My Device Is Me. GCHQ – Stop Hacking Me.

Published on
by
Privacy International

My Device Is Me. GCHQ – Stop Hacking Me.

Spy agencies have long sought to turn the technologies that improve all our lives against us. From some of the very first forms of remote communications such as telegraph cables, to modern-day means like Skype: if the spies can exploit it, they will.

And, as we’ve learnt over the last few months, the computer and mobile devices that millions of us own and carry around with us every day are no exception to this rule.

Our smart phones and laptops, devices that have changed how we communicate and interact, remember and record, and express and relate in the modern world, have become prime targets of GCHQ and the NSA. These intelligence agencies have developed hacking techniques they call “Active SIGINT” (signals intelligence), which NSA documents explain “offers a more aggressive approach to SIGINT. We retrieve data through intervention in our targets’ computers or network devices. Extract data from machine.” These new capabilities to infect our devices with intrusive malware have allowed GCHQ to “exploit any phone, anywhere, any time”; the spies boast “if it’s on the phone, we can get it”.

With all the debate around the mass surveillance programs revealed by Edward Snowden, there has been little debate around the legitimacy of State-sponsored hacking. Given there exists no clear legal authority to justify such intrusion, Privacy International has today filed a legal complaint demanding an end to the unlawful hacking being carried out by GCHQ.

Eyes, ears and skin

For an increasing majority of people, personal digital devices contain the most private information stored anywhere. Computers and mobile devices have replaced and consolidated our filing cabinets, photo albums, video archives, personal diaries and journals, address books, and correspondence. They are slowly replacing our formal identification documents, our bank and credit cards. They store information that may not have ever been communicated anywhere else.

"Targeted intrusion into the devices we carry around with us daily, potentially on a grand scale, has only been allowed to occur because it has been done under the cover of secrecy and in the absence of public debate."

But far from being simply passive storage devices, smart phones are portable sensors that monitor the world around them. Vic Gundotra, Google’s Vice President of Social on Android explains, “A mobile phone has eyes, ears, a skin, and knows your location. Eyes, because you never see one that doesn’t have a camera. Ears, because they all have microphones. Skin because a lot of these devices are touch screens. And GPS allows you to know your location."

Hacking that phone gives governments total control, including over those sensors. That means the camera, microphone, or keyboard, may be utilized, manipulated and turned against the user of the device.

This is exactly what GCHQ is doing. Internal documents explain that they are interested in "[n]ot just collecting voice and SMS and geo-locating phone, but getting intelligence from all the extra functionality that iPhones and BlackBerrys offer." Further documents explain that GCHQ can now obtain “any content from phone, e.g. SMS, MMS, e-mails, web history, call records, videos, photos, address book, notes, calendar.”

GCHQ’s ability to do so relies on a malware toolkit named, oddly, after characters in the TV series The Smurfs. An ability to make both iPhone and Android phones’ microphones 'hot', in order to remotely switch on the microphone and listen in to conversations is named "Nosey Smurf". High-precision geolocation is called "Tracker Smurf". Covertly switching on a phone is codenamed "Dreamy Smurf" while the malware’s concealment capabilities are codenamed "Paranoid Smurf".

Disproportionate interference

This completely unchecked deployment of government malware amounts to some of the most intrusive forms of surveillance any government has conducted.

In allowing GCHQ to extract a huge amount of information, and to turn an individual’s own devices against them by co-opting the devices as instruments of video and audio surveillance, it is at least as intrusive as searching a person’s house and installing bugs so as to enable continued monitoring. In fact, it is more intrusive, because of the amount of information now generated and stored by computers and mobile devices, the speed, ease and surreptitiousness with which surveillance can be conducted, and because it allows the ongoing surveillance to continue wherever the affected person may be.

In these circumstances any justification would have to be extremely specific and compelling in order to render that activity proportionate. Regrettably, no such consideration has been given to this in public debate. Secret action, on the basis of secret policy, is the order of the day.  

Millions of devices

Far from this tactic being deployed only in exceptional circumstances, the NSA has aggressively developed these tools to infect potentially millions of computers and phones worldwide, according to The Intercept. GCHQ plays an integral role. Using tools like TURBINE, designed to “relieve the user from needing to know/care about the details” the NSA is now able to conduct “industrial-scale exploitation”.

That technique involves covert installation of software onto the user’s computer through one of a number of means, such as tricking the user into clicking a malicious link, or injecting their malicious code into the network transmission that individuals receive when browsing websites like Facebook or LinkedIn so as to transfer the malware as part of the computer’s ordinary downloading of data.

The Intercept explains that at this point “[a]n implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.”

As we are learning, the unmatched co-operation between NSA and GCHQ within the Five Eyes alliance has meant these aggressively scaled malware deployments are being launched from secret bases around the world, including Britain’s Menwith Hill.

Fighting back

Targeted intrusion into the devices we carry around with us daily, potentially on a grand scale, has only been allowed to occur because it has been done under the cover of secrecy and in the absence of public debate. Concerns about national security are only partially the reason government has been trying so hard to stop the Snowden disclosures; it’s also because they are scared of the public finding out – and contesting – what is being done in our name and for our “protection”.

Our devices are increasingly becoming an extension of who we are as individuals; they are mediums in which we remember things, express ourselves, create and maintain relationships, and interact in the modern world. To the likes of GCHQ and other intelligence agencies, however, our devices are merely a means of turning us into “targets”, dehumanising us and those we connect with. It is this hacking that deeply intrudes on our private lives, which are increasingly lived on our phones and computers.

This contempt is exemplified in one NSA document published by Der Spiegel, in which the agency jeers, “Who knew in 1984 that this [smart phones] would be Big Brother and the zombies would be paying customers?".

At Privacy International, we don’t believe our smart phones should be hijacked to serve Big Brother and we’re not zombies.

We’re citizens with rights, and we’re fighting back.

Eric King

Eric King is the Deputy Director at Privacy International.

Share This Article