How bulk EI works
2.58.
In the words of the 2016 draft Code:
“Equipment interference warrants authorise all actions necessary for the
obtaining of communications, equipment data or other information from
equipment.
…
Equipment interference can be carried out either remotely or by physically
interacting with the equipment. At the lower end of the scale, an equipment
interference agency may covertly download data from a subject’s mobile
device when it is left unattended, or an agency may use someone’s login
credentials to gain access to data held on a computer. More complex
equipment interference operations may involve exploiting existing
vulnerabilities in software in order to gain control of devices or networks to
remotely extract material or monitor the user of the device.”97
2.59.
In a judgment of February 2016, the IPT recorded a number of avowals (or
admissions) by the Government concerning the use of EI, then referred to as
CNE, including the following:
(a) GCHQ carries out CNE within and outside the UK.
(b) In 2013 about 20% of GCHQ’s intelligence reports contained information
derived from CNE.
(c) GCHQ undertakes both “persistent” and “non-persistent” CNE operations,
namely both where an implant expires at the end of a user’s internet session
and where it “resides” on a computer for an extended period.
(d) CNE operations undertaken by GCHQ can be against a specific device or a
computer network.98
2.60.
It was further agreed that CNE/EI might be used by GCHQ so as to involve the
following:
(a) the obtaining of information from a particular device, server or network;
(b) the creation, modification or deletion of information on a device, server or
network;
(c) the carrying out of intrusive surveillance;
97
98
Equipment Interference Draft Code of Practice, March 2016, 2.1, 2.4.
Privacy International v Secretary of State for Foreign and Commonwealth Affairs and GCHQ
[2016] UKIPTrib 14_85-CH, para 5.
38