Tag Archives: PRISM

GCHQ surveillance: TEMPORA program

As you may have noticed, the technology side of this blog hasn’t been updated recently. The reason for this is because as part of my work at the Cybercrime Studies center at John Jay, I have been working on analysing the UK position in regards to intelligence matters. It took a long time and effort to pull it all together so I hope you enjoy. The article below was first published on the Cybercrime studies center at John Jay on July 12, 2013:
 

———-
On June 21, 2013, it was reported by The Guardian that the UK Government Communications Headquarters (GCHQ), the equivalent of the American NSA, has been conducting a major surveillance operation. Codenamed “TEMPORA”, the program reportedly gives GCHQ the ability to create an “Internet buffer,” which one could think of as a temporary storage area that security analysts have access to, and thus to store telephone conversations and Internet content for 3 days and metadata for 30 days.

Collecting and sharing intercepted data

The vast amounts of data are reportedly collected by tapping into the fibre optic cables that transport telephone and Internet traffic between the US and Europe, with many of the lines connected via the UK. The fibre optic cables carrying telecommunications and Internet traffic between the UK and Europe are also tapped. This acquisition of data is supposedly achieved with the help of commercial companies who own the fibre optic cables, whom GCHQ has nicknamed “intercept partners”. Currently we are unable to ascertain whether this help from the intercept partners is voluntary or forced. The data is shared with many thousands of NSA workers and contractors, who play a leading role in defining and conducting searches, and is reportedly “the biggest internet access” of any member of the Five Eyes group.

Five Eyes

The Five Eyes group consists of the UK, US, Canada, Australia and New Zealand. In 1946, the UKUSA Signals Intelligence Program established cooperation in signals intelligence between the US and the UK that was later expanded to include Canada, followed by Australia and New Zealand. The Technical Cooperation Program, which implements the acquisition, searching, and sharing of Internet and telecommunications data within the Five Eyes Group, is described as “an international organization that collaborates in defence scientific and technical information exchange; program harmonization and alignment; and shared research activities for the five nations”.

How does it work?

According to The Guardian, GCHQ is able to “survey about 1,500 of the 1,600 or so high-capacity cables in and out of the UK at any one time”. The document seen by The Guardian reportedly shows that as of 2012, GCHQ was capable of extracting and collecting information from 200 of those cables at a time.  GCHQ’s goal is to double that capability to 400 cables at a time.  Each cable allegedly can transport 10Gb of data per second, in other words, more than the storage capacity of a dual-layer DVD every second.

The documents seen by The Guardian also allegedly show that in collecting data from the cables, GCHQ attempts to filter out UK-to-UK communications.  However, since UK-to-UK communications may take place on websites hosted outside the UK, GCHQ’s filtering system is highly unlikely to screen out all UK-to-UK traffic. For example, UK citizens who use Gmail might have their data stored on American servers and thus it would be very difficult to distinguish UK-to-UK email communications as it would appear to be UK-to-foreign.

As discussed in another posting on the Cybercrime studies center website, the claim that the contents, but not the metadata, of telecommunications are protected by the Fourth Amendment of the United States Constitution underlies the NSA’s dragnet collection of telephony metadata. Similarly, GCHQ documents seen by The Guardian state that “there are extremely stringent legal and policy constraints on what we can do with content, but we are much freer in how we can store metadata”. GCHQ’s interpretation of the distinction between the contents and metadata is questionable, however. One document allegedly declares that in making the distinction, GCHQ “lean[s] on legal and policy interpretations that are not always intuitive” and that passwords are sometimes regarded as metadata. The collection and storage of passwords would, of course, enormously increase the government’s ability to access the contents of Internet accounts and would, therefore, hugely increase the risk of unwarranted intrusions on privacy.

A more fundamental question is whether GCHQ’s policy of according less protection to metadata than contents contravenes the decision of the European Court of Human Rights in 2007 in Copland v. United Kingdom, 45 Eur. Ct. H.R. 253, Sec. 43. There, the Court held that “information relating to the date and length of telephone conversations and in particular the numbers dialled . . . constitutes an ‘integral element of the communications made by telephone’” that the right to privacy of Article 8, Section 1 of the European Convention on Human Rights (“ECHR”) protects, and extended that principle to email and other Internet communications.

