The brilliant Hawktalk blog has demonstrated how the UK government has airbrushed the Data Protection Act out of ‘national security’ issues. This leaves GCHQ free to conduct mass surveillance of British citizens (and who cares about foreigners anyway?) without any effective legal oversight — merely a nod and a wink from the government of the day.
The conclusion comes from an analysis of a data protection exemption certificate obtained under freedom of information laws and dating back to 2005 — now probably out of date but equally probably indicative of what is happening today (borne out by similarities between an old TfL exemption certificate and a recent one issued by Theresa May).
There are eight data protection principles underpinning the Data Protection Act. Summarized by the Information Commissioner’s Office (the UK’s data protection regulator), these are that personal data should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
In the certificate analysed by Hawktalk, principles 1, 2, and 8 are exempted. Furthermore, principles 3 and 5 are effectively nullified by the exemption to principle 8 — the data can simply be transferred to NSA databases outside of the ICO’s jurisdiction.
Hawktalk’s argument is that these principles are automatically suspended for any statutory body pursuing its statutory purposes. The implication of a certificate specifically issued to completely exempt that body (GCHQ) from any of the principles is that it (GCHQ) wishes to pursue the processing of personal data beyond its (GCHQ’s) statutory purpose — it simply does not need an additional exemption if it sticks to what it was designed to do (i.e., national security). In other words, GCHQ wishes to collect and process personal data to an extent that is beyond both its legal remit and the strictures of national law.
GCHQ has become, quite literally, a law unto itself.
I see that Krebs is reporting a story titled “Bug Exposes IP Cameras, Baby Monitors”. He writes:
The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password.
It reminded me of a true, personal experience. Some years ago my young son had two action-man-like toys that could communicate with each other. One morning he turned them on – but instead of me talking to man #1 via man #2, we both heard a baby crying.
It was surprising, and not a little worrying, until we heard a second voice; the soothing tones of a young lady comforting the baby. We recognized that second voice as belonging to a neighbour with a new baby living on the other side of the street.
The neighbours were both police officers. The temptation to listen in to this covert communications surveillance was just a little offset by the distressing nature of a baby crying (parents will know what I mean), and perhaps a degree of moral rectitude. Still, I must admit I have often wondered what I might have learnt about local policing and local villains had I not crossed the road and told our neighbours about their new baby monitor.
President Obama has delivered his response to the independent review of NSA surveillance. It has been met with cautious approval. It should have been met with downright dismay.
At the heart of the issue is the NSA’s mass indiscriminate collection of telephone metadata. That should be prevented by the Fourth Amendment to the constitution, which prohibits ‘unreasonable search and seizure of personal property’. If Obama doesn’t put an end to this — and he hasn’t — then everything else he says or does is just, as the Americans say, lipstick on a pig.
Let’s look at the Fourth and the collection of metadata.
Is my metadata my ‘personal property’? Of course it is. I create it; therefore I own it. I have automatic copyright over it.
Is the NSA action ‘unreasonable’? Of course it is. A reasoned search and seizure would involve judicial oversight; that is, a warrant for each individual action.
Does it involve ‘seizure’? Well, obviously.
Does it involve ‘search’? Ah, well…
This is the crux. It’s indiscriminate collection, so they’re not searching. And just storing the data doesn’t involve searching it. And the NSA says it always gets a warrant or at least judicial approval for any search of the collected data.
So the NSA’s description of its action — given tacit approval by Obama’s failure to disapprove — is that the war against terror is reasonable, and therefore the seizure of what isn’t personal data (the organization argues that it belongs to the telcos) is reasonable, and that searches of the seized data are only done within reason.
It’s semantics that flies in the face of the intention of the Fourth Amendment. And it’s an interesting and big discussion.
I’m British, so my opinion is irrelevant to the Americans. And if I was American I would be very glad that I wasn’t British. Because at least the Americans are having this discussion. In Britain we are simply told that GCHQ obeys the law. That is more than questionable; but we are not being allowed to question it. And even when GCHQ is within the law, it is a pernicious law that isn’t understood by the people and needs to be repealed. But arrogant, disingenuous politicians, led by Cameron and Hague, simply dismiss or ignore all attempts at public disclosure.
GCHQ has access to NSA metadata on UK citizens. Hague says this is legal. If it were legal, why did he want to change the existing law that makes it legal and introduce the Communications Act to make it legal?
I’ve always had my suspicions that the New York Times is actually a branch office of the NSA; but now we know.
This is an NSA slide leaked by Edward Snowden. It shows how the NSA joins up the dots between known terrorists and possible terrorists.
But it’s the bit at the bottom left that gives the game away…
Even if you can’t get off the pot, at least you can decide which side of the fence you wish to pee. Bruce Schneier, precariously positioned as the CTO of one of the ISPs known to have helped GCHQ tap the world’s fibre cables, and simultaneously a director of the EFF, has decided on the direction of his stream of anger.
