GCHQ's Dubious Role in The 'Quantum' Hacking Spy Tactic

Thursday, 12 December 2013

I've not posted here for a while, but I've got a good excuse. For the last month or so I've been out in Brazil working on a series of stories with the American journalist and former Guardian columnist Glenn Greenwald. We've been reporting a series of revelations about government surveillance based on the trove of files leaked by former NSA contractor Edward Snowden.

I've had some time to take a breather tonight and I want to draw attention to something important in one of the latest stories we worked on with a team of excellent Swedish journalists from Uppdrag Granskning — an investigative unit that operates as part of Sweden's national public broadcaster SVT.

We worked on several stories with Uppdrag Granskning in the lead up to an hour-long documentary, aired Wednesday, about Sweden's major role in the global surveillance nexus that is led by the United States, the United Kingdom, and the other members of the so-called Five Eyes group — Australia, Canada, and New Zealand.

As we reported, the documents reveal how Sweden has become a key partner for the US and the UK, and top-secret agreements have been made in the last decade that bolster Sweden's spying role like never before.

But aside from these crucial details, which are hugely important for Swedish citizens to be informed about, I'd like to highlight here one smaller piece of information that we reported that I think is highly notable.

Earlier this year, it was disclosed that UK spy agency GCHQ was involved in hacking into the Belgian telecom company Belgacom's computer systems in order to covertly gather intelligence on unknown targets. But what is interesting is that, despite being involved in using these hacking methods, GCHQ has been worrying behind the scenes about their legality.

One of the Snowden documents we revealed on the Uppdrag Granskning documentary — dated circa April 2013 — shows the NSA describing a so-called 'Quantum' hacking initiative that GCHQ was involved in at a "proof-of-concept" level. However, the document notes:

Continued GCHQ involvement may be in jeopardy due to British legal/policy restrictions, and in fact NSA’s goal all along has been to transition this effort to a bilat with the Swedish partner. [Emphasis added.]

This struck me because, last year, I uncovered a document showing something similar. In obscure technical standards meetings with telecom companies about implementing new surveillance capabilities, GCHQ representatives from a little-known unit of the agency called the National Technical Assistance Centre were voicing the same concerns about hacking techniques.

At meetings held between 2010 and 2011 in Estonia and Italy, at which a GCHQ representative was present, the UK was said to be anxious about the legality of performing a so-called 'man-in-the-middle' attack to covertly hack and eavesdrop on communications:

An additional concern in the UK is that performing an active attack, such as the Man-in-the-Middle attack proposed in the Lawful Interception solution...may be illegal. The UK Computer Misuse Act 1990 provides legislative protection against unauthorised access to and modification of computer material. The act makes specific provisions for law enforcement agencies to access computer material under powers of inspection, search or seizure. However, the act makes no such provision for modification of computer material. A Man-in-the-Middle attack causes modification to computer data and will impact the reliability of the data.

This could not be clearer. The UK's position was that it might be unlawful for authorities to hack a computer in order to monitor communications and/or exfiltrate data. That was the position in 2010/11, and I think the same concern is what is being referenced in the 2013 NSA document when UK "legal/policy restrictions" are mentioned.

Yet despite this concern — and this is perhaps the most important point — GCHQ has marched ahead with its participation in clandestine surveillance operations that involve hacking. The Belgacom case is a specific example, but the NSA documents on Sweden illustrate that Belgacom was not an isolated case. GCHQ was (and likely continues to be) involved in a program called WINTERLIGHT that explicitly involves trying to infect hundreds of targeted computers with so-called 'implants' of malware. GCHQ even operates a covert computer server that it uses to help infect targets with the malware, likely by masquerading as legitimate websites such as LinkedIn, as previous reports have suggested. These covert servers are mentioned in one of the NSA documents on Sweden, dated April 2013, revealed by Uppdrag Granskning:

Last month, we received a message from our Swedish partner that GCHQ received FRA [Swedish spy agency] QUANTUM tips that led to 100 shots, five of which were successfully redirected to the GCHQ server.

So, the question here is: how can this be legal? If GCHQ was previously concerned that performing active hacking attacks may be unlawful under the UK's Computer Misuse Act, then how has that situation been resolved? Has the agency been granted immunity to perform these operations? If so, who granted the immunity? Alternatively, has the UK government, with zero public debate and under cover of total secrecy, produced a classified interpretation of the law aimed at justifying and rendering lawful the use of this clandestine hacking technique?

