Increasingly, governments around the world are using hacking to facilitate their surveillance activities, without any clear legal basis. Some may assume that this is acceptable as they would only engage in this type of activity to catch the bad guys, but does this hacking present a threat to our privacy and security?
Privacy International believes that hacking as a form of surveillance is often incompatible with international human rights law, and has proposed 10 key safeguards that can help parties concerned by this potential threat.
What is hacking?
Privacy International defines hacking as follows:
Hacking is an act or series of acts, which interfere with a system, causing it to act in a manner unintended or unforeseen by the manufacturer, user or owner of that system. System refers both to any combination of hardware and software or a component thereof.
It is essentially an attempt to understand a system better than it understands itself, and then nudging it to do what the hacker wants.
Government hacking capabilities can be developed ‘in house’ or they can be purchased from surveillance technology companies.
The government wouldn’t hack without a legitimate reason, right?
Governments don’t always use hacking for legitimate surveillance activities. Evidence shows that companies have sold hacking capabilities to repressive regimes with a poor human rights record. These states have used hacking to target human rights defenders, journalists, political opponents and protesters.
Are there specific laws to govern hacking?
Very few countries have explicitly legislated for government hacking for surveillance purposes and those that have are largely concentrated in Europe. In some instances, governments have interpreted existing surveillance legislation to authorise hacking. But government hacking powers, if they are to be authorised, must be subject to a regulatory framework tailored to its unique privacy and security implications, which the Hacking Safeguards seek to address.
What are the 10 Hacking Safeguards?
Below is a summary of the 10 Hacking Safeguards proposed by Privacy International:
Hacking Safeguard 1: Legality
Government hacking powers must be explicitly prescribed by law, and only used where there is a legitimate aim. The law needs to be clear and transparent, available to the public and subject to periodic review.
Hacking Safeguard 2: Security and Integrity of Systems
Prior to engaging in hacking activity, governments must assess the potential risks and damage to the security and integrity of systems and data (both of the target and in general), as well as how these will be mitigated. Government authorities must not compel hardware or software manufacturers or service providers to facilitate government hacking, including by compromising the security and integrity of their products and services.
Hacking Safeguard 3: Necessity and Proportionality
Prior to carrying out a hacking measure, government authorities must, at a minimum, establish:
- A high degree of probability that:
- A serious crime or threat to national security has been or will be carried out
- Systems used to facilitate these acts contain evidence relevant to the alleged crime/threat
- This evidence will be obtained by hacking the target system
- To the greatest extent possible, the identity of the suspect and unique identifying details of the target system
- All less intrusive methods have been exhausted or would be futile
- The method, extent and duration of the proposed hacking measure
- Only material relevant to the crime or national security threat will be collected
- Data will only be accessed and collected by the specified authority and only used and shared for the purpose and duration for which authorisation is given
Hacking Safeguard 4: Judicial Authorisation
Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation. The judicial authority must be able to consult persons with relevant technological expertise, as well as expertise in privacy and human rights, to fully understand the potential impacts of the proposed measures.
Hacking Safeguard 5: Integrity of Information
Government authorities must not add, alter or delete data on the target system, except to the extent technically necessary to carry out the authorised hacking measure. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions, alterations or deletions.
Hacking Safeguard 6: Notification
Governments must notify parties whose systems have been subject to interference pursuant to an authorised hacking measure, as well as notifying affected software and hardware manufacturers and service providers.
Hacking Safeguard 7: Destruction and Return of Data
Any irrelevant data obtained must immediately be destroyed, and this destruction recorded in the audit trail. Once relevant data obtained has been used for the authorised purpose, it must be returned to the target, and any other copies destroyed.
Hacking Safeguard 8: Oversight and Transparency
Government authorities must be transparent about the scope and use of their hacking powers and activities, subjecting them to independent oversight. They should regularly publish information on the number of applications to authorise hacking approved and rejected; the identity of the applying government authorities; the offences specified and the method, extent and duration of authorised hacking measures.
Hacking Safeguard 9: Extraterritoriality
When conducting an extraterritorial hacking measure, government authorities must always comply with their international legal obligations. Government authorities must not use hacking to circumvent other legal mechanisms such as mutual legal assistance for obtaining data located outside their territory.
Hacking Safeguard 10: Effective Remedy
Persons who have been subject to unlawful government hacking, regardless of where they reside, must have access to an effective remedy.
What are some global examples of these safeguards in practice?
In 2015, leaks from Italian spyware company ‘Hacking Team’ revealed that the Investigations Police of Chile (PDI) had purchased hacking systems. In defence, the PDI referred to existing legal frameworks, interpreting them in a way that could be perceived to authorise hacking. As per Hacking Safeguard 1, government hacking powers must be “explicitly prescribed by law”, rather than just based on interpretation of existing frameworks.
Additionally, using prior laws relating to other crimes to authorise hacking means the government was not required to assess potential risks to system and data security and integrity, as per Hacking Safeguard 2. This type of assessment is necessary for governments to meet the principles of necessity and proportionality when hacking, as outlined in Hacking Safeguard 3.
In 2017, investigations revealed that the Mexican government used spyware to target various parties including a journalist investigating official corruption, lawyers investigating the mass disappearance of students, and two journalists representing victims of sexual abuse by the police.
In June 2017, Privacy International and the Mexican civil society group R3D wrote to the President of Mexico asking him to bring transparency to the issue (Hacking Safeguard 8) and clarify the legal basis for hacking activities (Hacking Safeguard 1). To date, the government has failed to inform the public under which conditions hacking techniques may be used, for what purposes, by which entity and the legal basis of their deployment.
The government of Ethiopia has a long history of purchasing spyware, and deploying it against civil society, both in Ethiopia and outside the country. There are concerns regarding the extraterritorial implications of Ethiopia’s hacking. Hacking Safeguard 9 states that “Government authorities must not use hacking to circumvent other legal mechanisms—such as mutual legal assistance treaties”, and Ethiopia appears to not be in compliance with this.
In 2014, a legal challenge in the USA was presented on behalf of an American citizen born in Ethiopia, whose laptop was infected with spyware. The allegation was that the Ethiopian government violated the US Wiretap Act. The court dismissed the case in 2016.
This all adds up to a lack of access to an effective remedy, as required under international human rights law and articulated in Hacking Safeguard 10.
Nyman Gibson Miralis provides expert advice and representation in complex international cybercrime investigations.
Contact us if you require assistance.