On Friday 13 October, the annual Belgian Big Brother Awards – a negative prize for the worst privacy abuser of the year – took place in Brussels. The jury awarded the European trend of state hacking, European Digital Rights’ (EDRi) nomination, the title of the ultimate privacy villain. The public voted Automatic number-plate recognition (ANPR) cameras as their “favourite”.

State hacking has rapidly become a very powerful tool for intelligence services in recent years. Europe’s governments have been expanding the possibilities of states spying on their own citizens and pushed the fashion of “insecurity by design”. In 2017, the Belgian government followed this trend and adopted legislation that gives law enforcement authorities permission to access computers and other devices remotely. It adopted a text modifying the law on “security and intelligence services” granting the authorities new broad surveillance powers. To put it simply, it legalised the most intrusive form of government hacking.

“Government hacking affects people’s privacy rights and freedom of expression in new and deeply invasive ways – it also means an undermining of the security of the internet. Governments engaged in such activities have systematically failed to implement minimum safeguards for human rights”, said Kirsten Fiedler, Managing Director of EDRi.

“The WannaCry attack has highlighted that there are serious repercussions when known vulnerabilities are not immediately reported and fixed. Current practices of the intelligence services are damaging not only for the security of European citizens, but also for businesses, public administrations and critical infrastructures – like hospitals, schools and public transport”, she added.

What is state or government hacking?

Hacking means the manipulation of software, data, computer systems, networks, or other electronic devices without the permission of the person or organisation responsible. One example is malicious software developed by a government, which often relies on software flaws that are not publicly known. This means that the software flaws remain open and available for criminals to exploit. Governments hack devices with the aim of monitoring computer activities and getting access to sensitive data.

In 2014, it was revealed that the British intelligence service, the Government Communications Headquarters (GCHQ), had hacking capacities to activate a device’s microphone or webcam, to identify the location of a device, to collect login details and passwords for websites and record internet browsing histories on a device. The German intelligence service developed similar software, which was discovered in 2011 by EDRi-member Chaos Computer Club (CCC). Now, in March 2017, the Belgian government has given its services the power to remotely access its citizens’ devices and install malware (see Art. 38, Law modifying the law from 30 November 1998 governing the intelligence and security services).

Why is government hacking a problem?

Giving intelligence services such powers makes it difficult for individuals to protect their personal data and for companies to protect their trade secrets from these kinds of attacks. Moreover, it allows foreign intelligence services to more effortlessly spy on state secrets, and it opens Pandora’s box for third parties to access and control critical infrastructures – this could for example plunge hospitals into chaos. It gives governments an incentive not to report software vulnerabilities that they are aware of, facilitating crime in the name of fighting crime.

EDRi’s paper “Encryption Workarounds – A digital rights perspective” (pages 9-11) includes proposals for safeguards that need to be met to provide adequate protection of fundamental rights in cases of government hacking.

The Big Brother Awards are based on a concept created by EDRi member Privacy International. The goal is to draw attention to violations of privacy. The Belgian Big Brother Awards is organised by EDRi member Liga Voor Mensenrechten in collaboration with PROGRESS Lawyers Network (PLN), Datapanik.org, La Ligue des droits de l’Homme (LDH) and European Digital Rights (EDRi).

Belgian Big Brother Awards 2017

https://bigbrotherawards.be/en/

Encryption Workarounds – A digital rights perspective

https://edri.org/files/encryption/workarounds_edriposition_20170912.pdf

Big Brother Awards Belgium: Facebook is the privacy villain of the year (06.10.2016)

https://edri.org/bba-belgium-2016/