Another very intriguing theory I have considered is that GCHQ lets one of the other agencies do the "dirty work" — the part of the hack that would be illegal under UK law. The NSA may deploy the malware, for instance, while GCHQ plays a lesser role by merely facilitating the attack by hosting the server — but still reaping the benefits (i.e. it gets access to the intercepted data). Having spent countless hours now looking at the Snowden documents, it certainly appears to me that this is something that occurs — that the spy agencies circumvent their domestic laws by allowing partner agencies to do things that they could not do themselves.

Either way, GCHQ's clear and undeniable role in Quantum hacking attacks raises hugely significant legal questions and it is remarkable to me — but perhaps not totally surprising — that the blundering British parliamentarians who are supposed to hold the agency to account have thus far failed to raise any of these key issues.

The Torture & Rendition Report the UK Government Hasn't Published

Thursday, 7 November 2013

Last year, the UK government was presented with a preliminary report about an inquiry into British security services' alleged role in the extraordinary rendition and torture of terror suspects. The government said at the time that it would make the report public — but it has never surfaced.

The report was produced as part of the so-called 'Detainee Inquiry', set up by prime minister David Cameron in 2010 to investigate allegations of British security agencies' involvement in the mistreatment of individuals accused of terror offences. Spy agency MI6, for instance, has been blamed for helping to facilitate the abduction and subsequent alleged torture of a Libyan Islamist and his pregnant wife, who were covertly 'rendered' from Bangkok and reportedly taken to a Libyan prison run by the Gaddafi regime in 2004.

Headed by retired judge Sir Peter Gibson, the Detainee Inquiry was supposed to look into these allegations and others. It was scrapped in 2012 amid controversy because the government said that it clashed with ongoing police investigations into some of the same cases. But a preliminary report was produced by the inquiry and sent to the prime minister on 27 June 2012. At the time, the government issued a statement saying that the report focused on "preparatory work to date, highlighting particular themes or issues which might be the subject of further examination." Justice Secretary Ken Clarke said that the government was committed to publishing "as much of this interim report as possible."

Almost 18 months on, however, where is the preliminary report? That is exactly what I have been trying to find out. And the UK government is not returning my emails.

In September, I sent a Freedom of Information Act request seeking a copy of the report to the government's Cabinet Office. Under the FOIA, the government has 20 working days to issue a response. 31 working days have now passed and I have sent three separate emails related to the request. I have received nothing in response — not even an acknowledgement informing me that my request has been received. This means that the government is violating its legal obligations, according to an official I consulted at the Information Commissioner's Office, the public body that enforces access to information legislation in the UK.

I submit quite a lot of FOI requests, and I can't think of another occasion when a government department has flat-out ignored a request in this way. It is very unusual. Normally, the procedure is that you will receive an acknowledgement within a few days. And a couple of weeks later the respective department will either send you the information or refuse to release it, usually citing some flimsy national security secrecy exemption.

Notably, the chap who runs the website Spy Blog has also previously attempted to obtain a copy of the preliminary report. His efforts have so far been stonewalled. But unlike me, Spy Blog has at least been privileged enough to receive responses from the Cabinet Office, most recently in July. The Cabinet refused to disclose the report to the website, claiming that officials were busy "clearing the report for publication" and adding that they expected that it could be published "in the autumn, although no date has been set."

It is not clear why the Cabinet Office has needed almost a year and a half to "clear" a report for public consumption. At best, it looks to me like a case of incompetence and bureaucratic inefficiency; at worst, it is a red herring being deployed to delay the release of controversial information for political convenience. Either way, the delay suggests that there could be some interesting details contained in the report. And the government is running out of excuses to postpone publication. Indeed, under section 22 of the Freedom of Information Act, the government can decline to disclose information requested if it is already intended for future release. However, Ministry of Justice guidance on the Section 22 exemption explicitly states that:

These qualifications recognise that sometimes there will be an overriding public interest in the information being released prior to the intended publication date. Public authorities should not be able to avoid putting information in the public domain by adopting unreasonable publication timetables or an 'intention' to publish where there is little prospect of that happening within a reasonable timescale.

