Reining in Government Hacking in the UK
A legal history of GCHQ computer hacking
On 8 January 2021, the High Court delivered its judgment on Privacy International v IPT & Others (2021), a case concerning computer hacking operations carried out by GCHQ. This ruling specifically focused on the scope of property interference warrants under section 5 of the Intelligence Services Act 1994 (ISA 1994). GCHQ applies for these warrants as part of its cyber intelligence operations.
The ruling is the first by the senior courts of the UK on government computer hacking, an activity which has traditionally not been subject to as much litigation as other surveillance powers (mainly due to the fact these capabilities were not avowed until 2016). Even so, this latest ruling from the High Court forms part of a growing body of caselaw examining such activities by UK security and intelligence agencies (SIAs).
However, it is noticeable that the Court restricted its analysis to the superficial review of the provisions of the legislation and thus did not give a view on the specific nature of computer hacking itself. Such an omission could be highly relevant to the whether particular instances of computer hacking are proportionate and thus compliant with international human rights law. Therefore, despite the High Court’s judgment, computer hacking is yet to be fully reined in.
What is property or equipment interference?
In the 1990s, GCHQ started hiring hackers of whom were given the more official title of “Computer Network Operators”.[1] These personnel “came from the ethical rather than the malicious branch of that tribe” and, together, they operated the distinct practice within GCHQ known as “cyber intelligence”.[2]
The work of these operators were then divided into three different categories: computer network exploitation (CNE) is a technique of which is focuses on gathering information from computer systems;[3] computer network attack (CNA) is designed to “incapacitate computers or corrupt the data they contain”;[4] and computer network defence (CND) aims to protect the UK from both CNE and CNA.[5] These cyber intelligence operations have become “central to GCHQ’s repertoire”, even eventually surpassing human intelligence in terms of value and importance.[6]
These various categories of cyber operations essentially authorise interference with computer devices that can be physical or remote. Physical interference may involve, for instance, “covertly downloading data from a device to which physical access has been gained”.[7] However, in the current internet age, it is perhaps more common for GCHQ to carry out operations remotely. This may entail “installing a piece of software on to a device over a wired and/or wireless network in order to remotely extract information from the device”.[8]
The principal component of GCHQ’s cyber intelligence is CNE;[9] “exploiting existing vulnerabilities in software in order to gain control of devices or networks to remotely extract material or monitor the user of the device”.[10] CNE is therefore not just limited to hacking in the traditional sense, and also encompasses techniques such as “spreading malware or otherwise disrupting computer systems, grids or databases”.[11] Nevertheless, there is a distinction between CNE and CNA. CNE is predominantly an investigative tool used to gather data and information about those of intelligence interest. GCHQ then uses these materials to devise strategies for disrupting or combatting identified threats, of which could take the form of CNA.[12] Thus, GCHQ would most likely seek authorisation for CNE under an equipment interference (EI) warrant under the Investigatory Powers Act 2016 (IPA 2016), whereas CNA would require a property interference warrant under the ISA 1994.
Entick v Carrington
The starting point for the regulation of computer hacking in the UK is Entick v Carrington (1765). This is a landmark case in UK public law that illustrates one of the fundamental principles of State interference with private rights.[13] In fact, this 18th century case could even be regarded as “the most visible early stepping stone in the development of the doctrine of the rule of law”.[14] Its stipulations are thus highly relevant to the legalities of government computer hacking today and indeed other powers exercised by UK public authorities.
In Entick, the messengers of the King of England were authorised, under a warrant issued by the Earl of Halifax (one of the Secretaries of State and the defendant in the case), to search the property of John Entick (the plaintiff in the case). The purpose of the warrant was to find and compromise seditious papers consisting of “scandalous reflections and invectives upon His Majesty’s Government, and upon both Houses of Parliament”.[15] The warrant allowed the constable and officers assisting in the search to break open doors and boxes and search the plaintiff’s private papers to find the supposedly seditious material. The messengers, however, found that the plaintiff was not in fact in possession of the seditious material specified in the warrant.
