Legalised hacking in the UK now allows a third party to take control remotely of a phone’s camera or microphone and record video and conversations taking place, the Guardian’s Alan Travis reported this week. What’s the point of Apple trying to encrypt its iPhones if the spooks can switch them on remotely and monitor what we are doing?
Until recently, the security services have gone to great lengths not to disclose their operational capabilities. If the bad guys know how their communications can be monitored, they’ll look for other ways of exchanging information.
So it’s something of a surprise to see how open the agencies have now become. Ciaran Martin, director of cybersecurity at GCHQ, gave evidence recently to the investigatory powers tribunal about what’s now called “equipment interference”. If the new investigatory powers bill becomes law, warrants permitting interference with equipment will be issued by a secretary of state and approved by a judicial commissioner. Under clause 88, this would include “observing or listening to a person’s communications or other activities”.
In evidence to the tribunal, Martin explained that equipment interference might involve installing an implant into a laptop or mobile, perhaps by persuading a user to click on a link.
A simple implant would transmit information over the internet. But others “might monitor the activity of the user of the target device or take control of the computer”. This presumably includes switching on a device’s camera and microphone, even when it’s not being used to make calls. Martin accepted that such operations could be “highly intrusive”. But so is someone hiding a camera in your bedroom, which will not require prior judicial authorisation.
We can see how this works from a case study published by the Home Office in its response to the bill’s pre-legislative scrutiny. It refers to intelligence that several suspects were at large after being involved in an attempted murder.
“Equipment interference and other intelligence-gathering techniques were used to identify and locate the suspects, leading to their arrest before further offences could be committed,” it says.
“Without the use of equipment interference, it would not have been possible to arrest the suspects simultaneously, which was critical to preserving the evidence.”
It seems clear from this example that investigators managed, at the very least, to activate the suspects’ phones or computers remotely without their knowledge.
Many more examples, real or hypothetical, are given in the government’s 83-page draft code of practice for equipment interference, with the caveat that they should “not be taken as confirmation that any particular … agency undertakes the activity described”.
Agencies are advised to consider carefully whether they should conduct equipment interference against a person who is not of direct intelligence interest in order to enable surveillance through that person’s device of a wanted associate – given that this surveillance would inevitably pick up private information about the original person’s innocent family.
Other examples deal with cases in which an agency might want to acquire private information from a computer as well as intercepting a live video call. A combined warrant would be needed. There is also guidance on how analysts can use their knowledge of a particular software package commonly used by terrorist groups in the Middle East to retrieve the communications of a “Daesh [Isis]-inspired cell”.
More examples of how equipment interference can be used are to be found in the government’s operational case for “bulk powers”, which enable the collection of vast amounts of data. These are said to be real examples, although edited to avoid “handing an advantage to those who mean us harm”. Classified details have been given to parliament’s intelligence and security committee.
We can be sure that GCHQ officials debated long and hard before allowing examples such as these to be published. They tell us the ways in which the agencies seek to use their powers, the nature of their targets and the limits the agencies impose to avoid “collateral intrusion” (the unintentional gathering of material such as a background conversation). Whether we believe them or not is for us to decide, but at least we have something to go on.
Do these revelations damage the agencies’ operational capabilities? The assumption must be that their targets have a pretty good idea of what they can do already. Sometimes it suits the agencies to make people think that their techniques are more effective than they actually are, especially if it persuades targets to switch from a secure method of communication to one that the agencies have already penetrated.
And is it a good idea to take a chainsaw to your computer or incinerate your iPhone? Certainly, if you have something illegal to hide – although doing so will inevitably limit your ability to commit more crimes. For the rest of us, it all depends on whether we value our personal privacy more highly than the convenience of using modern communications – and whether we think the agencies are on our side.