Thursday, July 2, 2015


If you're trying to get to grips with what Snowden revealed, what intelligence agencies have confirmed about their surveillance activities, and whether intelligence agencies are sufficiently accountable, this post might help.

What data are collected?
Snowden’s leaks showed that through PRISM, internet and telecommunications companies are secretly compelled by intelligence agencies in the USA, UK and other liberal democracies, to collect and hand over citizens’ digital communications. This is complemented by ‘Upstream’ collection where intelligence agencies secretly tap into underwater fibre-optic cable networks that carry telephone and internet data into and out of the country.
The published Snowden leaks claim that the data that are bulk collected includes the content of communications (eg email and instant messages, the search term in a Google search, full web browsing histories, and content-derived information such as the accent of the person speaking); file transfers; and what is called ‘communications data’ (in the UK) and ‘metadata’ (in the USA) (eg who the internet and telephony communications is from and to whom; when it was sent and duration of the contact; from where it was sent, and to where; the record of web domains visited; and mobile phone location data).
In terms of communication content, the UK’s Intelligence and Security Committee has confirmed that UK intelligence agencies can look at such data, but only with a warrant – with different types of warrants if the communication is between two people in the UK (which requires RIPA Section 8(1), that names the individual, organization, association, or combination of persons surveilled), or if the communication is bulk collected, which can be done if at least one of these people is based outside the UK (RIPA Section 8(4)). In the USA, The Privacy and Civil Liberties Oversight Board (2014) confirmed that its intelligence agencies can look at such communications content only if at least one end of the communications is based outside the USA. If the communications have one US end, they must be targeted (ie comprising individuals, corporations, associations and entities) rather than bulk collected, and is regulated by FISA Section 702 (The Privacy and Civil Liberties Oversight Board 2014). If the communications have no US end, they are governed under Executive Order 12333 with oversight from Attorney-General-approved procedures, inspectors general, oversight boards, general counsels, compliance and privacy officers (Simcox 2015).
In terms of internet and telephony communications data, the UK’s ISC has confirmed that this is collected and acknowledges concerns that such data is highly intrusive given that the volume of this data enables a rich picture to be built about an individual. In terms of metadata, in the USA between October 2001 – 2011, the NSA could acquire, retain and store content and metadata from internet and telephony communications if there was probable cause to believe that at least one end was abroad or the communicant was preparing or engaged in acts of international terrorism. From 2011- 1 June 2015, only telephony meta-data was collected (date and time of the call, duration, calling number, number that has been dialed – but not content of call, subscriber information or geographical location of caller). In May 2015, a US appeals court ruled this collection as illegal because it exceeded the scope of what Congress authorised.

How long are the data stored?
In the USA, PRISM data is stored for five years and Upstream data stored for two years (Simcox 2015). Reportedly, in the UK, the content of communications is stored for three days and metadata for up to thirty days. (The ISC (2015) has redacted how long GCHQ stores data, so this has not been independently confirmed.)  Such data storage allows the discovery of new, unknown threats, as past information may help connect needed ‘identifiers’ (eg telephone numbers or email addresses) and reveal new surveillance targets.

How are the data analysed?
Intelligence agencies state that they require a complete data set to uncover unknown threats, and that this leads to a ‘collect everything’ mentality  (Simcox 2015, ISC 2015). The US and UK intelligence agencies argue that their bulk data collection does not constitute indiscriminate mass surveillance because they use selectors (eg telephone numbers of email addresses) to collect the material (ISC 2015, Privacy and Civil Liberties Oversight Board 2014). For instance, the ISC states that using filters and selection criteria means that only a ‘small proportion’ (ISC 2015: 28) of bearers are chosen from which a ‘certain amount’ (ISC 2015: 28) of material is bulk collected by using ‘specific selectors, related to individual targets’ (ISC 2015: 28), and then further ‘targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine: therefore only a tiny fraction of those collected are ever seen by human eyes’ (ISC 2015: 2). This targeting of an individual’s communications requires authorization naming that individual, signed by a Secretary of State. 
The UK intelligence agencies say little on the specifics of their analytics of such data, other than to say that ‘automated and bespoke searches’ and ‘complex searches combining a number of criteria’ are conducted on these communications to reduce the odds of a ‘false positive’ (ISC 2015: 4); and that UK intelligence agencies construct Bulk Personal Datasets, namely large databases ranging from hundreds to millions of records ‘containing personal information about a wide range of people’ (ISC 2015: 55), to identify targets, establish links between people and verify information. However, the Snowden leaks detail the programs that intelligence agencies possess to help them select and analyse this collected content. For instance, PRINTAURA automatically organises data collected by PRISM; FASCIA allows the NSA to track the movements of mobile phones by collecting location data as people move around, with almost 5 billion mobile phone location records logged per day: this data is garnered as mobile phones broadcast their locations even when not being used to place calls or send text messages; CO-TRAVELER looks for unknown associates of known intelligence targets by tracking people whose movements intersect; PREFER analyses text messages to extract information from missed call alerts and electronic business cards (to work out someone’s social network) and roaming charges (to work out border crossings); XKeyscore is an NSA program allowing analysts to search databases covering nearly everything a typical user does on the internet, as well as engaging in real-time interception of an individual's internet activity; and DEEP DIVE XKEYSCORE promotes to TEMPORA data ingested into XKEYSCORE with “potential intelligence value”. (For a complete list of programs revealed by Snowden, see The Snowden Digital Surveillance Archive.)

