First it was Prism, now it’s Project Tempora: The evolution of a secret intelligence programme to capture vast amounts of web and phone data from fibre optic cables
By Roger Annis, June 23, 2013–Today’s news is reporting that former NSA employee Edward Snowden has left Hong Kong and arrived in Moscow. He is en route to an as yet unknown destination where he will live in exile from his home country of the United States.
Snowden was accompanied to Moscow by representatives of Wikileaks. Julian Assange, founder of Wikileaks, issued a statement yesterday calling on the world to step forward and stand with Edward Snowden. Assange has been living for nearly one year under diplomatic protection in Ecuador’s embassy in London. Like Assange, Snowden is being sought by U.S. authorities for a judicial lynching.
Snowden is an intelligence analyst and former employee at the U.S. National Security Administration (NSA). Earlier this month, journalist Glenn Greenwald and The Guardian newspaper began to report exclusively on Snowden’s decision to tell the world of the vast spying program of private information on the internet led by Britain and the United States.
Revelations of the scale of the internet spy operations of the ‘Five Eyes’ countries of the UK, U.S., Canada, Australia and New Zealand have grown exponentially in recent days. The Guardian devoted a large part of its edition of June 22 to the story. In Canada, the story is hardly being reported.
Below is a dossier of six of the most recent news articles from The Guardian/The Observer. The dates of publication refer to the print editions. The main page of The Guardian’s sensational coverage of this story is here.
1. US accused of hacking China as Snowden spy row grows
By Toby Helm, Daniel Boffey and Nick Hopkins, The Observer [Guardian on Sunday], Sunday, June 23, 2013
Edward Snowden, the former CIA technician who blew the whistle on global surveillance operations, opened a new front against the US authorities yesterday, claiming they hacked into Chinese mobile phone companies to access millions of private text messages. His latest claims came as some Hong Kong politicians called for Snowden to be protected from extradition to the US after the justice department in Washington filed criminal charges against him late on Friday.
The latest developments will raise fears that the US’s action may have pushed Snowden into the hands of the Chinese, triggering what could be a prolonged diplomatic and legal wrangle between the world’s two superpowers.
Snowden, whose whereabouts have not been publicly known since he checked out of a Hong Kong hotel on 10 June, was reported by the Chinese media yesterday to be in a “safe place” in the former British colony. The 30-year-old intelligence analyst has over the past three weeks leaked a series of documents to the Guardian revealing how US and UK secret services gain access to huge amounts of phone and internet data, raising serious questions about privacy in the internet age.
On Friday, based on documents from Snowden, the Guardian reported that Britain’s spy agency GCHQ has secretly gained access to the network of cables carrying the world’s phone calls and internet traffic, without the authorities having made this known to the public. It was also reported that GCHQ is processing vast streams of sensitive information which it is sharing with its US partner, the National Security Agency.
Yesterday the former British foreign secretary Sir Malcolm Rifkind, who now chairs the intelligence and security committee, said the committee would launch an investigation into the latest revelations. The committee will receive an official report from GCHQ about the story within days and will then decide whether to call witnesses to give oral evidence. If it is then thought necessary, the committee can require GCHQ to submit relevant data.
Within hours of news breaking that the US had filed charges against Snowden, the South China Morning Post reported that the whistle-blower had handed over a series of documents to the paper detailing how the US had targeted Chinese phone companies as part of a widespread attempt to get its hands on a mass of data. Text messaging is the most popular form of communication in mainland China where more than 900bn SMS messages were exchanged in 2012.
Snowden reportedly told the paper: “The NSA does all kinds of things like hack Chinese cellphone companies to steal all of your SMS data.”
As Snowden made his latest disclosures, he appeared to be gaining support from politicians in Hong Kong who said China should support him against any extradition application from the US. The US has charged Snowden with theft of government property, unauthorised communication of national defence information and wilful communication of classified communications intelligence to an unauthorised person. The latter two charges are part of the US Espionage Act.
One legislator, Leung Kwok-hung, said Beijing should instruct Hong Kong to protect Snowden from extradition before his case was dragged through the courts. Leung urged the Hong Kong people to “take to the streets to protect Snowden”.
In response to the Guardian’s latest revelations regarding the surveillance activities of GCHQ, politicians and freedom of information campaigners last night raised concerns about the lack of oversight and up-to-date laws with which to monitor and regulate the activities of the secret services.
Former shadow home secretary and Foreign Office minister David Davis MP said documents containing an admission by GCHQ lawyers that UK oversight was “light” compared with that in the US was worrying. “This reinforces the view that the oversight structure is wholly inadequate. Really what is needed is a full-scale independent judicial oversight that reports to parliament.”
Shami Chakrabarti, the director of Liberty, said: “It’s possible to be shocked but not surprised at this blanket surveillance on a breathtaking scale. The authorities appear to be kidding themselves with a very generous interpretation of the law that cannot stand with article 8 of the European convention on human rights.
2. A new special relationship: US and Britain team up on mass surveillance
By Peter Beaumont, Foreign Affairs Editor, The Observer, June 23, 2013
Twelve years ago, in an almost forgotten report, the European parliament completed its investigations into a long-suspected western intelligence partnership dedicated to global signals interception on a vast scale. Evidence had been taken from spies and politicians, telecommunications experts and journalists. In stark terms the report detailed a decades-old arrangement which had seen the US and the UK at first – later joined by Canada, New Zealand and Australia to make up the so-called “Five Eyes” – collaborating to access satellites, transatlantic fibre-optic cables and radio signals on a vast scale.
This secretive (and consistently denied) co-operation was itself the product of a mutual agreement stretching back to the first world war, expanded in the second, and finally ratified in 1948 in the so-called UKUSA agreement.
The problem for the authors of the Brussels report was that it had based its analysis on scattered clues and inferences. “It is only natural,” its authors asserted ruefully, “that secret services do not disclose details of their work … The existence of such a system thus needs to be proved by gathering as many clues as possible, thereby building up a convincing body of evidence.”
