When the GCHQ agency (Britain’s equivalent of the National Security Agency) reportedly decided to infiltrate the IT network of Belgian telecommunications firm Belgacom, it relied on a sophisticated version of a man-in-the-middle attack.
Once the agency identified its human targets, according to German publication Der Spiegel, it performed a QUANTUMINSERT, directing their computers to fake, malware-laden versions of Slashdot and LinkedIn. Once the malware was downloaded, the GCHQ then siphoned out information related to OPEC and other sensitive topics. (Der Spiegel derived its information from top-secret documents provided by government whistleblower Edward Snowden.)
In an email to Slashdot, the GCHQ said it had “no comment to make on this particular story” and that its work “is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate,” with “rigorous oversight” from the British government.
Those assurances aside, the GCHQ’s alleged actions raise some hard questions. For example, if someone were to capture and analyze the network traffic associated with the QUANTUMINSERT, and from there draw a definitive link to British Intelligence (much easier said than done, of course), would the latter be legally culpable in the same way as a black-hat hacker? And if the attack could be proven without a doubt, would the GCHQ—or any similar spy agency engaging in the same sort of behavior—be liable for violating trademarks or copyrights, since a key part of its attack would necessitate the appropriation of intellectual property such as logos and content?
Complicating matters is the fact that a cyber-attack can cross multiple state and continental boundaries—if your attacker is located in London, and your victim in Belgium, and it’s a U.S. company that owns the IP “borrowed” for the assault, then how does one even begin to establish legal jurisdiction?
According to the Electronic Frontier Foundation, a watchdog group dedicated to defending individual rights online, there’s precious little any organization can do against something like a government-directed QUANTUMINSERT, at least from a legal standpoint.
“From a trademark perspective, if a company uses another company’s marks/logos to deceive, there may be a trademark claim,” Corynne McSherry, the EFF’s Intellectual Property Director, wrote in an email to Slashdot. “But it’s complicated a bit by two problems: (1) the fact that while there may be confusion, it’s not necessarily related to the actual purchase of any goods and services; and (2) multiple TM laws are in play here—for example UK trademark law may have different exceptions and limitations.”
And that’s not all: “Add on to that the fact that we are talking about government entities, which have walls of protection from lawsuits that don’t apply to private actors.” Even if a company initiated a copyright claim, government entities are often protected from liability under the doctrine of sovereign immunity. “There may be ways around this,” McSherry added, “but it’s a pretty significant challenge.”
That prospect of blanket immunity raises still another question: despite all the protests in the wake of Edward Snowden’s revelations, do governments engaging in widespread surveillance activities face any real penalties if they overstep their bounds? Or will current protests end in no corrective action whatsoever?