International Service Providers Sue GCHQ For Potentially Hacking Their Networks
from the could-get-interesting dept
A group of seven smaller international ISPs, many of which tend to be used by activists, are now suing GCHQ via the Investigatory Powers Tribunal, for hacking into their networks. The focus of the lawsuit is on the GCHQ's now infamous hacking of Belgian telco Belgacom, via a quantum insert, to get access to a variety of communications. While those revelations don't name any of the service providers filing suit, they note that "the type of surveillance being carried out allows them to challenge the practices in the IPT because they and their users are at threat of being targeted." The seven service providers are:Riseup (US), GreenNet (UK), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (Korea), May First/People Link (US), and the Chaos Computer Club (Germany), along with Privacy InternationalThere may be a big question as to whether or not any of those organizations really have standing if there's no evidence they were actually targeted by GCHQ, but I don't know enough about how the Investigatory Powers Tribunal works when it comes to the question of who has standing to judge at the outset. Either way, the service providers note that GCHQ's activities violate the European convention on human rights:
First, in the course of such an attack, network assets and computers belonging to the internet and communications service provider are altered without the provider’s consent. That is in itself unlawful under the Computer Misuse Act 1990 in the absence of some supervening authorisation. Depending on the nature and extent of the alterations, the attacks may also cause damage amounting to an unlawful interference with the internet and communications service provider’s property contrary to Article 1 of the First Protocol (“A1P1”) to the European Convention on Human Rights (“ECHR”).Certainly a case worth watching if it can get past the standing issue.
Second, the surveillance of the internet and communications service provider’s employees is an obvious interference with the rights of those employees under Articles 8 and 10 ECHR, and by extension the provider’s own Article 10 rights. As Der Spiegel reported in relation to a separate attack on Mach, a data clearing company, a computer expert working for the company was heavily targeted: “A complex graph of his digital life depicts the man’s name in red crosshairs and lists his work computers and those he uses privately (‘suspected tablet PC’). His Skype username is listed, as are his Gmail account and his profile on a social networking site. […] In short, GCHQ knew everything about the man’s digital life.” It is not simply a question of GCHQ confining its interest to employees’ professional lives. They are interested in knowing everything about the staff and administrators of computer networks, so as to be better able to exploit the networks they are charged to protect.
Third, the exploitation of network infrastructure enables GCHQ to conduct mass and intrusive surveillance on the customers and users of the internet and communications service providers’ services in contravention of Articles 8 and 10 ECHR. Network exploitation of internet infrastructure enables GCHQ to undertake a range of highly invasive mass surveillance activities, including the application of packet capture (mass scanning of internet communications); the weakening of encryption capabilities; the observation and redirection of internet browsing activities; the censoring or modification of communications en route; and the creation of avenues for targeted infection of users’ devices. Not only does each of these actions involve serious interferences with Article 8 ECHR rights, by creating vulnerabilities and mistrust in internet infrastructure they also chill free expression in contravention of Article 10 ECHR.
Fourth, the use by GCHQ of internet and communications service providers’ infrastructure to spy on the providers’ users on such an enormous scale strikes at the heart of the relationship between those users and the provider itself. The fact that the internet and communications service providers are essentially deputised by GCHQ to engage in heavily intrusive surveillance of their own customers threatens to damage or destroy the goodwill in that relationship, itself an interference with the provider’s rights under A1P1.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: gchq, hacking, security, surveillance, uk
Companies: chaos computer club, greenhost, greennet, investigatory powers tribunal, jinbonet, mango, may first, people link, riseup
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The courts need to dismiss this lawsuit as nothing more than frivolous.
[ link to this | view in chronology ]
Re:
And while were at it, I hope you also get sued for copyright infringement, especially if you haven't done what you are getting sued for, just so that you can have the fun of trying to get your ass out of this situation.
Morons like you only learn if they experience all the pain firsthand.
[ link to this | view in chronology ]
Re:
"As Der Spiegel reported in relation to a separate attack on Mach, a data clearing company, a computer expert working for the company was heavily targeted: “A complex graph of his digital life depicts the man’s name in red crosshairs and lists his work computers and those he uses privately (‘suspected tablet PC’). His Skype username is listed, as are his Gmail account and his profile on a social networking site. […] In short, GCHQ knew everything about the man’s digital life.""
You might make a better case. But would you sue the intelligence agency that directed the surveillance carried out on you? Or would you feel that might make you, your employer, anyone you know, even more of a target?
[ link to this | view in chronology ]
Ye of exaulted and superior knowledge and position
*Just cause it is secret does not make it right!
**Just cause it is the 'gobmint' doing it does not make it right!
[ link to this | view in chronology ]
After that, they would have to show that GCHQ actually did the hack, that the hack was done entirely without the knowledge or help of the ISP or any equipment manufacture, and a whole bunch of other details. It's really not a simple case to make.
As the AC points out as well, do we truly want to be able to sue the government spy agency for doing it's job?
