As part of the tribunal's case, GCHQ admitted that it carries out compute and network exploitation hacking "within and outside the UK," and that about one-fifth of the agency's intelligence reports contained information derived from its hacking efforts.
Those efforts would allow GCHQ to tap into almost any device that contained vulnerabilities or flaws, such as webcams, computers, firewalls, and even smart devices -- items that are considered part of the Internet of Things, like toys and thermostats.
In its ruling published Friday, the Investigatory Powers Tribunal (IPT) said that the agency's now avowed hacking efforts "raised a number of serious questions," but, citing evidence, concluded that a "proper balance" has been struck between the intelligence agency's needs and public safeguards.
Scarlet Kim, legal officer at London-based Privacy International, which brought the case, said the group was "disappointed" and that it will appeal the decision.
"Allowing Governments to hack places the security and stability of the internet and the information we exchange on it at stake," said Kim in a statement.
She added: "This case exposed not only these secret practices but also the undemocratic manner in which the Government sought to backdate powers to do this under the radar. Just because the Government magically produces guidelines for hacking should not legitimize this practice."
British foreign secretary Philip Hammond, whose office oversees GCHQ, welcomed the ruling, adding that the ability to exploit computer networks "plays a crucial part in our ability to protect the British public," he told the BBC News.