The UK government has quietly passed new legislation that exempts GCHQ, police, and other intelligence officers from prosecution for hacking into computers and mobile phones.
While major or controversial legislative changes usually go through
the normal parliamentary process (i.e. democratic debate) before being
passed into law, in this case an amendment to the Computer Misuse Act
was snuck in under the radar as secondary legislation. According to Privacy International,
"It appears no regulators, commissioners responsible for overseeing the
intelligence agencies, the Information Commissioner's Office, industry,
NGOs or the public were notified or consulted about the proposed
legislative changes... There was no public debate."
Privacy International also suggests that the change to the law was in
direct response to a complaint that it filed last year. In May 2014,
Privacy International and seven communications providers filed a
complaint with the UK Investigatory Powers Tribunal (IPT), asserting
that GCHQ's hacking activities were unlawful under the Computer Misuse
Act.
On June 6, just a few weeks after the complaint was filed, the UK government introduced the new legislation via the Serious Crime Bill
that would allow GCHQ, intelligence officers, and the police to hack
without criminal liability. The bill passed into law on March 3 this
year, and became effective on May 3. Privacy International says there
was no public debate before the law was enacted, with only a rather
one-sided set of stakeholders being consulted (Ministry of Justice,
Crown Prosecution Service, Scotland Office, Northern Ireland Office,
GCHQ, police, and National Crime Agency).
Despite filing its complaint way back in 2014, Privacy
International wasn't told about the changes to the Computer Misuse Act
until last week, after the new legislation became effective. The
UK government is allowed to do this, of course, but it's a little more
underhanded and undemocratic than usual.
According to Privacy International's legal experts, the amended
Computer Misuse Act "grants UK law enforcement new leeway to potentially
conduct cyber attacks within the UK." Following Snowden's leaks
throughout 2013 and 2014, a cynical person might see this new
legislation as something of an insurance policy: under the previous
Computer Misuse Act, the courts might have found GCHQ's hacking
activities within the UK to be illegal—now they're on more solid ground.