Monday, July 01, 2019

From Alan Turing to the mass surveillance machine that is the internet

I gave a talk, on Saturday last, at the 9th Tensions of Europe Conference in Luxembourg. Draft of my remarks below. They are relatively brief and as a result somewhat over-simplified.

From Alan Turing to the mass surveillance machine that is the internet

In November 1942, English code breaker, Alan Turing, arrived in the US on a four-month intelligence sharing visit. He was met by three immigration officers and very nearly denied entry and dispatched to Ellis Island immigration detention centre, due to anomalies in his documentation. Two of the three eventually agreed he should be admitted.

There followed an intense period of work with the US Navy’s intelligence service in Washington DC and Bell Labs in New York. This was partially hampered by bureaucratic issues with his security clearances, and Turing’s unofficial instructions from British intelligence to reveal as little as possible to their US counterparts. The British were distrustful of the US government and vice versa.[i]

It became clear that the absence of trust and cooperation was impairing the war effort and shortly after Turning’s visit, US Intelligence officials Colonel Alfred McCormack, Lieutenant Colonel Telford Taylor, and Lieutenant Colonel William Friedman travelled to Britain to work with the head of Bletchley Park, Edward Travis. Friedman played a key role in the cracking of the Japanese Purple code and Taylor went on to become the chief US prosecutor at the Nuremberg trials. The parlay between Travis and the US delegation led to the 1943 BRUSA Agreement (Britain–United States of America agreement) to share intelligence.

BRUSA in turn spawned the UKUSA Agreement in 1946 to share signals intelligence (sigint) and communications security (comsec, the security of the processes, infrastructure and products of that sigint).

By 1956 Canada, Australia and New Zealand became parties to the agreement and it became known as the Five Eyes (FVEY). This FVEY agreement (or now collection of agreements) forms the basis of intelligence cooperation between these countries to this day.

[Norway, Denmark, and West Germany became secondary associates in the 1950s.]

At this point I’m going to have to fast forward through decades and significant parts of the story.*
To the FYEV intelligence & security services in the 1990s. The Cold war was supposedly over. They were suffering what they considered to be underinvestment and lack of appreciation. The Internet & WWW were going global and there were serious concerns in the agencies about keeping up.

ECHELON, the satellite centred surveillance system, developed by FVEY in the late 60s to early 70s, intended to collect communications of Soviet leaders, military personnel and diplomats, had already been turned to spying on FVEY allies like Germany and France; and the surveillance of individuals and commerce, facilitating industrial espionage.

That’s not my conclusion btw, that comes from a 2001European Parliament report on ECHELON at a time when the FVEY alliance was refusing to confirm or deny ECHELON officially existed. The report said there was no longer any doubt – it exists but all the EU could do is ask the FYEY, nicely, to stop spying on us. Some members of the committee disavowed the report as too soft and declaring that the deployment of ECHELON constituted a blatant breach of European law and the EU Charter of Fundamental Rights. It did conclude, however,

“However extensive the resources and capabilities for the interception of communications may be, the extremely high volume of traffic makes exhaustive, detailed monitoring of all communications impossible in practice.”

So even those who were deeply critical of the surveillance activities of FVEY accepted that these organisations were being snowed under with electronic data.

9/11 to 7/7

When the September 11, 2001 attacks on the US happened with the tragic loss of thousands of lives, everything changed. The US & UK now had a new demon to replace the Soviet Union – terrorism. So began the US orchestrated war on terror and huge resources were poured into recruitment and mass surveillance technology. Much of it was wasted e.g. Trailblazer and, if we take the word of NSA whistleblowers such as Thomas Drake or William Binney, fraudulently so.

Military action in Afghanistan began within weeks and followed in Iraq about 18 months later.[ii]

The action in Iraq & Afghanistan stretched GCHQ operationally.

On 11/3/2004 the Madrid train bombings, the biggest terrorist attack in Spain in history, killed 191 and injured more than 2000 people.

The following year. The 7/7/2005 London attacks led to 56 deaths and nearly 800 were injured.

The Data retention directive, an intimate part of the mass surveillance story in Europe

In the wake of the 2005 London attacks there was a reinforced urgency in government about doing something about terrorism. In the UK the Blair government obsessively pursued mass data retention and all manner of other privacy decimating policies, regulations and processes, culminating in the EU Data Retention Directive 2006. Government ministers were drilled to chant the poisonous & deceitful but powerful ‘nothing to hide, nothing to fear’ sound bite, at every conceivable opportunity.  One of the things, incidentally, UK governments are going to miss after Brexit is the policy laundering they pursued so successfully through the EU.

