GCHQ explains why it may want to hack every computing device in your town

Counter-terrorism demands the power to hack devices almost indiscriminately, reveals IP Bill

The Home Office has made the case for GCHQ's new powers of bulk collection and hacking under the Investigatory Powers Bill, which will become law once it passes its third reading in the House of Lords, in a new document released this week.

"The draft Investigatory Powers Bill... seeks to update the law to reflect technological change, ensuring that these powers - including those relating to sensitive capabilities available to the security and intelligence agencies - are set out transparently and consistently, with robust safeguards and world leading oversight," claims the document.

It cites threats including terrorism, serious crime, "the resurgence of state-based threats", and cyber attacks. It suggest that the growth of the internet and use of encryption has made it harder for police and security services to track and respond to these threats.

It goes on to claim that analysis of bulk data has played a major part in every major counter-terrorism investigation over the past decade - implying that the security services have deployed these powers regardless of the law. Indeed, it claims to have used them "in each of the seven terrorist attack plots disrupted since November 2014".

It also claims that they have also been used in 90 per cent of the UK's targeted military operations in south Afghanistan, and in identifying 95 per cent of the cyber attacks on people and businesses in the UK "discovered by the security and intelligence agencies of the last six months". And, it has been used to identify serious criminals "seeking to evade detection online" and "who cannot be pursued by conventional means".

The document makes its case with a series of examples to back up the case for the powers contained within the Bill.

These powers include:

• The bulk interception of communications - intercepting international communications as they travel across networks in the UK. "It is often one of the only ways of obtaining intelligence on threats emanating from overseas, frequently in places where the UK Government has a very limited presence;"
• "Bulk equipment interference" or hacking. "Equipment interference may be the only option for obtaining crucial intelligence. As with bulk interception this is an overseas collection capability;"
• Bulk communications data obtained from service providers - predominantly internet service providers and mobile operators; and,
• Bulk personal datasets. This involves the use of datasets such as travel data or the many various government databases.

The document supports the mass, almost indiscriminate hacking of electronic devices using wide-ranging powers. These would enable security services to, for example, hack into all electronic devices in a particular town, or to target groups of people. The document cites a group of suspected terrorists congregating at a training camp, whose devices GCHQ have hacked into.

"The security and intelligence agencies... know that they are planning an attack on western tourists in a major town in the same country, but not when the attack is planned for," explains the document.

If all the devices go dead or silent at the same time, the security services would conclude that they have switched devices - probably in advance of carrying out their attack. The document suggests that under such circumstances, the security services ought to have the power to use "bulk hacking techniques" on all devices in the town "in order to try to identify the new devices that are being used by the group".

Earlier this month, the Metropolitan Police also made its case for wide-ranging access to communications metadata, arguing that often access to such data helped to "prove people innocent".