Seven ISPs from around the world filed a legal complaint on Wednesday against GCHQ for its alleged unauthorized infiltration of target networks to carry out mass surveillance.
The complaint, lodged with the UK’s Investigatory Powers Tribunal, is the first time service providers have taken action against perceived network exploitation by the British spy agency.
Their claims arise from reports published in Der Spiegel last year that GCHQ deliberately targeted network admins working for Belgacom in order to listen in to customers’ communications on a mass scale.
That particular attack was known as a “Quantum Insert”, which reportedly redirected the victims without their knowledge to an infected site which downloaded malware, enabling UK spooks to control their PCs.
Der Spiegel also reported that this was not an isolated case, and that GCHQ was working with the NSA to monitor three German internet exchange points to identify “important customers”.
The ISPs complained that these acts and others like them break the UK’s Computer Misuse Act by altering computers and networks without the provider’s consent, and could even break the European Convention on Human Rights (ECHR) by damaging the service provider’s property.
They argued that the surveillance of ISP employees and their customers also contravenes the ECHR, and that such actions threaten “to damage or destroy the goodwill” between customer and provider.
The ISPs in question join rights group Privacy International in challenging what they claim to be GCHQ’s unlawful hacking activities.
Deputy director, Eric King, said they must come to an end immediately.
“These widespread attacks on providers and collectives undermine the trust we all place on the internet and greatly endangers the world’s most powerful tool for democracy and free expression,” he added, in a statement. “It completely cripples our confidence in the internet economy and threatens the rights of all those who use it.”
Dwayne Melancon, CTO of Tripwire, argued that although the legal action may not get the desired result, it will at least get the issue out into the public eye.
“Much of the existing guidance and policy was created to deal with physical incursions, not logical ones. I believe we're in the 'messy front end' with regard to policies, protocols, and even multinational discussion of issues like this,” he added.
“Until the lines get clearer, it is likely we will have to rely on ‘incident driven’ policy, similar to the recent conversations between president Obama and chancellor Merkel regarding surveillance.”
The service providers in question are Riseup (US), GreenNet (UK), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (Korea), May First/People Link (US), and the Chaos Computer Club (Germany).