.
The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.
The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.
GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.
Security experts regularly say that keeping software up to date and being aware of vulnerabilities is vital for businesses to protect themselves and their customers from being hacked. Failing to fix vulnerabilities leaves open the risk that other governments or criminal hackers will find the same security gaps and exploit them to damage systems or steal data, raising questions about whether GCHQ and the NSA neglected their duty to protect internet systems in their quest for more intelligence.
The Home Office also published an updated and revised code of practice surrounding the interception of communications, including details of the rules. There were also stronger safeguards surrounding the security services’ interception of the most sensitive communications, including between lawyers and their clients, doctors and patients and journalists and sources. These are generally protected by laws of confidentiality.
It is thought that these previously secret rules have been put into the public domain for the first time in anticipation of two further rulings challenging the lawfulness of security services’ activity later this year.
In the first ruling expected next month the IPT will rule on whether the intelligence services have routinely intercepted legally privileged communications in sensitive security cases without adequate safeguards. The case involves two Libyans, Abdel-Hakim Belhaj and Sami al-Saadi and their families after they were abducted in a joint MI6-CIA operation and sent back to be tortured by Colonel Muammar Gaddafi’s regime in 2004.
The second ruling follows a legal claim brought by Privacy International demanding an end to the use of computer hacking tools by GCHQ and the NSA. They claim they have used the hacking tools disclosed by the whistleblower Edward Snowden to infect potentially millions of computers and mobile devices around the world with malicious software to surreptitiously conduct a new dimension of surveillance.