On Friday, activist group Privacy International and five internet and communications providers lodged an application before the European Court of Human Rights to challenge the UK's use of bulk hacking powers abroad.
"The European Court of Human Rights has a strong track record of ensuring that intelligence agencies act in compliance with human rights law. We call on the Court to hold GCHQ accountable for its unlawful bulk hacking practices," Scarlet Kim, legal officer at Privacy International, said in a statement.
The application has been made with UK-based non-profit GreenNet, the Chaos Computer Club from Germany, Jibonet from South Korea, US internet service provider May First, and communications provider Rise Up.
In 2014, Privacy International filed a complaint over the country's bulk hacking powers with the UK's Investigatory Powers Tribunal (IPT), a court which determines if public authorities have unlawfully used covert techniques. In February of this year, the IPT concluded that GCHQ's hacking was legal under the UK's Intelligence Services Act 1994.
Privacy International is now challenging whether the UK's interpretation of the Intelligence Services Act for using bulk hacking powers complies with the European Convention on Human Rights (ECHR).
"As currently practiced, GCHQ's hacking powers are neither in accordance with law nor proportionate, both of which they must be in order to satisfy Articles 8 and 10 [of the ECHR]. Our case focuses on the in accordance with law requirement, which says that if an intrusive surveillance practice like hacking is to be used, it must have an explicit legal basis that makes its use foreseeable and must be accompanied by stringent safeguards," Privacy International General Counsel Caroline Wilson Palow told Motherboard in an email.
Regardless of this challenge, the UK will likely soon have explicit legal authority to hack in bulk overseas. Those powers will be authorised under the Investigatory Powers Bill, or IP Bill, if passed. The Bill is currently making its way through the House of Lords, after passing the House of Commons by an overwhelming majority.
One example of how GCHQ could use bulk warrants, given in the IP Bill's draft code of practice on hacking, imagines a terrorist cell in the Middle East using a particular piece of software. After hacking a number of devices in the area, GCHQ could then filter out those that didn't use the software in question.
Even though bulk hacking powers would be cemented in law by the Investigatory Powers Bill, Privacy International still thinks it has a case.
"While the IP Bill will make bulk hacking explicit in law, in its current form we do not think it resolves the legal issues surrounding the practice," Palow continued. "Hacking is an extremely intrusive form of surveillance, which should only be authorised in the narrowest of circumstances with stringent safeguards. The breadth of the bulk hacking warrants fail to satisfy these requirements."