I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better.
(Actually, the UK would be far worse if GCHQ had half the money that the NSA commands.)
But what to do? Schneier offers three suggestions: expose, design and influence governance.
Expose means to subject bad things to the disinfectant of sunlight. We need whistleblowers, says Schneier.
I already have five stories from people like you, and I’ve just started collecting. I want 50. There’s safety in numbers, and this form of civil disobedience is the moral thing to do.
Design is to redesign the internet and its software and hardware components in a manner that is resistant to government subversion.
In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.
And governance requires influencing the future governance of the internet.
We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
But he accepts that it won’t be easy or overnight.
Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian?
What we need now is for all the internet and security luminaries of the world to come out and stand with Schneier, and to say to government in a voice that cannot be ignored: Enough. You don’t get security by spying on everyone. And you don’t have secret projects hidden from your own people. You are our servants. You are not our masters.
If ever the term ‘secret services’ frightened you, stop worrying. Or maybe start worrying. Either way, BUGGER by Adam Curtis will give you a good laugh. It lays bare the fallacy that the spies we employ through our taxes and who spend more time spying on us than anyone else, know what they’re doing. Or are competent enough to do what they think they are doing.
It’s a series of stories about MI5, “and the very strange people who worked there. They are often funny, sometimes rather sad – but always very odd.”
It all started more than 100 years ago when a Franco/Brit called Le Queux wrote a fiction about a German invasion. I’m guessing it didn’t sell too well, because he took it to the Daily Mail. Lord Northcliffe ran the story as “‘The Invasion of 1910’ and it described how the Germans landed in East Anglia and marched on London.”
Thousands of Daily Mail readers wrote in, saying they had seen suspicious people – obviously German spies. Instantly, well rapidly, Britain’s spy service of one man and two assistants morphed into MI5, “created in large part by the dreams of a socially excluded novelist, and the paranoid imaginings of the readers of the Daily Mail.”
In other words, MI5 was born on the back of a lie (probably standing on the backs of four elephants on a turtle – pure comic fantasy). But it has carried on lying ever since. One such lie is the apprehension of a huge German spy ring in 1914. Historian Nicholas Hiley says,
One of the most famous successes of the British Security Service was its great spy round-up of August 1914. The event is still celebrated by MI5, but a careful study of the recently-opened records show it to be a complete fabrication – MI5 created and perpetuated this remarkable lie.
The great spy round-up of August 1914 never took place – as it was a complete fabrication designed to protect MO5(G) from the interference of politicians or bureaucrats.
The claim made next day that all but one had been arrested was false, and its constant repetition by Kell and Holt-Wilson [director and deputy director] was a lie.
And MI5 hasn’t stopped lying. Perhaps the biggest continuing lie is that it catches spies. “The terrible truth,” writes Curtis, “truth that began to dawn in the 1980s was that MI5 – whose job it was to catch spies that threatened Britain – had never by its own devices caught a spy in its entire history.”
There was one spy called Geoffrey Prime. He actually worked for GCHQ and sold secrets to the Russians. And he was caught – not by MI5 or GCHQ, but by the Cheltenham police.
And so it goes on. WMD in Iraq anyone? The whole war on terror, perhaps? It’s certainly true that after the end of the Cold War with Russia, MI5 should have contracted. It didn’t though, because along came the war on terror that forced it, for the sake of national security, to expand and expand and expand.
So why do we need to worry about such ineptitude? It is simply this: MI5 and GCHQ are spying on all of us, and are pressuring the government to give them even greater surveillance powers. The phrase that it and the government always throw out is, “if you haven’t done anything wrong you have nothing to worry about.”
Really? With this lot? It seems to me, on the basis of Adam Curtis’ potted history, if you haven’t done anything wrong you’ve got everything to worry about. It’s only by being a genuine threat that you will avoid the myopic gaze of the British intelligence services.
BUGGER, by Adam Curtis. Go read. Go laugh. Go cry.
One of the first rules of security is that you never use a product that employs any form of proprietary cryptography. And if a security guy then says ‘be careful’, you’d best be very very careful — no matter how many magazines or newspapers say the product is the real deal.
That’s what happened with Cryptocat, which is a secure chat product that “could save your life and help overthrow your government,” according to Wired — it could “save lives, subvert governments and frustrate marketers.” Forbes said that it “establishes a secure, encrypted chat session that is not subject to commercial or government surveillance.” Sounds good.
But security folk weren’t so sure. “Since Cryptocat was first released,” warned Christopher Soghoian in July 2012, “security experts have criticized the web-based app, which is vulnerable to several attacks, some possible using automated tools.”
