New UK law says GCHQ agents cannot be prosecuted for hacking

In a job posting published last week, the Government Communications Headquarters (GCHQ) – the UK version of US’ National Security Agency – openly announced its intention to recruit “committed and responsible individuals who have the potential to carry out computer network operations to keep the UK safe.”

“This is the first time that GCHQ has openly recruited for Computer Network Operations Specialists (CNOS). At GCHQ, CNOS work in both cyber security and cyber intelligence roles,” the posting explained.

“In cyber security, operations specialists may find themselves working in a team detecting and preventing attempts to attack the critical national infrastructure, or seeking to defend government systems against criminals seeking to steal information, identities or money. Cyber intelligence specialists might need to develop software to access the computers of a terrorist group, or carry out operations to retrieve vital online clues about the location and identity of members of an organised crime ring.”

One of the reasons why the GCHQ has now decided to start openly recruiting this type of talent could rest in the fact that, as of May 3, 2015, a new legislation named Serious Crime Bill 2015 exempts intelligence services’ employees from being prosecuted for hacking.

The legislation, which is an amendment of the Computer Misuse Act (CMA), was ushered quietly and without public debate.

This was discovered by UK-based charity Privacy International, which in May 2014 filed a complaint with the Investigatory Powers Tribunal challenging GCHQ’s hacking activities.

The organization believes that these complaints were, at least in part, what made the UK Government introduce the Serious Crime Bill 2015 in June 2014. Privacy International discovered that the bill was passed into law and became effective only when they received a notification about it on May 14, 2015 – just hours prior to a hearing of their claim.

“The change not only affects Privacy International’s claim, but also grants UK law enforcement new leeway to potentially conduct cyber attacks within the UK,” the organization pointed out.

“The explanatory notes that accompanied the act make no reference to the true impact of the change. It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner’s Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes. There was no published Privacy Impact Assessment. Only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders. There was no public debate.”

“The underhand and undemocratic manner in which the Government is seeking to make lawful GCHQ’s hacking operations is disgraceful. Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate,” commented Eric King, Deputy Director of Privacy International.

“Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate.”


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss