A guide to state surveillance, the ‘snoopers’ charter’ and government hacking

David Cameron at a 2014 press conference on security threat levels by Number 10/Flickr

A major row between the political parties is brewing over demands by David Cameron and the intelligence services for even more surveillance powers in the wake of the terrorist atrocities in Paris last week.

David Cameron has promised new legislation so that terrorists no longer have “safe spaces” to communicate.

Pointing out that in the old days, intelligence agencies  were able to open letters and eavesdrop on phone calls, the PM asked in a speech yesterday: “In our country, do we want to allow a means of communication between people which […] we cannot read?”

But today deputy PM Nick Clegg said such a response would be disproportionate and would “cross a line”.

The issue centres on the fact that technology is changing so fast that the laws on which security officials rely to give them access to communications are becoming obsolete almost as soon as they are written.

Here the Bureau explains why new legislation passed last summer is said to be already inadequate to keep Britons safe, what the government could do next and why the public debate must take account of GCHQ’s most realistic option – hacking.

What are the problems?

The Data Retention and Investigatory Powers Act (DRIPA) was only passed last summer, having been fast-tracked through Parliament.

The new law extended the reach of the Regulation of Investigatory Powers Act (RIPA) which gives authorities interception powers.

Under DRIPA telecoms companies can also be required to keep billing data – information on who contacts whom, when and for how long on mobile networks but not the content of these messages – for up to 12 months and allow security officials to access it on production of a warrant.

This “meta-data” held by the companies is helpful in identifying associates of known terrorists or criminals. Law enforcement and security officials can use evidence of contact between parties to justify directly surveilling individuals and accessing the content of their communications.

But the law is already said to be becoming obsolete.

There are three main reasons for this:

1) People aren’t calling each other over mobile networks as often as they used to

Terrorists and serious criminals, like the general public, are using the internet to communicate instead, speaking to each other via social media sites, instant messaging services – including those provided by online games – and chat rooms.

Billing data doesn’t capture these exchanges.

2) Encryption

Intelligence agencies are increasingly finding that even when they have located the particular messages they want, the content is encrypted.

3) The data isn’t collected by UK telcos

Companies operating fixed line and mobile infrastructure such as BT and Vodafone may simply transport data to and from another company – such as Facebook or Twitter – to the customer with little or no data retained about the communication.

4) Some of the communications the spies want access to are held by service providers that are not based in the UK

Under DRIPA, interception warrants issued by UK authorities can be applied to overseas firms. As Liberty pointed out, the UK’s Home Secretary could serve Gmail with a warrant in California, requiring it to intercept all communications between subscribers in two specified countries or all communications leaving or entering the UK.

However many legal experts have questioned the validity of this extra-territorial effect, not least because the legislation could require companies to breach their own nation’s laws in complying with a UK warrant – a warrant whose existence they could not reveal without breaking UK law.

A recent Telegraph report quoted an anonymous security official complaining that these companies would not assist GCHQ enquires by passing on evidence about serious criminals unless there was an imminent threat of harm.

What can be done about it?

1) Get heavy with the tech companies

Media reports have suggested Whatsapp, Snapcat and Apple’s iMessage, which offer an encrypted instant messaging services could be banned from the UK.

Companies that offer encrypted email services could also be banned or required to hand over their encryption “keys”, either to the security services or to network operators.

Operators could then be required by law to decrypt the data.

As Privacy International points out, proposals to outlaw encrypted communications “not only threaten the very rights they’re said to be designed to protect, but begin from a fundamentally flawed premise – that such measures are even possible.”

It added: “The UK simply can not command foreign manufacturers and providers of services such as Whatsapp to modify their services to accommodate the desires of British spies.”

Any attempted move in this direction would antagonise some very powerful opponents – Google, for example, which recently proposed that websites that do not encrypt their traffic be marked as “insecure” by default.

The company is a major advocate for “end-to-end encryption“, which encrypts data leaving a user’s browser until it is decrypted by the recipient. The tech giant has previously publicly announced support for anti-surveillance campaigners.

In 2010 the Indian government threatened to ban Blackberry for refusing to allow the country’s security officials access to its messages. The dispute ran for several years before ending in a compromise, with the company agreeing to allow more limited access – to meta-data – than had originally been requested.

A battle between the UK and Google or Apple would be a different matter altogether.

2) Revival of the “Snoopers’ Charter”

The Conservatives are pushing for a revival of the Communications Data draft Bill, known as the “Snoopers’ Charter”, which was abandoned in 2013 after opposition from the Liberal Democrats.

This would have required all internet service providers to retain, for 12 months, in a common format data on their customers’ communications via the internet as well as via the mobile networks.

Data stored would include visits to websites and social media activities.

These databases could then be searched by a Government data-mining device called a “request filter”.

As well as major concerns about the threat to privacy this would entail, it is questionable whether the national security benefits would justify the expense of building and maintaining the data storage centers necessary to retain this huge amount of information, particularly if the encryption problem has not been solved.

Companies that have no commercial imperative to collect the information would have to be compensated if they were compelled to do so. The bill could run into hundreds of millions of pounds given the volume and complexity of data involved.

3) Hack!

The third prong in the intelligence agencies’ communications surveillance trident is its ability to break encryption by hacking.

GCHQ’s capabilities in this and any other regard are never discussed officially as a matter of policy.

But without understanding this capability – and how, if at all, it is constrained by the law – it is difficult to know just how hampered the security services are.

Documents leaked in 2013 by National Security Agency (NSA)  whistleblower Edward Snowden revealed that US and UK intelligence agencies have been pouring their efforts into cracking encryption codes for many years.

Guardian report that year quoted a 2010 NSA presentation as stating that “for the past decade, NSA has led an aggressive, multipronged effort to break widely used internet encryption technologies.”

A more recent report in German newspaper Der Spiegel based on a set of Snowden files dated 2012 showed that the NSA considered monitoring Facebook chat “a minor task”. On the other hand a protocol called Off-the-Record (OTR) for encrypting instant messaging seemed to be causing the NSA major problems.

Facebook has improved its security since 2012 but it’s likely that intelligence agencies’ hacking powers have improved in tandem.

GCHQ hacking may also explain why the government wants companies to store data that is currently unreadable due to encryption.

As yet another Snowden file says: “Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

Once an encrypted system has been hacked into, intelligence agencies can re-examine stored data to find information that was previously hidden – a powerful motive for retaining data.

The Snowden documents also revealed that NSA and its “Five Eyes” partners including the UK had adopted covert measures to ensure control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”.

Through covert partnerships with internet service providers and tech companies, the agencies had also inserted secret vulnerabilities known as backdoors into commercial encryption software.

“These design changes make the systems in question exploitable … to the consumer and other adversaries, however, the systems’ security remains intact,” one document says.

Since this was made public, the companies concerned may have become less willing to enter into these collaborations.

Related story: Thatcher and Blair Cabinet Secretary: Intelligence committee has “helped” public by confirming GCHQ’s internet tap “Tempora” powers

Comments