We shouldn’t be surprised by the tactics a desperate political class use to retain control, courtesy of advances in technology and the creation of discursive threats (traitors, communists, drug cartels, terrorists, foreigners, workshy). Tantalising insights have always surfaced intermittently around surveillance in the US and the UK. Yet people were shocked as they watched the Snowden leaks unravel in the Guardian. The commentariat was waiting for a huge story to try to put surveillance culture in context, and they received it. After the first set of disclosures washed over us (PRISM and Tempora), further revelations sprung to life in the form of the BULLRUN project.
These revelations illustrate more than violations of the human rights framework ‘democratic’ states dispense to their populations. It’s about identity and principle. We are increasingly producing and bleeding our subjectivities through communication networks in a constant feedback loop. The way we live now is through a networked society where data is omnipotent and necessary, but we should never forget the words of information theorist Claude Shannon: “The enemy knows the system”.
In May 2013, Edward Snowden, a former employee of NSA contractor Booz Allen Hamilton, uncovered a series of programs – notably the telephone interception of metadata and details of the NSA’s MAINWAY call database, as well as a variety of internet surveillance initiatives. The Guardian obtained and broke the story describing a Foreign Intelligence Surveillance Court (FISC) order requiring Verizon to hand over all call data. Officials defended these actions by claiming that only metadata was sought and not the audio content, but suspicions over interception and wiretapping grew regardless – proof for which was already exposed in 2006 by former AT&T technician Mark Klein.
The legality of all this is difficult to judge because it’s execution is, by its nature, conducted in secrecy. Greater transparency was called for by Senators and many campaigning groups, but given the scope of legal provisions for data collection by government (routinely justified by invoking the usual tropes of ‘national security’ and ‘public safety’) transparency is entirely at odds with intelligence services’ raison d’être.
Under s.215 of the Patriot Act 2001, used by the US government in the Verizon case, if a request for business records is approved by the FISC, companies are obliged to hand them over. This provision permits government a very wide interpretation and, as the FISC has stated, there is very little oversight by the court. In light of PRISM, in which the NSA search email and internet traffic data supplied by ISPs for foreign intelligence purposes, the government cited s.702 of the FISA in support of its program. With the introduction of the FISA Amendments Act in 2008, large scale surveillance programs were fully authorised, but on the condition that they would ‘only’ make targets of persons overseas. The problem again, however, is that the provisions are open to broad interpretation without any meaningful supervision.
The UK authorities, although slightly more adept at keeping their practices quiet, are also embroiled in surveillance tactics. A 2008 report by Sir Paul Kennedy, the former Interception of Communications Commissioner, revealed that councils, police and intelligence services are tapping and intercepting the phone calls, emails and letters of hundreds of thousands of people every year. Despite this revelation, the mainstream media was reticent.
The Tempora program allows the GCHQ to collect personal data and share it with the NSA. Why the main focus has been on the NSA is questionable because Snowden himself referred to GCHQ as being far worse, with fewer safeguards in place to restrict its activities. The general attitude of the GCHQ also compounded people’s ire. Masters of the internet? Indeed. The UK government was keen to gloss over the consternation that such dragnet surveillance elicited. David Cameron told us that we had nothing to fear: ‘We have intelligence agencies that do a fantastic job to keep us safe and operate within the law’, whilst William Hague disdainfully rebuffed the reasonable claim that the GCHQ uses its relationship with the NSA to get around British law as “baseless”.
The Regulation of Investigatory Powers Act 2000 (RIPA) regulates the activities of the intelligence services and provides for communication interception and public authority powers for investigation and surveillance. Under the RIPA, UK government agencies can intercept, record and monitor communications with authorisation (usually from a senior member of the authority in question or via a warrant from the Home Secretary where intrusive surveillance, such as bugging and intercepts, are requested for specific targets).
The law also permits the GCHQ to phish for broad categories of information on the condition that one end of the communication is outside the UK. The problem though, which emphasises just how out of touch (or cunning) the authorities are, is that massive amounts of UK traffic leaves the UK and comes back in again, meaning that large swathes of UK traffic is being monitored (a similar problem under s.702 of the FISA). By signing certificates under s.8 of the RIPA, the Foreign Secretary effectively overcomes the restriction that only foreign communications can be intercepted, arguing that there is no way of distinguishing which messages taken from the cables are domestic.
Naturally, the parliamentary Intelligence and Security Committee, an MP ‘oversight committee’ created by the Intelligence Services Act 1994, found that the GCHQ has not circumvented UK law by using the NSA’s Prism program, but relying on the state to investigate it’s own strategies is always questionable. And, assuming government agencies do not bypass the formal British legal process, major issues undoubtedly arise under the Data Protection Act 1998 (DPA) and the Human Rights Act 1998.
Before the leaks, the First Tier Tribunal in Southampton City Council v The Information Commissioner, decided that the council’s decision to equip its licensed taxis with digital cameras was in breach of the DPA and disproportionate under Article 8 of the ECHR. An additional concern stemmed from ‘function creep’ in that the use of the information for other purposes (perhaps improper) by, for example, the police, could not be ruled out. This is an important decision for surveillance activities carried out by public bodies, but as we have witnessed, the theory and practice rarely correspond, and the surveillance practices of the GCHQ are very much a law unto themselves.
The BULLRUN project, a subsequent revelation in September 2013, revealed three important things: secret methods by the NSA over controlling and setting international encryption standards; the use of ‘supercomputers’ to break encryption; and collaboration between government agencies, software companies and ISPs to insert backdoors.
The collaboration point is potentially most significant because there is, so far, little evidence that the NSA (or GCHQ) has in fact successfully broken cryptographic protocols designed to provide security over the internet at the algorithm level. There is, however, documentation to show that the NSA can influence developers for a backdoor: Microsoft’s cooperation with the NSA to circumvent encryption on the Outlook.com services. It is interesting to note that Microsoft and Google are now suing the US government because they feel that it has illegally hindered the release of more details about communications surveillance activities (they wish to publish data relating to FISA orders) which inevitably puts the companies in a bad light.
The GCHQ is particularly invested in decryption as its Tempora project was likely to fail as more and more internet companies encrypted their traffic in line with pressure by the public for them to guarantee their privacy. But inserting backdoors is fundamentally opposed to good security, so it is unlikely that public confidence in the main service providers (Google, Facebook, Yahoo! and Hotmail) will ever be the same again.
Something which is indubitable is that American and UK citizens can expect agencies to continue their practices of data mining and profiling, despite the new Bills currently inundating congress, and calls to overhaul surveillance laws back in the UK. After all, the operations of the intelligence services are so covert, the legal gateways so broad, and sentiment towards these concepts so misguided, that they will continue to offer governments the ammunition they need to continue doing what they like.
The assault on our digital communications is not new. The Snowden leaks simply gave mainstream media the story and the face it needed to construct its Hollywoodesque novella. But, we must be careful not to allow Snowden to become the main character. It is the substance and reach of surveillance, the vast collection of data which relates to individual identities, and the collaboration of the intelligence agencies with private enterprise which matter most. Our surveillance and big data culture, fuelled by state paranoia, has theoretically made anonymity difficult, and although we cannot directly see the effect such initiatives have on our everyday lives, we should be conscious that privacy is a distorted and elusive concept.
By Sarah Osbourne | @CamCateron