General Warrants to Hack Computers Unlawful: Privacy International v IPT

1 February 2021 by

Supreme court grants FBI massive expansion of powers to hack computers |  Data and computer security | The Guardian
Credit: The Guardian

In Privacy International v Investigatory Powers Tribunal, the Divisional Court held that s.5 Intelligence Services Act 1994 does not permit the government to issue general warrants to engage in computer network exploitation (“CNE”) – more commonly known as computer hacking. The court also offered valuable guidance on warrants and what is required to make them lawful.

The Issues

There were three issues:

1.     Does s.5 Intelligence Services Act 1994 (“the 1994 Act”) permit the Secretary of State to issue ‘thematic’ or ‘general’ warrants to hack computers? General warrants are those which purportedly authorise acts in respect of an entire class of people or an entire class of acts (e.g. ‘all mobile phones in London’).

2.     Should the court allow the claim to be amended to include a complaint that, prior to February 2015, the s.5 regime did not comply with Articles 8 and 10 of the European Convention on Human Rights?

3.     If permission is given to amend the claim, should the new ground succeed?

History

            Investigatory Powers Tribunal

This case arose from a challenge brought by Privacy International in the Investigatory Powers Tribunal (a body which hears complaints about state surveillance). The Tribunal was asked, among other matters, to decide on the lawfulness of computer hacking under the 1994 Act.

As readers may be aware, the Tribunal ruled that it is lawful to issue general warrants to hack computers. It stated:

Eighteenth century abhorrence of general warrants issued without express statutory sanction is not in our judgment a useful or permissible aid to construction of an express statutory power given to a Service [37].

It is not in our judgment necessary for a Secretary of State to exercise judgment in relation to a warrant for it to be limited to a named or identified individual or list of individuals. The property should be so defined, whether by reference to persons or a group or category of persons, that the extent of the reasonably foreseeable interference caused by the authorisation of CNE in relation to the actions and property specified in the warrant can be addressed [38].

The full judgment is available here.

            Ouster Clause?

Privacy International sought to judicially review the Tribunal’s decision. However, it faced an argument that the High Court had no jurisdiction over the matter. This was because s.67(8) Regulation of Investigatory Powers Act 2000 (“RIPA”) provided:

Except to such extent as the Secretary of State may by order otherwise provide, determinations, awards, orders and other decisions of the Tribunal (including decisions as to whether they have jurisdiction) shall not be subject to appeal or be liable to be questioned in any court.

A 4-3 majority in the Supreme Court ruled in 2019 that s.67(8) did not ‘oust’ (exclude) the High Court’s jurisdiction. This meant Privacy International’s judicial review could proceed.

The Principles

The key parts of s.5 of the 1994 Act are as follows:

(1) No entry on or interference with property or with wireless telegraphy shall be unlawful if it is authorised by a warrant issued by the Secretary of State under this section.

(2) The Secretary of State may, on an application made by . . . GCHQ, issue a warrant under this section authorising the taking, subject to subsection (3) below, of such action as is specified in the warrant in respect of any property so specified or in respect of wireless telegraphy so specified if the Secretary of State [my emphasis].

(a) thinks it necessary for the action to be taken for the purpose of assisting

(iii) GCHQ in carrying out any function which falls within section 3(J)(a) above; and

(b) is satisfied that the taking of the action is proportionate to what the action seeks to achieve;

(2A) The matters to be taken into account in considering whether the requirements of subsection (2)(a) and (b) are satisfied in the case of any warrant shall include whether what it is thought necessary to achieve by the conduct authorised by the warrant could reasonably be achieved by other means.

It was recognised that CNE is a valuable tool in tackling national security threats such as terrorism and serious and organised crime.

Interpretation of Section 5

Unlike the Tribunal, the Divisional Court relied heavily on the eighteenth century warrant cases. It emphasised the common law’s aversion to general warrants, which give significant discretion to the persons executing them (e.g. GCHQ). The case law indicated that there is a fundamental common law right not to have one’s property searched without legal authority.

The court also relied upon the common law principle of legality (as expressed in cases such as R v Secretary of State for the Home Department, ex parte Simms [2000] 2 A.C. 115). This states that, unless there are clear words to the contrary, courts should assume Parliament did not intend to override fundamental common law rights. In the view of the Divisional Court, section 5 lacked the unambiguous words required to overturn this presumption.

The national security context did not change the court’s assessment. Its role was to interpret the meaning of individual words read in the context of the enactment, rather than being moved by the Intelligence Agencies’ opinion of the powers they regard as necessary.

            Examples of Lawful s.5 Warrants

The court then considered how specific a warrant must be in order to comply with s.5. It drew a contrast with the wording of s.7, which authorises warrants on subjects outside the British Isles where the act/ person is “of a description so specified”, and s.5, which permits ‘such action as is specified in the warrant in respect of any property so specified’. [My emphasis.] It reasoned that the words ‘description’ and ‘specified’ do not mean the same thing, and the former is broader than the latter.