Despite the limitations of such detective work, the parliamentarians came to a deeply troubling conclusion: the “Five Eyes” were accessing the fibre-optic cables running under the Atlantic.
Not only that, the report concluded tentatively, but it was the UK specifically among the five partners – and GCHQ in particular – which it suspected had been given primary responsibility for intercepting that traffic. “The practical implication,” the report surmised, “is that communications can be intercepted at acceptable cost only at the terminals of the underwater cables which land on their territory.
“Essentially they can only tap incoming or outgoing cable communications. In other words, their access to cable communications in Europe is restricted to the territory of the United Kingdom.”
That GCHQ was at the very heart of secret efforts to tap into the internet and cable-carried telephony was finally confirmed in the most dramatic terms on Friday by the latest batch of documents to be leaked by former US National Security Agency contractor Edward Snowden, who is now being sought by the US government for alleged theft and breaches of the Espionage Act.
Those documents, published by the Guardian, not only describe the UK’s lead role in tapping the cables carrying global internet traffic – enjoying the “biggest internet access” of the Five Eyes – but its efforts to suck up ever-larger amounts of global data to share with its partners, and principally with the US. From a handful of cables at the beginning, the UK is now able, according to the documents, to access some 200 on a daily basis and store the information contained within for up to 30 days for analysis, including up to 600m “telephone events” each day.
GCHQ’s own excitement at the scope of its reach is evident in the documents, in which there is an excited reference to an ability to collect “massive amount of data!” and to “producing larger amounts of metadata (the basic information on who has been contacting whom, without detailing the content) than NSA”.
Up to the late 1980s, in excess of 90% of all international voice-and-data traffic, including diplomatic cables, was being carried by satellite and microwave networks. That began to change rapidly in 1988 when AT&T finished laying the first undersea fibre-optic fibre cable from New Jersey to the UK. Even before that project was completed, the NSA was already experimenting how to gain access to the cables, efforts that would lead to the US making its first attempts to bug one in the mid-1990s with an underwater vehicle.
Now, the documents seem to suggest, access is achieved through some degree of co-operation – voluntary or otherwise – from the companies operating the cables or the stations at which they come into the country. And in addition to confirming details of how the partnership functions, the latest disclosures from Snowden also describe in detail what appears to be one of its latest iterations – Project Tempora, initiated some four years ago.
The direct descendent of earlier UKUSA treaty programmes, Project Tempora’s purpose remains the hoovering up of the largest amount of signals intelligence, principally in the form of metadata. Then, as now, it appears the priorities are not only related to national security but also economic advantage – interventions which can be justified under UK law by reference to the ill-defined notion of “economic wellbeing”.
In one sense, GCHQ is simply trying to keep up with the dizzying pace of technological development over recent decades. As the most recent batch of leaked documents has made clear, interception – like drugs-testing in sport – has tended to lag one step behind technology. “It is becoming increasingly difficult for GCHQ,” the authors of one memo write, “to acquire the rich sources of traffic needed to enable our support to partners within HMG [Her Majesty’s government], the armed forces, and overseas.”
But the dangers lie in the various legal and ethical thresholds being crossed in the race to catch up with the proliferating forms of communication. According to the leaked Snowden documents, the latest attempts to improve interception of internet communications began in earnest in 2007. The first experimental project was run at GCHQ’s outpost at Bude in Cornwall. Within two years it would be judged enough of a success to allow analysts from the NSA to have access to the new project, which by 2011 would be capturing and producing more intelligence data in the UK than the NSA did in the US.
Other documents underline how the decades-old intelligence arrangement has worked, not least how within the UKUSA treaty different roles have been subcontracted to partners – for both practical and regulatory reasons. Such potential subcontracting has long been at the heart of international legal concerns over how surveillance material is shared between the Five Eyes. The suspicion is that individual states within the agreement can produce material for partners that might be illegal to gather in the other collaborating states, including the US.
Shami Chakrabarti, the director of Liberty, said yesterday: “The big point we should recognise is that states tend to have a broader licence to snoop abroad and a tighter one at home. What we are seeing is states’ ability to subcontract their dirty work to others.”
Then there is the question of oversight. The UK government claims that the interception in such a broad fashion is authorised by ministers under at least 100 certificates issued under section 8(4) of the Regulation of Investigatory Powers (Ripa) which allows sweeping and indiscriminate trawls of data. But Alex Bailin QC, an expert on surveillance at the Matrix Chambers, is sceptical. “We are told there is proper oversight but the question is whether ministers simply sign these certificates. But I wasn’t even aware section 8(4) existed until Friday.”
Like Chakrabarti, Bailin suspects that intelligence agencies are subcontracting out surveillance to foreign partners. “The reality is that Ripa is incredibly complex and full of legal loopholes that permit this kind of thing.”
The European parliament’s thesis has been confirmed by the Guardian’s revelations. Now the legal and ethical scrutiny can begin in earnest.
3. How GCHQ [UK spy agency] watches your every move
Internet traffic and calls tapped from fibre optic cables
Information shared with American spy agency
By reporting team, The Guardian, June 22, 2013
Britain’s spy agency GCHQ [Government Communications Headquarters] has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA).
The sheer scale of the agency’s ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate.
One key innovation has been GCHQ’s ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months.
GCHQ and the NSA are consequently able to access and process vast quantities of communications between entirely innocent people, as well as targeted suspects. This includes recordings of phone calls, the content of email messages, entries on Facebook and the history of any internet user’s access to websites – all of which is deemed legal, even though the warrant system was supposed to limit interception to a specified range of targets.
The existence of the programme has been disclosed in documents shown to the Guardian by the NSA whistleblower Edward Snowden as part of his attempt to expose what he has called “the largest programme of suspicionless surveillance in human history”. “It’s not just a US problem. The UK has a huge dog in this fight,” Snowden told the Guardian. “They [GCHQ] are worse than the US.”
