From Alan Turing to the mass surveillance machine that is the internet
In November 1942, English code breaker, Alan Turing, arrived in the US on a four-month intelligence sharing visit. He was met by three immigration officers and very nearly denied entry and dispatched to Ellis Island immigration detention centre, due to anomalies in his documentation. Two of the three eventually agreed he should be admitted.
There followed an intense period of work with the
US Navy’s intelligence service in Washington DC and Bell Labs in New York. This
was partially hampered by bureaucratic issues with his security clearances, and
Turing’s unofficial instructions from British intelligence to reveal as little
as possible to their US counterparts. The British were distrustful of the US
government and vice versa.[i]
It became clear that the absence of trust and
cooperation was impairing the war effort and shortly after Turing’s visit, US
Intelligence officials Colonel Alfred McCormack, Lieutenant Colonel Telford
Taylor, and Lieutenant Colonel William Friedman travelled to Britain to work
with the head of Bletchley Park, Edward Travis. Friedman played a key role in
the cracking of the Japanese Purple code and Taylor went on to become the chief
US prosecutor at the Nuremberg trials. The parley between Travis and the US
delegation led to the 1943 BRUSA Agreement (Britain–United States of America
agreement) to share intelligence.
BRUSA in turn spawned the UKUSA Agreement in 1946 to share signals intelligence (sigint) and communications security (comsec, the
security of the processes, infrastructure and products of that sigint).
By 1956 Canada, Australia and New Zealand became parties to the agreement and it became known as the Five Eyes (FVEY). This FVEY
agreement (or now collection of agreements) forms the basis of intelligence
cooperation between these countries to this day.
[Norway, Denmark, and West Germany became secondary associates in the 1950s.]
At this point I’m going to have to fast forward
through decades and significant parts of the story.*
To the FVEY intelligence & security services in
the 1990s. The Cold war was supposedly over. They were suffering what they
considered to be underinvestment and lack of appreciation. The Internet &
WWW were going global and there were serious concerns in the agencies about
keeping up.
ECHELON, the satellite centred surveillance system,
developed by FVEY in the late 60s to early 70s, intended to collect
communications of Soviet leaders, military personnel and diplomats, had already
been turned to spying on FVEY allies like Germany and France; and the surveillance
of individuals and commerce, facilitating industrial espionage.
That’s not my conclusion btw, that comes from a 2001 European Parliament report on ECHELON at a time when the FVEY alliance was
refusing to confirm or deny ECHELON officially existed. The report said there
was no longer any doubt – it exists but all the EU could do is ask the FVEY,
nicely, to stop spying on us. Some members of the committee disavowed the
report as too soft, declaring that the deployment of ECHELON constituted a
blatant breach of European law and the EU Charter of Fundamental Rights. It did
conclude, however,
“However extensive the
resources and capabilities for the interception of communications may be, the
extremely high volume of traffic makes exhaustive, detailed monitoring of all
communications impossible in practice.”
So even those who were deeply critical of the surveillance activities of FVEY accepted that these organisations were being snowed under with electronic data.
9/11 to 7/7
When the September 11, 2001 attacks on the US
happened with the tragic loss of thousands of lives, everything changed. The US
& UK now had a new demon to replace the Soviet Union – terrorism. So began
the US orchestrated war on terror and huge resources were poured into
recruitment and mass surveillance technology. Much of it was wasted e.g.
Trailblazer and, if we take the word of NSA whistleblowers such as Thomas Drake
or William Binney, fraudulently so.
Military action in Afghanistan began within weeks
and followed in Iraq about 18 months later.[ii]
The action in Iraq & Afghanistan stretched GCHQ
operationally.
On 11/3/2004 the Madrid train bombings, the biggest terrorist attack in Spain in history, killed 191 and injured more than 2000 people.
The following year, the 7/7/2005 London attacks led to 56 deaths and nearly 800
were injured.
The Data retention directive, an intimate part of the mass surveillance story in Europe
In the wake of the 2005 London attacks there was a
reinforced urgency in government about doing something about terrorism. In the
UK the Blair government obsessively pursued mass data retention
and all manner of other privacy decimating policies, regulations and processes,
culminating in the EU Data Retention Directive 2006. Government ministers were
drilled to chant the poisonous & deceitful but powerful ‘nothing to hide,
nothing to fear’ sound bite, at every conceivable opportunity. One of the things, incidentally, UK
governments are going to miss after Brexit is the policy laundering they
pursued so successfully through the EU.
Mass communications data retention was later found unlawful
in multiple high courts around Europe - Romania (2009), Germany (2010),
Bulgaria (2010), the Czech Republic (2011) and Cyprus (2011) have all
declared the data retention directive unconstitutional and/or a
disproportionate unjustified interference with the fundamental right to
privacy, free speech and confidentiality of communications.
