GCHQ spying revelations
Privacy International is alleging that the UK government changed the law to exempt GCHQ and the police from being prosecuted for hacking and mass surveillance Getty Images

A privacy body suing GCHQ and the foreign office for illegal surveillance is accusing the UK government of rewriting hacking laws in order to make spies and the police exempt from being prosecuted, just before the court case began.

Privacy International alleges that the amendments to the Computer Misuse Act 1990 have paved the way for intelligence agencies to conduct cyberattacks in the UK, and that the GCHQ's hacking activities were not legal under Article 8 of the European Convention on Human Rights.

Edward Snowden turned whistleblower in 2013 when he leaked multiple documents revealing that the NSA and its UK cousin GCHQ had been spying on the internet communications of millions of people around the world, as well as monitoring phone conversations in the US and tapping the phones of foreign politicians.

In May 2014, privacy rights charity Privacy International teamed up with seven other independent internet, telecommunications and web service providers from around the world to sue the government, filing complaints with the Investigatory Powers Tribunal (IPT) regarding GCHQ's hacking activities.

Amending the Computer Misuse Act

The Computer Misuse Act previously determined that all computer hacking was considered to be a criminal activity, but on 14 May, the day before the first court date for the case, Privacy International says it was informed by the UK government that amendments had been made to the Computer Misuse Act that provide a new exception for law enforcement and GCHQ to hack without criminal liability.

The legal documents received by Privacy International state that the UK government included this amendment in the Serious Crime Bill 2015 that was introduced into parliament for debate in June 2014 and came into law in March 2015.

The Serious Crime Bill 2015 focuses on assessing how long someone goes to prison for and how serious a sentence should be, and Privacy International claims that a line about rewriting the Computer Misuse Act was quietly added into this bill, but never discussed or publicly debated.

"We have been corresponding with the Treasury Solicitors (TSOL), who will represent the GCHQ and the foreign office from May 2014 until now, and this is the first we've heard of this," Privacy International's deputy director Eric King told IBTimes UK.

"The point we were arguing was no longer relevant as the law had been changed. The government didn't notify us that they had introduced new legislation, in fact they didn't seem to inform any policy makers, NGOs or the public."

No public consultation or debate over mass surveillance

King says his organisation has been over all the documents released by the government whenever they introduce new legislation, such as the impact assessment, the fact sheet, explanatory notes given to parliament and Hansard, the official parliamentary debate transcripts, but nowhere in any of these documents is the relaxing of prosecution against GCHQ or the police for hacking offences mentioned.

"With that, we ask, how was anyone meant to know? This is just one point among many other legal points where we feel the government is acting unlawfully," he said.

"It doesn't change the fact that until the government changed the law, they were still acting criminally. We're requesting that the government end its action immediately and a declaration that the GCHQ's actions have been unlawful."

The UK Home Office stressed to IBTimes UK that the Computer Misuse Act 1990 pre-dates many of the modern powers that law enforcement uses to conduct its investigations.

The Home Office said that the Serious Crime Act 2014 was "simply clarifying" how the powers in the 1990 legislation can be used by law enforcement today to investigate cybercrime, but was not intended to "extend those powers, confer additional powers, or create new defences for the police, security and intelligence services".

A Home Office spokesperson said: "There have been no changes made to the Computer Misuse Act 1990 by the Serious Crime Act 2015 that increase or expand the ability of the intelligence agencies to carry out lawful cybercrime investigation. It would be inappropriate to comment further while proceedings are ongoing."