Extraordinary Rendition and the Secret Role of Metadata

Thursday, 28 August 2014

On Monday, I had a new story out at The Intercept revealing a secret search engine that the National Security Agency built to share a massive amount of data with other US government agencies, including domestic law enforcement. There are many new and important details scattered through the piece. But there is one in particular I would like to take a minute to focus on here, because it is a fact that strikes at the heart of the debate about government surveillance and deserves some more attention.

In one of the classified documents that we published with the story, dated from 2005, the NSA outlined some of the "successes" of a data-sharing project called CRISSCROSS that was led by the Central Intelligence Agency. The document shows that metadata collected about communications was integral to the CIA's extraordinary rendition program during the Bush Administration, which involved kidnapping terror suspects and taking them to secret "black site" jails where they would be brutally interrogated and sometimes tortured. The NSA document says:

Since 9/11, the contributions to the GWOT [global war on terror] due to our increased collection of signaling metadata are innumerable and significant. It is safe to say that it has been a contribution to virtually every successful rendition of suspects and often, the deciding factor.

This is an incredible detail. Remember, metadata is not the audio content of a phone call or the words contained within the body of an email message. It is merely information showing who you have contacted and when. Governments have often sought to defend the mass-scale collection of metadata by insisting that it is not information that is sensitive or very private. In June last year, President Obama tried to dismiss concerns about metadata collection in the United States by claiming that "nobody is listening to your telephone calls." But, clearly, the government doesn't need to be listening to your calls to deem you a threat. That metadata has been the deciding factor in targeting people for extraordinary rendition is a profound illustration of that — and it shows that metadata collection has real-world ramifications: it is not just some benign activity.

You might think, "well, I'm not a terror suspect so what do I care?" But this is not only about the Bad Guys — there are much wider consequences at play here. During the height of the extraordinary rendition program, for instance, some of the people targeted were victims of what was called "erroneous rendition." In other words, the CIA would kidnap the wrong person. (Yes, seriously.) In 2005, it was reported by the Washington Post that the CIA's inspector general was investigating a "growing number" of erroneous renditions, with some anonymous government officials saying that they believed there were as many as 30 instances of it having taken place.

Much is still unknown about these cocked-up renditions because the information has been kept secret. But now that we know metadata played a key role in targeting people — in some cases even being the "deciding factor" — questions must surely be asked about whether this method was ever to blame. From a legal and human rights perspective, it is disturbing enough that the CIA was secretly kidnapping, imprisoning, and then torturing people. But the possibility of innocent individuals being targeted on the basis of their metadata trail clearly adds a chilling extra dimension. It is a policy of guilt by association that bears all the hallmarks of a kind of terrible and flawed style of totalitarian policing.

Today, the practice of extraordinary rendition appears to have been largely phased out by President Obama. But the concerns raised by the use of metadata to target people are still highly pertinent. Indeed, as The Intercept reported back in February, metadata is actively being used to target and kill terror suspects in drone strikes in countries like Yemen, Pakistan and Somalia. One military source said that the method can result in the "wrong people" being bombed. And if you think that sounds far-fetched — that the US would not launch missiles at people because of their metadata — you don't need to take my word for it. Just go and listen to what former CIA and NSA chief Michael Hayden has to say. As he boasted in April: "We kill people based on metadata."

Sabu, LulzSec, and the FBI's WikiLeaks Investigation

Monday, 26 May 2014

Some very intriguing new details emerged on Friday about the case of former Anonymous hacker turned FBI informant Hector Monsegur, or "Sabu" as he is better known.

A document filed in a New York district court shed light on the "extraordinarily valuable and productive" extent of Sabu's cooperation with the government over a period of approximately three years.

It is already widely known that Sabu secretly helped authorities track down and jail his former hacker comrades who were part of LulzSec, a high-profile Anonymous splinter group that attacked and infiltrated major corporate and government websites in the summer of 2011.

But the latest court document for the first time hints at Sabu's broader role aiding another major FBI undercover operation — one that I believe likely relates to an aggressive investigation into WikiLeaks and its founder Julian Assange. The section of the document in question is vague, deliberately so, but offers enough detail to indicate that it directly involves WikiLeaks and is potentially of high importance, for reasons I'll explain below. The document states:

Monsegur also engaged in a significant undercover operation in an existing investigation through which, acting at the direction of law enforcement, Monsegur gathered evidence that exposed a particular subject’s role in soliciting cyber attacks on a foreign government. The evidence he enabled the Government to obtain was extremely valuable, and the Government could not otherwise have obtained it without his assistance. Although this cooperation has not resulted in any prosecutions to date, the Government believes his information, and the evidence he helped to obtain in this matter, is extremely significant.

