Sneaky Change Allows UK Spies to Legally Hack

The UK government has craftily changed the law to allow GCHQ, the UK’s communications spy agency, to hack without fear of legal consequences. The law was amended quietly, and has only come to public attention as a consequence of a legal action by Privacy International, the campaign group.

Activists from Privacy International were notified of the change just hours before the Investigatory Powers Tribunal (IPT) reviewed their complaint about GCHQ hacking. One of Privacy International’s complaints was that GCHQ had infringed the Computer Misuse Act (CMA), but this law has now been amended to exempt the UK’s intelligence services. The CMA criminalizes hacking in the UK.

Privacy International joined forces with seven internet and communications service providers to file a complaint about GCHQ hacking in mid-2014. However, the government quietly instigated its change to the CMA soon after. The amendment to the CMA was included in the Serious Crime Bill 2015, which was introduced on 6th June 2014, passed into law on 3rd March 2015 and become effective on May 3rd.

As Privacy International put it:

The… notes that accompanied the [Serious Crime] Act make no reference to the true impact of the change. It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner’s Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes. There was no published Privacy Impact Assessment. Only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders. There was no public debate.

The Government provided an open response to the claimants’ IPT complaint on 6 February 2015, but was silent on forthcoming passage of the Serious Crime Bill. Indeed, it was not until yesterday, a day before the parties were due in court to determine the legal issues that will be addressed in the case, that the government indicated that amendments to the CMA had been made.

A UK parliamentary committee recently published a tame review of GCHQ’s spying and hacking activities, concluding that there was a need for increased public awareness of what spies do, and why. These legal shenanigans suggest that nobody in authority is taking any practical steps to deliver increased transparency.

You can read Privacy International’s press release here.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.