In a court case brought forward by Privacy International and seven ISPs, GCHQ has admitted for the first time that it has hacked computers, smartphones, and networks in the UK and abroad.
The claimants argue that GCHQ's actions lack oversight and break both domestic laws and the Human Rights Act. Evidence published this week showed GCHQ undertakes "persistent" hacking, leaving monitoring software on targeted devices. The legal case has confirmed the agency's methods of using CNE, which it would use to capture mass data.
Telling the court that this gathers up far more information than traditional surveillance, Ben Jaffey, the lawyer for Privacy International and the ISPs, said it was "equal to carrying a bug everywhere I go," according to a report in the FT.
“If CNE were carried out on my mobile you would get all the meetings I attend by turning on the microphone and access to all my chamber's files, bank details, my passwords, all my personal material and all my photos,” said Jaffey.
GCHQ said it did not need individual warrants before hacking a target device – it said it primarily relies on "thematic" or "class" warrants which give permission to intercept communications from "a defined group or network".
The Guardian reported that, according to Jaffey, if this definition is interpreted as broadly as possible, the agency could, for example, target "all mobile phones" in a given city.
Ed Wallace from MWR InfoSecurity commented on the case, saying: “Thematic warrants are typically used where there is a long-term requirement for surveillance. People imagine that GCHQ would listen in to everyone's conversations in, say, all of the Birmingham area, but technically that isn't possible as the manpower requirements are too high. Most likely it would be that GCHQ had identified an individual in a room they wanted to track, and then they would look at the nearest cell tower to see what other phone numbers were in the area, and which had made contact with the original number they are investigating in order to open up more lines of enquiry. They are not interested in all the data, and work very hard to find the real points of interest.”
Denying its activities are unlawful, GCHQ claims that information it has gathered has stopped six alleged terrorist plots in 2015 alone. Giving evidence at the tribunal, GCHQ director general Ciaran Martin said the "advent of ubiquitous encryption" had made targeted hacking even more important for the spy agency.
"Indeed CNE may in some cases be the only way to acquire intelligence coverage of a terror suspect or serious criminal in a foreign country." Martin also added that GCHQ's activities help protect citizens and that "in the last two years, [GCHQ] has disclosed vulnerabilities in every major mobile and desktop platform".
Commenting on GCHQ's activities, Ed Wallace said: “The spying GCHQ carries out is no different to an undercover police officer carrying out a drug deal – there are laws such as the Intelligence Services Act which allow them [GCHQ] to carry these actions out under the pretence of an investigation without getting into trouble.”