CHAPTER 7: PRACTICE
7.64.
(b)
obtaining information concerning the ownership, nature and use of equipment
in pursuit of intelligence requirements;
(c)
locating and examining, removing, modifying or substituting equipment,
hardware or software which is capable of yielding information of the type
described in a) and b); and
(d)
enabling and facilitating surveillance activity by means of the equipment.
Some insight into the use of CNE was given by the Government in February 2015, in
its open response to a case lodged at the IPT by Privacy International:
“CNE operations vary in complexity. At the lower end of the scale, an individual
may use someone’s login credentials to gain access to information. More
complex operations may involve exploiting vulnerabilities in software in order
to gain control of devices or networks to remotely extract information, monitor
the user of the device or take control of the device or network. These types of
operations can be carried out illegally by hackers or criminals. In limited and
carefully controlled circumstances, and for legitimate purposes, these types of
operations may also be carried out lawfully by certain public authorities.”
7.65.
Privacy International (no doubt inspired by allegations in the Snowden Documents:
see further at Annex 7 to this Report) had alleged in the same case that:
“GCHQ has developed technology to infect individual devices, and in
conjunction with the [NSA], has the capability to deploy that technology to
potentially millions of computers by using malicious software (“malware”)”,
and described the use of such techniques as “potentially far more intrusive than any
other current surveillance technique, including the interception of communications”.47
Intelligence sharing
7.66.
47
48
49
The international nature of the threats facing the UK mean that sharing intelligence
with allies – including but not limited to its Five Eyes partners – is a fundamental part
of the security and intelligence agencies’ work.48 The obtaining and disclosure of
information by the security and intelligence agencies is governed by:
(a)
SSA 1989 and ISA 1994,49 which require the agencies to ensure that
information is obtained and shared only in pursuit of their functions; and
(b)
HRA 1998, which requires them to operate in conformity with ECHR rights
including in particular Article 8.
Privacy International v Secretary of State for Foreign and Commonwealth Affairs and GCHQ and others,
Case No. IPT/14/85/CH [PI IPT Case] Statement of Grounds, paras 3 and 4.
ISC Privacy and Security Report, para 242.
Each agency relies upon a different statutory basis: SSA 1989 s2(2)(a) (for MI5), ISA 1994 s2(2)(a)
(MI6), and ISA 1994 s4(2)(a) (GCHQ).
138