In 2006 GCHQ began their ‘SIGMod Initiative’ (signals
intelligence modernisation programme) on gathering, processing, analysing,
assessing, storing, distributing and sharing communications data. The
government proposed an Intercept Modernisation Programme (IMP) 2008 involving the spending of £12
Billion + passing a proposed new law, the Communications Data Bill. A small number of NGOs, notably the Open Rights Group, Liberty and Privacy International, managed to get the attention of the media and a few politicians, noting the proposals were a
terrible idea and labelling the whole thing a ‘Snoopers’ charter.’ And with the financial crash of 2007/’08
and an election imminent it was officially shelved but the government and security & intelligence services
implemented it in secret anyway.
Snowden 2013
Meanwhile stateside, an insider at the NSA, Edward
Snowden, decided that the activities of the FVEY had reached the point of
unchecked intrusion into the lives of ordinary people to a degree that was
unconscionable and indefensible. In June 2013 Snowden chose to smuggle documentary evidence of these activities to Hong Kong where he handed them over
to journalists Glenn Greenwald, Laura Poitras and Ewen MacAskill.[iii]
What was revealed was a spectacular array of FVEY
resources, technical capabilities and activities, with a very
limited degree of legal or political oversight, checks or balances. Mass
surveillance was not only being conducted by the commercial behemoths of
Silicon Valley and every economic actor with a Web presence but by governments
of the FVEY alliance. And these security services, like Silicon Valley, had
their processes and technologies[iv]
targeted at entire populations.
One of the surprises for informed security and
intelligence analysts that came out of the Snowden revelations was that GCHQ
and the NSA had got these large-scale systems working. The history of
government deployments of large-scale information age IT projects had not previously
been promising.
Circumventing & breaking law
According to the Snowden documents, one of the effects of
the FVEY agreement was that NSA shared intelligence with GCHQ to circumvent UK
law and vice versa. The documents quote US intelligence services staff
considering that their UK equivalents had no real legal restrictions to abide
by. The UK end of the operation likewise talked of their light regulatory
regime as being a ‘selling point’ in soliciting funds from the NSA, amounting
to $100 million between 2010 and 2013. So, if there were technical legal
restrictions on the NSA’s activities – e.g. not being permitted to target US
citizens, they could just get the British to do the surveillance for them. Officially this was denied.
Even where to request the information would be a technical
legal breach, it could be circumvented by the transatlantic sharing of
information, under FVEY, without the need for a formal request.
Snowden changed things in Europe, if not the UK. EU allies
were angry at the scale and reach of FVEY surveillance resources, targeted at
their populations, policymakers (including tapping Angela Merkel’s phone) and
economic actors. The European Court of Human Rights and the Court of Justice of
the European Union became sensitised to mass surveillance and issued a series
of decisions declaring the activities unlawful.
The European Court of Justice in the Digital Rights Ireland case in 2014 declared the data
retention directive so bad it should never have existed and abolished it.
DRIPA 2014 – the UK’s let’s pretend the data retention directive didn’t get abolished Act.
The UK government decided to ignore the ruling. UK chief police officers issued an edict to their police forces to continue retaining data. When the government couldn't ignore it any more because they were being sued and the press were about to start paying attention to it, they passed a new law, the Data Retention and Investigatory Powers Act 2014.
This contained 8 sections and was rushed through parliament in record time with no
scrutiny, by means of a very rarely used parliamentary process, just as MPs were about to go on their summer holidays. [The party briefings
instructing MPs what to say about this law in public were longer than the law and both the parties of the coalition government - the Tories and Lib Dems - and the Labour party were all in favour.]
UK Investigatory Powers Act 2016 [v]
Far from reining in surveillance and other activities
revealed by Snowden in 2013, and those previously known and found by high
courts all round Europe to be in breach of fundamental human rights, the UK passed
the Investigatory Powers Act 2016, to legalise them. Whereas the US made some
effort to be seen to be engaging in at least cosmetic reforms to that nation’s
surveillance laws, the UK government denied there was an issue, trotted out
tropes about national security and “nothing to hide, nothing to fear”, issued
gagging orders, ritually destroyed the Guardian’s computers and reinforced and
expanded the scope of intelligence gathering activities permitted. Providing this legal infrastructure, with
extraterritorial reach, to enable and facilitate the exploitation of modern
digital technologies and networks, nominally for security and intelligence
purposes and, with arguably limited checks and balances, has profound
implications for democracy, all around Europe.
