UK Plans To Bring In Life Sentences For 'Serious Cyberattacks'

from the because-terrorism dept

At the official State Opening of the UK Parliament, the Queen makes a speech in which she lays out what the UK government hopes to achieve in the new legislative session. It's one of the quainter British ceremonies -- BuzzFeed has a good summary of just how quaint -- but the one-line statements of intent can mask some very far-reaching plans. This year, for example, the Queen's Speech contained the following item :

A serious crime Bill will be brought forward to tackle child neglect, disrupt serious organised crime and strengthen powers to seize the proceeds of crime.

The Guardian has more details of one particular measure the serious crime Bill will contain:

Any hackers that manage to carry out "cyberattacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof" would face the full life sentence, according to the serious crime bill proposed in Wednesday's Queen's speech.

As well as targeting cyberterrorists, the new offence in the proposed update to the Computer Misuse Act [CMA] 1990 would also hand harsher sentences to those hackers carrying out industrial espionage, believed to be a growing menace affecting UK business.

The law would have a maximum sentence of 14 years for attacks that create "a significant risk of severe economic or environmental damage or social disruption". Currently, the section of the CMA covering such an offence carries a 10-year sentence.

Much of this is the kind of activity carried out in the form of attacks sponsored by governments outside the UK -- or, as in the case of the NSA, directly by those governments. Despite the recent grandstanding by the US when it filed criminal charges against members of the Chinese military whom it accuses of espionage, there is little hope of ever persuading the main players to hand over their citizens for trial, so the new UK law will be largely ineffectual against the most serious threats.

But there is a real danger in the "or significant risk, thereof" part, since that gives the UK authorities huge scope to claim -- as they have in other contexts -- that some online action "risked" some terrible outcome, even though nothing actually happened. Things are made worse by the fact that there is no public interest defense or exemption for research. As the Guardian notes:

The government has also not addressed complaints over the application of current computer crime law, which some in the security industry claim actually makes the internet less safe.

This is because certain kinds of research could be deemed illegal. Experts known as penetration testers, who look for weaknesses in internet infrastructure, often carry out similar actions to real cybercriminals in their attempts to improve the security of the web, such as scanning for vulnerabilities.

But such research is punishable under British law, even if it is carried out for altruistic ends, leaving potential weaknesses unresolved, critics of the CMA said.

What this means is that while it will fail to tackle the most serious online attacks, and chill research into security flaws, the proposed Bill will conveniently allow the UK government to target groups like Anonymous who carry out high-profile but relatively harmless actions over the Net. This section of the proposed Bill is really about the UK government bolstering its already disproportionate powers to throttle online protests by characterizing them as "serious cyberattacks", and threatening to impose life sentences on anyone involved.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cfaa, computer misuse act, cyberattacks, cybersecurity, hacking, sentencing, uk

Privacy Rights Group Files Legal Challenge To GCHQ's Extensive Hacking Activities

from the one-of-the-better-uses-of-normally-useless-anti-hacking-laws dept

Indispensable organization Privacy International has filed a legal challenge against GCHQ's hacking of computers and devices, seeking to use the UK government's own Computer Misuse Act against its national security agency.

Much like the (frequently maligned) CFAA (Computer Fraud and Abuse Act) here in the US, the CMA prohibits unauthorized access of computers as well as knowingly impairing computers and devices with malicious software. Privacy International argues that GCHQ (in conjunction with the NSA in many cases) has done both -- multiple times.

The extent of GCHQ's capabilities was revealed by the Snowden documents, which detail how GCHQ and NSA are using malware to conduct surveillance that is potentially far more intrusive than any other current surveillance technique, including the interception of communications. GCHQ's hacking capabilities are so advanced that they are able to surreptitiously:

• take over a device's microphone and record conversations taking place near the device (NOSEY SMURF);
• take over a device's webcam and snap photographs (GUMFISH);
• record Internet browsing histories and collect login details and passwords used to access websites and email accounts (FOGGYBOTTOM);
• log keystrokes entered into a device (GROK);
• extract data from removable flash drives that connect to an infected computer (SALVAGERABBIT);
• identify the geographic whereabouts of the user (TRACKER SMURF); and
• retrieve any content from a phone, including text messages, e-mails, web history, call records, videos, photos, address books, notes, and calendars.

Because the leaks have made these programs public knowledge, there's very little GCHQ can do to deny the claims. Instead, it will most likely invoke its "legal authority" to perform these acts, granted to it (albeit not in those specific words) by the UK's Intelligence Services Act of 1994, as PI's Caroline Wilson explains.

Section 5(1) of the ISA provides: “No entry on or interference with property or with wireless telegraphy [by GCHQ] shall be unlawful if it is authorised by a warrant issued by the Secretary of State under this section." In other words, so long as GCHQ is acting under a warrant then its interference with computer and mobile devices may be authorised under Section 5, even if its otherwise against the law.

This assertion rests on the presumption that these acts are always carried out under a warrant. And even if not, the broad reading of the law has allowed GCHQ to declare its operations are completely legal. The CMA itself also provides another loophole for GCHQ, nullifying the stipulations of Section 1 of the act if performed under government authority.

This may not look all that promising for Privacy International, but the UK can't rely solely on its own laws to protect GCHQ from this legal action. It also has to answer to the European Union.

[T]he law authorizing GCHQ's hacking must at the least set out the nature of the offenses that might lead GCHQ to intrude on our personal devices, define that categories of people who might be affected, limit the duration and extent of any intrusion, set out the procedure for examining, using and storing any information obtained, prescribe how that information will be secured and shared with other parties, and define when the data collected will be erased or destroyed. The ISA's bare bones authorisation most certainly does not meet these basic requirements.

[GCHQ's] hacking is so intrusive, giving GCHQ unlimited control over any target device, that it is hard to imagine how it could made proportionate [...] This intrusion is only compounded when it is indiscriminately deployed to potentially millions of devices.

Privacy International argues that it is the breadth of GCHQ's activities that make it run afoul of both UK and EU law. Leaked documents have shown several programs instituted under the title of anti-terrorism that have failed to prohibit abusive use or even hold the agency to a reasonable definition of "relevant." Much like the NSA, the capabilities have outstripped the narrowly-defined goal, providing the agencies with unprecedented levels of intrusion.

Privacy International has filed its complaint with the UK's Investigatory Powers Tribune, the only body with the power to hear challenges of GCHQ's activities. The legal authority GCHQ claims gives it the permission to sabotage and infiltrate computers on a widespread basis is far from clear. Much of what's been granted to the agency has been done in complete secrecy and, as the leaks have been unleashed, its oversight has been exposed as completely worthless.

This legal battle (joining others filed by citizens and Amnesty International) will also likely end up being fought in the dark, obscured by cries of "national security." But at least one of the combatants will be making an effort to publicize every detail of the fight.

Filed Under: cma, computer misuse act, gchq, lawsuit, surveillance, uk
Companies: privacy international