Aerial view of the GCHQ (Government Communications Headquarters) building, taken on October 10, 2005.
Civil-liberties groups have sued the NSA and its British sister agency, the UK Government Communications Headquarters (GCHQ), over their spying activities in the wake of whistleblower Edward Snowden's revelations. Now, for the first time, a privacy group is suing the GCHQ for hacking millions of computers and cellphones worldwide.
Privacy International, a London-based digital-rights advocacy organization, filed a legal complaint against the GCHQ before the Investigatory Powers Tribunal, a UK court that hears cases about government surveillance, on Tuesday. The group is accusing the spy agency of using invasive hacking techniques, such as infecting targets with malware, which have no legal justification.
In the complaint (embedded, below), Privacy International equates hacking into a computer with "entering someone’s house, searching through his filing cabinets, diaries and correspondence, and planting devices to permit constant surveillance in future, and, if mobile devices are involved, obtaining historical information including every location he had visited in the past year."
Considering the invasive nature of such activities, which allegedly enable the GCHQ and NSA to access all data on a target's computer — including communications, passwords and even webcam feeds — the spy agency is required to have legitimate reasons for hacking.
But according to Eric King, a lawyer who teaches IT law at the London School of Economics and the deputy director of Privacy International, the GCHQ has never justified being in the "hacking business."
"To invade people's fundamental rights, it is essential that government have clear laws and justification that govern when they do so," he told Mashable in a phone interview.
"To have a single broad power that says, 'We can do whatever we want, whenever we like, at any time,' is the antithesis of what rule of law is meant to be about.""To have a single broad power that says, 'We can do whatever we want, whenever we like, at any time,' is the antithesis of what rule of law is meant to be about."
In the complaint, Privacy International details a long list of secret NSA and GCHQ programs, such as NOSEY SMURF (allows hackers to take over a target's microphone), TRACKER SMURF (used to track a target's location) and GUMFISH (used to take over a target's webcam).
Privacy International argues that the programs violate articles 8 and 10 of the European Convention on Human Rights, which protect the the right to privacy and freedom of expression, respectively. The programs also don't have a legal justification in UK law, according to the activist group.
What's more, the NSA and GCHQ appear to doubt the legality of the programs in two separate documents, cited in Privacy International's complaint.
The first, leaked by Snowden, is an NSA presentation that describes QUANTUM, an NSA-GCHQ hacking program. The document reads, "Continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions."
The second, uncovered by journalist Ryan Gallagher, was prepared by a GCHQ representative, and discusses implanting malware. It reads, "An additional concern in the UK is that performing an active attack ... may be illegal."
At this point, it's impossible to know whether Privacy International's complaint will be successful. One argument that could be used against it: The organization is not the victim of these hacking techniques, so it doesn't have the authority to challenge them.
This issue, technically called legal standing, has long been a problem in lawsuits against intelligence companies, especially in the U.S. In several cases, civil-liberties groups such as the American Civil Liberties Union and the Electronic Frontier Foundation have seen their lawsuits dismissed because courts ruled they were not targets of the surveillance, or at least could not prove that they were.
In the latest case, however, Privacy International is confident this won't be a problem. In the complaint, it says given the fact that its employees use computers and mobile phones — usual targets of these hacking techniques — and "given the apparently indiscriminate nature of the activity in question," the group could be a target, and has the right to sue.