British signals intelligence agency GCHQ has a new foe — a lawsuit from an international group of Internet Service Providers (ISPs).
The lawsuit has been filed by UK-based Privacy International and ISPs from the U.S. (Riseup and May First/People Link), Netherlands (Greenhost), Zimbabwe (Mango), Germany (the Chaos Computer Club), and South Korea (Jinbonet), as well as from the UK (GreenNet). GCHQ stands for Government Communication Headquarters and is the UK equivalent of the U.S. National Security Agency (NSA).
The allegations behind the suit are based on reports in German magazine Der Spiegel, the Washington Post, the Intercept and elsewhere, and on revelations in classified documents made public by ex-NSA contractor Edward Snowden, about efforts by GCHQ to compromise the infrastructure of the providers so it could spy on customers.
“GCHQ’s attacking of Internet infrastructure is being done without clear lawful authority,” Privacy International Deputy Director Eric King told VentureBeat. He added that this suit is “the first of its kind against GCHQ.”
“The spy agency has relied on a cloak of secrecy to ensure its actions remain unchallenged,” King said. “The Snowden revelations have allowed these challenges for the first time, and today Internet service and communications providers are standing up for their customers, members, and users and fighting back.”
The specific providers in the lawsuit were not mentioned in Snowden’s revelations, but in a statement on its website, Privacy International presents the reasons why the GCHQ actions have affected the providers:
“The seven providers assert that GCHQ attacks on internet service and network providers are not only illegal, they are destructive, undermining the goodwill the companies and groups rely on, and the trust in security and privacy that makes the internet such a crucial tool of communication and empowerment. Each of these organisations are committed to the privacy, freedom of expression and security of their users, and a free and open internet. Together, they are demanding an end to GCHQ exploitation of internet services, the targeting of their systems administrators and protections for their customers and users whose rights may have been infringed.”
The suit includes charges that:
• A Belgian telecomm agency was infected with malware by GCHQ to gain surreptitious access.
• GCHQ used an automated system called Turbine to aid its massive tapping.
• There were efforts to spy on all Net traffic going through German exchange nodes.
• GCHQ collaborated with the NSA to covertly target large data streams of users.
The plaintiffs say that GCHQ violated specific sections of British law and the European Convention of Human Rights, and they are seeking a declaration that GCHQ’s actions were illegal, an order to destroy any “unlawfully obtained material,” and an injunction against similar conduct.
Privacy International, which investigates government surveillance and assisting companies, has filed two other legal cases involving mass surveillance. In the U.S., lawsuits against the NSA include one filed by the Electronic Frontier Foundation on behalf of AT&T customers.