GCHQ spies given enhanced hacking powers — what are they and should we be worried?

British spies at GCHQ, MI5 and MI6 have effectively been given the green light to continue their mass spying operations around the world after a fresh independent review into bulk surveillance powers found 'no viable alternative' to the current regime.

Compiled by David Anderson QC, the hefty 200-plus page report was commissioned by Prime Minister Theresa May while in her previous role of home secretary.

It looked specifically at the somewhat controversial aspects of bulk interception, bulk acquisition and bulk personal datasets – many of which were first exposed by former NSA analyst-turned-whistleblower Edward Snowden back in 2013.

Despite support for many of the current spying practices used by the Security and intelligence agencies (SIAs), the main criticism – or concern – in the report appears to centre around so-called 'bulk equipment interference', which is more commonly known as computer hacking.

Previously dubbed 'computer network exploitation' (CNE), this is the one aspect of UK spying apparatus without a proven operational basis. In theory, it's the one majorly enhanced power the upcoming Investigatory Powers Bill, also known as the Snoopers' Charter, will grant UK spooks.

What is equipment interference (EI)?

In its most basic premise, equipment interference is government-sanctioned hacking. Of course, in practice, it's more complicated than that. It is used by GCHQ to inject malware into targeted computers, copy data directly from networks or to exploit known software vulnerabilities to gain remote access to a device.

It can be used both in the UK and on foreign targets. GCHQ officials have said that hacking currently "contributes to some 20% of GCHQ's intelligence reports, and more than a third of higher grade intelligence".

The government's hacking techniques, as outlined in the report, are split into two distinct descriptions – targeted [or thematic] and bulk. The first can be used in the UK and does not need to involve national security. The second is more tightly controlled, must have a foreign focus and will reportedly only be used in serious crime investigations.

However, the term 'targeted' does not necessarily mean smaller in scope. The report notes that targeted EI warrants "may be very broad in their scope". In many cases, GCHQ will use bulk hacking as a method of combating the rise of end-to-end encryption and is billed as "a fast-developing alternative to bulk interception".

Anderson stated: "The bulk EI power is not currently authorised and has never been used, though targeted EI is seen as an important capability across the full range of threats to the UK, driven by increasing use of encryption and diversity of communications methods."

He continued: "Bulk EI is likely to be only sparingly used, and [like thematic EI] will require particularly rigorous and technically-informed oversight. But I have concluded that there is a distinct – if not yet proven – operational case for bulk EI in relation to counter-terrorism, counter-proliferation and cyber-defence."

However, Anderson also acknowledged the many criticisms levelled at the idea of introducing enhanced spying powers. He quotes Eric King of campaigning group Privacy International, who previously gave scathing evidence to the UK government on the scope of its surveillance regime.

King said: "[Hacking] gives intelligence agencies access to the most personal and sensitive information about an individual's life – information that can directly or indirectly reveal an individual's location, age, gender, marital status, finances, health details, ethnicity, sexual orientation, education, family relationships, private communications and, potentially, their most intimate thoughts.

"Furthermore, the logging of keystrokes, tracking of locations, covert photography and video recording of the user and those around them enables intelligence agencies to conduct real-time surveillance, while access to stored data enables analysis of a user's movements for a lengthy period prior to the search."

The rise in 'unexpected incidents'

Despite the report noting that hacking is lawful "in principle", Anderson was able to disclose a number of times GCHQ has made mistakes during its hacking-enhanced operations. The agency labels these as 'shortcomings'.

"We always suspected that teething trouble and wrong turns were likely to be experienced with new EI techniques," Anderson stated. "The Review team was provided with examples of a number of incidents in which CNE work had caused unintended consequences to targeted computers."

"In most of these examples, a computer failure obvious to the user had occurred, although the user would probably not have been aware of the cause. In one case, the 'impact' was believed to be imperceptible to the user. The documents indicated that there had, in recent years, been an increase in the number of 'unexpected incidents'."

Should you be worried? That depends on how much you trust intelligence agencies and law enforcement to use these powers ethically. GCHQ has attempted to downplay any notion of overreach in the report.

"[Hacking] can be a critical tool in investigations into the full range of threats to the UK from terrorism, serious and organised crime and other national security threats," it states, adding that bulk hacking will be used to obtain intelligence on terror attacks, kidnapping and "serious organised criminality".

After publication of the report, Theresa May said: "Mr Anderson's report demonstrates how the bulk powers contained in the Investigatory Powers Bill are of crucial importance to our security and intelligence agencies.

"These powers often provide the only means by which our agencies are able to protect the British public from the most serious threats that we face. It is vital that we retain them, while ensuring their use is subject to robust safeguards and world-leading oversight which are enshrined in the IP Bill."

However, not everyone was convinced. Bella Sankey, policy director at campaign group Liberty, slammed the report's conclusions, telling the BBC: "Liberty called for an impartial, independent and expert inquiry into these intrusive powers - yet sadly this rushed review failed on all three counts."

She added: "This was an opportunity to properly consider the range of targeted methods that could be used as effective alternatives to indiscriminate and potentially unlawful powers. That chance has been wasted."