It remains also, however, the long standing FVEY
intelligence sharing operation between the US, UK, Canada, Australia and New
Zealand, that now deploys the considerable resources made available by the
respective governments to exploit the infrastructure of the internet to engage
in mass surveillance around the globe. This is not about FVEY being old and
dated. The UN Declaration of Human Rights and the European Convention on Human
Rights both stem from the same period and stand strong; as do multiple other
historic documents like the US Constitution and Bill of Rights. However, the FVEY sigint agreement, as an arrangement emerging from the devastation of WWII and the ‘Second
Red Scare’ and designed primarily to facilitate the collection of intelligence
on the Soviet Union, China and their allies, in the modern context now reaches
deeply into the lives and homes of ordinary people.
Liberty and others have taken the battle over the
Investigatory Powers Act 2016 bulk surveillance provisions back to the courts. In April 2018 the UK High Court ruled that the data retention elements of the Act were unlawful.[vi]
On 11 June 2019 it emerged that, even with the extra permissions of the Act,
MI5 had been acting so far outside the scope of the legislation, in relation to
their data management practices, that documents compelled to be revealed to the
court showed that the independent ‘Investigatory Powers Commissioner’ (IPC) declared
the agency’s bulk surveillance data management practices “undoubtedly unlawful”.[vii] [The Investigatory Powers Commissioner was a new office, set up under the Investigatory Powers Act, charged with dual oversight, along with the relevant Secretary of State, of the activities subject to the Act.]
MI5 had effectively been caught out unlawfully
retaining innocent people’s data for years, failing to give the IPCO (IPC's Office) accurate
information about repeated breaches of its duty to delete bulk surveillance
data, and mishandling sensitive legally privileged material. Even if this can
be chalked up to normal bureaucratic failings on the part of a government
service, this must be concerning.
The reality of FVEY is significantly more complex than I
have the time to cover here. It has not, in practice, facilitated blanket,
open, totally frictionless sharing of intelligence between the US, UK and other
FVEY partners. Just because they agreed to share intelligence and not spy on
each other, did not mean they stuck to that agreement or collection of
agreements. Intelligence and security services, even within national
boundaries, tend to be complex Faustian ecologies of competing institutions,
individuals, agendas, bureaucracy and politics, wrapped up in an evolutionary internecine
game of the survival of the fittest, surfing on the cause of protecting
national security.
We should take infinitely more care in building and
continuing to expand the legal, technical & organisational infrastructure
of mass surveillance. Such complex systems fail naturally - systems fail, people
make mistakes, staff under pressure circumvent the systems to get the job done
and the temptation to hide those failures is organisationally irresistible. It
will always be so & that's before you start factoring in malign actors
because complex systems can also be made to fail by internal and external
attackers with nefarious intent. Create these systems and the failures will
come. We know this because they have failed and there is not a computer scientist or security specialist anywhere in the
world who can secure them and make them water-tightly safe in practice.
The internet has become a huge surveillance machine.
It is possible, as the Net is an entirely artificially designed and constructed entity, to wrestle/retrofit it into something useful that is not a mass surveillance machine. However, it will be difficult to do, in practice, as all the most powerful governmental and commercial economic actors, as well as us the masses of the bread & circuses distracted unwashed users, caught in the headlights of seductive surveillance, are addicted to that architecture of surveillance.
The critical question is how. How do we cultivate,
energise, harness, direct and sustain sufficiently powerful socio-economic,
political, commercial, cultural, environmental, social and technical forces to
transform the internet into something with a human rights respecting
architecture, at an individual, community, district, national, transnational
and global level?
As Carl Sagan said, science and technology heap a
new and awesome responsibility on the shoulders of scientists, technologists,
policymakers and Jo Public, to pay more attention to the hazards and long-term
consequences of advances, from individual, communities, regional, global &
multi-generational perspectives, avoiding appeals to simplistic claptrap and
the nationalism, chauvinism and hate mongering so prevalent in modern politics
& media.
[i] The British worried about the
rivalry between US navy and army potentially leading to leaks. The US were
equally distrustful of the British and frustrated, given the 500+ US ships sunk
by U-boats in the previous year, that they were so unwilling to share
information.
[ii] {Katharine Gun GCHQ whistleblower case – UN second
resolution, NSA memo 31 Jan 2003 requiring UK to spy on world leaders in the
hope of blackmailing them into supporting war. This came about a week after
GCHQ staff, deeply concerned about the legitimacy of the impending conflict,
had been officially assured they would not be required to engage in illegal
activity. Gun, a 28-year-old analyst, admitted passing the NSA memo to the
Observer newspaper which printed it in full on its front page in early March,
having spent a month confirming its provenance. AG equivocal legal advice on
war led to Gun’s prosecution being dropped in February 2004}
[iii] Unlike Wikileaks who
tended to put everything openly on the internet, Snowden decided the documents
should be curated by respected news organisations, like The Guardian and The
Washington Post newspapers, with revelations to be made public selected purely
based on the public interest and the avoidance of exposure of intelligence
services personnel to risk.