Are intelligence agencies’ surveillance practices sufficiently accountable?
Since Snowden’s revelations, demands for greater accountability of intelligence agencies’ surveillance activities have emanated from citizens, the press, NGOs, legislatures and intelligence oversight boards. For instance, a study of 2000 citizens from nine European countries regarding security-oriented surveillance technologies (smart Closed Circuit Television, smartphone location tracking, and deep packet inspection - which can access communication content) shows similar public concerns about state surveillance. Specifically, it finds that this public does not accept blanket mass surveillance; that it tends to reject security-oriented surveillance technologies where they are perceived to negatively impact non-conformist behaviour; and that it demands enforced and increased accountability, liability and transparency of private and state surveillant entities (Pavone et al. 2015). Meanwhile, the European Committee on Civil Liberties, Justice and Home Affairs (2014: Finding 14) warns that ‘infrastructure for the mass collection and processing of data could be misused in cases of change of political regime’.
While seeking to preserve bulk data collection as vital to security, more specific accountability demands come from intelligence oversight bodies. The Privacy and Civil Liberties Oversight Board (2014) concluded that NSA collection of telephone metadata was of minimal value, illegal, and should be ended). Accordingly, in the USA, on 2 June 2015, the USA Freedom Act was passed, restricting the bulk collection of telephone metadata of American citizens. The UK’s Intelligence and Security Committee recommended that UK intelligence agencies should have an interception warrant in place before seeking communications from a foreign country, more clarity given to the exchange of raw intercept material with international partners; and a consideration for the statutory protection of sensitive professions such as journalists and lawyers (ISC 2015). The Anderson Report (2015: ) is more critical, calling existing UK laws that regulate how public authorities may collect and analyse people’s communications, or records of their communications as incomprehensible and confusing, and concluding: ‘This state of affairs is undemocratic, unnecessary and – in the long run – intolerable.’ Anderson calls for a single, unified Bill to cover surveillance powers in the UK regardless of which organisation is using them; and recommends that specific interception warrants, combined warrants, bulk interception warrants and bulk communications data warrants should be signed off by a Judicial Commissioner rather than the current system of being signed off by a Secretary of State. On transparency, Anderson (2015: 8) concludes:

Whilst the operation of covert powers is and must remain secret, public authorities, ISIC [Independent Surveillance and Intelligence Commission – a new body proposed by Anderson] and the IPT [Investigatory Powers Tribunal] should all be as open as possible in their work. Intrusive capabilities should be avowed. Public authorities should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad way in which those powers are used and why additional capabilities may be required.

Anderson, D. (2015). A Question of Trust: Report of the Investigatory Powers Review. June.
 Presented to the Prime Minister pursuant to section 7 of the Data Retention and Investigatory Powers Act 2014. OGL.
Clapper, J. 2013. Welcome to IC on the Record. Office of the Director of National Intelligence.
European Committee on Civil Liberties, Justice and Home Affairs. 2014. On the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs. 2013/2188(INI).
Greenwald, G. and MacAskill, E. (2013, June 6). NSA Prism Program Taps in to User Data of Apple, Google and Others. The Guardian.
ISC. 2015. Privacy and Security: A Modern and Transparent Legal Framework. House of Commons [12 March]. Intelligence and Security Committee.
Laney, D. 2001. 3-D Data Management:  Controlling Data Volume, Variety and Velocity. Application Delivery Strategies. Meta Group.
MacAskill,E., Borger, J., Hopkins,N., Davies,N. and Ball,J. (2013, June 21). GCHQ Taps Fibre-Optic Cables for Secret Access to World's Communication. The Guardian.
Pavone, V. et al. 2015. D2.4 – Key factors affecting public acceptance and acceptability of SOSTs. Surprise. Surveillance, Privacy and Security.
Simcox, R. 2015. Surveillance after Snowden: Effective Espionage in an Age of Transparency. London: The Henry Jackson Society.

No comments:

Post a Comment