GCHQ Details Cases of When It Would Use Bulk Hacking
A new review of the UK's mass surveillance powers includes case studies from intelligence agencies.
As the UK prepares to solidify the country's mass surveillance powers in law, the Independent Reviewer of Terrorism Legislation on Friday published his review of those capabilities.
A looming power that is yet to be formalised into law but may become increasingly crucial is "bulk equipment interference," a term used to reference mass hacking. The security and intelligence agencies have argued that they need equipment interference (EI) powers owing to the increased proliferation of encryption and anonymisation technologies.
Under the proposed Investigatory Powers Bill, security and intelligence agencies could apply for bulk EI warrants, allowing them to hack a large number of devices. The operations must be geared towards national security and have a foreign focus. (Similar "targeted thematic warrants" will also be introduced, although those are not the subject of the review.)
In his review, David Anderson concludes there is a "distinct (though not yet proven) operational case" for including bulk EI powers in the Bill.
For the review, GCHQ provided examples of case studies where it would like the power to use bulk EI. As this is not yet permitted, it included a couple of examples where the agencies actually acted under a different piece of legislation—the Intelligence Services Act—but where they might, in other circumstances, want to use a bulk equipment interference warrant. (Part of the point of the Bill is to bring the oversight and regulation of many of the UK's surveillance powers under one piece of legislation.)
In one case, GCHQ identified the devices of previously unknown Islamist extremists in Syria who allegedly posed a threat to the UK and other countries. One reason the agency turned to hacking was that "the UK cannot work co-operatively with the Syrian government to identify and disrupt these attack plans," the review reads.
Using bulk interception (when GCHQ passively intercepts communications or data through its mass surveillance programs), the agency identified a location in Syria used by extremists. But because of the "widespread use" of encryption and anonymisation technologies—perhaps referring to the Tor network—GCHQ says it was unable to identify specific individuals, or listen in on their communications.
The review does not explain what technique was used, but GCHQ was able to identify around 80 individuals for further investigation after turning to hacking.
This is one of the main reasons given for bulk hacking powers: target identification.
"It was emphasised that bulk EI operations will be designed to bring back the minimum amount of information required to rule out devices not of intelligence interest," Anderson writes. From there, GCHQ could focus on more specific targets, and perhaps hack the devices for more detailed information, including the content of communications.
The second real-life example given by GCHQ also detailed an operation targeting extremists in Syria, this time a group responsible for hostage-taking and attempted attacks on UK nationals. GCHQ carried out hacking over "the wider area in which they operated," in order to determine how these people were communicating.
According to the review, the only other potentially viable option for obtaining this sort of information would have been through the use of human sources—informants or spies. But, "the risks to any human agent would have been great, and the information would have taken longer to obtain and would have been less complete," the review reads.
Anderson also includes three previously published hypothetical situations in which intelligence agencies might need bulk equipment interference. One proposes a scenario in which a terrorist group suddenly stops using its devices, indicating it has moved to new devices and is preparing an attack; another suggests gaining information on a totalitarian regime's biological weapons program; and the third concerns the protection of UK critical infrastructure from a state actor.
This new bulk equipment interference power will be limited to GCHQ. But, according to the review, MI6 said that it will also be "increasingly dependent" on GCHQ's use of bulk equipment interference.
If the Investigatory Powers Bill is made into law—and after passing through the House of Commons and seeing its final debate in the Lords, it seems likely—bulk equipment interference will be legal.
Other powers reviewed by Anderson include mass interception, the collection of communications data, and so-called bulk personal datasets—large swaths of information, most of which concerns people of no intelligence value, but that the agencies use to comb for leads.