Out-Law News | 18 May 2015 | 5:11 pm
Privacy International said the legal changes, which came into force on 3 May, were "underhand" and "undemocratic". The Serious Crime Act, which introduced the changes, "grants UK law enforcement new leeway to potentially conduct cyber attacks within the UK", it said.
However, a Home Office spokesperson said that reforms to the Computer Misuse Act made effective by the Serious Crime Act do not "increase or expand the ability of the intelligence agencies to carry out lawful cyber crime investigation".
Privacy International said: "It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner's Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes. There was no published Privacy Impact Assessment. Only the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders. There was no public debate."
Privacy International filed legal papers against the UK government in which it has challenged the right of UK intelligence services to engage in computer hacking activity. It has accused GCHQ of hacking computers in breach of the Computer Misuse Act and said the violations of privacy are not justified under the European Convention on Human Rights.
The government has refused to confirm or deny that GCHQ engages in hacking, Privacy International said.
Eric King, deputy director of Privacy International, said: "The underhand and undemocratic manner in which the government is seeking to make lawful GCHQ's hacking operations is disgraceful. Hacking is one of the most intrusive surveillance capabilities available to any intelligence agency, and its use and safeguards surrounding it should be the subject of proper debate. Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate."
Under the Computer Misuse Act, a person is guilty of an offence if they cause, or create a significant risk of, "serious damage of a material kind" in relation to a computer, where the activity is unauthorised, where the person knew at the "time of doing the act" that their actions were unauthorised, and where they either intended to cause serious damage of a material kind or were "reckless as to whether such damage is caused".
Damage of a 'material kind' is defined as damage done to either human welfare in any place; the environment of any place; the economy of any country; or the national security of any country.
A person can be said to have done damage to human welfare if their unauthorised actions cause loss to human life; human illness or injury; disruption of a supply of money, food, water, energy or fuel; disruption of a system of communication; disruption of facilities for transport; or disruption of services relating to health.
If their actions cause or create a significant risk of loss to human life or illness or injury, or serious damage to national security, they can be sentenced to life imprisonment.