 

Relevant Legislation – Regulation of Investigatory Powers Act (RIPA)

The legislation that governs the reported surveillance activities is the Regulation of Investigatory Powers Act (RIPA).  Enacted in 2000, RIPA gives powers to intercept communications to the security services and police.  In addition, RIPA authorizes local authorities, such as county councils and district, borough or city councils, to intercept communications when needed “to prevent or detect criminal offences that are either punishable, whether on summary conviction or indictment, by a maximum term of at least 6 months’ imprisonment or are related to the underage sale of alcohol and tobacco”.

A major distinction between the powers of local authorities, on the one hand, and security services and police, on the other, was established by the enactment of the Protection of Freedoms Act 2012.  Under that Act, local authorities are required to obtain a warrant from a Justice of the Peace (JP), more commonly known as a magistrate, before carrying out any interceptions.  By contrast, security services and police remain free under RIPA to engage in interceptions without obtaining judicially authorized warrants. Different types of surveillance require different levels of authorization. Warrants that deal with the interception of communications such as a wiretap need to be signed by the Home Secretary.

Under RIPA Sections 8(1) and 8(2), an interception warrant needs to be specifically targeted. According to RIPA Section 8(1), the warrant must “name or describe either one person as the interception subject or a single set of premises as the premises in relation to which the interception to which the warrant relates is to take place”. Section 8(2) follows up with requiring specifics “that are to be used for identifying the communications that may be or are to be intercepted”.

The possibility of mass surveillance arises, however, because Sections 8 (1) and (2) are not applicable when, pursuant to Section 8 (4) and 8(5), a warrant is allowed to be issued for the interception of “external communications.” An external communication “means a communication sent or received outside the British Islands,” according to Section 20 of RIPA.  Under Section 8(4), a warrant may be issued only if it is accompanied by a certification by the Secretary of State that the warrant is necessary for one of the three purposes delineated in Section 5(3): “in the interests of national security,” “for the purpose of preventing or detecting serious crime,” or “for the purpose of safeguarding the economic well-being of the United Kingdom”. Under Sections 9(2) and 9(6),  certifications have to be renewed by the Secretary of State every 6 months.

The interpretation of the words “considered necessary” in RIPA Section 8(4) is crucial to whether and when that Section can be used to allow external communications to be intercepted without the protection of the specific targeting required by Sections 8(1) and 8(2). What the intelligence services and the Secretary of State, whose responsibilities include keeping the country safe and secure, consider necessary could be far different from what an ordinary member of the public and/or the judicial authorities would deem necessary.

An additional major interpretative issue arises in regard to the requirement in RIPA Section 5 (2) (b) that a warrant only be issued by the Secretary of State if “the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct”.  As with “necessity,” the surveillance that the Secretary of State might consider proportional to a threat could be far different from what an ordinary member of the public and/or the judicial authorities would consider proportional.

 

Has RIPA Been Violated by TEMPORA’s Mass Surveillance?

Whilst it is unlikely that the legislators who enacted RIPA foresaw the massive surveillance that has occurred under TEMPORA, it is not clear whether TEMPORA contravenes RIPA’s requirements. The UK charity group Privacy International has filed a claim in the Investigatory Powers Tribunal (IPT), the group set up to oversee any abuses of RIPA, challenging both the UK TEMPORA program and GCHQ’s utilization of data acquired by the NSA under the PRISM program, whose surveillance of the contents of Internet communications will be described in further posts on this website. According to Privacy International, TEMPORA’s acquisition, storage and use of Internet and telecommunications data fails to satisfy RIPA’s requirements of “proportionality” and “necessity.”

A claim against the British Intelligence Services has also been issued by Liberty, a UK civil liberties group which is similar to the ACLU.  Liberty has asked the IPT to decide “whether the British Intelligence Services have used PRISM and/or TEMPORA to bypass the formal UK legal process which regulates the accessing of personal material”.

GCHQ, however, firmly believes that they are acting within the law and boundaries of UK legislation. A spokesman for GCHQ stated that, “GCHQ takes its obligations under the law very seriously. Our work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee”.

