GCHQ is within UK law when it hacks into computers and smart phones, a security tribunal has ruled.
Campaigners Privacy International have lost a legal challenge claiming the spying post’s hacking operations are too intrusive and break European law.
The case was launched after revelations by US whistleblower Edward Snowden about the extent of US and UK spying.
GCHQ admitted its agents hack devices, in the UK and abroad, for the first time during the hearings.
Its previous policy had been to “neither confirm nor deny” the existence of such operations.
Hackers can remotely activate cameras and microphones on devices, without the owner’s knowledge, log keystrokes, install malware, copy documents and track locations among other things, the Investigatory Powers Tribunal (IPT) was told.
The Home Office has now published a code of practice for hacking, or “equipment interference” as it is also known, and aims to put it on a firmer legal footing in its Investigatory Powers Bill, which is due to become law later this year.
The Investigatory Powers Tribunal, a panel of senior judges, said in its ruling that the code struck the right balance between the “urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression”.
But the judges were “satisfied” the agency was already operating in a lawful and proportionate way, whatever the outcome of Parliament’s scrutiny of the Investigatory Powers
Privacy International, which launched the legal challenge with seven internet service providers, said it was “disappointed” by the ruling and would continue to challenge “state-sponsored hacking,” which it said was “incompatible with democratic principles and human rights standards”.
Scarlet Kim, Privacy International’s legal officer, said: “Hacking is one of the most intrusive surveillance capabilities available to intelligence agencies.
“This case exposed not only these secret practices but also the undemocratic manner in which the government sought to backdate powers to do this under the radar.
“Just because the government magically produces guidelines for hacking should not legitimise this practice.”
She added that hacking “fundamentally weakens the security of computers and the internet” by exploiting the “weaknesses in software and hardware used by millions of people”.
“It is akin to unlocking a person’s window without their knowledge and leaving it open for any attacker – whether GCHQ, another country’s intelligence agency or a cyber criminal – to access.”