Privacy Group Sues British Spy Agency over Use of Malware
By Seth Fitzgerald / CIO Today. Updated May 08, 2014.
Britain's spy agency, GCHQ, is being targeted by Privacy International for what the grou considers to be illegal spy techniques. The privacy group filed a lawsuit Tuesday against GCHQ after documents reportedly from former U.S. National Security Agency contractor Edward Snowden revealed the extent to which both GCHQ and the NSA spy on civilians.
With leaked documents in hand, Privacy International alleges that the British spy agency has violated and continues to violate articles 8 and 10 of the European Convention on Human Rights. Article 8 deals with privacy and since the GCHQ may have used malware to intentionally infect devices, privacy laws would have been broken.
Just as widespread surveillance in the U.S. has met with strong criticism, British organizations say the tapping of wireless devices or computers should not be allowed. This argument has been met with legal opposition, but given the existence of wiretap laws and warrant requirements, Privacy International may have a legitimate claim against the GCHQ on behalf of British citizens.
The lawsuit, filed with the UK's Investigatory Powers Tribunal, is the first against GCHQ to be filed since January, when a series of Snowden documents showed how the NSA and GCHQ used mobile apps to spy on individuals. With the suit, Privacy International hopes to bring "an end to the unlawful hacking being carried out by GCHQ."
GCHQ said it would not comment on the lawsuit.
According to the privacy group, this is the first case in the UK's history that directly challenges the use of malware and other hacking tools by intelligence services. With the exception of a failed class-action lawsuit brought in the U.S. by Sen. Rand Paul, R-Kentucky, there have not been lawsuits against the NSA for its use of similar tools.
Privacy organizations and individuals are not pleased with phone surveillance or metadata collection but those spy techniques are harder to combat in a legal setting. With this in mind, Privacy International is targeting the use of malware and hacking, since those tools are invasive and potentially illegal.
In the group's 21-page lawsuit the existence of malware with names like Warrior Pride and Gumfish is mentioned. According to information in the leaked documents, the malware is placed in phones and computers so that the GCHQ can log keystrokes, collect data and even tap into cameras.
Privacy International argued that the use of cameras is no different from "entering someone's house, searching through his filing cabinets, diaries and correspondence, and planting devices to permit constant surveillance in future, and, if mobile devices are involved, obtaining historical information including every location he had visited in the past year."
The use of malware when collecting data on groups of British citizens has unintended consequences as well. Even after the GCHQ is no longer actively spying on someone, the malware has compromised the security of the phone or computer, leaving it open to other malicious attacks. Privacy International is not sure how many devices have been affected by these programs, but it is entering the lawsuit with the knowledge that millions of devices could have been compromised.