Mass communications data retention was later found unlawful in multiple high courts around Europe - Romania (2009), Germany (2010), Bulgaria (2010), the Czech Republic (2011) and Cyprus (2011) have all declared the data retention directive unconstitutional and/or a disproportionate unjustified interference with the fundamental right to privacy, free speech and confidentiality of communications.

In 2006 GCHQ began their ‘SIGMod Initiative’ (signals intelligence modernisation programme) on gathering, processing, analysing, assessing, storing, distributing and sharing communications data. The government proposed an Intercept Modernisation Programme (IMP) 2008 involving the spending of £12 Billion + passing a proposed new law, the Communications Data Bill. A small number of NGOs, notably the Open Rights Group, Liberty and Privacy International, managed to get the attention of the media and a few politicians, noting the proposals were a terrible idea and labelling the whole thing a‘Snoopers’ charter.’ And with the financial crash of 2007/’08 and an election imminent it was officially shelved but the government and security & intelligence services implemented it in secret anyway.
Snowden 2013

Meanwhile stateside, an insider at the NSA, Edward Snowden, decided that the activities of the FVEY had reached the point of unchecked intrusion into the lives of ordinary people to a degree that was unconscionable and indefensible. In June 2013 Snowden chose to smuggledocumentary evidence of these activities to Hong Kong where he handed them over to journalists Glenn Greenwald, Laura Poitras and Ewan MacAskill.[iii]

What was revealed was a spectacular array of FVEY resources, technical capabilities and activities, with a very limited degree of legal or political oversight, checks or balances. Mass surveillance was not only being conducted by the commercial behemoths of Silicon Valley and every economic actor with a Web presence but by governments of the FVEY alliance. And these security services, like Silicon Valley, had their processes and technologies[iv] targeted at entire populations.

One of the surprises for informed security and intelligence analysts that came out of the Snowden revelations was that GCHQ and the NSA had got these large-scale systems working. The history of government deployments of large-scale information age IT projects had not previously been promising.

Circumventing & breaking law

According to the Snowden documents, one of the effects of the FVEY agreement was that NSA shared intelligence with GCHQ to circumvent UK law and vice versa. The documents quote US intelligence services staff considering that their UK equivalents had no real legal restrictions to abide by. The UK end of the operation likewise talked of their light regulatory regime as being a ‘selling point’ in soliciting funds from the NSA, amounting to $100 million between 2010 and 2013. So, if there were technical legal restrictions on the NSA’s activities – e.g. not being permitted to target US citizens, they could just get the British to do the surveillance for them. Officially this was denied. 

Even where to request the information would be a technical legal breach, it could be circumvented by the transatlantic sharing of information, under FVEY, without the need for a formal request.

Snowden changed things in Europe, if not the UK. EU allies were angry at the scale and reach of FVEY surveillance resources, targeted at their populations, policymakers (including tapping Angela Merkel’s phone) and economic actors. The European Court of Human Rights and the Court of Justice of the European Union became sensitised to mass surveillance and issued a series of decisions declaring the activities unlawful.

The European Court of Justice in the Digital Rights Ireland case in 2014 declared the data retention directive so bad it should never have existed and abolished it.

DRIPA 2014 – the UK’s let’s pretend the data retention directive didn’t get abolished Act.

The UK government decided to ignore the ruling. UK chief police officers issued an edict to their police forces to continue retaining data. When the government couldn't ignore it any more because they were being sued and the press were about to start paying attention to it, they passed a new law, the Data Retention and Investigatory Powers Act 2014.

This contained 8 sections and was rushed through parliament in record time with no scrutiny, by means of a very rarely used parliamentary process, just as MPs were about to go on their summer holidays. [The party briefings instructing MPs what to say about this law in public were longer than the law and both the parties of the coalition government - the Tories and Lib Dems - and the Labour party were all in favour.]

UK Investigatory Powers Act 2016 [v]

Far from reigning in surveillance and other activities revealed by Snowden in 2013, and those previously known and found by high courts all round Europe to be in breach of fundamental human rights, the UK passed the Investigatory Powers Act 2016, to legalise them. Whereas the US made some effort to be seen to be engaging in at least cosmetic reforms to that nation’s surveillance laws, the UK government denied there was an issue, trotted out tropes about national security and “nothing to hide, nothing to fear”, issued gagging orders, ritually destroyed the Guardian’s computers and reinforced and expanded the scope of intelligence gathering activities permitted.  Providing this legal infrastructure, with extraterritorial reach, to enable and facilitate the exploitation of modern digital technologies and networks, nominally for security and intelligence purposes and, with arguably limited checks and balances, has profound implications for democracy, all around Europe.

