Since revelations about government surveillance began coming out last year, many of the related conversations have been ideological and political and have centered on the abstract implications for privacy. These are important topics and debates, but there's another good question: Is it legal? The advocacy group Privacy International thinks that the U.K.’s government surveillance agency GCHQ did at least one thing that was illegal by planting malware in computer microphones and webcams that allowed the agency to secretly surveil citizens.
Through the initiative, GCHQ was able to collect extensive information about citizens who had no idea they were being watched. Privacy International questions the legality of a number of GCHQ projects discussed in documents released by Edward Snowden. For example, through NOSEY SMURF the agency could use compromised device microphones to record conversations. Through GUMFISH the agency could take photos with webcams. Through GROK the agency could record a user's keystrokes. Through FOGGYBOTTOM the agency could record a user's browsing history and usernames/passwords. And it goes on from there.
Privacy International filed its legal complaint with the U.K.’s Investigatory Powers Tribunal, the court that deals with legal action against U.K. intelligence agencies. Privacy International’s complaint raises a number of concerns by asserting that extensive surveillance of this nature "is incompatible with democratic principles and human rights standards." The group also notes that if an individual citizen performed similar hacks to surveil another citizen, their action would be considered unlawful and a criminal offense. Privacy International said in a statement:
The use of malicious software to hack into a computer or mobile device is equivalent to covert, complete, real-time physical and electronic surveillance, as well as historical surveillance, of everything that person does, sees and says.
Privacy International argues that the use of such capabilities is a clear violation of Article 8 (the right to privacy) and Article 10 (right to freedom of expression) of the European Convention on Human Rights, and must end immediately.
There are other legal complaints pending against the NSA and GCHQ, but Privacy International claims that this is the first legal action in the U.K. specifically protesting GCHQ's hacking tools aka malware.
Maybe it's just me, but if your project code name is "NOSEY SMURF" it kind of seems like you know that you're doing something sketchy.