ISPs sue UK spies over network attacks

A group of seven internet providers from around the world have filed a legal complaint against Britain's main signals intelligence agency over what they call the "targeting, attacking and exploitation" of communications networks.

This is the first legal action taken against the UK Government Communications Headquarters (GCHQ). 

Along with UK-based privacy not-for-profit Privacy International, the providers from the US, UK, Germany, Netherlands, Korea and Zimbabwe alleged [PDF] that GCHQ's "attacks on providers" were illegal and destructive, and demanded a cessation.

The GCHQ's dragnet surveillance takes away all citizens' privacy rights indiscriminately. Thus, not only lawyers, doctors, journalists, and many more people are robbed of their working basis, but everybody is stripped of his or her ability to object to their government's opinion without fear of retribution.

Monitoring all communications secretively and without any effective control nor checks and balances breaks the foundations on which our modern democracies are based. We are heading towards a police state and the only way to stop this is to bring mass surveillance to an end."

- Jan Girlich of the Chaos Computer Club, Germany, one of the parties suing the GCHQ.

The legal action stems from media reports in The Intercept and Der Spiegel following further classified documents leaks from former United States National Security Agency (NSA) contractor Edward Snowden.

These reports outlined secret mass surveillance of users at German internet peering exchanges by GCHQ and the NSA.

Further, the documents alleged the UK spy agency conducted an attack on employees of Belgian telco Belgacom, infecting their computers with malware to gain access to network infrastructure.

The documents - which were shared with Australian and New Zealand intelligence agencies under the "Five-Eyes" collaboration agreement - also spoke of an automated system code-named TURBINE.

Through TURBINE, the NSA planned to infect millions of computers worldwide with several different types of malware such as GUMFISH which could control webcams and take pictures, and SALVAGERABBIT which could remotely copy data from flash memory drives and sticks.

TURBINE is an active project for the NSA. While the exact numbers have not been disclosed, the Washington Post reported last year that up to 100,000 computers worldwide had already been infected under TURBINE.

TURBINE is part of the agency's Owning the Net program for which it sought US$67.6 (A$71.6) million in funding in last year's "Black Budget". 

NSA also hit with lawsuit

Separately, digital rights group the Electronic Frontier Foundation (EFF) said yesterday it has sued the NSA and the US Office of the Director of National Intelligence to obtain access to documents showing how spy agencies decide whether or not to disclose zero-day security holes.

The EFF is seeking clarity around an April report by Bloomberg which alleged that the NSA knew about the serious "Heartbleed" flaw in the OpenSSL cryptographic library used to secure data communications, and exploited it for two years before it was public.

NSA and the US government denied the allegations and said it had a "vulnerability equities process" for deciding when to share vulnerabilities with the public and companies.

However, the EFF claimed the principles behind the process have not been disclosed even after the digital rights group filed Freedom of Information requests for the documents, and is now suing the government spy agency for access.