It remains also, however, the long standing FYEY intelligence sharing operation between the US, UK, Canada, Australia and New Zealand, that now deploys the considerable resources made available by the respective governments to exploit the infrastructure of the internet to engage in mass surveillance around the globe. This is not about FYEY being old and dated. The UN Declaration of Human Rights and the European Convention on Human Rights both stem from the same period and stand strong; as do multiple other historic documents like the US Constitution and Bill of Rights. However, the FVEY sigint agreement, as an arrangement emerging from the devastation of WWII and the ‘Second Red Scare’ and designed primarily to facilitate the collection of intelligence on the Soviet Union, China and their allies, in the modern context now reaches deeply into the lives and homes of ordinary people.

Liberty and others have taken the battle over the Investigatory Powers Act 2016 bulk surveillance provisions back to the courts. In April 2018 the UK High Court ruled that the data retention elements of the Act were unlawful.[vi] On 11 June 2019 it emerged that, even with the extra permissions of the Act, MI5 had been acting so far outside the scope of the legislation, in relation to their data management practices, that documents compelled to be revealed to the court showed that the independent ‘Investigatory Powers Commissioner’ (IPC) declared the agency’s bulk surveillance data management practices “undoubtedly unlawful”.[vii] [The Investigatory Powers Commissioner was a new office, set up under the Investigatory Powers Act, charged with dual oversight, along with the relevant Secretary of State, of the activities subject to the Act.] 

MI5 had effectively been caught out unlawfully retaining innocent people’s data for years, failing to give the IPCO (IPC's Office) accurate information about repeated breaches of its duty to delete bulk surveillance data, and mishandling sensitive legally privileged material. Even if this can be chalked up to normal bureaucratic failings on the part of a government service, this must be concerning.

The reality of FVEY is significantly more complex than I have the time to cover here. It has not, in practice, facilitated blanket, open, totally frictionless sharing of intelligence between the US, UK and other FYEY partners. Just because they agreed to share intelligence and not spy on each other, did not mean they stuck to that agreement or collection of agreements. Intelligence and security services, even within national boundaries, tend to be complex Faustian ecologies of competing institutions, individuals, agendas, bureaucracy and politics, wrapped up in an evolutionary internecine game of the survival of the fittest, surfing on the cause of protecting national security.

We should take infinitely more care in building and continuing to expand the legal, technical & organisational infrastructure of mass surveillance. Such complex systems fail naturally - systems fail, people make mistakes, staff under pressure circumvent the systems to get the job done and the temptation to hide those failures is organisationally irresistible. It will always be so & that's before you start factoring in malign actors because complex systems can also be made to fail by internal and external attackers with nefarious intent. Create these systems and the failures will come. We know this because they have failed and there is not a computer scientist or security specialist anywhere in the world who can secure them and make them water-tightly safe in practice.

The internet has become a huge surveillance machine.

It is possible, as the Net is an entirely artificially designed and constructed entity, to wrestle/retrofit it into something useful that is not a mass surveillance machine. However, it will be difficult to do, in practice, as all the most powerful governmental and commercial economic actors, as well as us the masses of the bread & circuses distracted unwashed users, caught in the headlights of seductive surveillance, are addicted to that architecture of surveillance. 

The critical question is how. How do we cultivate, energise, harness, direct and sustain sufficiently powerful socio-economic, political, commercial, cultural, environmental, social and technical forces to transforming the internet into something with a human rights respecting architecture, at an individual, community, district, national, transnational and global level?

As Carl Sagan said, science and technology heap a new and awesome responsibility on the shoulders of scientists, technologists, policymakers and Jo Public, to pay more attention to the hazards and long-term consequences of advances, from individual, communities, regional, global & multi-generational perspectives, avoiding appeals to simplistic claptrap and the nationalism, chauvinism and hate mongering so prevalent in modern politics & media.