[ link to this | view in chronology ]
Re:
When the MEANS it uses to do it's job breach the law and/or constitutional protections, then definitely YES.
The ends do NOT justify the means.
The security agencies are not above the law, no matter how much they and the executive wish they are.
And while legally they are not above the law, the way things seem to be heading it is looking more and more like in practice they are above the law.
[ link to this | view in chronology ]
Re: Re:
Okay, show me the criminal charges brought against them for breaking the law. Oh, they don't exist.
You don't consider perhaps that while distasteful, perhaps the security "holes" are there by intention and agreement by at least two parties (government and equipment maker, example) and as such, may be nothing more than a civil case for failure to disclose by the equipment maker?
It's pretty easy to say "they broke the law", but if they did, where are the criminal (not civil) actions?
They are not above the law, but "the law" must take action to prosecute them criminally if they have in fact broken the law in a provable fashion. Otherwise, they can stand "over there" with the guys from TPB claiming they aren't doing anything wrong.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Under the way the law/legal systems work in (nominally) free societies, ANYTHING you do IS legal unless/until a law against it is passed and/or the activity is challenged in court to get a ruling on it.
Therefore what GCHQ is doing is, nominally, legal, until it is ruled as illegal. And the way to test if it is illegal is to take it to court and get a ruling. Which is what is being attempted here. If the courts agree that it is legal, then there will be no repurcussions on GCHQ. If, however, the court declares it illegal, then there will (or may be, assuming its not all swept under the rug/pardoned) repurcussions on GCHQ.
And relying on the government, the instigators, hell, the cheerleaders and enablers of this activity, to be the ones to bring it up before the courts in criminal proceedings is not just naive, its f*cking stupid. It's the attitute of someone who believes the phrase "I'm from the government, I'm here to help you." You may care to abdicate yourself from your civil duty of always questioning the government's actions and motivations, of being coddled and accepting the government can do no wrong, but others don't.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
For example, you cannot sue somebody for defaming you in the future because they haven't defamed you in the past or present. Simply filing a lawsuit against somebody for something they haven't done yet will get laughed out of court so fast it would make your head spin.
For example, you cannot be sued today for downloading the fifth Avengers movie in the future, simply because it hasn't happened yet. For any court to allow anyone to sue another person for conduct that has not even been committed yet would open the floodgates of every judicial system on this planet and it would create massive problems for the courts, no matter what country you are in.
[ link to this | view in chronology ]
Re:
For example, you cannot be sued today for downloading the fifth Avengers movie in the future, simply because it hasn't happened yet.
On the contrary. If a Governmental body is abusing its power you don't have to wait till the abuse reaches you to question their behavior in the courts.
[ link to this | view in chronology ]
Re: Re:
Not right at all. You need some example, some specific case, some specific action - and you generally have to be party to it. Making vague "we think they are looking over our shoulders and might have seen something" claims doesn't stand up in court at all. Otherwise, I could say that I think you have been spying on me, that you might have seen something I wrote, so I can sue you for "one meeeeeellion dollars" (apply pinkie finger here).
Oh, that last part is for guys like Rick Falkvinge who don't seem to understand that you can share culture without sending the whole movie to someone.
[ link to this | view in chronology ]
Re: Re: Re:
Yes but even if that action does not affect you you can question it in the courts. See EFF, ACLU etc.
Making vague "we think they are looking over our shoulders and might have seen something" claims doesn't stand up in court at all.
They are not claims, there's factual evidence backing up those "claims".
Oh, that last part is for guys like Rick Falkvinge who don't seem to understand that you can share culture without sending the whole movie to someone.
As always, you miss the entire point. Like the 6 second clips. Those are not the entire movie/match/whatever and they are still taken down. Pirating a full work is just the extreme example. And even then it is right when the copyright holders (notice I'm not talking about the creators) do not make that content available for purchase or the price is at extortion levels.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Rather telling actually. He/She might make a fair crystal ball for future excuses of federal shenanigans.
Turn the shill into something useful. :)
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
ISDS?
[ link to this | view in chronology ]
Re: ISDS?
[ link to this | view in chronology ]
gchq
IPT is a fraud
Datamining, Computer intrusion, Interception E/O/W communications is done by telecomm OBC systems, Artificial intelligence, and noting gchq website- Signals processing by wireless.
I tech used is a violation of Human rights
YOUR INFO including ID/IP stolen by wireless (theft of services) disseminated to other agencies by gchq.
Including brain mapping, biometric
Can y dig it?
Rock on activists!!
[ link to this | view in chronology ]
gchq
IPT is a fraud
Datamining, Computer intrusion, Interception E/O/W communications is done by telecomm OBC systems, Artificial intelligence, and noting gchq website- Signals processing by wireless.
I tech used is a violation of Human rights
YOUR INFO including ID/IP stolen by wireless (theft of services) disseminated to other agencies by gchq.
Including brain mapping, biometric
Can y dig it?
ghstdtnee@yahoo.com
Rock on activists!!
[ link to this | view in chronology ]