UK: Threats to Internet Privacy


London, 27 June 2013

Information on the Prism programme, leaked by whistleblower Edward Snowden, revealed that the US systematically collected data on both Americans and non-Americans regardless of whether they were suspected of any wrongdoing. The Prism scandal has unleashed diplomatic tensions between the EU and US; but the systematic surveillance of non-US citizens has been happening, legally, for several decades.

PEN International attended a packed Commons meeting organised by the Open Rights Group on Prism, the US surveillance programme, and the UK surveillance programme Tempora. The revelations have been of great concern to PEN International, who recently issued a statement on the matter.

Legality of US data collection on non-Americans

“Allies have always spied on allies,” said surveillance expert Caspar Bowden, a former chief privacy adviser to Microsoft. Bowden co-authored a European Parliament report in October 2012 , summarised in this article, which highlighted the huge amount of surveillance that the US can legally carry out on EU citizens. The report concerns the US Foreign Intelligence Surveillance Amendments Act (FISAA), which was passed after allegations in 2005 of “warrantless wiretapping” affecting US citizens, in violation of their constitutional and statutory rights. There followed a test case at the Foreign Intelligence Surveillance Court of Review, which held definitively that the Fourth Amendment (which guards against unreasonable searches and seizures) does not apply to non-US residents.

This opened the door for Congress to redefine “foreign intelligence information” in FISAA to cover any communication information “with respect to a foreign territory that relates to the conduct of the foreign affairs of the United States”. This incredibly wide definition essentially authorised mass surveillance of foreigners outside US territory, whose data was within range of US jurisdiction. This was the first law to legalise purely political surveillance, without the need to prove any criminality or national security concerns relating to the subject of the surveillance.

According to Bowden, the most significant change escaped any comment or public debate altogether. The scope of surveillance was extended beyond interception of communications, to include any data in public Cloud computing as well. This change occurred merely by incorporating “remote computing services” into the definition of an “electronic communication service provider”.

FISAA has strong implications for EU data sovereignty and the protection of its citizens’ rights. Within the EU, data is protected by the European Convention on Human Rights unless there is suspicion of criminality or national security concerns. However, EU data outside the EU – such as that stored on US-based Cloud systems – is not protected at all. It is lawful in the US to conduct surveillance on foreigners’ supposedly secure data accessible in US Clouds.

US mass surveillance over foreign data in Clouds has been lawful since 2008, yet the US has avoided admitting this to EU policymakers. US Ambassador Kennard’s gave a speech in December 2012, several years after FISAA was enacted, and stated that, “Electronic data stored in the United States—including the data of foreign nationals—receives protections from access by criminal investigators equal to or greater than the protections provided within the European Union.” He neglected to explain that FISAAA eliminated these restrictions in non-criminal cases, and redefined “foreign intelligence information” to include any foreign communications at all linked to the US.

Remarkably, it does not appear that the EU Commission, national Data Protection Authorities, or the European Parliament had any awareness of the significance of FISAA until mid-2011. Bowden commented that, when the Prism story broke, the immediate questions in the UK were whether GCHQ were making use of the data gathered by Prism. “But isn’t this besides the point? Isn’t the US surveillance of UK data as, if not more, worrying?”

What surveillance is the UK government carrying out and how?

Edward Snowden’s revelations also concerned Tempora , a programme which allowed the Government Communications Headquarters (GCHQ) access to vast amounts of data on internet users in the UK, and those communicating with the UK from other countries. Data interceptors have been placed on fibre-optic cables that carry internet data in and out of the UK. These include transatlantic cables that carry internet traffic between the US and Europe; this means that GCHQ is able to directly access large amounts of global internet data. For example, an email sent using Gmail within the EU would be likely to pass through American servers. The interception appears to have been done with the secret co-operation, voluntary or forced, of the companies that operate the cables.

It was first trialled in 2008 and by the summer of 2011 GCHQ had placed interceptors on over 200 fibre optic cables. By late 2011, the Tempora programme had been fully launched and shared with the American NSA.

Senior Conservative MP David Davis and Deputy Chair of the Labour Party Tom Watson MP, speaking at the meeting, emphasised that they were as shocked as the public by the Tempora programme. Davis commented that it is possible the UK and US intelligence agencies co-operated in order to bypass domestic restrictions on intelligence gathering – the NSA is not bound by UK restrictions on surveillance of UK citizens and GCHQ is not bound by US restrictions on surveillance of US citizens. GCHQ’s relationship with the American secret services has always rested on exchange; Davis hypothesised that either the Tempora data was used to demonstrate the UK’s value to the US, or perhaps GCHQ is getting something in exchange – which could be EU data collected by the US under Prism. (It would be against the European Convention on Human Rights for the UK to collect this data themselves.)

