
A report (25 Nov) provides unprecedented official acknowledgment of the major spying apparatus used by UK security services and discloses that they have ‘direct collection techniques’ and access to comms data as they ‘traverse the internet’.

The paper – part of a Parliamentary inquiry analysing the circumstances around the murder of Fusilier Lee Rigby in 2013 – was published by the Intelligence and Security Committee and details the government reach (and limitations) of legislation including the Regulation of Investigatory Powers Act (RIPA) as well as the interactions between MI5, MI6 and the Government Communications Headquarters (GCHQ).


The oversight committee’s analysis of the cases of Michael Adebolajo and Michael Adebowale, who are both currently serving life sentences for the murder of Mr Rigby, asks whether enough was done by the security services in the run-up to the tragic event. Although redacted in parts for national security reasons, the report still discloses more information than we are used to getting through official channels regarding the UK Government’s spying abilities.

“GCHQ also has access to communications as they move over the internet via the major internet cables. This provides the capability to intercept a small proportion of internet traffic: in theory, GCHQ can access around ***% of global internet traffic and approximately ***% of internet traffic entering or leaving the UK. However, the resources required to process the vast quantity of data involved mean that, at any one time, GCHQ can only process approximately *** of what they can access.”

A significant focus of the report is on the limitations of UK law in accessing foreign comms data with the committee noting that “most CSPs [Communication Service Providers] based outside the UK do not accept that the UK legislation applies to them”.

“RIPA lacks explicit extraterritorial jurisdiction and cannot be argued to place any obligations onto CSPs based outside of the UK”

This effectively means that many companies based outside of the UK are not obligated to hand over user data. Indeed, the report finds that “internet services such as Skype, Gmail and Facebook, and conversations using huge numbers of smartphone applications (for example, Whatsapp, BlackBerry Messenger and Instagram) – the majority of these communications services and applications are owned by companies based overseas, primarily in the US.”

Companies in the States, for example, at times cannot fully comply with requests for information by UK security services because doing so conflicts with the US ‘Wiretap Act’ legislation.

“…none of the major US Communications Service Providers (CSPs) regard themselves as compelled to comply with UK warrants obtained under the Regulation of Investigatory Powers Act 2000 (RIPA). As a result, even had MI5 had reason to seek information under a RIPA warrant, the company concerned might not have responded.”


This can, it seems, be circumvented on occasion – with the report stating that “GCHQ can potentially access external internet communications (i.e. one or both ends outside the UK) via their intelligence capabilities. This includes their ability to access the material travelling through the fibre-optic cables carrying information to and from the UK.”

The report makes a number of references to working with third parties and agency partners as well as information requests to social media and tech companies including Facebook, Twitter and Google. One interesting example provided in the report is of an unnamed organisation’s messaging service, which was used by Mr Adebowale during an exchange with an individual (codenamed FOXTROT for the purposes of the report) in which he proclaimed “Let’s kill a soldier”.

The oversight committee has attacked this company by alleging they could be providing a ‘safe haven for terrorists’ as they do not actively monitor their messaging services.

“This company does not appear to regard itself as under any obligation to ensure that its systems identify such exchanges, or to take action or notify the authorities when its communications services appear to be used by terrorists. There is therefore a risk that, however unintentionally, it provides a safe haven for terrorists to communicate within.”

Another gripe that the UK security services currently have is with the increasing levels of built-in encryption that tech companies are providing their customers.

“Encryption is also becoming a market differentiator, particularly after the NSA leaks, as individuals have become more concerned about the privacy of their communications. ***. MI5 said:

‘one of the effects of the Snowden disclosures has been to accelerate the use of default encryption by the internet companies… which was coming anyway, but I think that’s why I’m underlining the word “accelerate”… ***.’”

Despite having access to service cables directly, and even excluding the various snooping programs highlighted by the NSA leaks of whistleblower Edward Snowden, the UK government wants to expand its reach – focusing on CSPs [Communications Service Providers], ISPs [Internet Service Providers] and ASPs [Applications Service Providers].


The report says that “there is now a worrying capability gap in the Agencies’ ability to access the content of communications from CSPs based overseas” and calls for increased work with the United States to help ease the flow of communication information.

However, a result may not come any time soon, as the report states that “the US Government is aware that changes to US law might help to resolve the situation. While discussions with the US are important, and may in time provide a solution, any changes to US legislation are unlikely in the short term, particularly in the climate created by the NSA leaks.”

The release of this report was long-awaited in some circles. It provides an official timeline of events from the perspective of the security services. However, some of these actions should come under heavy scrutiny in the coming weeks and now serious questions need to be asked – including how effective the current strategy of mass surveillance really is. When the ‘needle in the haystack’ is simply transformed into the ‘single binary conversation in an unlimited storage space of unchecked metadata’ – perhaps the system is broken.

Jason Murdock