Given the seriousness of the allegations about UK security agencies' role in facilitating extraordinary rendition and torture, there is evidently a very strong public interest case for this preliminary report to be immediately released under the Freedom of Information Act. That is especially true given the inexplicably lengthy delay that we have already had to endure.

It's worth also pointing out that despite the sort of behaviour detailed above, the government continues to audaciously insist it is committed to transparency. Just last week the Cabinet Office was proclaiming "wide-ranging new commitments to bring more of the benefits of transparency into people’s everyday lives." Cabinet minister Francis Maude was quoted as saying that "transparency is an idea whose time has come."

Unfortunately, the section of Maude's own department responsible for implementing transparency does not appear to have received the memo — and is currently flouting the Freedom of Information Act in a case involving the withholding of important information that the public clearly has a right to know.

I have lodged a formal complaint about the Cabinet Office's conduct with the Information Commissioner's Office — so watch this space.

UPDATE, 4 December 2013: Late last month, the Information Commissioner's Office replied to the complaint I filed about the UK government's non-response to my request that it release the rendition/torture report. An official from the ICO said he had contacted the government's Cabinet Office to confirm that my request had been received and to give the government a 10-day deadline to contact me. The ICO reminded the government of its obligations under the Freedom of Information Act and noted that it "may consider taking enforcement action" should similar complaints arise (read the ICO's correspondence here).

However, despite this light reprimand from the ICO, incredibly I've still received no response from the government about the rendition report. The 10-day deadline expired yesterday and I've heard nothing — I've not yet so much as received an acknowledgement that my initial request is being dealt with, even though it was submitted more than two months ago (the government is supposed to respond within 20 working days; it's now been more than 50). This means that the Cabinet Office, which likes to tout its transparency credentials, is not only actively flouting its obligations under the Freedom of Information Act — it has also now failed to act on a formal request made by the authority that enforces the FOIA law, the ICO. Before the end of the week, I'll be following up my complaint with the ICO in the hope that more serious action can be taken. Of course, I'll post further updates here with any new developments in this strange case as and when they arise.

UPDATE, 29 December 2013: The government has released the Detainee Report today; the Guardian reports that it reveals how "MI6 officers were under no obligation to report breaches of the Geneva conventions and turned a 'blind eye' to the torture of detainees in foreign jails, according to the report into Britain's involvement in the rendition of terror suspects." I am still pursuing my complaint against the Cabinet Office for its handling of my FOIA request.

UPDATE, 26 March 2014: In response to my complaint, the Information Commissioner's Office issued a "decision notice" stating that the Cabinet Office breached section 10 of the Freedom of Information Act in ignoring my request. More details here.

The Chenagai Madrassa Incident

Tuesday, 23 July 2013

On 30 October 2006, an Islamic school in Pakistan was targeted in a missile strike that killed up to 81 people, most of whom were reportedly children, some as young as seven.

At the time of the strike, which took place in the town of Chenagai in the tribal area of Bajaur, Pakistan's military claimed responsibility, saying it had targeted the school — known as a madrassa — because it was being used as a terrorist training facility. However, an anonymous former Pakistan official, described as an ex-"key aide" to then-President Pervez Musharraf, later reportedly claimed that the attack had been carried out by a US drone, according to the Sunday Times. The US denied any role, saying it was "completely done by the Pakistani military."

Now, a newly published report has raised fresh questions about exactly who was behind this horrific incident. A leaked Pakistan government document, published by London's Bureau of Investigative Journalism on Monday, lists the Bajaur case among a series of US Predator drone strikes and NATO-backed attacks in Pakistan between 2006 and 2009. The Bureau says that the document shows the attack was the result of "a single drone strike," though the document does not specify whether a drone or other aircraft was involved.

So who carried out this controversial attack?

At the time of the strike, Pakistan's army spokesman said that it had been carried out by Pakistan military helicopter gunships that fired four or five missiles into the madrassa. One local villager told the BBC he had "heard helicopters flying in and then heard bombs." An NBC news correspondent, who was reportedly about a mile away from the madrassa at the time of the incident, said that it "was dark and very early in the morning when the blast occurred. And then I heard helicopters over the village of Chenagai where the madrassa school is located."