The Crown argued that its justification for its conduct was that it was in the interests of the State to identify those in possession of seditious material and that such warrants had been issued by the Crown since the English Revolution of 1688. However, the Court of Common Pleas rejected this finding and instead Lord Camden found that the Crown had committed an unlawful trespass, giving the following judgment:
“If this is law it would be found in our books, but no such law ever existed in this country; our law holds property of every man so sacred that no man can set his foot upon his neighbour’s close without his leave; if he does he is a trespasser, though he does no damage at all; if he will tread upon his neighbour’s ground, he must justify it by law…we can safely say there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society; for papers are often the dearest property a man can have”.[16]
The Court also commented on the Crown’s contention that is had issued such general warrants before without being challenged on their legality:
“[T]his is the first instance of an attempt to prove modern practice of a private office to make and execute warrants to enter a man’s house, search for and take away all his books and papers in the first instance, to be law, which is not to be found in our books. It must have been the guilt or poverty of those upon whom such warrants have been executed, that deterred or hindered them from contending against the power of a Secretary of State and the Solicitor of the Treasury, or such warrants could never have passed for lawful till this time”.[17]
Altogether, Entick established two important principles regarding property interference warrants. Firstly, such warrants, given their capacity to interfere with one’s private property, must, at the very least, have a basis in law. Secondly, even if there is a basis in law for ‘general’ property warrants, their unjustified broadness may in any case be deemed unlawful given the level of intrusion that such warrants may permit. Such principles reflect the requirements specified under the European Convention on Human Rights (ECHR), namely that interference with the right to privacy must be (a) in accordance with the law (ie have a legal basis), and (b) necessary and proportionate in pursuance of a legitimate aim.[18] Thus, since the ECHR regulates UK State surveillance, the principles of Entick that the Convention enshrines are as applicable to modern computer hacking as they were to property interference in the late 1700s.
The Intelligence Services Act 1994
The existence and functions of GCHQ had remained secret until the organisation was put on statutory footing for the first time with the enactment of the ISA 1994. Section 3(1) of that Act states that there shall continue to be a Government Communications Headquarters under the authority of the Secretary of State.
The ISA 1994 describes the two main functions of GCHQ. Its first function is to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material.[19] The second function is to provide advice and assistance on languages, including terminology used for technical matters, and cryptography and other matters relating to the protection of information and other material.[20] That advice or assistance can be provided to the armed forces, the UK Government or even to the general public if it considers this appropriate. An example of its public advice function is the National Cyber Security Centre, which is a branch of GCHQ helping organisations protect the cybersecurity of the UK’s digital infrastructure.[21]
GCHQ may only perform these above functions for three purposes: in the interests of national security; in the interests of the economic well-being of the UK in relation to the actions or intentions of persons outside the British Islands; or in support of the prevention or detection of serious crime.[22]
Property Interference Warrants
Following the first principle of Entick, when GCHQ carries out computer hacking, authorisation for such operations require a warrant to be issued under section 5 ISA 1994. Under subsection (1), it is stated that no entry on or interference with property or with wireless telegraphy shall be unlawful if it is not authorised by a warrant issued by the Secretary of State under section 5. Such interference may take place in respect of any property or wireless telegraphy so specified in the warrant.
Section 5 goes on to specify the requirements that such property interference warrants must meet. Firstly, the conduct authorised by the warrant must be necessary for the first function of GCHQ, which is essentially to interfere with equipment emanating electromagnetic, acoustic and other emissions.[23] Secondly, the interference must be proportionate to what is sought to be achieved with the warrant.[24] Thirdly, certain arrangements must be in place with respect to the disclosure of information obtained by virtue of the warrant.[25] Before issuing the warrant, the Secretary of State must also consider whether what is sought to be achieved with the warrant could reasonably be achieved by other means.[26]
The Greennet Case
The Investigatory Powers Tribunal (IPT) is a specialist court with the jurisdiction to hear cases against the SIAs, including GCHQ. In 2016, the IPT handed down a judgment concerning the legality of computer hacking operations carried out by the agency, colloquially known as the Greennet Case.[27]
In this case, Privacy International, an NGO advocating for privacy rights, and several internet service providers, including Greennet Limited, sought to challenge the lawfulness of CNE conducted by GCHQ. One of the issues addressed by the Tribunal was the warrants that can be authorised under section 5 of the ISA 1994. More specifically, the issue was about clarifying the meaning of the words ‘in respect of any property so specified’ under section 5 for property interference warrants.[28]