The concerns that have been raised are being looked into by the Intelligence and Security Committee (ISC), who have the ability to look at classified material, as all members are subject to Section 1 (1) (b) of the Official Secrets Act 1989. The chairman of the group, Sir Malcolm Rifkind MP, stated: “The Intelligence and Security Committee is aware of the allegations surrounding data obtained by GCHQ via the US Prism programme. The ISC will be receiving a full report from GCHQ very shortly and will decide what further action needs to be taken as soon as it receives that information”. As of now, there has been no further comment from the Committee.

 

EU Data Protection Directive / UK Data Protection Act

Another consideration is whether the TEMPORA surveillance violates the EU Data Protection Directive (the “Directive”), which the UK enacted into legislation in the Data Protection Act 1998. Although the Directive does not regulate government “processing operations concerning public security, defence, State security…and the activities of the State in areas of criminal law,” Article 4 of the Directive puts protections in place against private companies. The question is whether the activities of the private companies that are GCHQ’s “intercept partners” in TEMPORA conform to the requirement in Article 4 sub section 1. (a) “that the data controller on the territory of a member state… must take the necessary measures to ensure that each of those establishments complies with the obligations laid down by the national applicable law”.

The principal problem with arguing that Article 4 sub section 1. (a) is violated is that the “national applicable law,” the Data Protection Act 1998, includes a very broad national security exception. Section 28 (1) of the Act notes that “personal data are exempt from any of the provisions of the data protection principles if the exemption from that provision is required for the purpose of safeguarding national security”.  Once again, whether TEMPORA’s massive, general surveillance contravenes legislation hinges on the interpretation of what “is required for the purpose of safeguarding national security.” Ultimately, it will be up to the courts to decide this question.

 

Human Rights concerns

Article 8 of both the ECHR and the legislation that incorporates the ECHR into UK law, the Human Rights Act of 1998, establishes a right to respect for one’s private and family life and one’s home and correspondence. There is to be no interference with such rights by a public authority, “except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

Privacy International has claimed before the IPT that there are not “sufficient safeguards” to render [TEMPORA’s interference with private and family life and the privacy of correspondence] in accordance with the law, as required by Section 8 of the ECHR.  Liberty has also claimed that the group’s rights under Article 8 of the Human Rights Act 1998 have been breached.

 

It remains to be seen what will happen, but it is likely that the Intelligence Services will use the national security exemption to claim that their activities under TEMPORA were perfectly legal. It is also now clear that it will be up to the IPT and, possibly, the courts to interpret ambiguous language and decide on the relative protections that UK statutes and the ECHR accord to private life and national security.

 

I would like to place on record my thanks to Adina Schwartz who took the time to provide valuable feedback and contributed to the editing of this piece.

This article was first published on the Cybercrime studies center at John Jay on July 12, 2013

Weekly summary of the controversies of PRISM

Trying to write up a summary of the week’s events relating to PRISM is not easy. As I started writing this an email came in from a friend telling me about another revelation in today’s Guardian newspaper and that brings me nicely onto my first point.

More classified material to come…

We don’t know when this will end. It is obvious that there are still some more very revealing stories to be told yet and the Guardian are going to do a drip feed approach. You can hardly blame them for this. The question is what on earth could there be? Well it appears that GCHQ (the equivalent of America’s NSA) were spying on foreign dignitaries during the G20 summit in London back in 2009. I don’t intend on going into much detail about this as it deserves its own piece but it shows that the PRISM and related programs are very far reaching.

Snowden has also spoken about how the US has been hacking certain Chinese institutions and launching cyber attacks there. This is obviously going to be yet another embarrassment to the White House especially given the recent summit between President Obama and his Chinese counterpart in California. One thing is clear – China has gone from being indifferent to the scandal to very interested indeed. It also brings into question though what Snowden’s intentions are. This moves away from the philosophical idea that it was purely to spark a debate on citizens’ liberty, privacy and freedoms and more into the realm of politics.

