British intelligence officials have quietly opened a door into the inner workings of international surveillance.
In a information release last Friday, the U.K. government published guidelines it purportedly uses to determine when and how it decides to hack computers, mobile devices and other forms of technology for the purposes of spying. It is the first such public disclosure by the British government.
The rather banal sounding, 69-page document, entitled “Interception of communications and equipment interference: draft codes of practice,” not only confirms the wide-ranging hacking capabilities possessed by British intelligence, it also offers a rare insight into how these capabilities are regulated.
Published by the Home Office, the code of practice outlines, among other things, when warrants can be issued to allow investigators to monitor computers, servers, routers, laptops, cellphones and other devices. As Steve Ranger at ZDNet points out, the guidelines also explain how agencies should deal with “collateral” damage that comes from spying on the wrong person or gathering content subject to legal privilege. The draft rules further explain how collected data should be stored and later destroyed.
In the draft policy, which has been published as part of a public review and comment period lasting until March 20, the government states that warrants typically lasts six months, though they may be renewed. In fact, warrants are often renewed because of the amount of time it takes to undo hacks.
The code of conduct is being made public as part of a broader response by the U.K. government to the revelations of the Edward Snowden leaks. Along with the U.S. National Security Agency (NSA), British intelligence Government Communications Headquarters (GCHQ) was implicated in domestic spy activities in the leaks, sparking a push for greater transparency.
But transparency in and of itself is not enough for critics who are upset at the power and reach of U.K. hacking confirmed in the draft code of conduct.
“GCHQ cannot legitimize their unlawful activities simply by publishing codes of conduct with no legislative force,” said Carly Nyst, legal director of the watchdog group Privacy International, speaking to the Guardian. “In particular, the use by intelligence agencies of hacking—an incredibly invasive and intrusive form of surveillance—cannot be snuck in by the back door through the introduction of a code of conduct that has undergone neither parliamentary nor judicial scrutiny. It is surely no mistake that this code of conduct comes only days before GCHQ is due to argue the lawfulness of its hacking activities in court.”
Nyst and other privacy advocates object to the powers exercised by British intelligence, which they say are far broader and more intrusive than traditional bugging and wiretapping techniques used prior to the Internet age. For instance, there is the capability – confirmed in the code of conduct – to bypass end-to-end encryption that has been increasingly used by Internet companies since the Snowden leaks to avoid unwanted government surveillance.
However, the government’s actions are defended by officials like James Brokenshire, the U.K.’s minister of immigration and security.
“As the threat to the U.K. from terrorism, espionage, and organized crime has diversified, these powers have become more important,” he said, adding, “There are limits on what can be said in public about this work. But it is imperative that the government is as open as it can be about these capabilities and how they are used.”
Photo via U.K. Ministry of Defence/Flickr (CC BY-SA 2.0)