Citing Entick and the common law disapproval of general warrants, the claimants argued that, while section 5 warrants can potentially permit warrants relating to an unlimited number of persons, it cannot permit warrants “authorising an entire operation or suite of operations”.[29] In particular, the warrant “cannot depend upon the belief, suspicion or judgment of the officer acting under the warrant”.[30] It must therefore “be possible to identify the property/equipment at the date of the warrant”.[31]
In opposition to this, the Government contended that, for section 5 warrants, “the requirement is for the actions and property to be objectively ascertainable”.[32] This means that the application for the warrant must only contain “as much information as possible to enable a Secretary of State to make a decision as to whether to issue the warrant, and, if so, as to its scope”.[33]
The IPT accepted the submissions made by the Government. On Entick, the Tribunal stated the following:
“Eighteenth Century abhorrence of general warrants issued without express statutory sanction is not in our judgment a useful or permissible aid to construction of an express statutory power given to [an SIA], one of whose principal functions is to further the interests of UK national security, with particular reference to defence and foreign policy. The words should be given their natural meaning in the context in which they are set”.[34]
Thus, whether a warrant under section 5 of the ISA 1994 is sufficiently specific depends on the particular facts of the case. Nevertheless, the Tribunal made clear that, in its view, it is not necessary for a warrant “to be limited to a named or identified individual or list of individuals”.[35] Instead, it will suffice for the warrant to specify the property only to the extent that the interference caused by CNE is “reasonably foreseeable”.[36] This can be the case where the property is defined “by reference to persons or a group or category of persons”.[37] Overall, the IPT held that section 5 does not require the specification of ‘particular property’, but merely specification of ‘the property’ to be interfered with, and thus the word ‘specified’ is merely a word of description and not limitation.[38]
The consequence of such a ruling is that computer hacking need not be limited to “one or more individual items of property by reference to their name, location or owner”.[39] Additionally, it is not necessary to “identify property in existence at the date on which the warrant was issued”.[40] As a result, it would be lawful for GCHQ:
“…to interfere with computers used by members, wherever located, of a group whose activities could pose a threat to UK national security, or be used to further the policies or activities of a terrorist organisation or grouping, during the life of a warrant, even though the members or individuals so described and/or of the users of the computers were not and could not be identified when the warrant was issued”.[41]
Ouster Clauses
Unsatisfied with the IPT’s decision, Privacy International applied for judicial review of the conclusions on general warrants under the ISA 1994, believing that the Tribunal had incorrectly interpreted section 5. However, one stumbling block to pursuing this legal action was section 67(8) of the Regulation of Investigatory Powers Act 2000 (RIPA 2000). Under that provision, decisions of the IPT cannot be subject to appeal or be liable to be questioned in any court. Such a provision is known as an ‘ouster clause’. Proceedings against the IPT were therefore stayed until the scope of this ouster clause was settled.
This was not forthcoming until May 2019, when the UK Supreme Court handed down its judgment in R (Privacy International) v Investigatory Powers Tribunal (2019).[42] The Court ruled in that case that RIPA 2000 does not prevent the High Court from being able to judicially review a decision of the IPT that is based on an error of law.
In coming to this judgment, the Supreme Court firstly held that if Parliament wanted to exclude all possibility of judicial review from another court, then it would have used clear and explicit wording to that effect.[43] If such wording is not present, then there is a common law presumption against ouster clauses. Accordingly, the Court found that the wording in section 67(8) did not contain the necessary wording so as to explicitly exclude all possibility of judicial review and thus the common law presumption against ouster clauses was applicable.
Part of this common law presumption against ouster clauses is that such a clause will not protect against a ‘nullity’, namely a decision that is based on an error of law. Thus, the Court held that the exclusion in section 67(8) “applies, not to all determinations, awards or other decisions whatever their status, but only to those which are “legally valid” in that sense”. Therefore, “if the IPT's decision in [Greennet] were found to have been reached on an erroneous interpretation of section 5 of the [ISA 1994], those words [under section 67(8) of RIPA] would not save it from intervention by the courts”.[44] Furthermore, “in the case of the IPT, the potential for overlap with legal issues which may be considered by the ordinary courts...makes it all the more important that it is not able to develop its own “local” law without scope for further review”.[45]
The High Court on General Warrants
As a consequence of the Supreme Court’s judgment, Privacy International was able to continue with its judicial review proceedings against the IPT concerning the Tribunal’s decision in Greennet. As such, the High Court delivered its judgment on the issue in January 2021 in the case of Privacy International v IPT & Others (2021).[46]
In this ruling, the Court held that section 5 of the ISA 1994 does not permit the issuing of general property interference warrants as articulated in Greennet. More specifically, the Secretary of State cannot issue warrants to GCHQ where the property that may be interfered with is not sufficiently specified so as to be objectively ascertainable and therefore allows GCHQ to use its own discretion to decide which property can be interfered with.
