A coalition of ISPs and communication providers from around the world filed a legal complaint against the U.K. Government Communications Headquarters (GCHQ), calling for an end to its alleged attacking and exploitation of network infrastructure to gain access to potentially millions of people's private communications.
The complaint was lodged on Wednesday with the U.K.'s Investigatory Powers Tribunal (IPT), a court that can investigate complaints about any alleged conduct by, or on behalf of, the British intelligence services.
The case was filed by U.S. campaigning organizations Riseup and May First/People Link, as well as by U.K. ISP GreenNet, Dutch hosting service Greenhost, Mango from Zimbabwe, the South-Korean Jinbonet, along with the German Chaos Computer Club and Privacy International who said exploiting network infrastructure to gather information is unlawful.
Their complaint draws on the revelations in a series of articles published by German news magazine Der Spiegel and investigative website The Intercept, based on documents provided by former NSA-contractor Edward Snowden.
Der Spiegel for instance reported in September that GCHQ had targeted the employees of the Belgian telecommunication company Belgacom to gain access to important network infrastructure using a malware attack.
"While the claimants were not directly named in the Snowden documents, the type of surveillance being carried out allows them to challenge the practices in the IPT because they and their users are at threat of being targeted," the organizations said.
Belgacom reported the attacks on its infrastructure to Belgian police. Privacy International spokesman Mike Rispoli could not say whether the company was invited to join the U.K. legal action. Due to the interconnectedness of the Internet, the surveillance described in the articles could be carried out against any ISP or communications provider, he added.
Another report by The Intercept based on documents provided by Snowden showed in March that the U.S. National Security Agency (NSA) has been working on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time. GCHQ appears to have played an integral role in developing this, according to the publication.
In their lawsuit, the communications providers claim that by allegedly interfering with network assets and computers belonging to the network providers, GCHQ has contravened the U.K. Computer Misuse Act and the European Convention of Human Rights (ECHR), which guarantees the individual's peaceful enjoyment of their possessions, they said.
Furthermore, conducting surveillance of the network providers' employees is in contravention of article 8 of the ECHR which covers the right to respect for private and family life, and article 10, which covers freedom of expression, they said. Surveillance of the network providers' users that is made possible by exploitation of their Internet infrastructure is also in contravention of those articles, the complainants said.
Moreover, by diluting the network providers' goodwill and relationship with their users, GCHQ could also have violated the ECHR, they added.
Privacy International already filed two other complaints with the Tribunal over the Snowden revelations. The first one was filed last July and concerns alleged mass surveillance on U.K. citizens via GCHQ's Tempora and the NSA's Prism program. A week-long public hearing for that case is set to begin on July 14, Rispoli said.
A second case was filed in May over GCHQ's and NSA's alleged ability to infect computers and mobile devices with malware, giving them control over the devices to switch on users' microphones or cameras, listen to phone calls and track locations. That case is still pending, Rispoli said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org