[iv] [of what the UK end of
the business now calls “bulk” interception, acquisition, equipment interference
and personal dataset warrants]
[v] My evidence to Joint Committee on Investigatory Powers
Bill https://b2fxxx.blogspot.com/2016/01/evidence-to-joint-committee-on.html
‘S253 Technical capability notices
(1) The
Secretary of State may give a relevant operator a technical capability notice…’
Operators have multiple duties to assist with
implementation of IPAct measures.
[vi] [Since ministers were empowered by the Act
to issue data retention orders without independent review and authorisation –
and for reasons which have nothing to do with investigating serious crime – it
was a breach of fundamental rights.]
[vii] [He also said that he
has effectively put them in special measures after discovering they were
misleading the Investigatory Powers Commissioner’s Office (IPCO).
“Without seeking to be emotive, I consider that MI5’s
use of warranted data... is currently, in effect, in ‘special measures’ and the
historical lack of compliance... is of such gravity that IPCO will need to be
satisfied to a greater degree than usual that it is ‘fit for purpose’”.]
*Including the cold war & evolution of sigint processes and technology, establishment of Menwith Hill and other sigint infrastructure, the Korean war, the development of the ARPANET, ECHELON, the emergence of the WWII sigint story, the Pentagon papers, Watergate, Nixon, the FISA court, the ABC trials, the accidental but happy coincidence of technology and regulation that enabled the early internet to be built on the back of telephone networks, with an end to end architecture – the ‘intelligence’ was not built into the network but rather the devices that connected to it – enabling anyone to innovate, Reagan’s Executive Order 12333, Duncan Campbell’s 1988 revelation of ECHELON (it was an extension of the UKUSA Agreement; he also detailed how Echelon worked), Tim Berners-Lee’s creation of the WWW protocols, the WWW & Net going mainstream, the cryptowars, the internet’s midwifery of today’s big 5 tech giants, the West’s military adventures, RIPA, 9/11, the US Patriot Act, the ‘war on terror’, Total Information Awareness, Trailblazer, NSA whistleblowers Bill Binney (ThinThread) & Thomas Drake, National Security Letters, Blair government architects of the data retention directive 2006 and national identity cards and a blizzard of serious crime and anti-terrorism regulations expanding powers of law enforcement, intelligence & security services, US FISA Amendment Act 2008 – guilty of being a foreigner – Caspar Bowden & Microsoft, NSA violation of FISA court orders, Bush & Blair establishment and Obama and Con-Dem coalition consolidation and expansion of architecture and resources of mass surveillance conducted by FVEY.
If you want to know how some of this data collection and processing works, one of the single most useful Snowden documents is the “HIMR Data Mining Research Problem Book”.
And even that lot is a wholly incomplete OTTOMH list but then there has been a lot of activity in this arena since WWII.
Some of Snowden's revelations
PRISM – targeted intelligence, this had some justification and defensible due process overseen by the FISA Court
Tempora – GCHQ hardwire tap of UK backbone cables (UK connected to 57 countries by fibre optic cables; US is connected to 63)
Upstream - BLARNEY, FAIRVIEW, OAKSTAR and STORMBREW NSA interception tools
Boundless Informant – metadata engine, data analysis and data visualisation tool
Blanket open-ended court orders for Verizon phone records
XKeyscore – the NSA’s Google, for collection of "almost anything done on the internet" (Snowden claimed he could wiretap anyone anywhere with it and indeed Angela Merkel’s and other world leaders’ phones were tapped; Angela Merkel's phone communications were monitored by the Special Collection Service, part of the STATEROOM program)
OpticNerve
Mainway - NSA mass phone tapping
Bullrun (NSA) & EdgeHill (GCHQ) to crack encryption
MUSCULAR (mainly GCHQ run) secretly tapped Yahoo! & Google data centres
NSA black budget to pay commercial organisations for secret access to their networks
Spied on gaming sites, charities, commercial enterprises like Brazil’s biggest oil company, dozens of world leaders including Merkel
TURBINE – malware
Tailored Access Operations (TAO) – NSA’s cyberwar sigint operation
QUANTUM suite of attacking facilities e.g. compromising routers, interception, duplication & compromising of traffic
Tapping phones of world leaders including Germany’s Angela Merkel
GCHQ’s Smurf Suite for hacking mobile phones
NSA & GCHQ tapping fibre optic cables to Google and Yahoo data hubs
NSA allowed to surveil connections three hops from identified targets
UK operating a surveillance system where “anything goes”