Simon McKay, solicitor advocate and expert in criminal and human rights law, explained that the Director General of GCHQ has a duty to ensure no data is obtained unnecessarily, or, that data obtained unintentionally is not disclosed unnecessarily. Where the information is handed over by another country, there is no restriction. Therefore data belonging to UK citizens could be given to the UK secret services by the US, and GCHQ would still be “acting in accordance with the law”, as the Prime Minister David Cameron stated. Using data from Prism is not illegal, because we have no law providing for that scenario.

Tempora itself may be theoretically “in accordance with the law”, due to Parliamentary failure to include proper checks. Under the Regulation of Investigatory Powers Act 2000 (RIPA), defined targets can be tapped if there is a warrant signed by the Home or Foreign Secretary. However, RIPA also allows the Foreign Secretary to issue a certificate for broad interception of categories of material relating to terrorism or organised crime, for example. It appears that GCHQ is using that clause to justify the broad interception of web traffic.

Around 300 GCHQ and 250 NSA operatives are tasked with sifting through the data collected by Tempora. They use specific searches, which can relate to trigger words, email addresses of interest, or targeted persons and phone numbers. GCHQ and the NSA have identified 40,000 and 30,000 triggers respectively.

McKay noted that there had been very little parliamentary scrutiny of the powers bestowed by RIPA. The wording of the Act gives it a far wider scope than it seems to have on initial inspection. Section 80 RIPA states that it is not unlawful to do anything not explicitly made unlawful by RIPA itself; the practical effect of this provision reduces RIPA’s oversight provisions to essentially a “voluntary code”.

The judicial oversight for the secret service’s powers is neither transparent nor, apparently, effective. The Investigatory Powers Tribunal manages oversight for MI5, MI6, and the GCHQ. It is exempt from the Freedom of Information Act, so it is not obliged to share information about its activities. Between 2001 and 2010, the IPT received 1,121 complaints, of which it has upheld only ten.

McKay said it was time for the government to reassess how much had to be kept secret. “Secrecy on the grounds of national security is a veil behind which the State can often hide a multitude of sins. Greater transparency brings with it greater responsibility.”

Future concerns

The main concerns for the future are the expansion of Cloud computing. “Business use will be far more significant than personal use,” said Bowden, as corporations will store huge amounts of data on Cloud systems, much of which is housed in the US. Cloud computing is taking off as it can be 50% cheaper than physical storage, but “the Cloud has no technical defence,” he emphasised.

The primary problem is that once data is transferred into a Cloud, sovereignty is surrendered. Encryption can only protect data travelling to or from the Cloud, whereas under FISA, NSA have ‘lawful’ access inside the Cloud. The EU Parliament report, mentioned above, stated that “It is hard to avoid the conclusion that the EU is not addressing properly an irrevocable loss of data sovereignty”.

Bowden said that there was a real danger now that Britain would be left in an exposed position, with the rest of Europe not willing to allow their data to pass through the UK. All of the speakers believed that greater EU co-operation is key to ensuring privacy in the age of Cloud storage. “Keep your Cloudbase close and local and keep it in your jurisdiction,” said Bowden.

One of the recommendations of Bowden’s report was for EU citizens to receive “prominent warnings” that their data could be vulnerable to U.S. political surveillance; for example, a warning box that states, “Your data will now be accessible to a foreign government who can access or store it, do you wish to continue?” He believes it has to be something this explicit as most internet users currently have little idea when their data is secure and when it is not.

Davis said that the revelations may give Parliament a chance to review the whole of RIPA. Both David Davis MP and Tom Watson MP believe that the chances of the Data Communications Bill (the ‘Snooper’s Charter’) being passed have been severely damaged. The Joint Committee tasked with scrutinising the Bill were apparently livid with the lack of disclosure they were given surrounding intelligence sources. The justifications made by Theresa May at the time, that the Bill was needed on the basis of terrorism and serious crime, do not now look well founded.

McKay concluded by criticising the Foreign Secretary, William Hague, who said that in relation to government surveillance, “If you’re doing nothing wrong, you have nothing to worry about.”

“I imagine the family and friends of Stephen Lawrence would strongly disagree,” said McKay.

Open Rights Group stated that they are happy to be contacted for information on digital privacy issues, at info@openrightsgroup.org.

For further information on PEN’s Policy and Advocacy work, please contact Sarah Clarke at sarah.clarke@pen-international.org.