To understand why this matters and why it struck me straight away, a bit of background is necessary.

As I reported last year in a piece for Slate, Sabu, while working as an FBI informant in 2011, was in contact with a young WikiLeaks volunteer who had established a close relationship with Assange.

The volunteer, Sigurdur Thordarson, told me that with Assange's approval he set up a line of communication between Sabu, LulzSec, and WikiLeaks. He said he then solicited the hackers to infiltrate computers at the Icelandic Ministry of Finance to find evidence of anti-WikiLeaks sentiment. "That was the first assignment WikiLeaks gave to LulzSec," Thordarson claimed, because the Ministry of Finance had months earlier thwarted an attempt by DataCell, a company that processes WikiLeaks donations, to purchase a large new data center in Reykjavik. The FBI appears to have monitored the exchange between WikiLeaks and LulzSec through Sabu, and a few days later contacted Icelandic authorities to warn them about an imminent cyber attack. Icelandic police travelled to the United States to discuss the matter, according to information published by the country's state prosecutor.

According to Thordarson, the LulzSec hackers eventually turned over some confidential documents to WikiLeaks that related to the US embassy in Iceland, as well as other hacked files, such as a huge trove of emails mined from Syrian government servers that were later released by WikiLeaks. Thordarson alleged that Assange spoke with Sabu over Skype during this time, and he showed me records of chats he had with Sabu that appear to support his version of events. Again, Sabu was secretly working as an FBI informant during his correspondence with WikiLeaks; FBI agents, who were monitoring Sabu's online activity 24/7 and directing his conduct, would have almost certainly been watching over his shoulder during any conversations with Assange or others.

In a bizarre twist, Thordarson himself later became an FBI informant, before he found out that Sabu, too, was working for the Bureau. (You can read the whole crazy backstory here.) WikiLeaks says Thordarson was a rogue operative and has accused the FBI of using "coercion and payments" in an effort to extract information that could be used against its staff in a prosecution. It is unclear whether Assange was personally involved at all in any attempt to solicit the hacking of foreign government computers.

Either way, one thing that is clear and undisputed is that Sabu was in contact with WikiLeaks while he was working for the FBI. And the new court document in Sabu's case strongly suggests to me that the contact was not some random occurrence — rather, it suggests it was part of a concerted FBI undercover sting operation aimed at implicating Assange and his colleagues in criminal activity.

The mention of "a particular subject’s role in soliciting cyber attacks on a foreign government" stood out to me immediately as a likely reference to the Assange-Thordarson-Sabu-Iceland affair, perhaps even intended as a warning shot from the Justice Department that this is an angle still being pursued. WikiLeaks seems to have noticed it, as well, tweeting on Saturday that the document contained an "apparent reference to [an] FBI operation against WL."

It is worth recalling that the FBI and the Justice Dept. still have an active and ongoing criminal investigation into WikiLeaks, a fact that was most recently confirmed just last week. But because of constitutional press freedom protections in the United States under the First Amendment, to prosecute any WikiLeaks staff for their role in publishing leaked classified US government documents would be untenable. That is precisely why it is far more likely that the FBI will be seeking to find other charges it can lay against Assange, such as conspiracy, and that is where I think Sabu comes into the frame. The new court document refers to an "existing investigation" and notes that while the information Sabu gleaned about the cyber attacks being solicited "has not resulted in any prosecutions to date," it remains "extremely significant." [Emphasis added.]

So watch this space. I expect more details about this dramatic debacle are going to surface before long — possibly even in an indictment against Assange, if the FBI gets its way.

The Detainee Report and the UK Government Flouting FOIA Law

Wednesday, 26 March 2014

Back in September, as I explained in a previous post, I filed a Freedom of Information Act (FOIA) request with the UK government in an attempt to obtain a long-withheld report on British spies' complicity in torture and extraordinary rendition. The government repeatedly ignored my requests — refusing to even acknowledge them, as obligated under the law — but finally published the report in December.

As I suspected it would, the so-called 'Detainee Inquiry' report shined a light on the dubious involvement of the UK's security services in brutal interrogation tactics and kidnapping methods carried out by US government operatives in the aftermath of the September 11 attacks. British agents, it found, were under no obligation to report breaches of the Geneva conventions and turned a "blind eye" to the torture of detainees held in foreign prisons.

The report was put together by the Detainee Inquiry as a preliminary report and, unfortunately, it only scratched the surface. Headed by retired judge Sir Peter Gibson, the inquiry was originally supposed to dig deep into the allegations of complicity in the abuses. However, it was postponed in 2012 amid controversy because the government said that it clashed with ongoing police investigations into some of the same cases. Justice Secretary Ken Clarke promised that an independent judge-led inquiry would continue in time, but the government suddenly pulled a policy reversal in December and now says the issues will be dealt with (or should I say, swept under the rug) by the largely toothless parliamentary intelligence and security committee — a move that has been strongly criticised by human rights groups, lawyers, and two United Nations special rapporteurs.

Aside from pointing to the substance of the Gibson report, though, I wanted to address something else here: that is, the dismal conduct of the government in ignoring my original request to obtain it. The Cabinet Office repeatedly failed to respond to my inquiries for a period of about five months, even after the Information Commissioner's Office (ICO) got involved. (The ICO is the public body that enforces access to information legislation in the UK.) Under the terms of the FOIA law, the government should have responded to my initial request within 30 days. Instead, it chose not to respond at all — not even an acknowledgement; nothing. I've never experienced anything like that, and I have submitted quite a lot of FOIA requests in my time.

It seemed that the Cabinet Office was clearly flouting its legal obligations, so I decided to submit a formal complaint with the ICO. Last month, the ICO issued a "decision notice" in my case (see below), finding in my favour that the government broke the law under section 10 of the Freedom of Information Act by ignoring my request. The ICO threatened to pursue contempt of court action against the government in the High Court if it did not contact me within a further 35 days. Unsurprisingly, earlier this month, about a day before the deadline was due to expire, the Cabinet Office finally responded — claiming "oversights" were the cause of the long delay while having the cheek to open its letter by referring to my "recent" FOIA request. The request was submitted half a year prior.

Cabinet officials were contacted on several occasions about my request over this six-month period; they confirmed to the ICO over the phone that they had received it, and were then warned about potential "enforcement action." Yet they continued to not respond to me. It was not until the government was formally threatened with contempt in the decision notice that it acted. And by then, the Detainee Inquiry report that I was originally seeking had been released publicly anyway.

I have no idea whether the government deliberately ignored my request in a bid to delay releasing the report, so that it could release it later on its own terms. But frankly that does not seem like a far-fetched possibility, especially given that some public bodies, like London's Metropolitan Police, have admitted treating FOIA requests from journalists as "high risk" — even though all requests are supposed to be treated "applicant and motive blind." Either way, whether the failure to respond was calculated or just down to total incompetence, I have certainly not come away from this debacle with a sense that the government cares much about fulfilling its legal responsibilities in the realm of transparency.

For that reason, there is a satisfaction in seeing the government get reprimanded by the ICO for its unlawful conduct in this case. But ultimately there is a kind of depressing futility about the finding. The decision notice will go against the government — damaging the Cabinet Office's FOIA credentials with the Information Commissioner, especially if other cases such as this continue to stack up. (The Cabinet could be placed on the ICO's "monitoring programme" if it keeps egregiously flouting its FOIA obligations.) However, that doesn't really count for much in practice. I would like to see the ICO given much stronger powers to enforce compliance with FOIA law — the power to dish out heavy fines for flagrant violations and inexplicably extreme delays in responding to people. Otherwise it seems highly likely that the government and other public bodies will continue to be content to ignore requests whenever it suits them to do so.

UPDATE, 27 March 2014: As a commenter below has pointed out, it turns out that the Cabinet Office has in fact already been placed on the "monitoring programme" by the Information Commissioner's Office after "serious shortcomings" were identified in its responses to freedom of information requests. The ICO announced in January, while my complaint was still ongoing, that it would be examining the Cabinet's responses to requests received between 1 January and 31 March 2014. The ICO claims that "failure to show signs of improvement during this period may result in enforcement action."

Canada's WiFi Surveillance and CSEC's Non-Denial Denials

Saturday, 1 February 2014

On Thursday, a report I worked on with Glenn Greenwald and Greg Weston was published in Canada, revealing how the country's spy agency CSEC secretly developed a program to monitor WiFi users in a major Canadian airport.

The piece, based on documents leaked by the former US National Security Agency contractor Edward Snowden, has led to CSEC being accused of acting unlawfully and has triggered calls for better oversight of the agency.

But one of the most intriguing aspects of the fallout from the story has been the Canadian government's response — which merits some scrutiny and analysis.

First, some context.

Back in November, Greenwald, Weston and I reported separate revelations about Canada's role in an NSA operation to spy at the G8 and G20 summits in Canada in 2010. CSEC's chief John Forster claimed in response to reporters' questions:

What I can tell you is that CSEC, under its legislation, cannot target Canadians anywhere in the world or anyone in Canada, including visitors to Canada.

During a speech in October, Forster had made a similar statement:

I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada. In fact, it's prohibited by law. Protecting the privacy of Canadians is our most important principle.

And again, in January, he repeated this assertion in a letter to a Canadian newspaper:

Under the law, CSE’s foreign intelligence mandate specifically dictates that our activities be directed only at foreign entities, and not at Canadians or anyone in Canada. That is the law and we fully respect that.

Having analysed Canadian documents in the Snowden material, these statements struck me as quite astonishing.

Why? Because one of the top-secret Snowden documents revealed that, in 2012, CSEC had set up a program that involved monitoring WiFi usage at a large Canadian airport. The secret files showed how CSEC was able to use a huge amount of data about the WiFi connections to follow users "backward and forward in recent time" — identifying visits to hotels, other airports, Internet cafes, coffee shops, and a library.

The tactic is described by CSEC in the files as "IP profiling" — a surveillance method that can be used to track users' movements over time. In one case, as we reported at CBC on Thursday, the spy agency says that it performed a sweep of an entire "modest-sized" city and identified 300,000 user IDs.

The "mission impact" of the tactic, according to the document, is that it can alert spies to "target country location changes" and "webmail logins with time-limited cookies."

The full document [pdf] speaks for itself. It illustrates that a secret surveillance operation was conducted on Canadian soil — sweeping up metadata on the WiFi usage of thousands of people not suspected of any crime. Equally significant, the revelation contradicts CSEC chief Forster's repeated assertion that "we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada."

After we reported the airports story, it got more interesting.

CSEC issued a statement that was notable for three reasons. First, the agency did not repeat its previous mantra claiming not to "target anyone in Canada." Second, it appeared to make an admission that it is sweeping up metadata within Canada, saying that it was "legally authorized" to "collect and analyze" this information. And third, it issued a fresh denial, saying that "no Canadian or foreign travellers were tracked. No Canadian communications were, or are, targeted, collected or used."

Shortly afterwards, on Friday, a similar denial was made by the Canadian prime minister's parliamentary secretary, who launched a bizarre personal attack on Greenwald while claiming that the "facts" were that "nothing in the stolen documents showed that Canadians' communications were targeted, collected, or used, nor that travellers' movements were tracked."

But these denials are hollow.

It's a straw man to claim that the revelations were about communications being "targeted, collected, or used." That is not what our story was about. The issue at hand is how CSEC initiated a program to sweep up information showing when people are connecting to WiFi networks and using this information to build "profiles" of their movements back and forward in time.

And that brings us to the more important point. CSEC and the prime minister's secretary claimed that "no Canadian or foreign travellers were tracked." However, what they did not say was how they were defining the word "tracked."

The documents quite clearly show how the agency used user "IP profiles" to monitor WiFi users' movements over time, with this capability enabling it to generate "alerts" when a person relocates to another country.

The dictionary definition of "tracking" says that it means "the act or process of following something or someone." CSEC's IP profiling is exactly that — monitoring users' location and keeping tabs on where they are. Indeed, the document says as much, outlining how CSEC uses this tactic to "follow IDs backward and forward in recent time." The documents also mention how CSEC used tools called "Quova" and "Atlas database" — which are technologies used to pinpoint the geolocation of an IP address.

CSEC's denial that it "tracked" Canadians or foreign travellers, I think, hinges upon a narrowly defined interpretation of the word. The US Department of Defence, for instance, uses "tracking" as a specific technical term meaning the "precise and continuous position-finding of targets by radar, optical, or other means." CSEC's IP profiling definitely fits the dictionary definition of "tracking" as it is understood by most people — but does it fit the narrower military definition? Perhaps CSEC believes that IP profiling does not constitute "precise and continuous" tracking. But if so, it should be explaining this — as otherwise its denial is highly misleading.

Spy agencies are professionals in the art of deception, and sometimes that seems to be reflected in their public relations strategy. After all, we have seen misleading denials issued repeatedly by the National Security Agency and its Five Eyes counterparts about various surveillance revelations in recent months. Again and again, officials have used narrowly defined words or jargon terms in a carefully crafted way in order to issue non-denial denials in which they appear to refute an allegation but on closer reading do not really refute it at all.

The ultimate point here is that the tactics being used by CSEC and the Canadian government to deflect criticism of their secret surveillance programs merit as much attention as the revelations themselves. That is especially clear when, in response to disclosures about their secret programs, senior government officials launch childish character assassination attempts against the journalists who reported the information. In a democratic society, surely a higher standard is required. It is not enough for governments and spy agencies to spit out a few indignant statements and denials with the expectation that people should just blindly trust that they are telling the truth.

Also, no matter how "tracking" is being defined, what is clear is that CSEC was (and our sources say still is) running a large-scale surveillance operation on domestic soil, seriously calling into question spy chief Forster's previous statements that "our activities" are not directed "at Canadians or anyone in Canada." The CSEC boss is due to appear before a Senate committee hearing on Monday. Hopefully Canada's lawmakers will take the opportunity to ask some probing questions.