The first step in coming to this decision was to interpret the scope of section 5. In doing so, the Court made a preliminary point that this exercise relies solely on the Parliament’s intention as derived from the wording it chose in drafting the legislation. Accordingly, issues such as the fact that CNE is crucial for safeguarding national security or consists of a grave interference with the right to privacy are immaterial.[47]
However, the purpose of the statute was held to be relevant as this allowed the wording of section 5 to be put into the appropriate context. Thus, the Court recognised that the overall purpose of section 5 warrants is to allow GCHQ “to protect the United Kingdom's national security and economic well-being, and play its part in the prevention of serious crime”. Accordingly, the intention of Parliament “will be derived from the meaning of individual words read in the context of the enactment as a whole”.
The High Court also made mention of Entick in determining the scope of section 5 of the ISA 1994. Relying on this case, it was recognised that “a person's papers (containing private information) are their owner's “dearest property” whose secret nature cannot be the subject of intrusion without legal authority”.[48] As such, the Secretary of State cannot order the search of one’s private property, such as their computer device, “without authority conferred by an Act of Parliament or the common law”.[49] The Court found this to be one of the fundamental principles of UK law and thus “it may not be overridden by statute unless the wording of the statute makes clear that Parliament intended to do so”.[50]
On that basis, the Court held that, under section 5, “Parliament deliberately used the word “specified” rather than “of a specified description” or “described”, and that the provision as drafted does not permit the issue of a general warrant”.[51]
With the scope of section 5 defined, the High Court then went on to address what kind of warrants may be issued under that provision. On this, the Court adopted a different interpretation of the concept of ‘objective ascertainability’ that the IPT had given in Greennet. The Court held that for a property interference warrant to be objectively ascertainable, it must be “sufficiently specific to indicate to individual officers at GCHQ...whose property, or which property, can be interfered with, rather than leaving it to their discretion”.[52]
Therefore, it was held by the High Court that a warrant under section 5 of ISA 1994 could authorise “use of CNE across a broad geographical area (such as a town or city)” like Birmingham or Kent, as geographical area is capable of being specified in the warrant.[53] Contrastingly, “a warrant which referred to the property of anyone engaged in an activity (for example “the mobile phone of any person conspiring to commit acts of terrorism”) would be insufficiently specific”.[54] Thus, so long as the property specified in the warrant is objectively ascertainable, it is permissible under the 1994 Act.[55]
Still an Unruly Horse?
While the judgment narrows the scope of property interference warrants under the ISA 1994, that very scope still remains broad. That computer hacking may be limited to a geographical area does not prevent its effects from spreading beyond such boundaries. This is due to the fact that the exploitation of one device can lead to the exploitation of another as made possible by the interconnectedness of such devices through the internet. This could cause the exploitation of devices belonging to individuals who are not necessarily the targets of cyber intelligence by GCHQ. Moreover, this is exacerbated by the fact that government computer hacking “could create major vulnerabilities in the security of personal data that third parties, such as criminals, could exploit”.[56] The use of section 5 warrants in the way permitted by the High Court in its latest judgment can therefore act as a catalyst for extensive damage to cybersecurity, in-turn giving way to grave interferences with digital privacy.
This also applies to the use of EI warrants under the IPA 2016. Under section 101 of that Act, it is possible for the Secretary of State to issue so-called ‘thematic’ EI warrants, whereby the range of equipment to be interfered with is linked by a common theme. For example, EI warrants under the IPA 2016 can authorise interference with equipment belonging to, used by or in the possession of a group of persons who share a common purpose or who carry on, or may carry on, a particular activity.[57] Thus, the broadness of such warrants is explicitly provided in the legislation itself, giving rise to the same cybersecurity risks as cyber intelligence conducted under the ISA 1994.
