Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

UK Quietly Rewrote Hacking Law

Prosecution Exemption Now Applies to Police, Spies
UK Quietly Rewrote Hacking Law

The British government rewrote the country's computer abuse law in March to shield law enforcement and intelligence agencies from being prosecuted for hacking.

See Also: EMA Zero Trust Networking Research Summary

But the action wasn't disclosed until May 14, when the government informed the civil rights group Privacy International - and seven Internet and communications service providers - about the revised hacking law in response to a hacking-related legal claim these organizations filed against a U.K. intelligence agency.

The legal claim was filed in February against the Government Communications Headquarters, or GCHQ. "The claimants asserted that GCHQ's actions were both unlawful under the Computer Misuse Act (CMA), which criminalizes hacking, and that there was not sufficiently detailed legal authority to make GCHQ's hacking 'in accordance with law,' as any violation of privacy is required to be by Article 8 of the European Convention on Human Rights," Privacy International says in a statement.

Hacking by law enforcement and intelligence agencies was decriminalized via an amendment to the 1990 Computer Misuse Act that was included in the Serious Crime Bill 2015, which was passed March 3 and become effective on May 3.

But some privacy experts are now slamming the government for the "undemocratic" manner in which it quietly updated the country's anti-hacking law, apparently in reaction to the civil lawsuit filed against GCHQ. They say the move parallels Britain's then-coalition government in 2014 rushing controversial surveillance legislation known as the Data Retention and Investigatory Powers Bill into law, without allowing the measure to be debated.

A government fact sheet released with the Serious Crime Bill's passage did not offer details on revisions to the computer abuse laws to shield law enforcement and intelligence agencies from being prosecuted for hacking. Privacy International says that there appears to have been no public debate about the move, and that only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, police and National Crime Agency appear to have been consulted in advance of the revisions to the law.

"Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate," Eric King, deputy director of Privacy International, says in a statement. "Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate."

Update: Computer Misuse Act

The revised law, however, begs the question of why such protections were not already in place, given that police and spies may at times need to hack into PCs.

"One of the earliest amendments to the 1990 Computer Misuse Act was to give protection to police officers accessing a computer without the permission of the owner - otherwise the police and others would have been guilty of the basic hacking offence under section one of CMA," data forensics expert Peter Sommer, professor of cybersecurity and digital evidence at de Montfort and the Open Universities, tells Information Security Media Group. But he says that update envisioned cases in which police officers would physically access a computer, as opposed to accessing it remotely via the Internet, for example, by planting a Trojan on the system, which is a criminal offense under section 3 of the CMA. "Hence the need for this 'clarification,' which appears in section 44 of the Serious Crime Act 2015," he says.

But the update to the Computer Misuse Act, while decriminalizing hacking done by police and spies, does not appear to issue clear legal guidelines about exactly what is - or is not - allowed. "Few of us would object to the principle of police and intelligence agency powers to hack - provided there is a clear formal authorization procedure as there is for interception and communications data," Sommer says. "But this does not appear to exist."

Missing: Clear Guidelines

In addition, without a clear code of practice - a set of written rules that detail how one should behave - it is also possible that law enforcement and intelligence agencies may not be gathering digital evidence in a manner that ensures that they do not violate the integrity of that evidence, Sommer says. And defendants can challenge sloppy evidence handling and "chain of custody" practices in court.

"Once it is known that a suspect's computer has been hacked, defendants are highly likely to claim that 'unfortunate' material found on that computer had been placed there by the police or 'spooks'," he says, using the widely used slang term for spies. "Police and spooks would be well advised to be able to produce a robust audit trial for their activities. I would prefer to see all of this in a published code of practice."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.