UPDATE, 7 February 2014: Since the story was published last week, there have been several developments. There have been more calls for an independent review of CSEC's activities, while spy chief Forster was forced to publicly defend the surveillance in Monday's Senate hearing.

There have also been some interesting analyses of the leaked documents worth responding to.

First, the surveillance blog Electrospaces claimed that the secret documents seemed to have been "incorrectly interpreted" in our CBC report. The blog published an anonymous analysis from someone who says that CSEC's surveillance project "was not surveillance of Canadian citizens per se but just a small research project." The second analysis came from Bruce Schneier, who claimed that it was "not really true" that CSEC used "airport Wi-Fi information to track travellers."

First of all, it is a mischaracterization to claim that the CSEC project was just a small research project that didn't implicate Canadians "per se." It was part of a pilot initiative that involved sweeping up data on hundreds of thousands of people — many of whom would have been Canadian citizens. Our sources for the story told us that the pilot had since gone live — i.e. that it had gone from being a "proof-of-concept" to an operationally active domestic program. This is about much more than a "small research project."

Second, it is absolutely the case that CSEC tracked travellers' movements based on their Internet activity by using IP and ID data and homing in on a major Canadian airport's WiFi system.

It may be about more than that — and I agree with Schneier when he says that it is "actually far more interesting than simply eavesdropping on airport Wi-Fi sessions" because of the wider ramifications of this kind of 'big data' analysis.

But this particular initiative was focused on pulling out a huge trove of user ID and IP data and following users "backward and forward in recent time" to and from a Canadian airport to see if it would be possible to keep tabs on movements and trigger alerts based on those movements.

What we reported was accurate and remains so: "Canada's electronic spy agency used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal."

Even CSEC chief Forster has since come out and admitted that a kind of tracking was going on (though he says it didn't occur in "real time," which is not something we actually claimed):

Forster said the agency used metadata to develop a model that showed they could track an internet user's network activity "around a public access mode," and that the tracking didn't happen in real time.

Some of the more insightful analysis on the CSEC affair has come from Bill Robinson, a Canadian surveillance expert described by the Toronto Star as "Canada's authority on CSEC."

Robinson makes some interesting points on the meaning of "tracking" in this context and CSEC's initial denial that it had tracked people — and I think he could be hitting the nail on the head here:

While normal human beings might conclude that both Canadian and foreign travellers were indeed tracked, CSEC's claim may be that only devices were tracked in the specific tests reported in the document. Since no device was tracked specifically on account of the fact that it belongs to a particular person, and the analysis itself (as far as I know) did not seek to associate particular individuals with particular devices (although it may well have utilized information associated or associatable with specific individuals), CSEC may feel it is justified in stating that no individuals were tracked. The same or similar logic seems to underlie the agency's claim that it can collect metadata related to thousands or even millions of Canadians and persons in Canada for foreign intelligence purposes while at the same time stating that its foreign intelligence operations do not "target" any Canadians or persons in Canada.

In a separate blog post after spy chief Forster's testimony before the Canadian Senate committee on Monday, Robinson wrote:

In essence, the government's position is that the metadata project reported by the CBC did take place, that its purpose was to develop targeting and analysis techniques that are in fact now being used operationally by CSEC, and that the collection, analysis, use, and retention of Canadian metadata is a normal part of CSEC's operations, necessary to those operations, and entirely legal. Officials also insist, however, that CSEC does not use the data to target Canadians for foreign intelligence purposes.

To have CSEC now appearing to admit (under pressure) that it is using metadata to conduct domestic monitoring on a mass scale is revelatory — and that is where the focus should be. As I wrote here previously, how "tracking" is being defined as a word should not be the most central point in the debate. The attention should be on CSEC conducting a large-scale surveillance operation on Canadian soil and misleading Canadian citizens about it in a series of public statements. Robinson asks the right questions in his earlier blog post:

If real-world operations are now being conducted using the techniques described in the document, or similar kinds of techniques, those operations will indeed involve the tracking of specific individuals who are either known before the tracking began or identified subsequent to their being singled out by analysis of the data.

Will the government state that no Canadian or foreign travellers have ever been tracked (or, if it prefers, detected in a number of different locations over time) in Canada, either by CSEC or by any other Canadian or allied agency, under any mandate, using these or similar metadata-based techniques?

The EU Parliamentary Inquiry's Report on Mass Surveillance

Saturday, 11 January 2014

After about five months of hearings and investigating, the European Parliament's civil liberties committee has published its report on the revelations about mass surveillance leaked by the American former National Security Agency contractor Edward Snowden.