However, last night a source with knowledge of intelligence argued that the data was collected legally under a system of safeguards, and had provided material that had led to significant breakthroughs in detecting and preventing serious crime.
Britain’s technical capacity to tap into the cables that carry the world’s communications – referred to in the documents as special source exploitation – has made GCHQ an intelligence superpower. By 2010, two years after the project was first trialed, it was able to boast it had the “biggest internet access” of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand.
UK officials could also claim GCHQ “produces larger amounts of metadata than NSA”. (Metadata describes basic information on who has been contacting whom, without detailing the content.)
By May last year, 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data. The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: “We have a light oversight regime compared with the US.”
When it came to judging the necessity and proportionality of what they were allowed to look for, would-be American users were told it was “your call”.
The Guardian understands that a total of 850,000 NSA employees and US private contractors with top secret clearance had access to GCHQ databases. The documents reveal that by last year GCHQ was handling 600m “telephone events” each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time.
Each of the cables carries data at a rate of 10 gigabits per second, so the tapped cables had the capacity, in theory, to deliver more than 21 petabytes a day – equivalent to sending all the information in all the books in the British Library 192 times every 24 hours. And the scale of the programme is constantly increasing as more cables are tapped and GCHQ data storage facilities in the UK and abroad are expanded with the aim of processing terabits (thousands of gigabits) of data at a time.
For the 2 billion users of the world wide web, Tempora represents a window on to their everyday lives, sucking up every form of communication from the fibre-optic cables that ring the world.
The NSA has meanwhile opened a second window, in the form of the Prism operation, revealed earlier this month by the Guardian, from which it secured access to the internal systems of global companies that service the internet.
The GCHQ mass tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data to western Europe from telephone exchanges and internet servers in North America. This was done under secret agreements with commercial companies, described in one document as “intercept partners”.
The papers seen by the Guardian suggest some companies have been paid for the cost of their co-operation and GCHQ went to great lengths to keep their names secret. They were assigned “sensitive relationship teams” and staff were urged in one internal guidance paper to disguise the origin of “special source” material in their reports for fear that the role of the companies as intercept partners would cause “high-level political fallout”.
The source with knowledge of intelligence said last night the companies were obliged to co-operate in this operation. They are forbidden from revealing the existence of warrants compelling them to allow GCHQ access to the cables. “There’s an overarching condition of the licensing of the companies that they have to co-operate in this. Should they decline, we can compel them to do so. They have no choice.”
The source said that although GCHQ was collecting a “vast haystack of data” what they were looking for was “needles”.
“Essentially, we have a process that allows us to select a small number of needles in a haystack. We are not looking at every piece of straw.
“There are certain triggers that allow you to discard or not examine a lot of data so you are just looking at needles. If you had the impression we are reading millions of emails, we are not.
“There is no intention in this whole programme to use it for looking at UK domestic traffic – British people talking to each other,” the source said.
He explained that when such “needles” were found a log was made and the interception commissioner could see that log. “The criteria are security, terror, organised crime. And economic well-being. There’s an auditing process to go back through the logs and see if it was justified or not.
“The vast majority of the data is discarded without being looked at … we simply don’t have the resources.”
However, the legitimacy of the operation is in doubt. According to GCHQ’s legal advice, it was given the go-ahead by applying old law to new technology. The 2000 Regulation of Investigatory Powers Act (RIPA) requires the tapping of defined targets to be authorised by a warrant signed by the home secretary or foreign secretary. An obscure clause allows the foreign secretary to sign a certificate for the interception of broad categories of material, as long as one end of the monitored communications is abroad. But the nature of modern fibre-optic communications means that a proportion of internal UK traffic is relayed abroad and then returns through the cables.
Parliament passed the RIPA law to allow GCHQ to trawl for information, but it did so 13 years ago with no inkling of the scale on which GCHQ would attempt to exploit the certificates, enabling it to gather and process data regardless of whether it belongs to identified targets. The categories of material have included fraud, drug trafficking and terrorism, but the criteria at any one time are secret and are not subject to any public debate. GCHQ’s compliance with the certificates is audited by the agency itself, but the results of those audits are also secret.
An indication of how broad the dragnet can be was laid bare in advice from GCHQ’s lawyers, who said it would be impossible to list the total number of people targeted because “this would be an infinite list which we couldn’t manage”.
There is an investigatory powers tribunal to look into complaints that the data gathered by GCHQ has been improperly used, but the agency reassured NSA analysts in the early days of the programme, in 2009: “So far they have always found in our favour”.
Historically, the spy agencies have intercepted international communications by focusing on microwave towers and satellites. The NSA’s intercept station at Menwith Hill in North Yorkshire played a leading role in this.
One internal document quotes the head of the NSA, Lieutenant General Keith Alexander, on a visit to Menwith Hill in June 2008, asking: “Why can’t we collect all the signals all the time? Sounds like a good summer project for Menwith.” By then, however, satellite interception accounted for only a small part of the network traffic. Most of it now travels on fibre-optic cables, and the UK’s position on the western edge of Europe gave it natural access to cables emerging from the Atlantic.
The data collected provides a powerful tool in the hands of the security agencies, enabling them to sift for evidence of serious crime. According to the source, it has allowed them to discover new techniques used by terrorists to avoid security checks and to identify terrorists planning atrocities. It has also been used against child exploitation networks and in the field of cyberdefence.
It was claimed last night that it directly led to the arrest and imprisonment of a cell in the Midlands who were planning co-ordinated attacks; to the arrest of five Luton-based individuals preparing acts of terror, and to the arrest of three London-based people planning attacks prior to the Olympics.
