UK pulls back the curtain on hacking campaigns

A United Kingdom spy agency acknowledged in court on Tuesday that it has carried out numerous hacking campaigns both domestically and abroad.

The hacks range from monitoring a single Internet session, to planting eavesdropping software on a device, to hijacking that device completely, according to the testimony of Ciaran Martin, the director general of cybersecurity at the Government Communications Headquarters (GCHQ).

{mosads}Martin was testifying in a case brought by digital rights advocate Privacy International and seven Internet service providers following Edward Snowden’s disclosure of secret U.S. and U.K. surveillance programs.

Snowden, a former U.S. intelligence contractor, revealed that both countries were collecting telephone and Internet records in bulk without warrants. He’s also outed several advanced hacking techniques that each country used, including the GCHQ’s “Smurf Suite,” a slate of hacking powers designed to remotely hijack anyone’s phone.

Martin said hacking “has become increasingly important in recent years and will become more important yet in the years ahead,” given the rise of “strong encryption across many Web services.”

“Historically, GCHQ’s ability to identify individuals of intelligence interest has been based largely on bulk interception,” he said. “This capability remains critical to the identification and mitigation of threats, but increasingly it is being threatened.”

Privacy International believes these activities are disproportionate and illegal. And much of it occurs without individual warrants.

The advocacy group noted that the GCHQ does not need to name a specific person or device before getting authorization to hack overseas. The spy agency has also been criticized for not keeping thorough records of its overseas hacking activities.

“The light touch authorisation and oversight regime that GCHQ has been enjoying should never have been permitted,” said Caroline Wilson Palow, general counsel at Privacy International, in a statement. “Perhaps it would have been if Parliament had been notified in the first place that GCHQ was hacking.”

The outcome of the case could have a direct effect on a controversial investigatory powers bill currently pending in Parliament.

The measure would require Internet and phone companies to store all U.K. citizen’s Web records for a year in case government officials need to access the data. The bill would also clarify the government’s legal authority to hack into devices.

The Paris terror attacks in November caused some lawmakers to suggest fast-tracking the bill, but now it appears the measure will proceed at the normal pace.