The UK’s intelligence agencies are to significantly increase their use of large-scale data hacking after claiming that more targeted operations are being rendered obsolete by technology.
The move, which has alarmed civil liberty groups, will see an expansion in what is known as the “bulk equipment interference (EI) regime” – the process by which GCHQ can target entire communication networks overseas in a bid to identify individuals who pose a threat to national security.
A letter from the security minister, Ben Wallace, to the head of the intelligence and security committee, Dominic Grieve, quietly filed in the House of Commons library last week, states: “Following a review of current operational and technical realities, GCHQ have … determined that it will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.”
The expansion of EI is likely to prove highly controversial.
“The bulk equipment interference power permits the UK intelligence services to hack at scale by allowing a single warrant to cover entire classes of property, persons or conduct,” explained Scarlet Kim, legal officer at Privacy International, which has taken the government to court over GCHQ’s hacking activities abroad. “It also gives nearly unfettered powers to the intelligence services to decide who and when to hack.”
Potential targets can be extremely large, Kim suggested. “Hacking presents unique and grave threats to privacy and security,” she said. “It’s not just directed at computers and phones, but can target communications networks and their underlying infrastructure, permitting surveillance against whole groups or countries, or across numerous jurisdictions.”
When the government was piloting the Investigatory Powers Act through parliament two years ago, Lord Anderson, the government’s independent reviewer of terrorism legislation, stated in his Report of the Bulk Powers Review that “Bulk EI [equipment interference] is likely to be only sparingly used”.
However, the intelligence services claim that the widespread use of encryption means that targeted hacking exercises are no longer effective and so more large-scale hacks are becoming necessary. Anderson’s review noted that the top 40 online activities relevant to MI5’s intelligence operations are now encrypted.
“This is really alarming to hear because at the time [when the legislation was passing through parliament] there were really robust assurances that these would be sparingly used,” said Hannah Couchman, policy and campaigns officer at Liberty. “Something that was the exception is moving towards the norm and that’s deeply problematic for us.”
Wallace’s letter concedes that the intelligence agencies will not be able to determine some of the consequences of a bulk hacking exercise, claiming: “It is not always possible to adequately foresee the extent of all interferences with privacy to a sufficient degree … at the point of issue of a warrant.”
Instead, the investigatory powers commissioner will be able to make an assessment of the warrant’s impact after the hack has taken place. “This is too little, too late,” said Couchman, who questioned whether the expansion of bulk equipment interference would see more intelligence being traded with other countries, in return for information they have gathered on UK citizens.
“The fact that you have the review only after the privacy has been infringed upon demonstrates how worrying this situation is,” Couchman added. “With bulk powers, the state can hoover up and keep enormous quantities of data about an enormously wide range of people. Bulk equipment interference powers allow a broad range of hacking activities, including accessing computers and mobile phones. Imagine what the average person has on their devices.”
A government spokesman said: “Equipment interference is subject to the world-leading oversight of the investigatory powers commissioner and any bulk equipment interference warrant must be approved by an independent judicial commissioner before it can be issued.”