"This was done under secret agreements with commercial companies, described in one document as 'intercept partners'. […] some companies have been paid for the cost of their co-operation and GCHQ went to great lengths to keep their names secret. They were assigned 'sensitive relationship teams' and staff were urged in one internal guidance paper to disguise the origin of 'special source' material in their reports for fear that the role of the companies as intercept partners would cause 'high-level political fallout'."
I see no list of company names in this article by The Guardian. I believe the British people --or anyone that does business with them (edit: "them" as in the companies that have assisted the GCHQ) in any way, really-- would be very interested in hearing some names right about now.
> As one of the UK's intelligence and security agencies, we gather and analyse digital and electronic signals from many channels, from all corners of the world. Converting this information into intelligence material, we play a significant role in informing national security, military operations, police activity and foreign policy.
This being more or less the entire stated mission of GCHQ, I wonder who's actually surprised by this revelation.
I'm truly appalled that the GCHQ see it as their job to collect network traffic from every communication passing through the UK, and pass that on to foreign intelligence agencies and politicians in the UK and abroad. The potential for corruption and abuse there is astounding, and no organisation or person should have anything like this amount of power over our lives. Politicians can be bribed, judges turned, legal cases undermined, corporate financials exposed, and leaders overthrown, all at the whim of any one of the millions of people with access to these databases, which apparently also have appallingly lax access controls and standards of oversight, along with their terrible standards for defining which signals they should intercept.
If complete surveillance of the population is the purpose of the GCHQ, it should be shut down in my opinion, but I think that's a perversion of the role of signals intelligence in our society. The purpose of these agencies should be (and originally was) to defend the communications of our government from interception, to intercept communications from known enemies of the nation and to assist law enforcement and the judiciary in intercepting the communications of criminals, using all the standards of reasonable suspicion, judicial oversight etc that we hold so dearly to in collecting evidence in every other domain. Just because it's easier and more practical for them to intercept everything and record it for later use, doesn't make that extreme violation of many of our codes of privacy and law acceptable, predictable or desirable. It has enormous implications for our society, this is an essential debate when so much of our lives are now held in digital form, and I'm surprised that you try to blow it off as old news and of little consequence.
Perhaps people shouldn't be surprised, but the discussion of the data sharing with the NSA certainly appears to call into question some of the US government's claims:
"This includes recordings of phone calls, the content of email messages, entries on Facebook and the history of any internet user's access to websites – all of which is deemed legal, even though the warrant system was supposed to limit interception to a specified range of targets....
By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data."
In the late 1990s I worked for the UK subsidiary of a large US defence contractor. They had an international network which connected their subsidiaries to transfer documents, emails and engineering drawings. Most work was done for the US DoD. This was a typical leased ISDN system from BT.
It had cryptos at each end of a link (each in a literally a 2m by 2m room declared US soil by the then home secretary).
The biggest threat vector they had was actually listed as GCHQ and the line would suspiciously go down occasionally for a few ms resulting in the cryptos being "red buttoned" (key erasure).
People who are still locked into the mold of Henry Stimson, I would imagine.
I think people are more surprised that their own traffic is falling into this and not just diplomatic/military signals. But that's one of the unintended consequences of communications in general shifting over to Internet methods instead of dedicated circuits.
Yes but one month ago they still had plausible deniability, not anymore. In short the term it may change nothing but in the long run it will have an impact, no doubt.
I'm confused as to how anyone could have believed that one of the 5 largest signals intelligence agencies in the world could not have been tapping Internet backbone cables.
Can we just resolve this right here? The Internet backbone is tapped. To whatever extent NSA isn't looking at our traffic (or is pretending not to, or pantomiming not doing it), some other foreign SIGINT agency is.
To believe otherwise is to believe that state-sponsored intelligence agencies somehow believe the Internet is off limits to surveillance because I don't know freedom and progress or something. Of course they don't believe that.
> I'm confused as to how anyone could have believed that one of the 5 largest signals intelligence agencies in the world could not have been tapping Internet backbone cables.
I feel bad for conspiracy theorists. Had they made the same statement a month ago, they would have been called tin-foil hat wearing nuts and now people say things like the above so casually and pretend like it was obvious all along.
I wouldn't be surprised if tomorrow it is revealed that the NSA has collaborated with Verisign and other certificate authorities so as to decrypt SSL certificates a whole bunch of people would come out of the woodworks to claim "of course the NSA can decrypt your SSL connection".
> To believe otherwise is to believe that intelligence agencies believe the Internet is off limits ... Of course they don't believe that.
Of course they don't. People probably doubted they had the capability to sort through and and find useful information inside an internet backbone. It's a tremendous effort collecting and querying that much data.
