The British spy-agency targeted anti-virus software and other common applications in reverse-engineering projects aimed at discovering and weaponizing defects in the code.
A newly published memo from the Snowden trove details the way that the agency discovered bugs in software that is widely used by UK businesses, individuals and government agencies, but did not take steps to get these defects fixed. Rather, they squirreled them away in secret, turning them into weapons that could be used to attack their adversaries — and leaving everyone else (including Britons) at risk of being hacked via the same bugs by foreign spies, criminals and stalkers.
The agency circulated an internal memo warning that reverse-engineering was illegal under UK and foreign laws (for example the US Digital Millennium Copyright Act), suggesting that they could face copyright liability if their activities came to light.
Section 1201 of the DMCA prohibits breaking digital locks that restrict access to copyrighted works. Since the bill's passage in 1998, security researchers have warned that it created a chilling effect on legit research, because researchers who discovered vulnerabilities and went public with them — warning users that the tools they relied on weren't fit for purpose — could face fines and even jail for weakening the lock's efficacy.
Every three years, the US Copyright Office entertains petitions for exemptions to 1201, and this year, there were many proposals related to security research in which researchers attested that their work was slowed, suppressed or stopped because of 1201 jeopardy. From voting machines to cars to medical implants to general software to categories so fraught the petitioners didn't even want to hint at them, some of the world's top security experts told the Copyright Office that 1201 gets in the way of security research.
It's darkly ironic to learn that GCHQ's top researchers could have easily signed their names to any of the filings in the docket.
"In 2008, there was no real authority on this issue in the EU or the U.K.," says Indra Bhattacharya, a U.K. solicitor with the firm Jones Day who specializes in intellectual property law. A 2012 EU court ruling and a related 2013 U.K. court ruling allow greater latitude toward specific reverse engineering practices as long as there is no copying of code, he explains, but case law is "very fact-specific" and "deals mostly with commercial situations," making it difficult to determine how it might apply to a government agency and whether it would obviate the need for GCHQ's warrant.
But at the time of the warrant renewal application, GCHQ was clear on its legal position. "Reverse engineering of commercial products needs to be warranted in order to be lawful," one agency memo states. "There is a risk that in the unlikely event of a challenge by the copyright owner or licensor, the courts would, in the absence of a legal authorisation, hold that such activity was unlawful." Even if warrants shielded GCHQ from domestic law, the agency believed the warrant would not protect it under international law, noting that such warrant-based immunity would be "limited," given that "it only covers us under U.K. law."
GCHQ obtained its warrant under section 5 of the 1994 Intelligence Services Act, which covers interference with property and "wireless telegraphy" by the Security Service (MI5), Secret Intelligence Service (MI6) and GCHQ. Section 5 of the ISA does not mention interference in intellectual property, which the intelligence agency believed was necessary to reverse engineer software, but a top-secret memo states that the intelligence services commissioner approved such use in 2005.
Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law [Andrew Fishman and Glenn Greenwald/The Intercept]
(Icon: GCHQ / Always listening, George Rex, CC-BY-SA)