It's perfectly legal for us to rummage in your cloud data, states UK's top spy boss

By Stuart Lauchlan June 17, 2014
Summary:
Anything the NSA can do, GCHQ can do better. By classifying social networks as ‘external’ communications, UK spooks argue they are essentially licensed to do whatever they please when spying on cloud communications.

In our post-Snowden world, we’re all too used to European Union officials getting on their high horses to deliver ‘holier than thou’ lectures to the US over the NSA online spying program.

Next time that happens, the US authorities may well be tempted to point to the UK where it’s been officially confirmed by the government for the first time that snooping on the likes of Facebook and Google is OK if their data is defined as ‘external communications’.

Now of course there have been rational voices pointing out for months and months that nation states within Europe all have their dark secrets to hide when it comes to state-sanctioned snooping and that the main difference between the NSA in the US and, for example, the German equivalent is that the US version got caught!

But a legal statement from Charles Farr, the UK government’s Director General of the Office for Security and Counter Terrorism, lets the proverbial cat out of the bag once and for all.


Farr's statement was filed as part of a legal challenge against the UK government’s electronic surveillance program, Tempora, which collects data by tapping fiber optic cables. Its existence came to light in documents leaked by former NSA contractor Edward Snowden.

Farr posits that due to the:

significant and enduring threat from terrorism, serious and organised crime and other national security threats there is a pressing need for the Intelligence Services and law enforcement agencies to be able to secure valuable intelligence in order to pursue their statutory objectives.

From the point of view of the privacy interests of those individuals who are subject to investigative measures…I do not consider that intelligence in the form of (or that is derived from) communications and communications data is in some general sense more personal or private than…other forms of intelligence.

A question of semantics

The key word in his statement is ‘external’, as in external communications. Under section 8(1) of the UK's Regulation of Investigatory Powers Act 2000 (RIPA), internal communications between UK residents located within the UK may only be monitored if the authorities obtain a specific warrant.

However, ‘external communications’ can be monitored indiscriminately under a ‘general warrant’.

Farr argues that interception of UK residents’ Facebook and Google communications would be permitted under law because they are defined as ‘external communications’ due to the fact that they use web servers based in the US:

Google’s data centres, containing its servers, are located around the world but the largest centres are in the United States and its largest European centres are outside the British Islands. So a Google search by an individual located in the UK may well involve a communication from the searcher’s computer to a Google web server, which is received outside the British Islands; and a communication from Google to the searcher’s computer, which is sent outside the British Islands. In such a case, the search would correspondingly involve two “external communications”.

It’s the same with Facebook and Twitter, he adds:

A user located in the British Islands posting a message on Facebook will communicate with a Facebook web server, located in a Facebook data centre. If the Facebook data centre is outside the British Islands, then the message will be an “external communication”.

Similarly a user located in the British Islands posting a message on Twitter will communicate with a Twitter web server forming part of Twitter’s data centre infrastructure. That data centre infrastructure is largely based in the United States: so the communication may well be external for the purposes of RIPA.

Farr concludes:

Once travelling over the internet, the route whereby an electronic message reaches its intended recipient can be almost infinitely varied. The nature of the internet is that messages will be routed by the most efficient route available at the time. That route will not necessarily be the route that is geographically the shortest. It will be determined by a number of factors including the cost of transmission via a specific route; the number of links between the start point and end point for the message; and the volume of traffic passing over particular parts of the internet at particular times of day.

Taking these considerations in the round, it will be apparent that the only practical way in which the Government can ensure that it is able to obtain at least a fraction of the type of communication in which it is interested, is to provide for the interception of a large volume of communications, and the subsequent selection of a small fraction of these communications for examination by the application of relevant selectors.

Legal challenge

The stark admissions were forced into the public domain as a result of a legal challenge brought by various civil liberties groups, including Privacy International, Liberty, Amnesty International and the American Civil Liberties Union.

James Welch, Legal Director of Liberty said:

The security services consider that they’re entitled to read, listen and analyse all our communications on Facebook, Google and other US-based platforms. If there was any remaining doubt that our snooping laws need a radical overhaul there can be no longer. The Agencies now operate in a legal and ethical vacuum; why the deafening silence from our elected representatives?

In his statement, Farr also touches on the US government’s PRISM program, saying that he accepts the existence of the spying initiative and the US ‘upstream collection’ program because various US officials have confirmed it.

But as for Tempora - or as Farr refers to it, ‘the alleged Tempora operation’ - he cites the standard UK government ‘can neither confirm nor deny’ response. Noting that journalists have obtained official documents which refer to Tempora being run out of the GCHQ spy headquarters in Cheltenham, Farr insists this shouldn’t mean a deviation from the party line:

I do not consider that this allegation places the present case in any different category from that of any other leak.

I am not aware of any exceptional circumstances which would justify a departure from the neither confirm nor deny principle in relation to the alleged Tempora interception operation.

Farr goes so far as to add a variant on the old ‘you only need to be worried if you’ve something to hide’ argument when he suggests:

The analyst, being only human and having a job to do, will have forgotten (if he or she ever took it in) what the irrelevant communication contained.

But as Eric King, deputy director of Privacy International, notes:

The suggestion that violations of the right to privacy are meaningless if the violator subsequently forgets about it not only offends the fundamental, inalienable nature of human rights, but patronises the British people, who will not accept such a meagre excuse for the loss of their civil liberties.

My Take

OK, we knew it was going on anyway, but it's still a stark admission, a horribly dangerous precedent and a cynically opportunistic use of semantics to justify a course of action.

By classifying social networks as ‘external’ the UK government essentially empowers its spies to do whatever pleases them when it comes to online surveillance.

And of course if other European countries take a similar stand - maybe they already do? - then it’s open season on privacy, whatever the political posturings of some in authority across the continent. Certainly in light of the UK admission, there might be some interesting questions to be asked of the likes of France and Germany.

Let’s just bear that in mind the next time European Union commissioners such as Neelie Kroes or Viviane Reding start self-righteously lecturing the US over PRISM and issuing demands.

What this does do, of course, is further make the case for social media and cloud firms to have in-country data centers so that communications become ‘internal’.

But while that might work on paper as a purely theoretical idea, it is of course completely impractical in economic terms.