Some new details about UK government thinking regarding mass surveillance of domestic Internet users have emerged today, in a witness statement made by Charles Blandford Farr, Director General of the UK Office for Security and Counter-Terrorism.
The statement was made in response to a legal challenge made by a group of privacy rights organisations, including Privacy International, Liberty, Amnesty International and the American Civil Liberties Union. That challenge was made in the wake of revelations about the US Prism program, revealed by NSA whistleblower Edward Snowden, and the UK’s own Tempora data collection program.
In the witness statement, Farr reveals that UK spy agencies could legally justify the mass harvesting of UK Internet users’ Facebook missives, tweets, YouTube and Google searches because those type of communications can be defined as ‘external comms’ if the servers of the hosted content are located outside the UK.
External comms do not require a warrant to be intercepted under the UK’s Regulation of Investigatory Powers Act (RIPA), unlike internal comms which do require a warrant.
Which means that Brits using US-based Internet platforms should be aware that their communications could be subject to routine capture and scanning by domestic spy agencies — as a matter of course. Although Farr did not go so far as to confirm the existence of such a mass surveillance program, rather he was detailing how the UK government would be able to justify one, should such a program exist.
Farr also said that in the process of mass harvesting data for external comms’ surveillance purposes, UK intelligence agencies would likely end up capturing internal comms data as well — such as, for instance, an email sent from one person living in the UK to another — because interception of comms data would be taking place in a non-targeted way; specifically: “at the level of communications cables, rather than at the level of individual communications”.
(We’ve heard claims of how UK spy agencies tap transatlantic cables before, of course.)
Farr argues that hovering up large amounts of data and then applying selective filtering on that data mountain in an attempt to turn a haystack into a few interesting needles is “the only practical way” the UK government can get access to the type of digital comms it is interested in.
“While this approach may lead to the interception of some communications that are not external, section 8(4) [warrant] operations are conducted in a way that keeps this to the minimum necessary to achieve the objective of intercepting wanted external communications,” he adds.
So, in other words, a proportion of internal comms being harvested by UK spy agencies would be necessary — and legal — collateral damage to the greater good of snooping on potential terrorist chatter, according to GCHQ. Even though UK law requires public agencies to have a warrant to intercept internal comms.
So, basically, so long as you’re shoveling up masses and masses of digital data with the stated aim of searching for particular needles then, according to the UK government, that’s not a privacy infringement on all the individuals whose comms gets scooped up in the process. Instead, it’s just a process.
Privacy rights groups obviously take a different view.
In a statement, Amnesty said: “British citizens will be alarmed to see their government justifying industrial-scale intrusion into their communications. The public should demand an end to this wholesale violation of their right to privacy.”
While Liberty added: “The security services consider that they’re entitled to read, listen and analyse all our communications on Facebook, Google and other US-based platforms. If there was any remaining doubt that our snooping laws need a radical overhaul there can be no longer. The Agencies now operate in a legal and ethical vacuum; why the deafening silence from our elected representatives?”
In the statement Farr refuses to confirm or deny the factual basis of a Liberty assertion that a “high proportion of communications that are not external communications” are captured by a catch-all modus operandi. But does add that “it is not at all unusual for internal communications to be routed over international links”.
“Internal and external communications will be carried together over communications links and it is not at all unusual for internal communications to be routed over international links,” he writes. “While it is a straightforward matter to distinguish between external and internal communications in the case of fixed-line telephony, this is considerably more difficult when it comes to mobile telephony, and in particular Internet communications.”
Elsewhere in the document he cites a report by the Interception of Communications Commissioner which asserts that intelligence agency analysts who happen to take in some “irrelevant communication” in the course of their day-to-day mass surveillance activities, will, in any case, soon enough forget what they read.
So, in other words, the sophisticated privacy protection ‘procedure’ applied by UK spies to protect UK citizen’s rights is plain old human forgetfulness. You really couldn’t make that up.
“The suggestion that violations of the right to privacy are meaningless if the violator subsequently forgets about it not only offends the fundamental, inalienable nature of human rights, but patronises the British people, who will not accept such a meagre excuse for the loss of their civil liberties,” Privacy International added in its own statement.
Farr’s witness statement has been published in full on Privacy International’s website — and can be viewed here.