UK's GCHQ Admits To Using Vulnerabilities To Hack Target Systems

Bismillah (993337) writes "Lawyers for the GCHQ have told the Investigatory Powers Tribunal in the UK that the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally. GCHQ is currently being taken to court by Privacy International and five ISPs from UK, Germany, the Netherlands, Zimbabwe and South Korea for CNE operations that the agency will not confirm nor deny as per praxis."

Re:Bunch of criminals.

[fustakrakich]

Their behavior is highly rewarding. The voters approve, on both sides of the pond. What do they have to be ashamed of? The public that allows this are the ones who should be ashamed.

Hmm

[cascadingstylesheet]

"Police carry the same projectile weapons that criminals do. Except they do it legally."

Re:Hmm

[AmiMoJo]

Good job the police never accidentally shot anyone. Good job that no-one else will ever discover these exploits and begin quietly using them to screw the people that GCHQ is supposed to be protecting.

Re:Per praxis?

[Chrisq]

will not confirm nor deny as per praxis.

What does an explodey Klingon moon have to do with this?

Didn't you know that the UK establishment is run by Klingons? Though they have let a Ferengi and a Vulcan enter the government too.

Re:Who says it's "illegal"? Timothy?

" If there is no law or treaty that interdicts the GCHQ from hacking third parties then it cannot be illegal."

They have already been found to have broken the law in UK jurisdiction.
https://privacyinternational.org/?q=node/482

There are plenty of laws. And GCHQ are not protected by Jurisdiction, Belgacom can prosecute for the Belgian telephone hack as can everyone else. The bit we know from Snowden shows its far worse than IPT are admitting, they did bulk collection, and defined British telecoms as foreign simply by defining it as foreign if it passed through any offshore server along the way. So all gmail and hotmail email were defined as foreign and open to surveillance, even Brit to Brit comms was intercepted and handed over the NSA.

Computer Misuse Act 1990 ..

[DougPaulson]

@phayes: "Something is illegal when there are laws or treaties adopted by the country in question that render the actions illegal. If there is no law or treaty that interdicts the GCHQ from hacking third parties then it cannot be illegal.

Computer Misuse Act 1990

'Sections 1-3 of the Act introduced three criminal offences:

unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);

unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;

unauthorised modification of computer material, subject to the same sentences as section 2 offences.'

Re:Who says it's "illegal"? Timothy?

[Sique]

Just because a police officer in the UK has the right to arrest and interrogate suspects, it is not legal for him to arrest and interrogate people in other countries too. And the lawsuits are in other countries.

Re:Who says it's "illegal"? Timothy?

I look forward to those responsible being identified and prosecuted to the full extent of the law.

Or past offences ignored and new laws enacted to make future actions legal or new laws enacted and applied retrospectively.

How can voters 'approve' of secret programs?

How can voters 'approve' of secret programs, to spy on them?

Their people in the House of Lords recently tried to slip 'snoopers charter' into an amendment, the Lords rejected it demanding instead a debate of surveillance. Hence nobody can pretend this has approval, even the Lords want to find the details of it and debate it. Also you don't try to legalize something that is already legal. We found out they have a huge database of private British info, and its freely accessed by Ministry staff. No warrants, no checks, and Snoopers Charter would have made it legal retrospectively.

Good luck telling a judge that his private info, and that of his family are freely available to everyone in certain ministries without so much as a warrant, or check.

Fearmongering isn't necessary if approval is given:
https://www.privacysos.org/node/1660

"If you’re submitting budget proposals for a law enforcement agency, for an intelligence agency, you’re not going to submit the proposal that ‘We won the war on terror and everything’s great,’ cuz the first thing that’s gonna happen is your budget’s gonna be cut in half. You know, it’s my opposite of Jesse Jackson’s ‘Keep Hope Alive’—it’s ‘Keep Fear Alive.’ Keep it alive." - FBI assistant director Thomas Fuentes

Re:How can voters 'approve' of secret programs?

[gl4ss]

also, it still wouldn't make it legal elsewhere.

what all this shit is leading into is countries soon flat out refusing to even investigate hacker claims from other countries - I mean, why should they when the other country does jack all shit nothing to help to solve the crimes their agents committed?

Re:How can voters 'approve' of secret programs?

[ememisya]

Well, I think you should complain to your local government about your government spying on you... So yea... I personally believe Abraham Lincoln had a great quote when he said, "You can fool some of the people all of the time, and all of the people some of the time, but you can not fool all of the people all of the time." That is the post-Snowden era. But the million dollar question is, "Who can do what about it?" and the answer is obvious, it's here to stay because no one person can do anything about it. The technical reason is one of liability. When something bad happens, you don't want to hear, "Sorry, the data was encrypted.", or "We didn't collect everything because of privacy or constitutional reasons." A technical person told me, "We don't care about what porn you watch, it's just not what we do." But it is also interesting that a person out there does know what type of porn you watch, and again if one was to specifically categorize porn DNS not to be monitored, that's what all the hackers would use knowing it's not being monitored, that's the argument there. Another thing is, there is no monetary incentive on the side of privacy it would seem. There is a ton of money to be made from data of people. So that's where the world stands right now. Government's argument would be, "We've been watching you this whole time, it's just that you didn't know it, so shut up, forget about it, and we can go back to way things were." Concerned citizen argument is, "The authors of the government promised that it would work to make it impossible to have a system in which all your actions are recorded without your knowledge." It's pretty similar to stalking. Only time will tell.