Such extensive damage may challenge the proportionality of computer hacking warrants when issued in a broad manner. However, the High Court appeared unwilling to entertain such a question. The possible reasoning for this was provided in a separate case from 2019 on the legalities of the bulk powers under the IPA 2016; the purpose of the senior courts is to assess whether the legislation permitting such powers is lawful, and not to make an assessment of actual practices or activities carried out by the SIAs based on that legislation.[58] This latter issue is reserved for the IPT, of which is equipped with the necessary powers to investigate those practices or activities to make an assessment of their lawfulness.[59]
It would therefore seem that the collateral damage of GCHQ cyber intelligence, and the question of whether this contravenes the proportionality principle under human rights law, can only be considered by the Tribunal when it is lodged with the relevant complaint (as it did to a limited extent in Greennet).[60] The judiciary is thus yet to address the issue of computer hacking in a comprehensive manner that is not just limited the prima facie lawfulness of the legislation permitting its use. Until then, government computer hacking remains an unruly horse.
[1] John Ferris, Behind the Enigma: The Authorised History of GCHQ, Britain’s Secret Cyber-Intelligence Agency (Kindle Edition, Bloomsbury Publishing 2020), 85%.
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Ibid.
[6] Ibid.
[7] Home Office, Equipment Interference Code of Practice (March 2018), [3.11].
[8] Ibid.
[9] David Anderson QC, Report of the Bulk Powers Review (Cm 9326, 2016), [7.4].
[10] EI Code of Practice (n 7), [3.17].
[11] Nóra Ni Loideain, ‘A Bridge too Far? The Investigatory Powers Act 2016 and Human Rights Law’ in Lilian Edwards (ed) Law, Policy and the Internet (Hart Publishing 2019) 181.
[12] R (Privacy International) v Investigatory Powers Tribunal & Others [2021] EWHC 27 (Admin), [54].
[13] Entick v Carrington (1765) 95 ER 807 (KB).
[14] Richard Gordon, ‘Entick v Carrington [1765] Revisited: All the King’s Horse’ in Satvinder Juss et al (eds), Landmark Cases in Public Law (Hart Publishing 2017), 2.
[15] Entick (n 13), 808.
[16] Ibid, 817.
[17] Ibid, 818.
[18] European Convention on Human Rights, Article 8(2).
[19] Intelligence Services Act 1994, s.3(1)(a).
[20] Ibid, s.3(1)(b).
[21] HM Government, National Security Strategy and Strategic Defence and Security Review 2015 (Cm 9161, 2015), [4.109].
[22] ISA 1994 (n 12), s.3(2).
[23] Ibid, s.5(2)(a)(iii).
[24] Ibid, s.5(2)(b).
[25] Ibid, s.5(2)(c).
[26] Ibid, s.5(2A).
[27] Privacy International v Secretary of State for Foreign and Commonwealth Affairs & GCHQ [2016] UKIPTrib 14_85-CH.
[28] Ibid, [34].
[29] Ibid, [35(iii)].
[30] Ibid.
[31] Ibid.
[32] Ibid, [36(iii)].
[33] Ibid.
[34] Ibid, [37].
[35] Ibid, [38].
[36] Ibid.
[37] Ibid.
[38] Ibid, [39].
[39] Ibid, [45(i)].
[40] Ibid, [45(ii)].
[41] Ibid.
[42] R (Privacy International) v Investigatory Powers Tribunal [2019] UKSC 22.
[43] Ibid, [111].
[44] Ibid, [107].
[45] Ibid, [112].
[46] Privacy International v IPT (n 12).
[47] Ibid, [34].
[48] Ibid, [46].
[49] Ibid.
[50] Ibid, [48].
[51] Ibid, [52].
[52] Ibid, [57].
[53] Ibid, [61].
[54] Ibid, [63].
[55] Ibid, [64].
[56] Nóra Ni Loideain (n 11), 182.
[57] Investigatory Powers Act 2016, s.101(1)(b).
[58] R (Liberty) v Secretary of State for the Home Department & Others [2019] EWHC 2057 (Admin), [196].
[59] Ibid.
[60] Greennet (n 27), [54] - [59].
Other Sources:
Example of property interference warrant under section 5 of the Intelligence Services Act 1994