As the probes began to generate data, GCHQ set up a three-year trial at the GCHQ station in Bude, Cornwall. By the summer of 2011, GCHQ had probes attached to more than 200 internet links, each carrying data at 10 gigabits a second. “This is a massive amount of data!” as one internal slideshow put it.
That summer, it brought NSA analysts into the Bude trials. In the autumn of 2011, it launched Tempora as a mainstream programme, shared with the Americans.
The intercept probes on the transatlantic cables gave GCHQ access to its special source exploitation. Tempora allowed the agency to set up internet buffers so it could not simply watch the data live but also store it – for three days in the case of content and 30 days for metadata.
“Internet buffers represent an exciting opportunity to get direct access to enormous amounts of GCHQ’s special source data,” one document explained.
The processing centres apply a series of sophisticated computer programmes in order to filter the material through what is known as MVR – massive volume reduction. The first filter immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads, which reduces the volume by about 30%.
Others pull out packets of information relating to “selectors” – search terms including subjects, phone numbers and email addresses of interest. Some 40,000 of these were chosen by GCHQ and 31,000 by the NSA.
Most of the information extracted is “content”, such as recordings of phone calls or the substance of email messages. The rest is metadata.
The GCHQ documents that the Guardian has seen illustrate a constant effort to build up storage capacity at the stations at Cheltenham, Bude and at one overseas location, as well as a search for ways to maintain the agency’s comparative advantage as the world’s leading communications companies increasingly route their cables through Asia to cut costs.
Meanwhile, technical work is ongoing to expand GCHQ’s capacity to ingest data from new super cables carrying data at 100 gigabits a second. As one training slide told new users: “You are in an enviable position – have fun and make the most of it.”
4. ‘We are starting to master the internet. And our capability is impressive’
Project Tempora: The evolution of a secret intelligence programme to capture vast amounts of web and phone data from fibre optic cables
By reporting team, The Guardian, June 22, 2013
The memo was finished at 9.32am on Tuesday 19 May 2009, and was written jointly by the director in charge of GCHQ’s top-secret Mastering the Internet (MTI) project and a senior member of the agency’s cyber-defence team.
The internal email, seen by the Guardian, was a “prioritisation and tasking initiative” to another senior member of staff about the problems facing GCHQ during a period when technology seemed to be racing ahead of the intelligence community. The authors wanted new ideas – and fast.
“It is becoming increasingly difficult for GCHQ to acquire the rich sources of traffic needed to enable our support to partners within HMG [Her Majesty’s government], the armed forces, and overseas,” they wrote.
“The rapid development of different technologies, types of traffic, service providers and networks, and the growth in sheer volumes that accompany particularly the expansion and use of the internet, present an unprecedented challenge to the success of GCHQ’s mission. Critically we are not currently able to prioritise and task the increasing range and scale of our accesses at the pace, or with the coherence demanded of the internet age: potentially available data is not accessed, potential benefit for HMG is not delivered.”
The memo continued: “We would like you to lead a small team to fully define this shortfall in tasking capability [and] identify all the necessary changes needed to rectify it.” The two chiefs said they wanted an initial report within a month, and every month thereafter, on what one of them described as “potential quick-win solutions not currently within existing programme plans”.
Though this document only offers a snapshot, at the time it was written four years ago some senior officials at GCHQ were clearly anxious about the future, and casting around for ideas among senior colleagues about how to address a variety of problems.
According to the papers leaked by the US National Security Agency (NSA) whistleblower Edward Snowden, Cheltenham’s overarching project to “master the internet” was under way, but one of its core programmes, Tempora, was still being tested and developed, and the agency’s principal customers, the government, MI5 and MI6, remained hungry for more and better-quality information.
There was America’s NSA to consider too. The Americans had been pushing GCHQ to provide better intelligence to support Nato’s military effort in Afghanistan; a reflection, perhaps, of wider US frustration that information sharing between the US and the UK had become too lopsided over the past 20 years.
In the joint instruction from 2009, the director had twice mentioned the necessity to fulfil GCHQ’s “mission”, but the academics and commentators who follow Britain’s intelligence agencies are unsure exactly what this means, and politicians rarely try to define it in any detail.
The “mission” has certainly changed and the agency, currently run by Sir Iain Lobban, may be under more pressure now than it has ever been. The issues, and the enemies, have become more complex, and are quite different from the comparatively simple world into which Britain’s secret services were born in 1909.
At the time, concern about German spies living in the UK led to the establishment of a Secret Service Bureau and, at the start of the first world war, two embryonic security organisations began to focus on “signals intelligence” (Sigint), which remains at the heart of GCHQ’s work.
The codebreakers of Bletchley Park became heroes of the second world war as they mastered the encryption systems used by the Nazis. And the priority during the cold war was Moscow.
During these periods GCHQ’s focus was clear, and the priorities of the “mission” easier to establish. There was no parliamentary scrutiny of its work so the agency, which moved from Milton Keynes to Cheltenham in the early 1950s, existed in a peculiar limbo.
That changed, and with it the boundaries of its work, with the 1994 Intelligence Services Act (Isa), which gave a legal underpinning to the agency for the first time. The act kept the powers and objectives of GCHQ broad and vague. The agency was tasked with working “in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s government; in the interests of the economic wellbeing of the United Kingdom; and in support of the prevention and the detection of serious crime”.
Reviewing the legislation at the time, the human rights lawyer John Wadham, then legal director of Liberty, highlighted the ambiguities of the expressions used, and warned that the lack of clarity would cause problems and concern. “National security is used without further definition. It is true the courts themselves have found it impossible to decide what is or what is not in the interests of national security. The reality is that ‘national security’ can mean whatever the government of the day chooses it to mean.” The same could be said for the clause referring to “economic wellbeing”.
Arguably, GCHQ’s responsibilities have broadened even further over the past decade: it has become the UK’s lead agency for cyber-security — identifying the hackers, criminal gangs and state actors who are stealing ideas, information and blueprints from British firms.
Alarmed by the increase in these cyberattacks, and faced with billions of pounds’ worth of intellectual property being stolen every year, the government made the issue a tier-one priority in the 2010 strategic defence and security review. In a time of cuts across Whitehall, the coalition found an extra £650m for cyber-security initiatives, and more than half was given to GCHQ. It has left the agency with a vast array of responsibilities, which were set out in a pithy internal GCHQ memo dated October 2011: “[Our] targets boil down to diplomatic/military/commercial targets/terrorists/organised criminals and e-crime/cyber actors”.
All this has taken place during an era in which it has become harder, the intelligence community claims, for analysts to access the information they believe they need. The exponential growth in the number of mobile phone users during the noughties, and the rise of a new breed of independent-minded internet service providers, conspired to make their work more difficult, particularly as many of the new firms were based abroad, outside the jurisdiction of British law.
Struggling to cope with increased demands, a more complex environment, and working within laws that critics say are hopelessly outdated, GCHQ started casting around for new, innovative ideas. Tempora was one of them.
Though the documents are not explicit, it seems the Mastering the Internet programme began life in early 2007 and, a year later, work began on an experimental research project, run out of GCHQ’s outpost at Bude in Cornwall. Its aim was to establish the practical uses of an “internet buffer”, the first of which was referred to as CPC, or Cheltenham Processing Centre.
By March 2010, analysts from the NSA had been allowed some preliminary access to the project, which, at the time, appears to have been codenamed TINT, and was being referred to in official documents as a “joint GCHQ/NSA research initiative”. TINT, the documents explain, “uniquely allows retrospective analysis for attribution” – a storage system of sorts, which allowed analysts to capture traffic on the internet and then review it.
The papers seen by the Guardian make clear that at some point – it is not clear when – GCHQ began to plug into the cables that carry internet traffic into and out of the country, and garner material in a process repeatedly referred to as SSE. This is thought to mean special source exploitation.
The capability, which was authorised by legal warrants, gave GCHQ access to a vast amount of raw information, and the TINT programme a potential way of being able to store it.
A year after the plaintive email asking for new ideas, GCHQ reported significant progress on a number of fronts. One document described how there were 2 billion users of the internet worldwide, how Facebook had more than 400 million regular users and how there had been a 600% growth in mobile internet traffic the year before. “But we are starting to ‘master’ the internet,” the author claimed. “And our current capability is quite impressive.”
The report said the UK now had the “biggest internet access in Five Eyes” – the group of intelligence organisations from the US, UK, Canada, New Zealand and Australia. “We are in the golden age,” the report added.
There were caveats. The paper warned that American internet service providers were moving to Malaysia and India, and the NSA was “buying up real estate in these places”.
“We won’t see this traffic crossing the UK. Oh dear,” the author said. He suggested Britain should do the same and play the “US at [their] own game … and buy facilities overseas”.
GCHQ’s mid-year 2010-11 review revealed another startling fact about Mastering the Internet. “MTI delivered the next big step in the access, processing and storage journey, hitting a new high of more than 39bn events in a 24-hour period, dramatically increasing our capability to produce unique intelligence from our targets’ use of the internet and made major contributions to recent operations.”
This appears to suggest GCHQ had managed to record 39bn separate pieces of information during a single day. The report noted there had been “encouraging innovation across all of GCHQ”.
The NSA remarked on the success of GCHQ in a “Joint Collaboration Activity” report in February 2011. In a startling admission, it said Cheltenham now “produces larger amounts of metadata collection than the NSA”, metadata being the bare details of calls made and messages sent rather than the content within them.
The close working relationship between the two agencies was underlined later in the document, with a suggestion that this was a necessity to process such a vast amount of raw information.
“GCHQ analysts effectively exploit NSA metadata for intelligence production, target development/discovery purposes,” the report explained. “NSA analysts effectively exploit GCHQ metadata for intelligence production, target development/discovery purposes. GCHQ and NSA avoid processing the same data twice and proactively seek to converge technical solutions and processing architectures.”
The documents appear to suggest the two agencies had come to rely on each other; with Tempora’s “buffering capability”, and Britain’s access to the cables that carry internet traffic in and out of the country, GCHQ has been able to collect and store a huge amount of information.
The NSA, however, had provided GCHQ with the tools necessary to sift through the data and get value from it.
By May last year, the volume of information available to them grew again, with GCHQ reporting that it now had “internet buffering” capability running from its headquarters in Cheltenham, its station in Bude, and a location abroad, which the Guardian will not identify. The programme was now capable of collecting, a memo explained with excited understatement, “a lot of data!”
Referring to Tempora’s “deep dive capability”, it explained: “It builds upon the success of the TINT experiment and will provide a vital unique capability.
“This gives over 300 GCHQ and 250 NSA analysts access to huge amounts of data to support the target discovery mission. The MTI programme would like to say a big thanks to everyone who has made this possible … a true collaborative effort!”
Tempora, the document said, had shown that “every area of ops can get real benefit from this capability, especially for target discovery and target development”.
But while the ingenuity of the Tempora programme is not in doubt, its existence may trouble anyone who sends and receives an email, or makes an internet phone call, or posts a message on a social media site, and expects the communication to remain private. Campaigners and human rights lawyers will doubtless want to know how Britain’s laws have been applied to allow this vast collection of data. They will ask questions about the oversight of the programme by ministers, MPs and the intelligence interception commissioner, none of whom have spoken in public about it.
5. Internet providers: ‘They have to co-operate. If they decline, we can compel them’
Checks and balances: Law gives commercial companies no ability to refuse demands from GCHQ
By reporting team, The Guardian, June 22, 2013
William Hague was adamant when he addressed MPs on Monday last week. In an emergency statement forced by the Guardian’s disclosures about GCHQ involvement with the Prism programme, the foreign secretary insisted the agency operated within a “strong framework of democratic accountability and oversight”.
