GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto
Newly-published documents from the Snowden trove show GCHQ asking for and obtaining special permission to infringe on the copyright of software programs that it wished to reverse-engineer for the purpose of compromising them. GCHQ wanted a warrant that would give it indemnity against legal action from the companies owning the software in the unlikely event that they ever found out.
The legal justification for this permission is dubious. As the new report in The Intercept explains: “GCHQ obtained its warrant under section 5 of the 1994 Intelligence Services Act [ISA], which covers interference with property and ‘wireless telegraphy’ by the Security Service (MI5), Secret Intelligence Service (MI6) and GCHQ.” Significantly, Section 5 of the ISA does not mention interference in abstractions like copyright, but in 2005 the intelligence services commissioner approved the activity anyway.
The Intercept story provides details of the software that GCHQ wanted to compromise: online bulletin board systems, commercial encryption software, and anti-virus programs. It needed to prevent the last of these from revealing the presence of other GCHQ malware that was used for spying: “Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [computer network exploitation] capability and SRE [software reverse engineering] is essential in order to be able to exploit such software and to prevent detection of our activities.”
Another company mentioned is Cisco. Reverse-engineering the software in its routers allowed GCHQ “not only to access ‘almost any user of the internet’ inside the entire country of Pakistan—but also ‘to re-route selective traffic across international links toward GCHQ’s passive collection systems’,” The Intercept says.
The other key revelation in the latest batch of documents is how GCHQ “cozied up to staff in the Foreign and Commonwealth Office, or FCO, to get warrants approved,” which suggests that the organisation is perilously close to subverting UK government departments. When asked about these new claims, GCHQ “refused to comment on the record about any of these matters, instead providing its boilerplate response about how it complies with the law.”
An increasing number of formal challenges to GCHQ’s activities have shown that isn’t true. Indeed, just today the Investigatory Powers Tribunal ruled that GCHQ’s covert surveillance of two international human rights groups was illegal—making the standard claim that GCHQ “complies with the law” increasingly ridiculous.