Privacy International’s state hacking case

Data Rights (in the name of its funder, Lori Roussey) was admitted to intervene before the European Court of Human Rights (ECtHR) on intelligence services hacking powers to provide the court with legal, political and comparative law arguments. This intervention also evokes the sharing of hacking tools between States.

Context: This case is a direct consequence of the Snowden revelations, where we can see that GCHQ could, inter alia activate a device’s microphone or webcam, identify the location of a device with high-precision, log keystrokes entered into a device, collect login details and passwords for websites and record Internet browsing histories on a device and hide malware installed on a device, with little to no oversight. In 2014, Privacy International (PI) and five Internet Service Providers (ISPs) therefore brought a government hacking case before the Investigatory Powers Tribunal (the UK’s jurisdiction on matters of intelligence powers). In 2016, PI brought the case to the European Court of Human Rights.

In 2019 we could intervene. As we had already been closely analysing how the French 2015 intelligence reform had shaped French State hacking powers, together with our extensive experience of French litigation, we were able to draw practical implications for citizens' and companies' rights. In particular the right to effective remedy. The right to effective remedy is paramount in the context of State hacking as it is crucial to have access to fair trials and reparations of the damages experienced (see examples in the intervention, attached below).

Unfortunately the case has been closed by the ECtHR for procedural reasons. Yet, in its 2020 decision the ECtHR indicated that state hacking is “particularly intrusive and that there is a need for safeguards in this domain”.

More generally, what we treasure with cases about hacking is that stakes are intrinsically at the crossroad of what is technically possible and what are the consequences for people’s rights and democracies. We feel this is well illustrated by the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. In his 2013 report, he denounced that “[o]ffensive intrusion software such as Trojans, or mass interception capabilities, constitut[ing] such serious challenges to traditional notions of surveillance that they cannot be reconciled with existing laws on surveillance and access to private information. There are not just new methods for conducting surveillance; they are new forms of surveillance. From a human rights perspective, the use of such technologies is extremely disturbing. Trojans, for example, not only enable a State to access devices, but also enable them to alter – inadvertently or purposefully – the information contained therein. This threatens not only the right to privacy but also procedural fairness rights with respect to the use of such evidence in legal proceedings.”

• See Privacy International’s post about the context of this case against GCHQ
• See Privacy International’s 2020 post about the ECtHR’s 2020 decision