The laws governing the intelligence agencies provide “the strongest systems of checks and balances for secret intelligence anywhere in the world”, he said.
Leaked documents seen by the Guardian give the impression some high-ranking officials at GCHQ have a different view. In confidential briefings, one of Cheltenham’s senior legal advisers, whom the Guardian will not name, made a note to tell his guests: “We have a light oversight regime compared with the US”.
The parliamentary intelligence and security committee, which scrutinises the work of the agencies, was sympathetic to the agencies’ difficulties, he suggested. “They have always been exceptionally good at understanding the need to keep our work secret,” the legal adviser said.
Complaints against the agencies, undertaken by the interception commissioner, are conducted under “the veil of secrecy”. And the investigatory powers tribunal, which assesses complaints against the agencies, has “so far always found in our favour”.
The briefings offer important glimpses into the GCHQ’s view of itself, the legal framework in which it works, and, it would seem, the necessity for reassuring the UK’s most important intelligence partner, the United States, that sensitive information can be shared without raising anxiety in Washington.
None of the documents advocates law-breaking – quite the opposite. But critics will say they highlight the limitations of the three pieces of legislation that underpin the activities of GCHQ, MI5 and MI6 – which were repeatedly mentioned by Hague as pillars of the regulatory and oversight regime during his statement to the Commons.
The foreign secretary said GCHQ “complied fully” with the Regulation of Investigatory Powers Act (Ripa), the Human Rights Act (HRA) and the Intelligence Services Act (Isa).
Privacy campaigners argue the laws have one important thing in common: they were drafted in the last century, and nobody involved in writing them, or passing them, could possibly have envisaged the exponential growth of traffic from telecoms and internet service providers over the past decade.
Nor could they have imagined that GCHQ could have found a way of storing and analysing so much of that information as part of its overarching Mastering the Internet project. The Tempora programme appears to have given Britain’s spymasters that resource, with documents seen by the Guardian showing Britain can retain for up to 30 days an astronomical amount of unfiltered data garnered from cables carrying internet traffic.
This raises a number of questions about the way GCHQ officials and ministers have legitimised the programme.
The briefings, which are entitled UK Operational Legalities, stress that GCHQ “is an organisation with a highly responsible approach to compliance with the law”.
GCHQ also has a well staffed legal team, known as OPP-LEG, to help staff navigate their way through the complexities of the law.
But there appears to be some nervousness about Tempora. In a paper written for National Security Agency (NSA) analysts entitled A Guide to Using Internet Buffers at GCHQ, the author notes: “[Tempora] represents an exciting opportunity to get direct access to enormous amounts of GCHQ’s special source data.
“As large-scale buffering of metadata and content represent a new concept for GCHQ’s exploitation of the internet, GCHQ’s legal and policy officers are understandably taking a careful approach to their access and use.”
So how did GCHQ secure the legal authority for setting up Tempora, and what safeguards are in place for sharing the intelligence with the Americans? According to the documents, the British government used Ripa to get taps on to the fibre-optic cables.
These cables carry internet traffic in and out of the country and contain details of millions of emails and web searches. The information from these cables went straight into the Tempora storage programme.
In one presentation, which appeared to be for US analysts from the NSA, GCHQ explained: “Direct access to large volumes of unselected SSE data [is] collected under a Ripa warrant.”
The precise arrangement between the firms is unclear, as are the legal justifications put before ministers. Isa gives GCHQ some powers for the “passive collection” of data, including from computer networks. But it appears GCHQ has relied on paragraph four of section 8 of Ripa to gain “external warrants” for its programmes. They allow the agency to intercept external communications where, for instance, one of the people being targeted is outside Britain.
In most Ripa cases, a minister has to be told the name of an individual or company being targeted before a warrant is granted. But section 8 permits GCHQ to perform more sweeping and indiscriminate trawls of external data if a minister issues a “certificate” along with the warrant.
According to the documents, the certificate authorises GCHQ to search for material under a number of themes, including: intelligence on the political intentions of foreign governments; military postures of foreign countries; terrorism, international drug trafficking and fraud. The briefing document says such sweeping certificates, which have to be signed off by a minister, “cover the entire range of GCHQ’s intelligence production”.
“The certificate is issued with the warrant and signed by the secretary of state and sets out [the] class of work we can do under it … cannot list numbers or individuals as this would be an infinite list which we couldn’t manage.”
Lawyers at GCHQ speak of having 10 basic certificates, including a “global” one that covers the agency’s support station at Bude in Cornwall, Menwith Hill in North Yorkshire, and Cyprus.
Other certificates have been used for “special source accesses” – a reference, perhaps, to the cables carrying web traffic. All certificates have to be renewed by the foreign secretary every six months.
A source with knowledge of intelligence confirmed: “Overall exercise of collection and analysis [is] done under a broad, overall legal authority which has to be renewed at intervals, and is signed off at a senior political level.”
The source said the interception commissioner was able to “conclude that [the process] was not appropriate”, and that the companies involved were not giving up the information voluntarily.
“We have overriding authority to compel [them] to do this,” the source said. “There’s an overarching condition of the licensing of the companies that they have to co-operate in this.
“Should they decline, we can compel them to do so. They have no choice. They can’t talk about the warrant, they can’t reveal the existence of it.”
GCHQ says it can also seek a sensitive targeting authority (STA), which allows it to snoop on any Briton “anywhere in the world” or any foreign national located in the UK. It is unclear how the STA system works, and who has authority over it.
The intelligence agencies also have to take note of the HRA, which demands any interception is “necessary and proportionate”. But the documents show GCHQ believes these terms are open to interpretation – which “creates flexibility”. When Tempora became fully functional in around 2011, GCHQ gave the NSA access to the programme on a three-month trial – and the NSA was keen to impress.
