In a document published by NBC here, whistle-blower Edward Snowden has revealed in his latest leak that the UK’s NSA counterpart GCHQ had used one of Anonymous’ own illegal tactics against them and performed a Denial Of Service Attack against their IRC server in 2011.
GCHQ agents infiltrated various hacktivist groups who were baited into disclosing information over IRC on various cyber attacks they had performed. This information was later used against them aiding prosecution. But what is of further significance is the DDOS attacks the GCHQ performed against the hacktivists’ servers.
As you can see, a planned DDOS attack was carried out against the servers and resulted in a downtime of at least 30 hours. No matter which way you look at it, this action by GCHQ is illegal, and it would have risked disruption to other services with no connection to Anonymous or its allies.
Dr Steven Murdoch, a security researcher at the University of Cambridge, said:
It’s quite possible that the server was used for other purposes which would have been entirely unrelated to Anonymous.
It’s also likely that most of the chat that was going on about Anonymous was not to do with hacking because the people who join Anonymous are fairly wide-ranging in what they think it is legitimate to do.
Some have gone into criminality but many others just go out and organise protests, letter-writing campaigns and other things that are not criminal.
But what of the legal implications?
Eric King, head of research at Privacy International commented:
There is no legislation that clearly authorises GCHQ to conduct cyber-attacks, so, in the absence of any democratic mechanisms, it appears GCHQ has granted itself the power to carry out the very same offensive attacks politicians have criticised other states for conducting.
The UK government’s Cyber Security Strategy document, (here) says officials should take “proactive measures to disrupt threats to our information security”, but also notes that any such action should be consistent with freedom of expression and privacy rights.
It seems evident to me that GCHQ are in clear violation of laws concerning freedom of expression and privacy, let alone the Computer Misuse Act 1990 which states:
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
(1)A person is guilty of an offence if—
(a)he does any unauthorised act in relation to a computer;
(b)at the time when he does the act he knows that it is unauthorised; and
(c)either subsection (2) or subsection (3) below applies.
(2)This subsection applies if the person intends by doing the act—
(a)to impair the operation of any computer;
(b)to prevent or hinder access to any program or data held in any computer;
(c)to impair the operation of any such program or the reliability of any such data; or
(d)to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
(3)This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.
(4)The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to—
(a)any particular computer;
(b)any particular program or data; or
(c)a program or data of any particular kind.
(5)In this section—
(a)a reference to doing an act includes a reference to causing an act to be done;
(b)“act” includes a series of acts;
(c)a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.
(6)A person guilty of an offence under this section shall be liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c)on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.F1]
I wonder if GCHQ are going to receive the same treatment that LulzSec did for carrying out DDOS attacks. Somehow I doubt it.
UPDATE: Quakenet have released a statement here