A five judge tribunal of UK’s Investigatory Powers Tribunal has ruled that the hacking operations carried out by GCHQ in the UK and abroad on computers, networks and smartphones does not violate human rights.
The court dismissed the case filed by privacy campaign group Privacy International and seven other internet service providers.
In its ruling, the tribunal clarified that legal framework under which GCHQ carries out Equipment Interference (EI), also known as Computer Network Exploitation (CNE), does not violate human rights law.
Following the verdict, UK Foreign Secretary Philip Hammond said: "I welcome the IPT ruling and its judgment that a proper balance is being struck between the need to keep Britain safe and the protection of individuals’ privacy.
"The ability to exploit computer networks plays a crucial part in our ability to protect the British public.
"Once again, the law and practice around our Intelligence and Security Agencies’ capabilities and procedures have been scrutinised by an independent body and been confirmed to be lawful and proportionate.
"The draft Investigatory Powers Bill will further strengthen the safeguards for the Agencies’ use of these powers, including a new double-lock authorisation process. It will provide our intelligence and security agencies with the powers they need to deal with the serious threats our country faces, subject to strict safeguards and world-leading oversight arrangements."
Privacy International and seven other internet service providers had challenged the programme after US whistleblower Edward Snowden revealed the operations carried out by the UK and US.
The internet service providers who had challenged the programme include Media Jumpstart, Riseup, Mango, Jinbonet, Chaos Computer Club, Greenhost and GreenNet.
Privacy International and the service providers had challenged ten aspects of GCHQ’s EI work, questioning the compatibility of the legal framework with the European Convention on Human Rights.
Before giving its verdict, the IPT examined the legal regime both before and after the publication in February 2015 of the Equipment Interference Code of Practice.
During the hearing last year, GCHQ admitted its hacking operations in the country and abroad. It had admitted that some of the operations have already been closed and some are secretly carried out.
Privacy International legal officer Scarlet Kim said: "We are disappointed by the IPT’s judgment today, which has found Government hacking lawful based on a broad interpretation of a law dating back to 1994, when the internet and mobile phone technology were in their infancy."
"Until we brought this case, GCHQ would neither confirm nor deny that it was they were engaging in mass hacking of computers, mobile devices and entire computer networks.
"During the course of the proceedings the Government sought to create law ‘on the hoof’, changing anti-hacking laws (the Computer Misuse Act 1984) through an addition to the Serious Crime Act 2015 and producing a Code of Practice for hacking."
"This case exposed not only these secret practices but also the undemocratic manner in which the Government sought to backdate powers to do this under the radar. Just because the Government magically produces guidelines for hacking should not legitimise this practice."
The UK Home Office has already published a code of practice for hacking to give more legal power under its Investigatory Powers Bill.
The bill is expected to be signed into law later this year.
Privacy International intends to challenge the verdict saying that it will undermine fundamental human rights. It added that a warrant should be issued in order to identify a specific property or person.
Privacy International added: "The IPT has decided that GCHQ can use ‘thematic warrants’, which means GCHQ can hack an entire class of property or persons, such as ‘all phones in Birmingham’. In doing so, it has upended a longstanding English common law principle that such general warrants are unlawful.
"Its decision is also contrary to the finding of the Joint Committee on the draft Investigatory Powers Bill, which recommended that hacking warrants should not be "used as a way to issue thematic warrants concerning a very large number of people."
"Allowing Governments to hack places the security and stability of the internet and the information we exchange on it at stake."