Patrick Ball expanded in August 2012:
CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”… Unfortunately, these tools are subject to a well-known attack… but the short version is if you use one of these applications, your security depends entirely on the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.
When It Comes to Human Rights, There Are No Online Security Shortcuts
Security professionals, then, were not surprised when last week Steve Thomas wrote about his DecryptoCat — which does what it says on the can: it cracks the keys that let you read the messages.
If you used group chat in Cryptocat from October 17th, 2011 to June 15th, 2013 assume your messages were compromised. Also if you or the person you are talking to has a version from that time span, then assume your messages are being compromised. Lastly I think everyone involved with Cryptocat are incompetent.
This is a big deal, because Cryptocat has been marketed towards dissidents operating in repressive regimes. As Soghoian wrote:
We also engage in risk compensation with security software. When we think our communications are secure, we are probably more likely to say things that we wouldn’t if our calls were going over a telephone line or via Facebook. However, if the security software people are using is in fact insecure, then the users of the software are put in danger.
Tech journalists: Stop hyping unproven security tools
Add to that the current revelations on the NSA/GCHQ mass surveillance, and our understanding from last week’s Snowden revelations that the NSA automatically and indefinitely retains encrypted messages, then we can say with pretty near certainty that if you have been using Cryptocat, at least the US and UK governments are aware of everything you said.
So Britain, disingenuous towards its people all the way, and Sweden (Obama’s other European bitch), have vetoed EU/US talks about espionage. All they can talk about is privacy.
Slowly and quietly, NSA and GCHQ spying on innocent people as part of dragnet data gathering and hoarding is being buried. What will emerge is that the two agencies simply gather targeted metadata — and that’s not so bad, is it?
The European super state, which makes the laws by which we live, is not apparently competent to discuss the surveillance by which we are monitored. This is nothing short of technical legal chicanery by the same European partnership that is colluding to deliver Assange to Obama.
Personally I am fed up with being lied to and misled by the politicians we all pay to protect us. Consider this: if government used the same risk-based security that everyone else uses, all anti-terror surveillance would be abandoned and the money diverted to road safety and better designed kitchens.
If we now listen to and believe this duplicity from the British and Swedish governments, then we are colluding in the establishment of an Orwellian police super state. We are being lied to and deceived.
A partial transcript of Glenn Greenwald’s talk at the Socialism Conference in Chicago last Friday is available on The Dissenter. It should be required reading for all aspiring journalists and part of any school of journalism’s syllabus. For anyone just emerging from a long coma, Greenwald is the Guardian journalist who published the Edward Snowden revelations about the NSA and GCHQ secret surveillance programmes.
For me there are two big takeaways: that the Snowden revelations have exposed as much corruption within the mainstream media as they have within the intelligence services; and there is much more to come from Snowden.
Let’s take the former first. Governments cannot deny the revelations, so they are left with two options: downplay the effect and discredit the sources. So we get politicians saying loss of privacy is a small price to pay for security; if you don’t do anything wrong you have nothing to fear; we operate strictly within the law and uphold the rule of law. All of these are false, misleading arguments; but are rarely challenged by the media.
We also get a steady stream of suggestions and innuendo that denigrate both Snowden and Greenwald. Snowden is a fame whore traitor who has endangered the life of NSA agents and put the public at greater risk of terrorist attack; and he was probably in the pay of the Chinese government anyway. None of this is supported by any serious argument or fact. Greenwald, of course, is as much a traitor and should be prosecuted for espionage for doing his job as a journalist – that very job that most other journalists shy away from.
For the latter — that there is more to come — Greenwald said of one coming soon, “It talks about how a brand new technology enables the National Security Agency to redirect into its repositories one billion cell phone calls every single day, one billion cell phone calls every single day.”
Verbatim from the transcript, Greenwald added:
What we are really talking about here is a globalized system that prevents any form of electronic communication from taking place without its being stored and monitored by the National Security Agency. It doesn’t mean they’re listening to every call. It means they’re storing every call and have the capability to listen to them at any time and it does mean that they’re collecting millions upon million upon millions of our phone and email records. It is a globalized system designed to destroy all privacy and what’s incredibly menacing about it is it is all taking place in the dark, with no accountability and virtually no safeguards and the purpose of our story and the purpose of Edward Snowden’s whistleblowing is not singularly or unilaterally to destroy those systems. The purpose is to say that if you the United States government and the governments around the world want to create a globalized surveillance system in which we no longer have any privacy in our individual lives or on the internet you at least ought to have us know about it, have you do it in the sunlight so that we can decide democratically whether that’s the kind of system and the kind of world which we want to live.
It is probably knowledge of that to come rather than that already revealed that has persuaded the US government to block access to the Guardian for US soldiers. After all, they have all sworn an oath to defend the US Constitution; and the real enemy of the Constitution is now a moot point.