Re:You're not going to get anywhere with this crow

What they've done is to use a blanket warrant to grab ALL data on the excuse of 'terrorism', that gives them a searchable database, which no longer has the individual judicial checks. In particular they've done a full take on the pipes into the UK, which by its nature carries mostly UK to UK data.

GCHQ then handed this feed to the NSA, who have indexed it, on the promise they won't misuse it, and NSA in return has given them access to a search interface, PRISM back on this data and others.

NSA built a haystack, and the one thing we know is it isn't likely to contain needles, because its easy-to-get bulk data on everyone, not difficult-to-get signals intelligence on terrorists. The quantity of 'hay' they collect is connected to the ease by which they can intercept it, not the likeliness of it for 'terrorism'.

And of course once you remove the judicial protections and checks and balances, it all goes out the window. We learned of the memo saying NSA should keep any UK intelligence useful to the US, despite the 5 eyes 'no-spy' treaty, and that the SWIFT agreement was circumvented by simply assigning NSA staff to the treasury. Well duh!

In the process of turning US industry into surveillance machines, they've undermined encryption, withheld security holes, signed secret corporate commercial surveillance agreements. Undermining US products by coercion and bribery.

All because one General decided that instead of 'thin thread' approach of going after just the info they needed, they'd do a big 'store it all', and then do the searches adhoc without judicial checks after the fact.

You say 'clear legal framework' but it was clear from the leaks that the FISA judge was misled about the database stuff. He approved a tap, for a specific purpose, and instead it went into a database for other purposes. If FISA judges cannot be told the truth then how can this be a 'clear' anything?

NSA lied to the court:
https://www.techdirt.com/articles/20130821/16331524274/declassified-fisa-court-opinion-shows-nsa-lied-repeatedly-to-court-as-well.shtml

None of this has been approved by the democracy it operates in. We get glimpses of how abused the systems was sometimes:
https://www.techdirt.com/articles/20140813/23203228207/unsealed-jewel-v-nsa-transcript-doj-has-nothing-contempt-american-citizens.shtml

Keep in mind we're not talking about detail here, the basis of "collect everything one judicial warrant then search it later without warrant", for Britain this was one of the parts of Snoopers Charter. When GCHQ failed to get it, it went ahead with Tempora anyway with a faulty legal interpretation. It was clearly a breach of the law, yet they did it anyway.

So now we're in the position where politics is corrupted in 5 eyes countries, where the hard line military leaders win elections, and up coming parties have their telephone calls leaked against them. All of that needs to be pulled back in, the protections put back in place, GCHQ staff involved need to be ejected (prosecuted even) and replaced by people loyal to their country, and GCHQ need to only hand narrow data over, on terrorism, with proper judicial checks each time.

Should GCHQ be spying on data, which is mostly British, including sensitive data on commercial, political, journalistic and democratic actors from 200 fibre optics, handing it to NSA who give it to 800,000 NSA staff and private contractors ? It's a no-brainer. No they should not.

https://orderoftruth.wordpress.com/2013/06/22/uk-communications-bill-snoopers-charter-legalises-illegal-activity-of-gchq-and-nsa-in-uk-exposed-by-snowden/

GCHQ staff, to me you are compartmentalized into seeing tiny parts of the bigger picture. Classic 'rubes'.

Re:Who says it's "illegal"? Timothy?

[ledow]

This is why almost every law is covered by an exemption for the purposes of law enforcement (police pretending to be someone else in a sting operation, for example) or national security (which is what GCHQ hide behind).

Like the "Google not paying UK tax" thing - what they did was ENTIRELY legal, or else they'd be before the courts. But it's considered morally "wrong" so the law gets changed over time to match with the expectation (the "spirit" of the law and not just the "word" of the law).

Almost by definition, anything that GCHQ - a military department, effectively, like MI5 etc. - claim they did in the name of national security is legal. Even murder. Otherwise all war would be illegal too.

The law is not one line in a book. Like group policy, it's the result of overlap of thousands of lines from hundreds of books, all with different precedence and priority, and all with confusing text to describe how they operate, to arrive at a single answer for whether someone is allowed to do X or not.

Laugh

[koan]

the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally.

LOL, So... it is a crime, not because it is morally and ethically questionable, but because you told us it is, and you told us it's OK for you to do it.