General Warrants to Hack Computers Unlawful: Privacy International v IPT

1 February 2021 by

Supreme court grants FBI massive expansion of powers to hack computers |  Data and computer security | The Guardian
Credit: The Guardian

In Privacy International v Investigatory Powers Tribunal, the Divisional Court held that s.5 Intelligence Services Act 1994 does not permit the government to issue general warrants to engage in computer network exploitation (“CNE”) – more commonly known as computer hacking. The court also offered valuable guidance on warrants and what is required to make them lawful.

The Issues

There were three issues:

1.     Does s.5 Intelligence Services Act 1994 (“the 1994 Act”) permit the Secretary of State to issue ‘thematic’ or ‘general’ warrants to hack computers? General warrants are those which purportedly authorise acts in respect of an entire class of people or an entire class of acts (e.g. ‘all mobile phones in London’).

2.     Should the court allow the claim to be amended to include a complaint that, prior to February 2015, the s.5 regime did not comply with Articles 8 and 10 of the European Convention on Human Rights?

3.     If permission is given to amend the claim, should the new ground succeed?


            Investigatory Powers Tribunal

This case arose from a challenge brought by Privacy International in the Investigatory Powers Tribunal (a body which hears complaints about state surveillance). The Tribunal was asked, among other matters, to decide on the lawfulness of computer hacking under the 1994 Act.

As readers may be aware, the Tribunal ruled that it is lawful to issue general warrants to hack computers. It stated:

Eighteenth century abhorrence of general warrants issued without express statutory sanction is not in our judgment a useful or permissible aid to construction of an express statutory power given to a Service [37].

It is not in our judgment necessary for a Secretary of State to exercise judgment in relation to a warrant for it to be limited to a named or identified individual or list of individuals. The property should be so defined, whether by reference to persons or a group or category of persons, that the extent of the reasonably foreseeable interference caused by the authorisation of CNE in relation to the actions and property specified in the warrant can be addressed [38].

The full judgment is available here.

            Ouster Clause?

Privacy International sought to judicially review the Tribunal’s decision. However, it faced an argument that the High Court had no jurisdiction over the matter. This was because s.67(8) Regulation of Investigatory Powers Act 2000 (“RIPA”) provided:

Except to such extent as the Secretary of State may by order otherwise provide, determinations, awards, orders and other decisions of the Tribunal (including decisions as to whether they have jurisdiction) shall not be subject to appeal or be liable to be questioned in any court.

A 4-3 majority in the Supreme Court ruled in 2019 that s.67(8) did not ‘oust’ (exclude) the High Court’s jurisdiction. This meant Privacy International’s judicial review could proceed.

The Principles

The key parts of s.5 of the 1994 Act are as follows:

(1) No entry on or interference with property or with wireless telegraphy shall be unlawful if it is authorised by a warrant issued by the Secretary of State under this section.

(2) The Secretary of State may, on an application made by . . . GCHQ, issue a warrant under this section authorising the taking, subject to subsection (3) below, of such action as is specified in the warrant in respect of any property so specified or in respect of wireless telegraphy so specified if the Secretary of State [my emphasis].

(a) thinks it necessary for the action to be taken for the purpose of assisting

(iii) GCHQ in carrying out any function which falls within section 3(J)(a) above; and

(b) is satisfied that the taking of the action is proportionate to what the action seeks to achieve;

(2A) The matters to be taken into account in considering whether the requirements of subsection (2)(a) and (b) are satisfied in the case of any warrant shall include whether what it is thought necessary to achieve by the conduct authorised by the warrant could reasonably be achieved by other means.

It was recognised that CNE is a valuable tool in tackling national security threats such as terrorism and serious and organised crime.

Interpretation of Section 5

Unlike the Tribunal, the Divisional Court relied heavily on the eighteenth century warrant cases. It emphasised the common law’s aversion to general warrants, which give significant discretion to the persons executing them (e.g. GCHQ). The case law indicated that there is a fundamental common law right not to have one’s property searched without legal authority.

The court also relied upon the common law principle of legality (as expressed in cases such as R v Secretary of State for the Home Department, ex parte Simms [2000] 2 A.C. 115). This states that, unless there are clear words to the contrary, courts should assume Parliament did not intend to override fundamental common law rights. In the view of the Divisional Court, section 5 lacked the unambiguous words required to overturn this presumption.

The national security context did not change the court’s assessment. Its role was to interpret the meaning of individual words read in the context of the enactment, rather than being moved by the Intelligence Agencies’ opinion of the powers they regard as necessary.

            Examples of Lawful s.5 Warrants

The court then considered how specific a warrant must be in order to comply with s.5. It drew a contrast with the wording of s.7, which authorises warrants on subjects outside the British Isles where the act/ person is “of a description so specified”, and s.5, which permits ‘such action as is specified in the warrant in respect of any property so specified’. [My emphasis.] It reasoned that the words ‘description’ and ‘specified’ do not mean the same thing, and the former is broader than the latter.