The US agency sent a briefing to some of its analysts urging them to show they could behave responsibly with the data. Under a heading – “The need to be successful!” – the author wrote: “As the first NSA users to receive operational access [to Tempora], we’re depending on you to provide the business case required to justify expanded access. Most importantly we need to prove that NSA users can utilise the internet buffers in ways that are consistent with GCHQ’s legal and policy rules.
“In addition, we need to prove that NSA’s access … is necessary to prosecute our mission and will greatly enhance the production of the intelligence … success of this three-month trial will determine expanded NSA access to internet buffers in the future.”
The NSA appears to have made a successful case. In May last year, an internal GCHQ memo said it had 300 analysts working on intelligence from Tempora, and the NSA had 250. The teams were supporting “the target discovery mission”.
But the safeguards for the sharing of this information are unclear. Though GCHQ says it only keeps the content of messages for three working days, and the metadata for up to 30 days, privacy campaigners here and in the US will want to know if the NSA is adhering to the same self-imposed rules. One concern for privacy campaigners is that GCHQ and the NSA could conduct intercepts for each other, and then offer to share the information – a manoeuvre that could bypass the domestic rules they have to abide by.
This was raised by MPs during last week’s statement, with the former Labour home secretary David Blunkett calling for clarification on this potential loophole.
Last week, the Guardian sent a series of questions to the Foreign Office about this issue, but the department said it would not be drawn on it. “It is a longstanding policy not to comment on intelligence matters; this includes our intelligence co-operation with the United States.
“The intelligence and security committee is looking into this, which is the proper channel for such matters.”
6. How GCHQ trawls for information online
By reporting team, The Guardian, June 22, 2013
What is an internet buffer?
In essence, an internet buffer is a little like Sky+, but on an almost unimaginably large scale. GCHQ, assisted by the NSA, intercepts and collects a large fraction of internet traffic coming into and out of the UK. This is then filtered to get rid of uninteresting content, and what remains is stored for a period of time – three days for content and 30 days for metadata.
The result is that GCHQ and NSA analysts have a vast pool of material to look back on if they are not watching a particular person in real time – just as you can use TV catch-up services to miss a programme you hadn’t heard about.
How is it done?
GCHQ appears to have intercepts placed on most of the fibre-optic communications cables in and out of the country. This seems to involve some degree of co-operation – voluntary or otherwise – from companies operating either the cables or the stations at which they come into the country.
These agreements, and the exact identities of the companies that have signed up, are regarded as extremely sensitive, and classified as top secret. Staff are instructed to be very careful about sharing information that could reveal which companies are “special source” providers, for fear of “high-level political fallout”. In one document, the companies are described as “intercept partners”.
How does it operate?
The system seems to operate by allowing GCHQ to survey internet traffic flowing through different cables at regular intervals, and then automatically detecting which are most interesting, and harvesting the information from those.
The documents suggest GCHQ was able to survey about 1,500 of the 1,600 or so high-capacity cables in and out of the UK at any one time, and aspired to harvest information from 400 or so at once – a quarter of all traffic.
As of last year, the agency had gone halfway, attaching probes to 200 fibre-optic cables, each with a capacity of 10 gigabits per second. In theory, that gave GCHQ access to a flow of 21.6 petabytes in a day, equivalent to 192 times the British Library’s entire book collection.
GCHQ documents say efforts are made to automatically filter out UK-to-UK communications, but it is unclear how this would be defined, or whether it would even be possible in many cases.
For example, an email sent using Gmail or Yahoo from one UK citizen to another would be very likely to travel through servers outside the UK. Distinguishing these from communications between people in the UK and outside would be a difficult task.
What does this let GCHQ do?
GCHQ and NSA analysts, who share direct access to the system, are repeatedly told they need a justification to look for information on targets in the system and can’t simply go on fishing trips – under the Human Rights Act, searches must be necessary and proportionate. However, when they do search the data, they have lots of specialist tools that let them obtain a huge amount of information from it: details of email addresses, IP addresses, who people communicate with, and what search terms they use.
What’s the difference between content and metadata?
The simple analogy for content and metadata is that content is a letter, and metadata is the envelope. However, internet metadata can reveal much more than that: where you are, what you are searching for, who you are messaging and more.
One of the documents seen by the Guardian sets out how GCHQ defines metadata in detail, noting that “we lean on legal and policy interpretations that are not always intuitive”. It notes that in an email, the “to”, “from” and “cc” fields are metadata, but the subject line is content. The document also sets out how, in some circumstances, even passwords can be regarded as metadata.
The distinction is a very important one to GCHQ with regard to the law, the document explains: “There are extremely stringent legal and policy constraints on what we can do with content, but we are much freer in how we can store metadata. Moreover, there is obviously a much higher volume of content than metadata.
“For these reasons, metadata feeds will usually be unselected – we pull everything we see; on the other hand, we generally only process content that we have a good reason to target.”
7. ‘Burn’ phones, metal-lined wallets and no internet
Zoe Williams [Guardian columnist] calls on the experts as she tries to erase her digital fingerprint and go ‘off the grid’
The Guardian, 22 June 2013
Oh, the naivety … On Tuesday night, I thought the first step to going off-grid, erasing my digital fingerprint, becoming undetectable to a government agency or anyone else, was to take the sim card out of my phone. Get a new sim. Insert in old phone. Bingo; big brother might have his eye on me, but he no longer knows in which direction to swivel it.
Idiot! My phone has an IMEI number, whereby it can be traced anywhere in the world. I had to stop using the phone. Twitter told me that, before I had to stop using Twitter.
But that’s not enough; I also had to stop carrying the phone, or if I had to carry it, to do so in a metal-lined wallet. Documentally (his online persona), aka Christian Payne (his real-life name), is a professional surveillance-avoider who offers calm advice that will leave you paranoid, but with a completely foundationless faith in your capabilities: “I got an RSID wallet so that my passport details couldn’t be stolen remotely …” (The design of passports has been changed, so details can be read from a distance). “It’s meant to be for border crossings, but it’s leaking information all over the place. So I use the wallet with a metal lining, and if I put my phone in there, it remains completely off-grid.”