The comprehensive 52-page report, published Wednesday in draft form [pdf], contains a large number of important findings and recommendations — some of which I think it's worth highlighting here.

The report accuses spy agencies — particularly in the US (NSA) and the UK (GCHQ) — of operating dragnet snooping programs that appear to involve illegal actions. It says that the UK government has on at least two occasions breached the European Convention on Human Rights and the EU Charter in how it has tried to crack down on reporting of the Snowden leaks (examples cited are the detention of former Guardian journalist Glenn Greenwald's partner and the destruction of Guardian computers). In addition, the committee calls for the European Parliament to suspend data sharing deals with the US government, and it says new legal protections are necessary for journalists and whistleblowers.

Crucially, the report does not shy away from attempting to address some of the larger issues — such as the profound and unprecedented existential questions new mass surveillance technologies raise for modern democracies. It calls on US authorities and EU member states to "prohibit blanket mass surveillance activities and bulk processing of personal data," adding:

[The committee] sees the surveillance programmes as yet another step towards the establishment of a fully fledged preventive state, changing the established paradigm of criminal law in democratic societies, promoting instead a mix of law enforcement and intelligence activities with blurred legal safeguards, often not in line with democratic checks and balances and fundamental rights, especially the presumption of innocence. [Emphasis added.]

This kind of policing, it warns, is leading to "every citizen being treated as a suspect." For that reason, the report notes that the committee

condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of press, thought and speech as well as a significant potential for abuse of the information gathered against political adversaries; emphasises that these mass surveillance activities appear also to entail illegal actions by intelligence services and raise questions regarding extraterritoriality of national law.

UK surveillance laws are singled out for criticism, with the inquiry concluding that the UK's legal framework is in need of an overhaul because it is outdated. But the finger is not pointed solely at the spooks in the UK and the US. The report accuses countries including France, Germany, and Sweden of running their own mass surveillance programs, too. It also rightly blasts the general incompetence of oversight committees — both in Europe and the US — that are supposed to be tasked with holding spy agencies accountable:

despite the fact that oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and an adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities. [Emphasis added.]

Moreover, it calls on the European Commission — the EU's executive body — to evaluate the possibility of introducing legal liabilities that could be used to punish technology companies for not fixing known vulnerabilities in their software or for installing secret backdoors for spying. It wants the European Parliament to consider only procuring software that is open source, so that the software code can be reviewed to ensure it is secure and free from backdoors inserted for spying. And it also urges European Union member states to initiate investigations into "possible cybercrimes and cyber attacks committed by governments or private actors in the course of the activities under scrutiny."

"Trust has been profoundly shaken," the report says. "Trust between the two transatlantic partners, trust among EU Member States, trust between citizens and their governments, trust in the respect of the rule of law, and trust in the security of IT services...in order to rebuild trust in all these dimensions a comprehensive plan is urgently needed."

It's worth a read if you have the time. The full report is here [pdf].

GCHQ's Dubious Role in The 'Quantum' Hacking Spy Tactic

Thursday, 12 December 2013

I've not posted here for a while, but I've got a good excuse. For the last month or so I've been out in Brazil working on a series of stories with the American journalist and former Guardian columnist Glenn Greenwald. We've been reporting a series of revelations about government surveillance based on the trove of files leaked by former NSA contractor Edward Snowden.

I've had some time to take a breather tonight and I want to draw attention to something important in one of the latest stories we worked on with a team of excellent Swedish journalists from Uppdrag Granskning — an investigative unit that operates as part of Sweden's national public broadcaster SVT.

We worked on several stories with Uppdrag Granskning in the lead up to an hour-long documentary, aired Wednesday, about Sweden's major role in the global surveillance nexus that is led by the United States, the United Kingdom, and the other members of the so-called Five Eyes group — Australia, Canada, and New Zealand.

As we reported, the documents reveal how Sweden has become a key partner for the US and the UK, and top-secret agreements have been made in the last decade that bolster Sweden's spying role like never before.

But aside from these crucial details, which are hugely important for Swedish citizens to be informed about, I'd like to highlight here one smaller piece of information that we reported that I think is highly notable.

Earlier this year, it was disclosed that UK spy agency GCHQ was involved in hacking into the Belgian telecom company Belgacom's computer systems in order to covertly gather intelligence on unknown targets. But what is interesting is that, despite being involved in using these hacking methods, GCHQ has been worrying behind the scenes about their legality.

One of the Snowden documents we revealed on the Uppdrag Granskning documentary — dated circa April 2013 — shows the NSA describing a so-called 'Quantum' hacking initiative that GCHQ was involved in at a "proof-of-concept" level. However, the document notes:

Continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions, and in fact NSA’s goal all along has been to transition this effort to a bilat with the Swedish partner. [Emphasis added.]

