GCHQ's Cheltenham headquarters Getty Images

Computer and smartphone hacking by spying agency GCHQ is legal, the UK's Investigatory Powers Tribunal has said.

Senior judges ruled that they are "satisfied" that the agency's ability to force its way into devices to obtain intelligence is striking a "proper balance" between privacy of individuals and the need to investigate crimes.


During the case, bought by civil liberties group Privacy International, GCHQ admitted for the first time that it conducted hacking, officially known as computer network exploitation (CNE) as one of its tactics. Devices hacked have been both in the UK and abroad and the campaign group said the practice still remained "intrusive" and that it was "disappointed".

GCHQ's hacking was first revealed in documents published by NSA whistleblower Edward Snowden. Despite the judges saying the intrusive abilities had raised "a number of serious questions" they said the current practices were legal.

Equipment allowed to be hacked includes -- but is not limited too -- computers, servers, routers, laptops, mobile phones and more. The tribunal was told that it is possible for cameras to be remotely turned on as well as microphone, every key pressed on a keyboard logged, malware being installed, the tracking of locations and the remote copying of documents from equipment.

Interference powers are currently guided by a code of practice, which was published ahead of the government's draft Investigatory Powers Bill. For hacks to take place a warrant must be issued.


The judges said the code had the right balance between the "urgent need of the Intelligence Agencies to safeguard the public and the protection of an individual's privacy and/or freedom of expression".

They continued to say that whatever the outcome of the re-drafting of the IP Bill and its eventual passing into law the current use of hacking powers under the code of practice is acceptable. Hacking and mass hacking provisions exist in the planned surveillance law.

Privacy International had claimed there was no clear lawful authority to conduct the hacking when the legal complaint was initially lodged.