Declassified information by NSA

What I have found interesting, and it is a stark difference to the past, is how the intelligence services have declassified information so that they can provide further details to back up their claims. I cannot remember a time in the past when this has been the case. The cynic would have you believe that they are only providing the information they want you to know and the rest will remain “classified” to “protect national security” which therefore alleviates the ability to have a full and open debate on the issue that the White House says it is keen to see. Furthermore there was a closed doors briefing given to the entire Senate last week. Very few details have emerged from it though other than some senators obviously feeling that the NSA are right in their actions.

Snowden unable to enter the UK

Another telling sign that the British government are worried is that an alert has been issued by the Risk and Liaison Overseas Network at the UK Border Agency which is ultimately governed by the Home Office. This procedure is normally used when a person already has clearance to enter the country either by already holding a valid visa or not needing a visa due to an agreement between the UK and the citizen’s country. The alert stated that airlines would be liable to a £2,000 charge which is in the form of a fine. On top of that the airline responsible would be liable for the costs of the person’s detention and removal. This is valid under Section 40 of the Immigration and Asylum Act 1999.

The apparent justification for the alert is because Snowden is apparently “highly likely to be denied entry to the UK”, although they do not state why. I would assume, having looked through the immigration rules, specifically part 9 that deals with refusing entry, that the reason would fall under the following category:

(6) where the Secretary of State has personally directed that the exclusion of a person from the United Kingdom is conducive to the public good;

I have to reiterate though that this is only an assumption and a personal opinion as nobody knows the reason behind it given that it’s not been disclosed. You can also find out more information about it here.

Disclosures from Technology companies on requests

Finally we have the disclosures from the various different technology companies stating how many requests they had received. The government have not given them permission to break it down into sub categories so currently they are unable to say how many relate to FISA requests. Google are fighting this saying:

We have always believed that it’s important to differentiate between different types of government requests. Lumping the two categories together would be a step back for users.

and they have the support of Twitter as well with their Legal Director, Benjamin Lee tweeting

We agree with @Google: It’s important to be able to publish numbers of national security requests—including FISA disclosures—separately.

But in the meantime we know the following:

  • Facebook said it received between 9,000 and 10,000 requests covering between 18,000 and 19,000 accounts.
  • Microsoft said it received between 6,000 and 7,000 requests from US government agencies affecting between 31,000 and 32,000 customer accounts.
  • Apple said it received requests for information linked to between 9,000 and 10,000 accounts or devices between December and the end of May.

Whilst that may be a sizable chunk, it’s not as bad as I was expecting to be honest. I hope that it can be broken down into more specific categories so we can gain a better understanding.

I wonder what this week will bring…

Why PRISM is not Obama’s greatest moment but there’s still hope

Coming from someone who is a staunch Democrat and a strong liberal, it saddens me to see the position that President Obama has taken regarding the NSA leaks. Over the past four years I have defended him constantly when people have thrown shots at him but now I find myself in the precarious position of agreeing with his detractors. I’ve gone from a supporter to questioning what on earth he is doing and what damage has been done?

I feel angry at his broken promises, barefaced lies and downright foolish behavior. My anger probably stems from the statement attributed to the NSA whistleblower Edward Snowden when he said

the election of Barack Obama in 2008 gave hope that there would be real reforms.

When these reforms were not forthcoming Snowden got disillusioned and he

watched as Obama advanced the very policies that I thought would be reined in.

It was with this in mind that he made the decision to go ahead and make, very publicly, the knowledge that he had knowing full well what might happen to him. For anyone who hasn’t read the article where he discusses and justifies his actions then I encourage you to do so. It can be found here.

Snowden is currently in Hong Kong waiting to see what his fate may be. Personally I hope that he is classed as a whistleblower and offered the protections that I think he deserves. The overreach of this surveillance program goes against the very fabric of American society and its values. He was right to make this public and yet now he has the most powerful government in the world after him. I’m glad I’m not in his situation but I will say he is brave and unlike Obama seems to practice what he preaches. There is already an internet movement to back him with a petition being created offering him a full and frank pardon by the White House.

How can Obama get up in a morning, look at himself in the mirror and say he is being true to himself and to his party? He is right when he says that you cannot have 100% security and 100% privacy and of course there should be compromise but he is gravely mistaken if he believes that he has reached that balance with his actions.