This struck me because, last year, I uncovered a document showing something similar. In obscure technical standards meetings with telecom companies about implementing new surveillance capabilities, GCHQ representatives from a little-known unit of the agency called the National Technical Assistance Centre were voicing the same concerns about hacking techniques.

At meetings held between 2010 and 2011 in Estonia and Italy, at which a GCHQ representative was present, the UK was said to be anxious about the legality of performing a so-called 'man-in-the-middle' attack to covertly hack and eavesdrop on communications:

An additional concern in the UK is that performing an active attack, such as the Man-in-the-Middle attack proposed in the Lawful Interception solution...may be illegal. The UK Computer Misuse Act 1990 provides legislative protection against unauthorised access to and modification of computer material. The act makes specific provisions for law enforcement agencies to access computer material under powers of inspection, search or seizure. However, the act makes no such provision for modification of computer material. A Man-in-the-Middle attack causes modification to computer data and will impact the reliability of the data.

This could not be clearer. The UK's position was that it might be unlawful for authorities to hack a computer in order to monitor communications and/or exfiltrate data. That was the position in 2010/11, and I think the same concern is what is being referenced in the 2013 NSA document when UK "legal/policy restrictions" are mentioned.

Yet despite this concern — and this is perhaps the most important point — GCHQ has marched ahead with its participation in clandestine surveillance operations that involve hacking. The Belgacom case is a specific example, but the NSA documents on Sweden illustrate that Belgacom was not an isolated case. GCHQ was (and likely continues to be) involved in a program called WINTERLIGHT that explicitly involves trying to infect hundreds of targeted computers with so-called 'implants' of malware. GCHQ even operates a covert computer server that it uses to help infect targets with the malware, likely by masquerading as legitimate websites such as LinkedIn, as previous reports have suggested. These covert servers are mentioned in one of the NSA documents on Sweden, dated April 2013, revealed by Uppdrag Granskning:

Last month, we received a message from our Swedish partner that GCHQ received FRA [Swedish spy agency] QUANTUM tips that led to 100 shots, five of which were successfully redirected to the GCHQ server.

So, the question here is: how can this be legal? If GCHQ was previously concerned that performing active hacking attacks may be unlawful under the UK's Computer Misuse Act, then how has that situation been resolved? Has the agency been granted immunity to perform these operations? If so, who granted the immunity? Alternatively, has the UK government, with zero public debate and under cover of total secrecy, produced a classified interpretation of the law aimed at justifying and rendering lawful the use of this clandestine hacking technique?

Another very intriguing theory I have considered is that GCHQ lets one of the other agencies do the "dirty work" — the part of the hack that would be illegal under UK law. The NSA may deploy the malware, for instance, while GCHQ plays a lesser role by merely facilitating the attack by hosting the server — but still reaping the benefits (i.e. it gets access to the intercepted data). Having spent countless hours now looking at the Snowden documents, it certainly appears to me that this is something that occurs — that the spy agencies circumvent their domestic laws by allowing partner agencies to do things that they could not do themselves.

Either way, GCHQ's clear and undeniable role in Quantum hacking attacks raises hugely significant legal questions and it is remarkable to me — but perhaps not totally surprising — that the blundering British parliamentarians who are supposed to hold the agency to account have thus far failed to raise any of these key issues.

The Torture & Rendition Report the UK Government Hasn't Published

Thursday, 7 November 2013

Last year, the UK government was presented with a preliminary report about an inquiry into British security services' alleged role in the extraordinary rendition and torture of terror suspects. The government said at the time that it would make the report public — but it has never surfaced.

The report was produced as part of the so-called 'Detainee Inquiry', set up by prime minister David Cameron in 2010 to investigate allegations of British security agencies' involvement in the mistreatment of individuals accused of terror offences. Spy agency MI6, for instance, has been blamed for helping to facilitate the abduction and subsequent alleged torture of a Libyan Islamist and his pregnant wife, who were covertly 'rendered' from Bangkok and reportedly taken to a Libyan prison run by the Gaddafi regime in 2004.

Headed by retired judge Sir Peter Gibson, the Detainee Inquiry was supposed to look into these allegations and others. It was scrapped in 2012 amid controversy because the government said that it clashed with ongoing police investigations into some of the same cases. But a preliminary report was produced by the inquiry and sent to the prime minister on 27 June 2012. At the time, the government issued a statement saying that the report focused on "preparatory work to date, highlighting particular themes or issues which might be the subject of further examination." Justice Secretary Ken Clarke said that the government was committed to publishing "as much of this interim report as possible."

