Seven ISPs filed a legal complaint on Wednesday with the UK Investigatory Powers Tribunal, an organization founded in October 2000 as a result of the Regulation of Investigatory Powers Act. This agency fields complaints about powers used by intelligence services, public authorities and law enforcement agencies.
The companies that filed the complaint are Greenet Limited based in England, Riseup Networks, Inc. Seattle, WA, Mango Email Service, Zimbabwe, Korean Progressive Network, South Korea, Greenhost, Netherlands, Media Jumpstart, Inc. Brooklyn, NY, and Chaos Computer Club, Hamburg, Germany. The claimants provide internet, email and hosting services.
Cedric Knight, of GreenNet, said, “Snowden’s revelations have exposed GCHQ’s view that independent operators like GreenNet are legitimate targets for internet surveillance, so we could be unknowingly used to collect data on our users. We say this is unlawful and utterly unacceptable in a democracy. Our long established network of NGOs and charities, or simply individuals who value our independent and ethical standpoint, rely on us for a level of integrity they can’t get from mainstream ISPs. Our entire modus operandi is threatened by this illegal and intrusive mass surveillance.”
In March, the UK Labour Party called for major changes in how intelligence agencies deal with cybersecurity, surveillance and crime in the light of the Snowden revelations. Shadow home secretary Yvette Cooper argued that the oversight and legal frameworks are out of date and major reforms are needed “to keep up with changing technology.” These latest allegations would appear to indicate reform has a way to go.
“These proceedings concern GCHQ’s apparent targeting of internet and communications service providers in order to compromise and gain unauthorized access to their network infrastructures in pursuit of its mass surveillance activities,” according to item 3 of the legal document. “The claims set out below arise out of reports, published by the German newspaper Der Spiegel, that GCHQ has conducted targeted operations against internet service providers to conduct mass and intrusive surveillance.”
This complaint is significant to all service providers since the type of surveillance described by Der Speigel and being carried out by the GCHQ and NSA is not necessarily limited to companies listed in the report. It’s unclear how far reaching these activities may be.
The document goes on to describe the account of surveillance activities reported by Der Spiegel, which includes the use of a Quantum Insert to engage in the surveillance of users of the Belgian telecom, Belgacom. Der Spiegel also reported injecting data into existing streams to infect users, and using exchange points to spy on all internet traffic.
The claim cites four possible legal issues. Computers and network assets belonging to the company altered without the company’s consent would be illegal under the Computer Misuse Act 1990 in the absence of consent. Surveillance of employee activity violates their personal rights under Articles 8 and 10 ECHR. GCHQ surveillance by exploitation of network infrastructure contravenes Articles 8 and 10 ECHR. Lastly, use of the infrastructure destroys the relationship between users and the company.
“The fact that the internet and communications service providers are essentially deputised by GCHQ to engage in heavily intrusive surveillance of their own customers threatens to damage or destroy the goodwill in that relationship, itself an interference with the provider’s rights under A1P1,” stated the complaint.
GCHQ has not identified any legal reason for its conduct. The complaint explains the relevant laws and statutes in which the GCHQ is in violation. Articles 8, 10, and A1P1 require legal justification of a certain nature befor the network interference is deemed legal. “First, they require that the interference be ‘in accordance with the law’, ‘prescribed by law’, or ‘subject to the conditions provided for by law’: in other words that there be a clear and ascertainable legal regime in place which contains sufficient safeguards against abuse of power and arbitrary use. Second, Articles 8 and 10 require that the interference be necessary in a democratic society and a proportionate means of achieving a legitimate aim; A1P1 requires that any deprivation of possessions be ‘in the public interest’, which itself imposes a requirement of proportionality.”
Jan Girlich, spokesperson for the Chaos Computer Club, Germany, said, “The GCHQ’s dragnet surveillance takes away all citizens’ privacy rights indiscriminately. Thus, not only lawyers, doctors, journalist, and many more people are robbed of their working basis, but everybody is stripped of his or her ability to object to their government’s opinion without fear of retribution.”