So much this. People on this forum have consistently presented very compelling arguments that they don't have SSL keys and couldn't retroactively decrypt collected traffic even if they did. Unsettling then that people I generally considered trustworthy in the crypto community (say, Matt Blaze) previously were adamant to claim that large scale duplication and retention of backbone traffic was not only highly unlikely to be attempted, but technically unfeasible.
Because of this I'm almost ashamed of how much credit I've been doling out to other allegedly shady accusations that get made and dismissed as passing conspiracy theories.
Just because someone is an expert in the field, doesn't mean what he says is to be trusted. Some are just supporting the status quo and the "government wisdom". Some might even be paid to say what they say or be linked by contracts to such stuff.
> Had they made the same statement a month ago, they would have been called tin-foil hat wearing nuts and now people say things like the above so casually and pretend like it was obvious all along.
It actually was obvious all along. There have been many programs of gathering as much data as they can. ECHELON is pretty old.
> People probably doubted they had the capability to sort through and and find useful information inside an internet backbone. It's a tremendous effort collecting and querying that much data.
Yes, it is a lot of data. GCHQ have a lot of computers (largest LAN in Europe, part of largest WAN in world, etc.) They also have a lot of expertise in this kind of thing. Who else would be buying all the data-mining books? (http://www.springer.com/?SGWID=0-102-24-0-0&searchType=EASY_...)
If you've been following recent threads, there should be no confusion as to the fact that Tptacek consistently supports an establishment view.
He nit-picks small details to steer conversation away from the big picture. Any notion of abuse, scandal or surprise is routinely dismissed. People who disagree are brushed off as hysterical or conspiracy theorists.
"The GCHQ mass tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data to western Europe from telephone exchanges and internet servers in north America."
"One key innovation has been GCHQ's ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months."
"UK officials could also claim GCHQ "produces larger amounts of metadata than NSA"."
Roughly 1.5 million people have top secret clearance[1], I would personally be alarmed if over half of them had access to data like this, although I can't say it would surprise me at this point.
"... This includes recordings of phone calls, the content of email messages, entries on Facebook and the history of any internet user's access to websites ..."
It has been discussed over and over on hackernews recently so just tldr version.
Let’s consider two scenarios.
1) NSA forces CA to issues a certificate for google.com and decide to man-in-the-middle you.
In that case there is a mechanism call certificate pinning. To put it simply certificates of Google, Facebook, Twitter etc. are hard coded into Firefox and Google Chrome. (Microsoft provides this ability in IE using latest EMET 4.0). So if someone tries to send you cert for google, which doesn’t match the one hardcoded your browser would get crazy and issue a big red warning :)
2) NSA records your encrypted communication with Google and later obtains Google private key (either by factoring Google public key or using some secret court order or whatever). In this case they CAN’T decrypt your communication with Google because Google uses version of Diffi- Hellman protocol with so called ephemeral keys. More here http://googleonlinesecurity.blogspot.com/2011/11/protecting-.... Ephermal DH is not implement by many sites (hackernews does it, facebook doesn’t)
SSL can be broken in myriad of different ways but at least in these two scenarios you are to certain degree safe
The encryption (if implemented correctly) is good, but if an intelligence agency has access to a Certificate Authority, or the target of your communications, man-in-the-middle attacks are feasible.
It is likely that internal user data within Facebook (and other websites) is not encrypted, and can be freely snooped between the backend servers and the frontend servers.
From the article, "(Metadata describes basic information on who has been contacting whom, without detailing the content.)".
Could someone let the journalists know what metadata really is? I mean, come on. Metadata is a concise, highly valued description of the data, also including identifying information. In other words, keywords!
For this comment, the keywords (metadata) might be:
I think your definition of meta-data is too narrow. It's not just keywords.
Excuse me if I state the obvious, but with something like a web page access, the meta data will be in part: your internet address, what time you accessed it, the referring url etc. A phone call's meta data could include the length of the call, which phone the call was made on, which mast was used etc.
Meta data is additional data about the data isn't it?
One assumes that you could then make telling deductions from that meta data. Like a persons movements (acquired from phone, financial and internet records). You can also draw a lot about their character: their interests, their political views, their cicles etc.
A) Access is MUCH broader than just tapping Google, FB, MSFT, etc. Access is at the far broader level of telecommunication cables. Encryption can be broken later, with specialty FPGA chips.
B) More importantly, with the US taking "everything foreign" and with GCHQ (also) taking "everything foreign" ... the Venn set of these two closely associated govt spying operations means they get "everything, period", including US domestic communications.
If true, the original Snowden revelations are (small) child's play to what may actually be being surveilled, which may indeed be everything.
Important to extend your Venn diagram to the "Five Eyes". Canada, US, UK, Australia, and New Zealand. A much wider intersection is possible in that context.