Almost 18 months on, however, where is the preliminary report? That is exactly what I have been trying to find out. And the UK government is not returning my emails.

In September, I sent a Freedom of Information Act request seeking a copy of the report to the government's Cabinet Office. Under the FOIA, the government has 20 working days to issue a response. 31 working days have now passed and I have sent three separate emails related to the request. I have received nothing in response — not even an acknowledgement informing me that my request has been received. This means that the government is violating its legal obligations, according to an official I consulted at the Information Commissioner's Office, the public body that enforces access to information legislation in the UK.

I submit quite a lot of FOI requests, and I can't think of another occasion when a government department has flat-out ignored a request in this way. It is very unusual. Normally, the procedure is that you will receive an acknowledgement within a few days. And a couple of weeks later the respective department will either send you the information or refuse to release it, usually citing some flimsy national security secrecy exemption.

Notably, the chap who runs the website Spy Blog has also previously attempted to obtain a copy of the preliminary report. His efforts have so far been stonewalled. But unlike me, Spy Blog has at least been privileged enough to receive responses from the Cabinet Office, most recently in July. The Cabinet refused to disclose the report to the website, claiming that officials were busy "clearing the report for publication" and adding that they expected that it could be published "in the autumn, although no date has been set."

It is not clear why the Cabinet Office has needed almost a year and a half to "clear" a report for public consumption. At best, it looks to me like a case of incompetence and bureaucratic inefficiency; at worst, it is a red herring being deployed to delay the release of controversial information for political convenience. Either way, the delay suggests that there could be some interesting details contained in the report. And the government is running out of excuses to postpone publication. Indeed, under section 22 of the Freedom of Information Act, the government can decline to disclose information requested if it is already intended for future release. However, Ministry of Justice guidance on the Section 22 exemption explicitly states that:

These qualifications recognise that sometimes there will be an overriding public interest in the information being released prior to the intended publication date. Public authorities should not be able to avoid putting information in the public domain by adopting unreasonable publication timetables or an 'intention' to publish where there is little prospect of that happening within a reasonable timescale.

Given the seriousness of the allegations about UK security agencies' role in facilitating extraordinary rendition and torture, there is evidently a very strong public interest case for this preliminary report to be immediately released under the Freedom of Information Act. That is especially true given the inexplicably lengthy delay that we have already had to endure.

It's worth also pointing out that despite the sort of behaviour detailed above, the government continues to audaciously insist it is committed to transparency. Just last week the Cabinet Office was proclaiming "wide-ranging new commitments to bring more of the benefits of transparency into people’s everyday lives." Cabinet minister Francis Maude was quoted as saying that "transparency is an idea whose time has come."

Unfortunately, the section of Maude's own department responsible for implementing transparency does not appear to have received the memo — and is currently flouting the Freedom of Information Act in a case involving the withholding of important information that the public clearly has a right to know.

I have lodged a formal complaint about the Cabinet Office's conduct with the Information Commissioner's Office — so watch this space.

UPDATE, 4 December 2013: Late last month, the Information Commissioner's Office replied to the complaint I filed about the UK government's non-response to my request that it release the rendition/torture report. An official from the ICO said he had contacted the government's Cabinet Office to confirm that my request had been received and to give the government a 10-day deadline to contact me. The ICO reminded the government of its obligations under the Freedom of Information Act and noted that it "may consider taking enforcement action" should similar complaints arise (read the ICO's correspondence here).

However, despite this light reprimand from the ICO, incredibly I've still received no response from the government about the rendition report. The 10-day deadline expired yesterday and I've heard nothing — I've not yet so much as received an acknowledgement that my initial request is being dealt with, even though it was submitted more than two months ago (the government is supposed to respond within 20 working days; it's now been more than 50). This means that the Cabinet Office, which likes to tout its transparency credentials, is not only actively flouting its obligations under the Freedom of Information Act — it has also now failed to act on a formal request made by the authority that enforces the FOIA law, the ICO. Before the end of the week, I'll be following up my complaint with the ICO in the hope that more serious action can be taken. Of course, I'll post further updates here with any new developments in this strange case as and when they arise.

UPDATE, 29 December 2013: The government has released the Detainee Report today; the Guardian reports that it reveals how "MI6 officers were under no obligation to report breaches of the Geneva conventions and turned a 'blind eye' to the torture of detainees in foreign jails, according to the report into Britain's involvement in the rendition of terror suspects." I am still pursuing my complaint against the Cabinet Office for its handling of my FOIA request.

UPDATE, 26 March 2014: In response to my complaint, the Information Commissioner's Office issued a "decision notice" stating that the Cabinet Office breached section 10 of the Freedom of Information Act in ignoring my request. More details here.