[i] The British worried about the rivalry between US navy and army potentially leading to leaks. The US were equally distrustful of the British and frustrated, given the 500+ US ships sunk by U-boats in the previous year, that they were so unwilling to share information.
[ii] {Katherine Gun GCHQ whistleblower case – UN second resolution, NSA memo 31 Jan 2003 requiring UK to spy on world leaders in the hope of blackmailing them into supporting war. This came about a week after GCHQ staff, deeply concerned about the legitimacy of the impending conflict, had been officially assured they would not be required to engage in illegal activity. Gun, a 28-year-old analyst, admitted passing the NSA memo to the Observer newspaper which printed it in full on its front page in early March, having spent a month confirming its provenance. AG equivocal legal advice on war led to Gun’s prosecution being dropped in February 2004}
 [iii] Unlike Wikileaks who tended to put everything openly on the internet, Snowden decided the documents should be curated by respected news organisations, like The Guardian and The Washington Post newspapers, with revelations to be made public selected purely based on the public interest and the avoidance of exposure of intelligence services personnel to risk.
[iv] [of what the UK end of the business now calls “bulk” interception, acquisition, equipment interference and personal dataset warrants]
My evidence to Joint Committee on Investigatory Powers Bill
‘S253 Technical capability notices
(1)     The Secretary of State may give a relevant operator a technical capability notice…’
Operators have multiple dutes to assist with implementation of IPAct measures.
[vi] [Since ministers were empowered by the Act to issue data retention orders without independent review and authorisation – and for reasons which have nothing to do with investigating serious crime – it was a breach of fundamental rights.] 
[vii] [He also said that he has effectively put them in special measures after discovering they were misleading the Investigatory Powers Commissioner’s Office (IPCO).
“Without seeking to be emotive, I consider that MI5’s use of warranted data... is currently, in effect, in ‘special measures’ and the historical lack of compliance... is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose'".]
*Including the cold war & evolution of sigint processes and technology, establishment of Menwith Hill and other sigint infrastructure, the Korean war, the development of the ARPANET, ECHELON, the emergence of the WWII sigint story, the Pentagon papers, Watergate, Nixon, the FISA court, the ABC trials, the accidental but happy coincidence of technology and regulation that enabled the early internet to be built on the back of telephone networks, with an end to end architecture – the ‘intelligence’ was not built into the network but rather the devices that connected to it – enabling anyone to innovate, Reagan’s Executive Order 12333, Duncan Campbell’s 1988 revelation of ECHELON (it was an extension of the UKUSA Agreement; He also detailed how Echelon worked), Tim Berners Lee’s creation of the WWW protocols, the WWW & Net going mainstream, the cryptowars, the internet’s midwifery of today’s big 5 tech giants, the West’s military adventures, RIPA, 9/11, the US Patriot Act, the ‘war on terror’, Total Information Awareness, Trailblazer, NSA whistleblowers Bill Binney (ThinThread) & Thomas Drake, National Security Letters, Blair government architects of the data retention directive 2006 and national identity cards and a blizzard of serious crime and anti-terrorism regulations expanding powers of law enforcement, intelligence & security services, US FISA Amendment Act 2008 Act – guilty of being a foreigner – Caspar Bowden & Microsoft, NSA violation of FISA court orders, Bush & Blair establishment and Obama and Con-Dem coalition consolidation and expansion of architecture and resources of mass surveillance conducted by FYEY. Some of Snowden's revelations
PRISM – targeted intelligence, this had some justification and defensible due process overseen by the FISA Court
Tempora – GCHQ hardwire tap of UK backbone cables (UK connected to 57 countries by fibre optic cables; US is connected to 63)
Upstream - BLARNEY, FAIRVIEW, OAKSTAR and STORMBREW NSA interception tools
Boundless Informant – metadata engine, data analysis and data visualisation tool
Blanket open-ended court orders for Verizon phone records
XKeyscore – the NSA’s Google, for collection of "almost anything done on the internet" (Snowden claimed he could wiretap anyone anywhere with it and indeed Angela Merkle’s and other world leaders’ phones were tapped; Angela Merkel's phone communications were monitored by the Special Collection Service, part of the STATEROOM program)
Mainway - NSA mass phone tapping
Bullrun (NSA) & EdgeHill (GCHQ) to crack encryption
MUSCULAR (mainly GCHQ run) secretly tapped Yahoo! & Google data centres
NSA black budget to pay commercial organisations for secret access to their networks
Spied on gaming sites, charities, commercial enterprises like Brazil’s biggest oil company, dozens of world leaders including Merkle
TURBINE – malware
Tailored Access Operations (TAO) – NSA’s cyberwar sigint operation
QUANTUM suite of attacking facilities e.g. compromising routers, interception, duplication & compromising of traffic
Tapping phones of world leaders including Germany’s Angela Merkel
GCHQ’s Smurf Suite for hacking mobile phones
NSA & GCHQ tapping fibre optic cables to Google and Yahoo data hubs
NSA allowed to surveillance connections three hops from identified targets
UK operating a surveillance system where “anything goes”
If you want to know how some of this data collection and processing works one of the single most useful Snowden documents is the “HIMR Data Mining Research Problem Book
And even that lot is a wholly incomplete OTTOMH list but then there has been a lot of activity in this arena since WWII.

No comments: