Hacking of computers, networks and smartphones in the UK or abroad by GCHQ staff does not breach human rights, a security tribunal has ruled.
A panel of five members of the investigatory powers tribunal (IPT) decided on Friday that computer network exploitation (CNE), which may involve remotely activating microphones and cameras on electronic devices without the owners’ knowledge, is legal.
In a lengthy judgment, the IPT, which deals with complaints about surveillance and the intelligence services, found in favour of the Cheltenham-based monitoring agency and the Foreign Office. It dismissed complaints brought by the campaign group Privacy International and seven internet service providers from around the world.
The case, which was heard last year, was the first in which GCHQ admitted to carrying out “persistent” hacking in the UK and overseas. Some sessions of the IPT are closed and held in secret.
Part of the legal dispute focused on whether such activity is permissible under thematic warrants that do not identify targeted individuals. Responding to the decision, Privacy International said it would “challenge this undermining of the fundamental right that a warrant should identify a specific property or person”. There is no right of appeal to any higher UK court, but cases can be taken to Europe.
In the course of the hearing, GCHQ admitted that it carries out CNE within and outside the UK, that in 2013, about 20% of its intelligence reports contained information derived from hacking, and that it undertakes “persistent” – where bugs are left implanted on a targeted device – as well as “non-persistent” operations.
The IPT judgment said: “The use of CNE by GCHQ, now avowed, has obviously raised a number of serious questions, which we have done our best to resolve.
“Plainly, it again emphasises the requirement for a balance to be drawn between the urgent need of the intelligence agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression.
“We are satisfied that with the new [equipment interference code] and whatever the outcome of parliamentary consideration of the investigatory powers bill, a proper balance is being struck in regard to the matters we have been asked to consider.”
The judgment concluded that the legal regime under which warrants are issued for the agency to carry out equipment interference in the UK is compatible with the European convention on human rights.
In relation to the authorisation of actions outside Britain, the IPT ruling said there might be circumstances in which an individual claimant may be able to claim a breach of their rights under articles 8 or 10 of the convention, which relate to the right to private and family life and freedom of expression. However, it said this does not lead to a conclusion that the regime is non-compliant with the articles.
The Foreign Office said the ruling made it clear that the legal regime under which GCHQ carries out equipment interference “is, and has always been, compatible with human rights law”.
The foreign secretary, Philip Hammond, welcomed the ruling “and its judgment that a proper balance is being struck between the need to keep Britain safe and the protection of individuals’ privacy”.
“The ability to exploit computer networks plays a crucial part in our ability to protect the British public. Once again, the law and practice around our security and intelligence agencies’ capabilities and procedures have been scrutinised by an independent body and been confirmed to be lawful and proportionate.”
Scarlet Kim, a legal officer at Privacy International, said: “We are disappointed by the IPT’s judgment, which has found government hacking lawful based on a broad interpretation of a law dating back to 1994, when the internet and mobile phone technology were in their infancy.
“Until we brought this case, GCHQ would neither confirm nor deny that they were engaging in mass hacking of computers, mobile devices and entire computer networks.
“During the course of the proceedings, the government sought to create law ‘on the hoof’, changing anti-hacking laws [the 1990 Computer Misuse Act] through an addition to the 2015 Serious Crime Act and producing a code of practice for hacking. Hacking is one of the most intrusive surveillance capabilities available to intelligence agencies.
“The IPT has decided that GCHQ can use ‘thematic warrants’, which means GCHQ can hack an entire class of property or persons, such as ‘all phones in Birmingham’.
“In doing so, it has upended a longstanding English common law principle that such general warrants are unlawful. Allowing governments to hack places the security and stability of the internet and the information we exchange on it at stake.”
The seven internet service providers involved in the case were GreenNet, Riseup, Mango, Jinbonet, Greenhost, Media Jumpstart and Chaos Computer Club.