Privacy Groups Decry UK Surveillance

British Government Claims Right to Spy On Social Media
Charles Blandford Farr of the U.K. Office for Security and Counter Terrorism

Privacy experts are continuing their press for an overhaul of the U.K. government's online surveillance programs, as part of a case triggered by Edward Snowden's leaks. In particular, they've criticized the government's previously secret legal justification - released this week - for spying en masse on British residents' online communications, including Google searches, Facebook posts and Webmail messages.

Legally, the British government says it's authorized to intercept any "external" online communications - Google searches, Webmail access, YouTube viewing or Facebook posts - that involve communicating with a server that's physically located outside of the United Kingdom.

Accordingly, any use of the Internet - "such as a Google search, a search of YouTube for a video, a 'tweet' on Twitter, or the posting of a message on Facebook" - can be monitored if at any point packets related to that request are handled by a server located outside of the United Kingdom, said Charles Blandford Farr, director general of the U.K. Office for Security and Counter Terrorism, in a new 48-page witness statement.

Farr is set to represent the U.K.'s intelligence services - comprising the Security Service, or MI5; Secret Intelligence Service, MI6; and Government Communications Headquarters, GCHQ - next month in a hearing before the country's Investigatory Powers Tribunal. The tribunal is an independent judicial body appointed by the Queen and empowered to investigate complaints pertaining to government surveillance, as well as the only organization in the United Kingdom legally able to investigate the conduct of the country's intelligence services.

The tribunal hearing, scheduled for July 14 to 18, was sparked when a coalition of privacy and civil rights groups - including Privacy International, Amnesty International, the American Civil Liberties Union and the Pakistani organization Bytes for All - filed a lawsuit last year challenging the legality of the U.K. government's surveillance programs. The group also called on the government to stop participating in the U.S. National Security Agency's Prism metadata collection program.

Government Claims Broad Powers

Privacy rights groups have seized on Farr's statement, which marks the first time that a U.K. government official has commented on any legal justifications pertaining to potential U.K. mass surveillance programs involving British residents.

"The distinction between 'internal' and 'external' communications is crucial," says privacy rights group Privacy International. "Under the Regulation of Investigatory Powers Act, which regulates the surveillance powers of public bodies, 'internal' communications may only be intercepted under a warrant which relates to a specific individual or address. These warrants should only be granted where there is some suspicion of unlawful activity. However, an individual's 'external communications' may be intercepted indiscriminately, even where there are no grounds to suspect any wrongdoing."

The government's reading of RIPA gives it the legal authority to intercept virtually any online communication, although it's not clear how often this authority might be used. For example, Farr said that "a computer user in the British Islands searching for a video posted on YouTube will in effect send a communication to YouTube's website to ask it to give him the results of a particular search - which means that he communicates with a YouTube Web server; and the Web server, in turn, communicates back to him the results of the search that he has made. Whether or not those communications are 'external' will depend upon where the Web server used by YouTube is located."

Privacy Groups Cry Foul

Many legal and privacy experts have criticized the government's reasoning. James Welch, legal director of U.K. civil rights group Liberty, accuses the security services of operating "in a legal and ethical vacuum," and calls on Parliament to give the country's "snooping laws ... a radical overhaul."

Meanwhile, Ian Brown, a senior research fellow at the Oxford Internet Institute, said in a witness statement that the government's interpretation of RIPA was "an artificial construction" that "is not ... supported by the Interception of Communications Code of Practice, case law of the Court of Justice of the European Union, or ministerial statements in the House of Lords during the passage of the Act."

Snowden's Leaks Triggered Case

The privacy groups launched their legal challenge following former NSA contractor Edward Snowden's leaks, which - beginning last year - offered a never-before-seen look at the scale of automated surveillance programs being undertaken by the United States and its "Five Eyes" alliance, which also includes Australia, Canada, New Zealand and the United Kingdom.

Snowden's leaks also detailed a close working relationship between British, German, French, Spanish and Swedish intelligence agencies, which included British officials advising other countries about how to circumvent laws designed to restrict their domestic intelligence agencies' ability to conduct mass surveillance of cross-border communications, the Guardian reported.

The information leaked by Snowden also revealed the existence of a program, code-named Tempora, which taps into 200 transatlantic fiber-optic cables carrying data from telephone exchanges and Internet servers from North America to Britain, before the data flows to western Europe.

According to the Guardian, which first published related details, Tempora was first tested in 2008 and then rolled out in 2011, backed by warrants that compelled commercial companies - a.k.a. "intercept partners" - to participate in the British program, as well as keep their participation secret. Tempora has access to an estimated 21 petabytes of data per day.

The program, according to Snowden, was designed to collect massive quantities of private data. "Tempora is the signals intelligence community's first 'full-take' Internet buffer that doesn't care about content type and pays only marginal attention to the Human Rights Act," he told German publication Der Spiegel in a July 2013 interview. "It snarfs everything, in a rolling buffer to allow retroactive investigation without missing a single bit. Right now the buffer can hold three days of traffic, but that's being improved."

Farr Defends Authority

Farr, who's in charge of the British government body that coordinates the country's counterterrorism strategy - and reportedly is on a shortlist of people being considered to helm GCHQ - in his witness statement didn't confirm or deny the existence of the "alleged Tempora interception operation." But he said any program that automatically intercepted large amounts of information would be legal - and not amount to an unlawful intrusion under EU human rights law into people's privacy - provided it was automated, and only reviewed based on suspicion of unlawful activity. "Intrusion ... into the privacy of innocent persons would require sentient examination of individuals' communications," he argued.

But privacy rights groups say Farr's statement shows that the U.K. government believes it has a legal right to spy not just on foreigners, but any U.K. resident's online communications. "Such an action by U.K. intelligence agencies is [a] sheer violation of people's privacy, security, freedom of expression, and assembly," says Shahzad Ahmad, country director for Pakistan privacy rights group Bytes for All. "Such attempts by established democracies are setting extremely worrisome precedents for repressive regimes all over the world."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