I am not of the belief that his presidency is over though. He has always been a man of great strength, character and reason. Now is the time to show it by admitting you made a mistake, having a real open and honest debate and shaping the future with the American people included. After all Mr President you work on behalf of the people!

Day 2 of revelations: This time it’s the Internet that’s under surveillance

“Stunned, Angry. Fighting back against the NSA.”

That was the subject line of an email I received today from the EFF following on from yesterday’s disclosure that the NSA is grabbing all the telephony data of Verizon and more than likely others as well. Today it doesn’t get better for those of you who have privacy concerns and were outraged by the revelations, in fact it gets considerably worse. Both the Washington Post and the Guardian have reported on another Top Secret program called PRISM which allows the NSA to monitor all internet communications IN REAL TIME.

Justification

The director of National Intelligence, James R. Clapper had this to say:

“The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans”.

He then goes on to say that the reports “contain numerous inaccuracies” without expanding on the point which is a little pointless as it’s all supposed to be Top Secret so there is no chance of the public knowing what those inaccuracies are thus making it a moot point.

To Mr Clapper I have this to say, if it’s entirely legal then why hide it? The reporting of this practice is “reprehensible” and yet the White House and the Foreign Intelligence Surveillance Court deem it necessary to withhold such information from the public? I’d say that’s more reprehensible.

Of course it is all about protecting citizens, whilst single-handedly doing away with any privacy that they had and so it should be allowed (*sarcasm*). There is so much wrong with his quote that it angers me. The contempt that is shown is rather profound in my opinion and it just comes across as “we know best”, insulting the intelligence of millions of people. Now the caveat is I am sure there are many different threats that need to be stopped and I do not envy the security services but there are ways and means and secret programs are not it.

Non-US citizens only – what it means for the rest of the world

The justification gets better later on in the statement. As a way to try and stop the inevitable outrage and rather strong criticisms Clapper states:

“They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons”.

Great! So now it’s only the rest of the world who is being monitored by US intelligence agencies, not Americans themselves so that’s fine. Oh wait…it’s not! If the report is true and I have no reason to believe it’s not, then it implies the following companies are involved: Facebook, Google, Yahoo, Microsoft, Apple. Let’s be realistic here, which country are you aware of that doesn’t use those services on a daily basis? So any other citizen of the world is supposed to just accept this overreaching surveillance program? Arguably the biggest in the world? I sure hope not. It is important to note here, for reasons of accuracy and fairness, that all of the aforementioned companies refute the suggestion that they are going along with this and disclose such information voluntarily.

The statement is also carefully worded with such words as “minimize” and “incidentally acquired”. In short… US citizens are going to be caught up in this as well whether they like it or not, they’ll just do their best not to retain and use it. What about US citizens abroad, does this mean they are fair game? And unless I am missing something what about the homegrown threats that have occurred since 9/11?

Legal?

Whilst the practice might be legal it is done by entities such as the executive, a secret court that rarely publicly publishes its findings and a part of congress which is held in closed session. So much power seems to be concentrated with very little oversight.

What’s next?

My sincere hope is that there is such an outcry and uproar over this news that citizens demand action and there is an unveiling of secrecy around the entire program. There is talk that members of congress intend on putting forward a bill to try and prevent this or at least reduce and curb the power of Section 702 of the Foreign Intelligence Surveillance Act. I think it is vital that we let the powers that be know that this is not ok. I am not saying that there can’t be compromise but do it in the right way and you might actually have support for the final solution.

Finally how does it affect me?

Well not that I am surprised but any communications that I send back home or that are sent to me are more than likely to have been intercepted by the NSA. My Skype calls will all have been monitored though it’s still not clear if that means the entire content of the call but alas it doesn’t appear that right now there is anything I can do about it but suck it up. I am hopeful that others will for me though – the EFF and ACLU will be heavily involved in fighting this on a national level. Oh and after writing this article I think the idea that I could work for the government or intelligence services is pretty slim! Corporate world for me it is after all.

Once again…let us know your thoughts and if and how you intend to respond.