As an aside, to illustrate how easy it is to find you via your phone, he adds: “I’ve got old iPhones that I use for tracking devices. I’ve got one in my car. This technology is on a consumer level. For a brief period I was running a little private investigations company. I could leave a Nokia on a table and it would become a bugging device for that room.”
Huh. Anyway, back to me. What I need is a burner phone – in the US, you can buy them from the website www.burnerphone.us and they arrive, fully charged, sim at the ready, no questions asked. “How do you pay for it?” you’re asking. Almost all conundrums end with this question: if you have a long time to plan going underground, my number one tip is that you save a lot of cash, or get really good at stealing.
The best way to pay for things on the internet without identifying yourself is by Bitcoin (an anonymous digital crypto currency). But you could also go to Tesco and just buy a phone, for a tenner, with a pay-as-you-go sim already in it.
“But who are you going to call?” Documentally asks pleasantly. If I call any known associates, their phones will be tracked anyway, and a strange mobile number will show up. Even in my wider circle, calling three of them would join enough dots to come back to me. It’s possible I could call a switchboard and get away with it, so that leaves me with a) work and b) British Gas. If I wanted to speak to one of my friends, I’d have to post them a letter, tell them my new number and get them to call me from a payphone. Or I’d have to buy them a burner and drop it off at their house. “You have to think in terms of not seeing or speaking to anyone you know for three years,” Documentally clarified.
At this point, 10pm on a Tuesday, I am still thinking of a hypothetical person or agency chasing me. Not yet realising how absurdly unrealistic that was, I spoke to David Bond, who made a documentary about this quest three years ago, called Erasing David. During the film, he met Frank Aherne, “an expert at disappearing people in the States. I didn’t put him in the film because it sounded way too paranoid, but he told me the CIA had a backdoor into Google and Facebook. He said they have a start-up fund, and they put money into Facebook and things like it, to get in on the ground floor. I love that story. I wish I’d put him in.”
Social media notwithstanding, the “leakiest bit is physical. The best thing you can do is wear a hi-vis jacket and carry a bin bag with something heavy in it, and you keep your head down. No one looks at you, everyone ignores you; you’re the lowest of the low.”
That’s how to avoid the human eye; CCTV is a completely different thing. Documentally developed a prototype, an infrared LED in the brim of a baseball cap that messes with the signal. The problem is that it creates a big flash, so even if they can’t see your face, it draws attention to your presence. But there are things you can do to confuse facial recognition algorithms: mainly, obscure your nose-brow bridge and disturb the ocular area. The first you can do with a directional scenester fringe. I don’t have one of those. The second you can do with makeup on your cheeks – if you create a blusher look that could, by a computer, be mistaken for an eye socket, that will mess with the reading.
I went for a cycling mask, which is fine in one way – I have to cycle anyway, even if you swap Oyster cards with a stranger (you should swap regularly with friends regardless, to mess with the data collection). That isn’t the problematic bit; cycling in a mask, with a longer fringe, might work. But if there is any agency looking for you, you have to get out of the city.
Documentally counsels: “There are maps online showing the lowest concentration of CCTV cameras. Camping’s good. People ask very few questions at campsites. But no technology, because there’s usually only one road in, and once they’ve found you, you’re found.” He paused. “Good luck,” he said. “If you check my twitter feed, you can see where I am. If you get into any trouble, come there. I don’t know you well enough to let you into my room, but I can find you a safe house.” I am tickled pink that he thinks I’m going to start roaming about the country. But I can’t do that: I’ve got two children; and also, tickets to see the Breeders. I scale down my ambition: I merely want to live my life and leave no digital fingerprint. If I were pursuing a course of action that I thought might one day interest the authorities – joining a protest group, establishing a guerrilla army for the protection of bees – could I do so without leaving a yellow brick road directly to my house?
So, I couldn’t use a phone in the regular way, but I could Gibberbot (on an Android) or Chatsecure (on an iPhone). I could use Jitsi instead of Skype. For emails, I’d get a laptop that is stripped off – if you use your own, even not using your own email address, your identity screams off it like a siren the minute you connect to the internet. But you can use an encrypted channel in a Virtual Private Network. “With a VPN and Jitsi you’d be anonymous but your friends who you were talking to would need a Jabber account. But that wouldn’t be too difficult. You’d just post them a letter, telling them to open one.”
My life at this point had become so pared down, such a simple process of cycling around, giving words written in internet cafes, on memory sticks, to people, scaring them with my sweaty face – that the only emails I need a Jabber account for are my mum and one friend. I don’t really want to ask my mum to open a Jabber account, since the last time I looked at her computer, she was trying to download the whole of Arabic. She’s probably already on a watchlist. Then I remember I’m seeing her at Pilates; nobody would look for me there, it’s so 2001. When I run into her, she says: “Have you tried DuckDuckGo? It’s like an uncorruptible Google.” I think: “Jesus, woman, no wonder you’re probably on a watchlist.” I solve the friend problem by just turning up at her house. She looks at me like I’ve taken a crap in a bag of sugar. People in London hate it when you do this.
It is such full-time work just avoiding email and phones that I can’t say I missed them. I did go to the Breeders, they scanned the barcode on the tickets, but hah! I didn’t buy them (my boyfriend did. It is a relatively easy trail, from him to me, I imagine).
Consuming, belonging, conforming – they are so intertwined, to reject one is to reject all three, to reject all three is just impossibly large. To do it, you’d need to have already done it. But the alternative, this supine acceptance of whatever information whoever wants it has, that’s not great either. As Documentally says: “If, for example, our government takes a turn for the even worse and wants to get any bit of dirt on you, all they have to do is amplify the things that they found in your inbox. It doesn’t take much to embarrass you or blackmail you.”