Privacy International has filed a legal complaint against the U.K. government in an attempt to stop the country's intelligence service GCHQ from hacking into devices to gather information.
GCHQ, together with its U.S. counterpart the National Security Agency, reportedly developed technology to infect computers and mobile devices with malware, giving them the ability to switch on users' microphones or cameras, listen to phone calls and track locations. The extent of these capabilities was revealed in documents leaked by former NSA contractor Edward Snowden and could potentially be used to affect millions of devices, Privacy International said Tuesday.
"GCHQ and NSA are using malware to conduct surveillance that is potentially far more intrusive than any other current surveillance technique, including the interception of communications," the organization said. It filed a complaint with the U.K.'s Investigatory Powers Tribunal (IPT) in order to end this "unlawful hacking."
The IPT is a secret court that can investigate complaints about any alleged conduct by, or on behalf of, the intelligence services, according to its site. It is the only U.K. tribunal to which complaints about the intelligence services can be directed.
Besides listening in to phone calls and tracking locations, the intelligence services are also said to have the ability to record Internet browsing histories and collect log-in details used to access websites and email accounts. They can also log keystrokes, extract data from removable flash drives and retrieve any content from a phone, including text messages, emails, Web history, call records, videos, photos, address books, notes and calendars, Privacy International said.
The complaint filed with the IPT contends that "covert intrusion into the devices and lives of ordinary people is so invasive that it is incompatible with democratic principles and human rights standards." GCHQ and the NSA have no clear lawful authority to do so and are in clear violation of Article 8 (the right to privacy) and Article 10 (right to freedom of expression) of the European Convention on Human Rights, the organization said.
Privacy International already filed a legal complaint against the U.K. government with the IPT last July. That complaint concerns mass surveillance on U.K. citizens via GCHQ's Tempora and the NSA's Prism program.
A first hearing in that case to determine the scope and direction of the case took place in February and a second hearing is scheduled for July, said Privacy International spokesman Mike Rispoli.
Until the IPT reaches a decision in that case, a similar complaint is on hold, Rispoli said. The similar case is about the Tempora and Prism programs and was filed with the European Court of Human Rights (ECHR) in October by U.K. groups Big Brother Watch, Open Rights Group and English PEN.
"It is the proper legal channel," he said, adding that if the IPT should rule against Privacy International the case can be appealed with the ECHR.
It might be a while before that could happen because cases at the IPT can drag on for seven to eight years, according to Rispoli.
Privacy International has also tried a different route to battle mass surveillance. In November, it filed complaints against U.K. telecommunications companies for assisting GCHQ with mass interception of telephone and Internet traffic that passes through undersea fiber-optic cables.
That complaint was filed with the U.K. office of the Organisation for Economic Cooperation and Development (OECD), which isn't a court and cannot impose sanctions. Privacy International hopes the OECD will investigate and share how the companies participated in the surveillance program.
Privacy International has not heard back from the OECD, Rispoli said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to email@example.com