International Service Providers Sue GCHQ For Potentially Hacking Their Networks
from the could-get-interesting dept
A group of seven smaller international ISPs, many of which tend to be used by activists, are now suing GCHQ via the Investigatory Powers Tribunal, for hacking into their networks. The focus of the lawsuit is on the GCHQ’s now infamous hacking of Belgian telco Belgacom, via a quantum insert, to get access to a variety of communications. While those revelations don’t name any of the service providers filing suit, they note that “the type of surveillance being carried out allows them to challenge the practices in the IPT because they and their users are at threat of being targeted.” The seven service providers are:
There may be a big question as to whether or not any of those organizations really have standing if there’s no evidence they were actually targeted by GCHQ, but I don’t know enough about how the Investigatory Powers Tribunal works when it comes to the question of who has standing to judge at the outset. Either way, the service providers note that GCHQ’s activities violate the European convention on human rights:
First, in the course of such an attack, network assets and computers belonging to the internet and communications service provider are altered without the provider’s consent. That is in itself unlawful under the Computer Misuse Act 1990 in the absence of some supervening authorisation. Depending on the nature and extent of the alterations, the attacks may also cause damage amounting to an unlawful interference with the internet and communications service provider’s property contrary to Article 1 of the First Protocol (“A1P1”) to the European Convention on Human Rights (“ECHR”).
Second, the surveillance of the internet and communications service provider’s employees is an obvious interference with the rights of those employees under Articles 8 and 10 ECHR, and by extension the provider’s own Article 10 rights. As Der Spiegel reported in relation to a separate attack on Mach, a data clearing company, a computer expert working for the company was heavily targeted: “A complex graph of his digital life depicts the man’s name in red crosshairs and lists his work computers and those he uses privately (‘suspected tablet PC’). His Skype username is listed, as are his Gmail account and his profile on a social networking site. [...] In short, GCHQ knew everything about the man’s digital life.” It is not simply a question of GCHQ confining its interest to employees’ professional lives. They are interested in knowing everything about the staff and administrators of computer networks, so as to be better able to exploit the networks they are charged to protect.
Third, the exploitation of network infrastructure enables GCHQ to conduct mass and intrusive surveillance on the customers and users of the internet and communications service providers’ services in contravention of Articles 8 and 10 ECHR. Network exploitation of internet infrastructure enables GCHQ to undertake a range of highly invasive mass surveillance activities, including the application of packet capture (mass scanning of internet communications); the weakening of encryption capabilities; the observation and redirection of internet browsing activities; the censoring or modification of communications en route; and the creation of avenues for targeted infection of users’ devices. Not only does each of these actions involve serious interferences with Article 8 ECHR rights, by creating vulnerabilities and mistrust in internet infrastructure they also chill free expression in contravention of Article 10 ECHR.
Fourth, the use by GCHQ of internet and communications service providers’ infrastructure to spy on the providers’ users on such an enormous scale strikes at the heart of the relationship between those users and the provider itself. The fact that the internet and communications service providers are essentially deputised by GCHQ to engage in heavily intrusive surveillance of their own customers threatens to damage or destroy the goodwill in that relationship, itself an interference with the provider’s rights under A1P1.
Certainly a case worth watching if it can get past the standing issue.