Therefore, any s.5 warrant must be “sufficiently specific to indicate to individual officers at GCHQ […] whose property, or which property, can be interfered with, rather than leaving it to their discretion” [57]. Examples of lawful warrants include ‘any device used by persons who are on the FCDO Syrian diplomatic list’, or devices used at particular premises (including entire streets). A warrant could hypothetically permit the use of computer hacking across a geographical area, such as Birmingham, but whether such a warrant would be necessary and proportionate was a difficult matter which did not arise. Warrants needn’t be limited to factual situations in existence when they are issued.

However, a warrant which referred to the property of anyone engaged in an activity (for example, “the mobile phone of any person conspiring to commit acts of terrorism”) would be insufficiently specific. This is because it leaves significant discretion to the individual exercising the warrant. The court left open the question of whether a warrant which referred to anyone suspected of being a member of an organisation would be sufficiently specific, but a highly relevant factor would be whether a person’s membership of the group was objectively ascertainable.

Application for Article 8 & 10 Claim Rejected

The Divisional Court refused permission to amend the claim to include a complaint that Articles 8 and 10 had been breached. The allegation had only been raised 4 years after the alleged unlawfulness. As a result, the relevant aspect of the scheme had been partially replaced by the Investigatory Powers Act 2016. The court took into account the Supreme Court’s comment that any application to judicially review the Tribunal’s decision should raise a point of general significance. The historical nature of the challenge meant this test was not met.

Comment

This case may appear somewhat technical, but it concerns a very real problem. A 2014 report by the Rt Hon Sir Mark Waller, the former Intelligence Services Commissioner and Court of Appeal judge, reached a similar conclusion to the Divisional Court. His findings led to one of the agencies withdrawing a thematic property warrant, and raised questions about how national security could be protected.

Privacy campaigners will understandably welcome this judgment. In truth, however, the potential scope of any s.5 warrant remains significant. The court refused to rule out the possibility that a warrant could lawfully allow all computers in Birmingham to be hacked. It explicitly endorsed the idea that all devices in an Internet Café could be captured, regardless of how many innocent individuals may be present (though questions of necessity and proportionality would inevitably arise).

The case also points towards wider issues within public law. It is worth remembering that the judicial review could never have been brought if the Supreme Court had upheld the purported ouster clause in s.67(8) RIPA. Given the lingering possibility that the UK will seek to derogate or withdraw from the ECHR, either by replacing it with a so-called ‘British Bill of Rights’ or using some other mechanism, the Divisional Court’s reliance on fundamental common law rights is especially significant.

The deadline for any appeal is 4pm on 1st February 2021.

Conor Monighan is a pupil at 5 Essex Court


Welcome to the UKHRB


This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates


Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.

Subscribe

Categories


Disclaimer


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

Tags


Aarhus Abortion Abu Qatada Abuse Access to justice adoption ALBA Al Qaeda animal rights anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 Artificial Intelligence Asbestos assisted suicide asylum Australia autism benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery Catholicism Chagos Islanders Children children's rights China christianity citizenship civil liberties campaigners climate change clinical negligence Coercion common law confidentiality consent conservation constitution contempt of court Control orders Copyright coronavirus costs Court of Protection crime Cybersecurity Damages data protection death penalty defamation deportation deprivation of liberty Detention disability disclosure Discrimination disease divorce DNA domestic violence duty of care ECHR ECtHR Education election Employment Environment Equality Act Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Court of Justice evidence extradition extraordinary rendition Family Fertility FGM Finance foreign criminals foreign office France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage Gaza genetics Germany Google Grenfell Health HIV home office Housing HRLA human rights Human Rights Act human rights news Huntington's Disease immigration India Indonesia injunction Inquests international law internet Inuit Iran Iraq Ireland Islam Israel Italy IVF Japan Judaism judicial review jury trial JUSTICE Justice and Security Bill Law Pod UK legal aid Leveson Inquiry LGBTQ Rights liability Libel Liberty Libya Lithuania local authorities marriage mental capacity Mental Health military Ministry of Justice modern slavery music Muslim nationality national security NHS Northern Ireland nuclear challenges Obituary ouster clauses parental rights parliamentary expenses scandal patents Pensions Personal Injury Piracy Plagiarism planning Poland Police Politics pollution press Prisoners Prisons privacy Professional Discipline Property proportionality Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries rehabilitation Reith Lectures Religion RightsInfo right to die right to family life Right to Privacy right to swim riots Roma Romania Round Up Royals Russia Saudi Arabia Scotland secrecy secret justice sexual offence Sikhism Smoking social media South Africa Spain special advocates Sports Standing statelessness stop and search Strasbourg Supreme Court Supreme Court of Canada surrogacy surveillance Syria Tax technology Terrorism tort Torture travel treaty TTIP Turkey UK Ukraine USA US Supreme Court vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks wind farms WomenInLaw YearInReview Zimbabwe
%d bloggers like this: