We now know a lot more about GCHQ's hacking operations -- and the details haven't come from Edward Snowden. New documents released by the government and privacy advocates have given us the first official glimpse of how GCHQ operates, with its hacking and encryption weakening operations confirmed for the first time.

The details come from three new documents:


The Intelligence and Security Committee's (ISC) report into the UK's security services

The government's open response to the ISC report

Documents from secret court proceedings released by Privacy International

But what does all this new information mean? Below we answer the key questions.

What hacking powers does GCHQ have?

The spy agency has the power to hack into phones, computers and communications networks and is legally justified in hacking anyone, according to privacy experts. GCHQ can also hack anyone, anywhere in the world, even if they are not suspected of any crime.

Court documents released by Privacy International show GCHQ can carry out hacking on "individuals who are not intelligence targets in their own right". The privacy charity, which has launched legal action against the UK government and GCHQ, claims this allows GCHQ to hack people who are not targets.

The ISC report also shows for the first time that GCHQ uses security vulnerabilities, including zero-days -- which use previously unknown weaknesses to attack software -- for its operations.


What does GCHQ have to say about this?

The spy agency says Privacy International's claims that its operations are unregulated are "simply untrue". A spokesperson for the spy agency said its operations were subject to "rigorous oversight", adding that its "operational processes rigorously support this position". GCHQ was unable to respond to individual issues raised due to its policy of not commenting on intelligence matters.

Is there a difference between what GCHQ does in the UK and abroad?

Yes, there's a big difference. When carrying out hacking overseas, GCHQ's operations are a "general power" afforded to it with "no additional ministerial authorisation", according to the ISC's report. In the UK it requires individual warrants for its hacking operations.

As of October 2014 GCHQ relies on five "class-based authorisations", or warrants, which cover all of its hacking operations outside the UK. These powers are detailed in the draft Equipment Interference Code, which was published in February.

While these broad warrants are issued by the secretary of state, the intelligence service is seemingly not required to obtain individual warrants for specific activities. According to Caroline Wilson Palow, legal officer at Privacy International, this means GCHQ is operating with "few safeguards and little oversight".


She described the warrants as sanctioning "a whole class of operations in one go". Quoting from the draft Equipment Interference Code that it operates under, GCHQ said there were "satisfactory arrangements" to ensure oversight was in place.

What about in the UK?

There are issues here too. When hacking someone in the UK, GCHQ is required to obtain a warrant for each and every operation. In its open response to the ISC report, the government explains that such warrants only need to include the identity of the target "where known", and that details of any offence, suspected or committed, need only be included "where relevant".

The ISC said the current law governing surveillance is "unnecessarily complicated" and "lacks transparency". In its report it called for a new, single piece of legislation to be created that encompasses all UK intelligence agencies.

But if there's oversight, what's the problem?

GCHQ itself admits that the Foreign and Commonwealth Office, whose remit its overseas hacking falls under, is "not well placed to assess the complex technical risk" of its hacking operations. Jim Killock, executive director of civil liberties organisation Open Rights Group, said it was "shocking" that the FCO lacked the skills to provide adequate oversight.

No similar concerns have been raised about oversight of GCHQ's hacking operations in the UK. Given the very complex nature of its operations it is essential that the people providing oversight are able to understand what GCHQ is doing.

Broadly speaking, the ISC has called for an increase in oversight of all the UK's security agencies.


What is GCHQ doing to weaken encryption?

GCHQ's efforts to break encryption are detailed for the first time in the ISC report. As this isn't an attack against a specific company or person but rather against encryption, it appears no oversight is required. Privacy International's Wilson Palow argued that oversight of GCHQ's encryption operations appeared "nonexistent".

The agency's Edgehill decryption program, disclosed in documents released by Edward Snowden, revealed ambitions to crack encryption used by 15 major internet companies and 300 virtual private networks (VPNs) by 2015. Cryptography experts have warned that such operations risked weakening online security for everyone.

GCHQ has a dual remit of going after threats and ensuring the security of the internet, but its efforts to weaken encryption create a conflict of interests, according to Eerke Boiten, senior lecturer in computer science at the University of Kent. "These goals clash and whenever they do [the] ISC is now telling us that GCHQ resolves the conflict unilaterally and without specific legislation, oversight, or accountability," he explained.