General Warrants to Hack Computers Unlawful: Privacy International v IPT
1 February 2021
In Privacy International v Investigatory Powers Tribunal, the Divisional Court held that s.5 Intelligence Services Act 1994 does not permit the government to issue general warrants to engage in computer network exploitation (“CNE”) – more commonly known as computer hacking. The court also offered valuable guidance on warrants and what is required to make them lawful.
There were three issues:
1. Does s.5 Intelligence Services Act 1994 (“the 1994 Act”) permit the Secretary of State to issue ‘thematic’ or ‘general’ warrants to hack computers? General warrants are those which purportedly authorise acts in respect of an entire class of people or an entire class of acts (e.g. ‘all mobile phones in London’).
2. Should the court allow the claim to be amended to include a complaint that, prior to February 2015, the s.5 regime did not comply with Articles 8 and 10 of the European Convention on Human Rights?
3. If permission is given to amend the claim, should the new ground succeed?
Investigatory Powers Tribunal
This case arose from a challenge brought by Privacy International in the Investigatory Powers Tribunal (a body which hears complaints about state surveillance). The Tribunal was asked, among other matters, to decide on the lawfulness of computer hacking under the 1994 Act.
As readers may be aware, the Tribunal ruled that it is lawful to issue general warrants to hack computers. It stated:
Eighteenth century abhorrence of general warrants issued without express statutory sanction is not in our judgment a useful or permissible aid to construction of an express statutory power given to a Service .
It is not in our judgment necessary for a Secretary of State to exercise judgment in relation to a warrant for it to be limited to a named or identified individual or list of individuals. The property should be so defined, whether by reference to persons or a group or category of persons, that the extent of the reasonably foreseeable interference caused by the authorisation of CNE in relation to the actions and property specified in the warrant can be addressed .
The full judgment is available here.
Privacy International sought to judicially review the Tribunal’s decision. However, it faced an argument that the High Court had no jurisdiction over the matter. This was because s.67(8) Regulation of Investigatory Powers Act 2000 (“RIPA”) provided:
Except to such extent as the Secretary of State may by order otherwise provide, determinations, awards, orders and other decisions of the Tribunal (including decisions as to whether they have jurisdiction) shall not be subject to appeal or be liable to be questioned in any court.
A 4-3 majority in the Supreme Court ruled in 2019 that s.67(8) did not ‘oust’ (exclude) the High Court’s jurisdiction. This meant Privacy International’s judicial review could proceed.
The key parts of s.5 of the 1994 Act are as follows:
(1) No entry on or interference with property or with wireless telegraphy shall be unlawful if it is authorised by a warrant issued by the Secretary of State under this section.
(2) The Secretary of State may, on an application made by . . . GCHQ, issue a warrant under this section authorising the taking, subject to subsection (3) below, of such action as is specified in the warrant in respect of any property so specified or in respect of wireless telegraphy so specified if the Secretary of State [my emphasis].
(a) thinks it necessary for the action to be taken for the purpose of assisting
(iii) GCHQ in carrying out any function which falls within section 3(J)(a) above; and
(b) is satisfied that the taking of the action is proportionate to what the action seeks to achieve;
(2A) The matters to be taken into account in considering whether the requirements of subsection (2)(a) and (b) are satisfied in the case of any warrant shall include whether what it is thought necessary to achieve by the conduct authorised by the warrant could reasonably be achieved by other means.
It was recognised that CNE is a valuable tool in tackling national security threats such as terrorism and serious and organised crime.
Interpretation of Section 5
Unlike the Tribunal, the Divisional Court relied heavily on the eighteenth century warrant cases. It emphasised the common law’s aversion to general warrants, which give significant discretion to the persons executing them (e.g. GCHQ). The case law indicated that there is a fundamental common law right not to have one’s property searched without legal authority.
The court also relied upon the common law principle of legality (as expressed in cases such as R v Secretary of State for the Home Department, ex parte Simms  2 A.C. 115). This states that, unless there are clear words to the contrary, courts should assume Parliament did not intend to override fundamental common law rights. In the view of the Divisional Court, section 5 lacked the unambiguous words required to overturn this presumption.
The national security context did not change the court’s assessment. Its role was to interpret the meaning of individual words read in the context of the enactment, rather than being moved by the Intelligence Agencies’ opinion of the powers they regard as necessary.
Examples of Lawful s.5 Warrants
The court then considered how specific a warrant must be in order to comply with s.5. It drew a contrast with the wording of s.7, which authorises warrants on subjects outside the British Isles where the act/ person is “of a description so specified”, and s.5, which permits ‘such action as is specified in the warrant in respect of any property so specified’. [My emphasis.] It reasoned that the words ‘description’ and ‘specified’ do not mean the same thing, and the former is broader than the latter.
Therefore, any s.5 warrant must be “sufficiently specific to indicate to individual officers at GCHQ […] whose property, or which property, can be interfered with, rather than leaving it to their discretion” . Examples of lawful warrants include ‘any device used by persons who are on the FCDO Syrian diplomatic list’, or devices used at particular premises (including entire streets). A warrant could hypothetically permit the use of computer hacking across a geographical area, such as Birmingham, but whether such a warrant would be necessary and proportionate was a difficult matter which did not arise. Warrants needn’t be limited to factual situations in existence when they are issued.
However, a warrant which referred to the property of anyone engaged in an activity (for example, “the mobile phone of any person conspiring to commit acts of terrorism”) would be insufficiently specific. This is because it leaves significant discretion to the individual exercising the warrant. The court left open the question of whether a warrant which referred to anyone suspected of being a member of an organisation would be sufficiently specific, but a highly relevant factor would be whether a person’s membership of the group was objectively ascertainable.
Application for Article 8 & 10 Claim Rejected
The Divisional Court refused permission to amend the claim to include a complaint that Articles 8 and 10 had been breached. The allegation had only been raised 4 years after the alleged unlawfulness. As a result, the relevant aspect of the scheme had been partially replaced by the Investigatory Powers Act 2016. The court took into account the Supreme Court’s comment that any application to judicially review the Tribunal’s decision should raise a point of general significance. The historical nature of the challenge meant this test was not met.
This case may appear somewhat technical, but it concerns a very real problem. A 2014 report by the Rt Hon Sir Mark Waller, the former Intelligence Services Commissioner and Court of Appeal judge, reached a similar conclusion to the Divisional Court. His findings led to one of the agencies withdrawing a thematic property warrant, and raised questions about how national security could be protected.
Privacy campaigners will understandably welcome this judgment. In truth, however, the potential scope of any s.5 warrant remains significant. The court refused to rule out the possibility that a warrant could lawfully allow all computers in Birmingham to be hacked. It explicitly endorsed the idea that all devices in an Internet Café could be captured, regardless of how many innocent individuals may be present (though questions of necessity and proportionality would inevitably arise).
The case also points towards wider issues within public law. It is worth remembering that the judicial review could never have been brought if the Supreme Court had upheld the purported ouster clause in s.67(8) RIPA. Given the lingering possibility that the UK will seek to derogate or withdraw from the ECHR, either by replacing it with a so-called ‘British Bill of Rights’ or using some other mechanism, the Divisional Court’s reliance on fundamental common law rights is especially significant.
The deadline for any appeal is 4pm on 1st February 2021.
Conor Monighan is a pupil at 5 Essex Court