Britain’s security services have acknowledged they have the worldwide
capability to bypass the growing use of encryption by internet
companies by attacking the computers themselves.
The Home Office release of the innocuous-sounding “draft equipment
interference code of practice” on Friday put into the public domain the
rules and safeguards surrounding the use of computer hacking outside the
UK by the security services for the first time.
The publication of the draft code follows David Cameron’s speech last
month in which he pledged to break into encryption and ensure there was
no “safe space” for terrorists or serious criminals which could not be
monitored online by the security services with a ministerial warrant,
effectively spelling out how it might be done.
Privacy campaigners said the draft guidance details the powers of
intelligence services to sweep up the content of a computer or
smartphone, listen to phone calls, track locations or even switch on
the microphones or cameras on mobile phones.
The last would allow them to record conversations near the phone or
laptop and snap pictures of anyone nearby.
The code spells this out by saying the new rules give the security
services the power to use hacked computers to “enable and facilitate
surveillance activity”.
Eric King, of Privacy International, said: “They hack their way,
remove and substitute your hardware and software and enable intelligence
collection by turning on your webcams and mice and shipping the data
back to GCHQ at Cheltenham.”
The security minister, James Brokenshire, said the draft code, which
is subject to a six-week consultation ending on 20 March, details the
safeguards applied to different surveillance techniques, including
“computer network exploitation” to identify, track and disrupt the most
sophisticated targets.
Computer network exploitation, or mass hacking, is a technique through which
computer networks are used to infiltrate target computers’ networks in
order to extract and gather intelligence data.
It enables intelligence services to penetrate and collect any
sensitive or confidential data which is typically kept hidden and
protected from the public. It may also be used to bypass the end-to-end
encryption increasingly used by the US internet companies to protect
their customers’ communications in the aftermath of the Snowden
disclosures of bulk internet surveillance. End-to-end encryption secures
messages by ensuring that only the recipient of a message can decode
it: not any of the supplying companies’ computers in between.
The publication for the first time of the legal codes of practice
under the Regulation of Investigatory Powers Act 2000 surrounding
“equipment interference” was timed to coincide with the landmark ruling
that GCHQ had been operating a bulk intelligence sharing operation with
the Americans within an unlawful framework for the past seven years.
That ruling by the investigatory powers tribunal required the
internal GCHQ rules and safeguards to be made public surrounding their
receipt of the bulk collection of British citizens’ personal data by the
American National Security Agency.
Privacy campaigners say the powers outlined in the draft code were
more intrusive than intercepting the content of phone calls or emails or
scooping up communications data, because they included sweeping up
files and material on the computer that had never been shared with
anybody else.
The powers in the draft code at 7.11 also appear to give the security
services wide-ranging powers to “self-authorise” or give “internal
approval” for particular operations once they have the authorisation of a
secretary of state for a “broad class of operations”. This would mean
that, unlike an operation to put a bug in a particular house, they would
not necessarily need a specific warrant to do the same thing by hacking a
computer.
Carly Nyst, legal director of Privacy International, said they
believed any steps that made the security services more transparent
about and accountable for their surveillance activities should be
welcomed.
She said: “However, GCHQ cannot legitimise their unlawful activities
simply by publishing codes of conduct with no legislative force. In
particular, the use by intelligence agencies of hacking – an incredibly
invasive and intrusive form of surveillance – cannot be snuck in by the
back door through the introduction of a code of conduct that has
undergone neither parliamentary nor judicial scrutiny. It is surely no
mistake that this code of conduct comes only days before GCHQ is due to
argue the lawfulness of its hacking activities in court.”
But the Home Office security minister said that terrorists and
paedophiles were increasingly sophisticated in their use of technology
and in their efforts to evade detection.
“The abilities to read or listen to a suspect’s communications or to
interfere with his or her computer equipment are amongst the most
important, sensitive, and closely scrutinised powers available to the
state,” said Brokenshire.
He added: “It is vital that the police and their partners in the
security and intelligence agencies are able to stop them. There are
limits on what can be said in public about this work. But it is
imperative that the government is as open as it can be about these
capabilities and how they are used.”
He said the revised and updated codes provided more information than
ever before on the safeguards, including in the use of computer network
exploitation, and other techniques to “identify, track and disrupt the
most sophisticated targets”.
The Home Office also published an updated and revised code of
practice surrounding the interception of communications, including
details of the rules. There were also stronger safeguards surrounding
the security services’ interception of the most sensitive
communications, including between lawyers and their clients, doctors and
patients and journalists and sources. These are generally protected by
laws of confidentiality.
It is thought that these previously secret rules have been put into
the public domain for the first time in anticipation of two further
rulings challenging the lawfulness of security services’ activity later
this year.
In the first ruling expected next month the IPT will rule on whether
the intelligence services have been routinely intercepting legally privileged
communications in sensitive security cases without adequate safeguards.
The case involves two Libyans, Abdel-Hakim Belhaj and Sami al-Saadi, and
their families, after they were abducted in a joint MI6-CIA operation
and sent back to be tortured by Colonel Muammar Gaddafi’s regime in
2004.
The second ruling follows a legal claim brought by Privacy
International demanding an end to the use of computer hacking tools by
GCHQ and the NSA. It claims the agencies have used the hacking tools disclosed
by the whistleblower Edward Snowden to infect potentially millions of
computers and mobile devices around the world with malicious software to
surreptitiously conduct a new dimension of surveillance.
Source: Guardian, UK