Therefore, any s.5 warrant must be “sufficiently specific to indicate to individual officers at GCHQ […] whose property, or which property, can be interfered with, rather than leaving it to their discretion” [57]. Examples of lawful warrants include ‘any device used by persons who are on the FCDO Syrian diplomatic list’, or devices used at particular premises (including entire streets). A warrant could hypothetically permit the use of computer hacking across a geographical area, such as Birmingham, but whether such a warrant would be necessary and proportionate was a difficult matter which did not arise. Warrants needn’t be limited to factual situations in existence when they are issued.

However, a warrant which referred to the property of anyone engaged in an activity (for example, “the mobile phone of any person conspiring to commit acts of terrorism”) would be insufficiently specific. This is because it leaves significant discretion to the individual exercising the warrant. The court left open the question of whether a warrant which referred to anyone suspected of being a member of an organisation would be sufficiently specific, but a highly relevant factor would be whether a person’s membership of the group was objectively ascertainable.

Application for Article 8 & 10 Claim Rejected

The Divisional Court refused permission to amend the claim to include a complaint that Articles 8 and 10 had been breached. The allegation had only been raised 4 years after the alleged unlawfulness. As a result, the relevant aspect of the scheme had been partially replaced by the Investigatory Powers Act 2016. The court took into account the Supreme Court’s comment that any application to judicially review the Tribunal’s decision should raise a point of general significance. The historical nature of the challenge meant this test was not met.


This case may appear somewhat technical, but it concerns a very real problem. A 2014 report by the Rt Hon Sir Mark Waller, the former Intelligence Services Commissioner and Court of Appeal judge, reached a similar conclusion to the Divisional Court. His findings led to one of the agencies withdrawing a thematic property warrant, and raised questions about how national security could be protected.

Privacy campaigners will understandably welcome this judgment. In truth, however, the potential scope of any s.5 warrant remains significant. The court refused to rule out the possibility that a warrant could lawfully allow all computers in Birmingham to be hacked. It explicitly endorsed the idea that all devices in an Internet Café could be captured, regardless of how many innocent individuals may be present (though questions of necessity and proportionality would inevitably arise).

The case also points towards wider issues within public law. It is worth remembering that the judicial review could never have been brought if the Supreme Court had upheld the purported ouster clause in s.67(8) RIPA. Given the lingering possibility that the UK will seek to derogate or withdraw from the ECHR, either by replacing it with a so-called ‘British Bill of Rights’ or using some other mechanism, the Divisional Court’s reliance on fundamental common law rights is especially significant.

The deadline for any appeal is 4pm on 1st February 2021.

Conor Monighan is a pupil at 5 Essex Court

Welcome to the UKHRB

This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates

Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.




Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals Anne Sacoolas anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery British Waterways Board care homes Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Commission on a Bill of Rights common law communications competition confidentiality consent conservation constitution contact order contact tracing contempt of court Control orders Copyright coronavirus costs costs budgets Court of Protection crime criminal law Cybersecurity Damages data protection death penalty defamation DEFRA deportation deprivation of liberty derogations Detention Dignitas diplomacy diplomatic relations disability disclosure Discrimination disease divorce DNA domestic violence duty of care ECHR ECtHR Education election Employment Environment Equality Act Equality Act 2010 Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice evidence extradition extraordinary rendition Facebook Facial Recognition Family Fatal Accidents Fertility FGM Finance foreign criminals foreign office foreign policy France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage gay rights Gaza Gender genetics Germany Google Grenfell Gun Control hague convention Harry Dunn Health HIV home office Housing HRLA human rights Human Rights Act human rights news Human Rights Watch Huntington's Disease immigration India Indonesia injunction Inquests insurance international law internet inuit Iran Iraq Ireland islam Israel Italy IVF ivory ban Japan joint enterprise judaism judicial review Judicial Review reform Julian Assange jury trial JUSTICE Justice and Security Bill Law Pod UK legal aid legal aid cuts Leveson Inquiry lgbtq liability Libel Liberty Libya lisbon treaty Lithuania local authorities marriage Media and Censorship mental capacity Mental Capacity Act Mental Health military Ministry of Justice modern slavery morocco murder music Muslim nationality national security naturism neuroscience NHS Northern Ireland nuclear challenges nuisance Obituary ouster clauses parental rights parliamentary expenses scandal patents Pensions Personal Injury physician assisted death Piracy Plagiarism planning planning system Poland Police Politics Pope press prison Prisoners prisoner votes Prisons privacy procurement Professional Discipline Property proportionality prosecutions prostituton Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries quarantine Radicalisation refugee rehabilitation Reith Lectures Religion RightsInfo right to die right to family life Right to Privacy right to swim riots Roma Romania round-up Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials sexual offence shamima begum Sikhism Smoking social media social workers South Africa Spain special advocates Sports Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance sweatshops Syria Tax technology Terrorism The Round Up tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine universal credit universal jurisdiction unlawful detention USA US Supreme Court vicarious liability Wales War Crimes Wars Weekly Round-up Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: