Leaked Intelligence Document Calls For More, Not Less Encryption To Protect Companies And Citizens From Cybercriminals

from the and-yet,-everyone-seems-to-be-calling-for-less dept

Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won't be able to catch criminals if it can't immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don't have access to "every means of communication."

Considering many of these voices decrying encryption presumably have access to top secret briefings and documents otherwise unseen by the general public, it's rather surprising they've ignored previous advice from intelligence officials to the contrary.

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

[...]

The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

This document comes from The Guardian's stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA's own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner).

But this recommendation doesn't come from an outside source. It's an intelligence council that reports directly to the head of national intelligence. And yet, the word didn't spread very far. The NSA isn't thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same "problem." Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.

And it's not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”....

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks.

You can't make a nation safer by destroying its safety features. There's a bigger picture that these agencies refuse to see -- even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation's cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn't them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency's notice.

And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we'll all have to do without.

Filed Under: cybersecurity, encryption, fbi, gchq, nsa, privacy

How The NSA Works Hard To Break Encryption Any Way It Can

from the brute-force dept

Spiegel has published a detailed article, relying mostly on documents that Ed Snowden leaked, looking at the many ways in which the NSA breaks encryption (and the few situations where it still has not been able to do so). As we've seen from previous leaks, the NSA stupidly treats encryption as a "threat." And, sure, it is a "threat" to the way in which the NSA snoops on everything, but for the vast majority of users, it's a way to protect their privacy from snooping eyes. The report does reveal that certain encryption standards appear to still cause problems for the NSA, including PGP (which you already use for email, right?), OTR (used in some secure chat systems) and VoIP cryptography system ZRTP. Phil Zimmermann, who helped develop both PGP and ZRTP should be pretty damn proud of his achievements here.

As the report notes, the NSA has the most trouble around open source programs, because it's much more difficult to insert helpful backdoors:

Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSA's efforts appear to have been thwarted in these cases: "No decrypt available for this OTR message." This shows that OTR at least sometimes makes communications impossible to read for the NSA.

When it comes to non-open source systems, well, there the NSA has its ways in. In fact, the NSA seems rather proud of the fact that it can make "cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable." The report also shows that VPNs are targeted by the NSA, and it has had a fair bit of luck in breaking many of them (especially those that rely on PPTP -- which has long been recognized as being insecure, but is still widely used by some VPN providers). However, it also shows that the NSA has been able to crack IPsec VPN connections as well. In short: your VPN probably isn't secure from the NSA if it wants in.

The NSA also has apparently been able to crack HTTPS connections, and does so regularly:

The NSA and its allies routinely intercept such connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.

HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that it's not a perfect solution.

Another big reveal: the NSA has the ability (at least some of the time) to decrypt SSH (Secure Shell) which many of us use to access computers/servers remotely.

There's lots more in the article and in the many, many included documents (just a few of which are shown below). It's well worth reading.

However, the key point is that the NSA is working very, very hard to undermine key encryption systems used around the internet to keep people safe. And rather than sharing when those systems are cracked and helping to make them stronger, the NSA is exploiting those cracks to its own advantage. That may not be a surprise, but for years the NSA has insisted that it is helping to make encryption stronger to better protect the public. The revelations from this article suggest that isn't even remotely close to true.

Filed Under: encryption, gchq, nsa, otr, pgp, ssh, ssl, surveillance, zrtp

The Snowden Effect: 750 Million People Have Taken Steps to Avoid Surveillance

from the peak-indifference dept

Compared to the initial flood of astonishing revelations provided by Edward Snowden in the summer of 2013, things have gone relatively quiet on the NSA/GCHQ leaks front. So an interesting question is: what impact have all these had on ordinary people? That's one of the areas that the CIGI-Ipsos Global Survey on Internet Security and Trust explored. Here's what it found:

Of those aware of Edward Snowden, 39% have taken steps to protect their online privacy and security as a result of his revelations

In a perceptive blog post on the survey, Bruce Schneier notes that the "press is mostly spinning this as evidence that Snowden has not had an effect":

I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing.

In fact, he calculates that there are probably another 46 million in countries not covered by the survey, bringing the total number who have "taken steps" to around 750 million. He goes on:

It's probably true that most of those people took steps that didn't make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It's probably even true that some of those people didn't take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

And he concludes on a hopeful note:

we have reached "peak indifference to surveillance." From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.

Let's hope he's right.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: ed snowden, encryption, gchq, nsa, privacy, snowden effect, surveillance

GCHQ Follows NSA Into Paranoia -- Just As Julian Assange Predicted

from the cognitive-decline dept

One of the knock-on effects of Snowden's leaks is that the NSA is terrified there might be more whistleblowers, and has taken extreme action in an attempt to reduce the risk of that happening by stripping 100,000 people of their security clearances. In other words, it no longer trusts huge swathes of the people it works with -- hardly a healthy situation. Now it seems that GCHQ has succumbed to a similar paranoia about its employees:

GCHQ is sponsoring ways of identifying disgruntled employees and those who might go on to be a security threat through their use of language in things like office emails.

The article in the Gloucestershire Echo -- the English county where GCHQ is located -- explains how potential whistleblowers will be identified:

"research will investigate the use of techniques from the field of natural language processing to detect the early indicators of an insider’s threat."

That means changes in the way a person communicates can give a clue that they are unhappy and perhaps prepared to do something to harm the organisation.

Of course, what this also means is that people working at GCHQ will become more self-conscious, start to watch their words, and probably think much more carefully about how they share their insights and analyses. That will inevitably lead to a loss of spontaneity, and of efficiency; the more GCHQ starts hunting down potential whistleblowers, the more it is likely to diminish its own effectiveness.

What's interesting about this development on both sides of the Atlantic is that it was predicted as far back as 2006:

The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive "secrecy tax") and consequent system-wide cognitive decline resulting in decreased ability to hold onto power as the environment demands adaption.

Those words were written by a certain Julian Assange before he became (in)famous. Say what you will about him, you have to given him credit for being spot-on here -- and well ahead of his time.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: gchq, julian assange, nsa, paranoia, snitching

Secretive UK Court That Approves Of GCHQ Surveillance Says That GCHQ Surveillance Doesn't Violate Human Rights

from the because-to-say-otherwise-would-implicate-itself dept

For a while now, we've been covering various legal challenges in Europe related to the GCHQ's surveillance activities. One of the main cases, brought by Amnesty International and Privacy International, argued that the surveillance violated the European Convention on Human Rights (specifically article 8, on right to privacy, and article 10, on freedom of expression). While it was always expected that the case would eventually go to the European Court of Human Rights, the first step was the Investigatory Powers Tribunal in the UK -- a secretive court that reviews complaints about surveillance, but (as with nearly all "secretive courts" charged with "oversight" on the intelligence community) almost always sides with the intelligence community. Between 2000 and 2012 the IPT only sided against the intelligence community 10 times out of 1468 cases brought (about half of one percent of all cases). In other words, this is a court that (in secret) regularly okays GCHQ's surveillance efforts on UK citizens.

So take a wild guess what happened when it was asked to determine if such surveillance violated human rights? It said of course no human rights were violated when the GCHQ spied on people. This is not a surprise. Anything else would have been a surprise. To put it simply, if the IPT had ruled in favor of these groups, it would have been implicating itself, effectively admitting that its own approvals of GCHQ activity enabled the violation of human rights. And that wasn't going to happen. But that's not how surveillance state defenders are discussing this result:

A government security source told the BBC: "We are delighted that a third independent body has confirmed that GCHQ does not seek to carry out mass surveillance."

Independent body? Right. It's the "independent" body that has a history of saying the very actions now being scrutinized are perfectly fine. It may be "independent" of the GCHQ itself, but it's not "independent" of the surveillance GCHQ carried out.

The groups who brought this case say that they'll appeal to the European Court of Human Rights, which is what everyone expected to happen in the first place. This little rubber stamping by the IPT was just a procedural issue that had to be taken in the first place.

Filed Under: gchq, human rights, investigatory powers tribunal, ipt, surveillance, uk
Companies: amnesty international, privacy international

The Repeated Failure Of The US And UK Governments' 'Add More Hay' Approach To Surveillance

from the sipping-from-a-firehose dept

Recently we wrote about a UK Parliamentary report absolving the UK spy agencies of any responsibility for the failure to stop the killing of a British soldier last year. Significantly, one explanation given for the fact that the UK's MI5 undervalued the threat, despite investigating the men responsible several times, was that it has several thousand suspects under surveillance at any one time, and so it was beyond its capabilities to follow all leads thoroughly.

Of course, that is a consequence of the "needle in a haystack" approach that the US and UK agencies have adopted: collect as much information as possible in the hope that somehow it will be possible to sift through all the irrelevant hay to find the needle. But as an important piece by Coleen Rowley in the Guardian points out, this is not the first time that a "failure to connect the dots" from information to hand resulted in missed opportunities to stop attacks:

as an FBI whistleblower and witness for several US official inquiries into 9/11 intelligence failures, I fear that terrorists will succeed in carrying out future attacks -- not despite the massive collect-it-all, dragnet approach to intelligence implemented since 9/11, but because of it. This approach has made terrorist activity more difficult to spot and prevent.

She reminds us:

The common refrain back then was that, pre 9/11, intelligence had been flowing so fast and furiously, it was like a fire hose, "and you can’t get a sip from a fire hose". Intelligence such as the Phoenix memo -- which warned in July 2001 that terrorist suspects had been in flight schools and urgently requested further investigation -- went unread.

She details other instances of recent intelligence failures where having too much information meant that key leads were buried, and opportunities to stop attacks lost. In other words, US and UK agencies have over ten years of bad experiences with the "collect it all" and "needle in a haystack" approach to intelligence gathering, and yet it remains their principal response to successive attacks and continuing failures. Rowley concludes:

After Edward Snowden described just how massive and irrelevant the US and UK monitoring had become, people started to grasp the significance of the saying: "If you’re looking for a needle in a haystack, how does it help to add hay?"

Of course, she's not the first person to make this observation -- for example, Techdirt pointed this out over a year ago. But as someone who has worked for the FBI, and been privy to many secret details of surveillance operations, Rowley speaks with a special authority. Her article in the Guardian is well-worth reading -- especially by all those who continue to advocate the disproportionate and ineffective "add more hay" approach to keeping the public safe.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: gchq, haystacks, information overload, needles, nsa, surveillance

GCHQ/NSA Data-Grabbing Malware Disguised Itself As Microsoft Drivers, Was Served Via Fake LinkedIn Pages

from the im-in-ur-internet-stealing-ur-files dept

Some nasty malware with a decade of history behind it has been uncovered and it has the fingerprints of two governments all over it.

Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

Behind the malware -- which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages -- lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom's subversion by this malware -- comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) -- led to the breach of EU offices.

Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn't. Belgacom's infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.

Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.

GCHQ has issued boilerplate in response to The Intercept's request for a comment. The NSA, on the other hand, apparently isn't going to dignify this story with a non-denial denial, opting instead for something much more brusque:

“We are not going to comment on The Intercept’s speculation.”

What's currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.

Given that that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.

If so, then the two agencies involved have likely moved on to something better and less detectable. Being outed is no reason to stop spying, especially in other nations where legal protections range from "thin" to "nonexistent."

Filed Under: gchq, malware, nsa, surveillance
Companies: belgacom, linkedin, microsoft

New GCHQ Boss Blames Tech Industry For 'Facilitating Murder' And Being Terrorists' 'Command-And-Control' Center

from the say-what-now? dept

So, we weren't too impressed with previous GCHQ (the UK equivalent of the NSA) boss, Sir Iain Lobban, who insisted that GCHQ didn't do "mass surveillance" so long as you defined "mass" and "surveillance" the way he does (and not the way the English language does). This statement was made just days before it was revealed that the GCHQ (contrary to its own claims) gets access to NSA data without a warrant.

New GCHQ boss Robert Hannigan has taken to the potentially pay-walled pages of the Financial Times to convince the world that he's a complete nutjob in charge of one of the most powerful spy agencies in the world. His message: basically "terrorists use technology, and because you hate terrorists, we should all be happy to have tech companies share all your private data with us to catch terrorists." Or something like that. Hannigan honestly seems to believe that the public is really on the government's side against the tech companies they use every day. That seems like rather large miscalculation of his audience.

Hannigan's pitch relies on (of course) spreading as much FUD as possible, starting with ISIS:

Terrorists have long made use of the internet. But Isis’s approach is different in two important areas. Where al-Qaeda and its affiliates saw the internet as a place to disseminate material anonymously or meet in “dark spaces”, Isis has embraced the web as a noisy channel in which to promote itself, intimidate people, and radicalise new recruits.

The extremists of Isis use messaging and social media services such as Twitter, Facebook and WhatsApp, and a language their peers understand. The videos they post of themselves attacking towns, firing weapons or detonating explosives have a self-conscious online gaming quality. Their use of the World Cup and Ebola hashtags to insert the Isis message into a wider news feed, and their ability to send 40,000 tweets a day during the advance on Mosul without triggering spam controls, illustrates their ease with new media. There is no need for today’s would-be jihadis to seek out restricted websites with secret passwords: they can follow other young people posting their adventures in Syria as they would anywhere else.

Got it? Terrorists use the same services you and I do, and they're really, really mean. So, why is the public so upset that GCHQ wants to snoop on what everyone's doing on those services? For bonus points, he also tosses in some child porn fears as well.

GCHQ and its sister agencies, MI5 and the Secret Intelligence Service, cannot tackle these challenges at scale without greater support from the private sector, including the largest US technology companies which dominate the web. I understand why they have an uneasy relationship with governments. They aspire to be neutral conduits of data and to sit outside or above politics. But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism. However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us. If they are to meet this challenge, it means coming up with better arrangements for facilitating lawful investigation by security and law enforcement agencies than we have now.

Then, finally, he blames the tech companies for not recognizing that by spying on everyone, GCHQ is just trying to protect the free and open society we all love, and assumes that the public is really on his side:

To those of us who have to tackle the depressing end of human behaviour on the internet, it can seem that some technology companies are in denial about its misuse. I suspect most ordinary users of the internet are ahead of them: they have strong views on the ethics of companies, whether on taxation, child protection or privacy; they do not want the media platforms they use with their friends and families to facilitate murder or child abuse. They know the internet grew out of the values of western democracy, not vice versa. I think those customers would be comfortable with a better, more sustainable relationship between the agencies and the technology companies.

There are lots of things that facilitate murder and child abuse that plenty of people are still fine using. I drive a car. Cars kill lots of people. I use a camera. Cameras are often key to child porn. Phones are frequently used in crimes. Yet, I'm not so ridiculous as to blame any of these tools for the scummy people who use them for bad purposes. And it bothers me that the head of the UK's technology spying effort doesn't seem to understand that distinction. Actually, it doesn't just bother me, it frightens me.

As we celebrate the 25th anniversary of the spectacular creation that is the world wide web, we need a new deal between democratic governments and the technology companies in the area of protecting our citizens. It should be a deal rooted in the democratic values we share. That means addressing some uncomfortable truths. Better to do it now than in the aftermath of greater violence.

Note what Hannigan left out: what's wrong with the existing deal? What's wrong with making a specific case for why you need specific information to a court and then getting a warrant? Why do we need a "new deal" that involves giving a government increasingly broad access to all that data -- especially when the very same intelligence community that has that data has a rather long history of abusing it, violating human rights, stifling free speech and criticism and harassing those who oppose it?

In a companion article, the Financial Times notes that, with US tech companies hardening their networks against the intelligence community, the UK has been locked out from the easy access it used to have, which explains some of Hannigan's exasperation. I'm sure it must suck when you used to be able to sift broadly through a variety of private information without everyone realizing it. And having that treasure trove of private data ripped away must not be much fun. But privacy is, in fact, a democratic ideal, contrary to Hannigan's belief that the public is willing to give it up just to stave off some bad guys thousands of miles away. Besides, as the article notes, when the UK government demands access, where should US companies draw the line:

One senior executive at a US tech group said any agreement to circumvent the current process, which requires law-enforcement groups to seek a court order before a company hands over data, would be “eliminating due process and that could be a dangerous situation”.

“What should we do if the Saudi or Russian government also demanded information be handed over on the spot?” he said.

It seems that the intelligence community and the surveillance state has gotten somewhat fat and lazy in the last few years, with so much access to so much data. Back in the old days, they had other ways to get what they needed without violating everyone else's privacy. It's time they learned how to get back to that sort of system that fits much better with our basic ideals of democracy and freedom than this desire to have access to absolutely everything does.

Filed Under: gchq, iain lobban, privacy, robert hannigan, surveillance, tech companies

UK's GCHQ Can Get Warrantless Access To Bulk NSA Data

from the keeping-your-hands-clean dept

Last week, we learned that the GCHQ certainly isn't engaged in mass surveillance -- provided you redefine the meaning of "mass" and "surveillance" in unconventional ways. Now we discover that maybe it doesn't really need to, since it can just ask the NSA and other secret services for access to their raw data without even needing a warrant, as a group of human rights organizations have discovered:

Details of previously unknown internal policies, which GCHQ was forced to reveal during legal proceedings challenging their surveillance practices in the wake of the Snowden revelations, reveal that intelligence agencies can gain access to bulk data collected from US cables or through US corporate partnerships without having to obtain a warrant from the [UK's] Secretary of State. This position seems to conflict with reassurances by the Intelligence Services Committee in July 2013 that whenever GCHQ seeks information from the US a warrant is in place.

The "arrangements", as they are called by Government, also suggest that intercept material received from foreign intelligence agencies is not subject to the already weak safeguards that are applied to communications that are intercepted by the UK's Tempora programme. On the face of the descriptions provided to the claimants, the British intelligence agencies can trawl through foreign intelligence material without meaningful restrictions and can keep such material, which includes both communications content and metadata, for up to two years.

Once again, we see evidence that intelligence agencies are happy to do the dirty work for each other so that they can all claim to have clean hands -- just as the outgoing head of the GCHQ claimed when he said that people there would "walk out the door" rather than be involved in anything so sordid as mass surveillance. It also shows how even the weak safeguards and ineffectual oversight of spy agencies can be circumvented by this kind of mutual help, something pointed out by the organizations behind the latest information:

The disclosed "arrangements" bring into sharp relief the minimal safeguards and weak restrictions on raw intelligence sharing with foreign governments, including between the UK and the United States. The fact that GCHQ can request and receive large quantities of "unanalysed" raw bulk data from foreign intelligence agencies without a warrant in place, simply because it would "not be technically feasible" to obtain it in the UK, shows the inadequacies in [the UK's Regulation of Investigatory Powers Act 2000] to deal with intelligence agency co-operation. Under these "arrangements", there is a clear risk that agencies can sidestep British legal restrictions to obtain access to vast amounts of data.

There is a minor silver lining to these latest revelations that the situation in the UK is even worse than previously believed. It's the fact that a legal action against GCHQ's mass surveillance has, unexpectedly, forced the UK government to admit to even more unsavory practices. Here's how that came about:

Descriptions of the policies were disclosed to the parties after a secret hearing at the Investigatory Powers Tribunal, which is currently considering a challenge to GCHQ's surveillance practices that has been brought by human rights organisations including Privacy International, Liberty and Amnesty International. A public hearing of the case was held in July, but these “arrangements" were revealed to the Tribunal in a closed hearing that the claimants were barred from attending. Some details about the policies are now disclosed in order for the claimants to provide comment.

That's a useful reminder that no matter how hopeless these actions might seem, they are not only pretty much the only avenue open to human rights organizations who wish to challenge mass surveillance by governments, but they sometimes yield valuable new information that bolsters the case for greater oversight and tighter regulation of spy agencies.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bulk surveillance, gchq, nsa, privacy, surveillance, warrants

Departing GCHQ Boss Insists GCHQ Isn't Engaged In Mass Surveillance... If You Define 'Mass' And 'Surveillance' The Way He Does

from the but-not-the-way-the-rest-of-us-do dept

With the UN declaring mass surveillance a violation of human rights, the proper thing for the world's biggest intelligence agencies -- who regularly engage in mass surveillance -- to do, might be to cut back on the practice and go back to targeted surveillance projects that most people find acceptable. Or, you know, they can do what the outgoing head of the GCHQ (the UK's equivalent of the NSA), Sir Iain Lobban, did and just redefine the English language. That's easier.

“The people who work at GCHQ would sooner walk out the door than be involved in anything remotely resembling ‘mass surveillance,”

Of course, this basically contradicts everything that we've learned about the GCHQ recently. In fact, it's abundantly clear that the GCHQ regularly engages in programs of mass surveillance. It has a whole program, called TEMPORA, that is entirely focused on tapping into fiber optic cables and snarfing up pretty much everything that goes over them.

Just like the folks at the NSA, the GCHQ likes to have its own dictionary on these things. To them, it's not "surveillance" if no one actually looks at the data or if they don't store it all in a particular database (but rather keep it in another database). The NSA and GCHQ insist that they're just doing all of this for safekeeping, and the surveillance part doesn't start until someone actually looks at the data collected. And, it's not "mass" surveillance, even though it collects data on everyone, because they only think the people who someone took the time to directly snoop on count in the equation.

The end result, though, is that for everyone else, we recognize that the GCHQ is one of the leaders in mass surveillance, and having Lobban pretend otherwise doesn't make anyone feel safer. It just makes them think that there's another liar in charge of an intelligence agency.

Filed Under: gchq, iain lobban, mass surveillance, surveillance