Analysts speculated that Pakistan's military may not have had the skills required to conduct the helicopter strike, because it was apparently conducted at 5am while it was still dark and had the hallmarks of an elite operation. Hours after the attack, Bill Roggio at the Long War Journal suggested that a US special operations team may have been behind it. "Look for signs of Task Force 145 having carried out this raid," Roggio wrote, "with unmanned Predators firing Hellfire missiles, and possibly C-130 and helicopters following up."

Others had an alternative theory. On October 31, 2006, Syed Saleem Shahzad at the Asia Times wrote:

Recently, Islamabad agreed with NATO that it could conduct operations in Pakistan from across the border in Afghanistan... Significantly, Pakistan and Taliban authorities struck a peace deal in Bajour only two days ago and were scheduled to sign a document to that effect on Monday. This lends credence to the possibility that it was NATO and not Pakistani forces that made the raid.

Among those who died in the attack was the leader of the madrassa, a reportedly pro-Taliban radical cleric named Maulana Liaqat. Pakistan officials also claimed that Ayman al-Zawahiri — who was then Osama bin Laden's deputy — had used the madrassa to train suicide bombers. That would certainly have given both US and NATO forces a motive to want to target the building. And Pakistan has covered up for US drone strikes in the past.

But there is still no concrete information that has been presented confirming beyond doubt that a US drone or any other US or NATO military aircraft was involved.

Indeed, secret US diplomatic cables published by WikiLeaks in 2010, four years after the strike, did not hint at any US or NATO role. US officials writing in classified cables dated from 2006 described the incident alternately as a "Pakistan military strike against a madrassa/militant training camp" and a "Pak-Mil attack on an extremist madrassa."

Even with the Bureau of Investigative Journalism's publication of the leaked Pakistani document attributing the attack to NATO forces or a US drone, in my view, the facts remain murky and contentious. And that is perhaps one of the most shocking elements of this story — that seven years on there is still such a lack of clarity about the circumstances of this grave incident, involving the reported deaths of dozens of innocent children.

Without an answer to such a simple question — who pulled the trigger? — there can be no accountability, no closure, no recourse for justice for the families of those who lost a child on that day in Chenagai. It is an incident that seems to symbolise the bloody, faceless brutality of the ruthless covert warfare that has become a staple feature of the so-called War on Terror over the past decade, especially in the tribal regions of Pakistan. But just because there may be dangerous, high-level terror targets operating in these places, military forces, wherever they are from, should not get a pass to kill and maim with impunity. For that reason alone, the madrassa strike surely requires serious further scrutiny — perhaps from UN special rapporteur Ben Emmerson, who is currently investigating the issue of civilian drone deaths.

How UK Surveillance is on the Rise

Saturday, 20 July 2013

Earlier this week, the UK's official communications interception commissioner published his annual report. The commissioner releases statistics every year that offer an insight into the levels of surveillance being conducted by UK authorities, including police, security and intelligence agencies.

The latest report provides more evidence that the trend in recent years has been towards a general increase in surveillance of communications. In 2012, the report shows, there were a record 570,135 authorisations for police and other agencies to obtain so-called "communications data." This can include subscriber information about suspects' phone and email accounts, as well as call and email records showing who a suspect is phoning/emailing and when. It does not include the actual content of the communication.

Notably, the 570,135 figure is a 15 percent increase on the figure for 2011 and amounts to an average of about 1,562 communications data authorisations every day. In addition, the commissioner noted in his report that "979 communications data errors" were made by authorities in cases involving the wrongful collection of data from innocent individuals. The botched surveillance had serious ramifications, with six members of the public "wrongly detained / accused of crimes" as a consequence.

Here's a quick graph I've knocked up showing how, with the exception of an unusual drop in authorisations in 2011, UK authorities have been increasingly obtaining communications data as part of investigations in recent years:

The same trend is reflected in the latest statistics on the interception of communications. Interception is when the authorities obtain a warrant, signed off by the secretary of state, enabling them to secretly eavesdrop on phone calls or read emails and texts. There were 3,372 interception warrants authorised in 2012, which represents a 16 percent increase on the figure for 2011. It is crucial to note that a single interception warrant can encompass large groups of individuals. It is not known exactly how many people were swept up in the 3,372 warrants because these figures are, unfortunately, not published.

Here's a graph that illustrates the steady increase in interceptions since 2008:

While surveillance is on the rise, as the above graphs show, the UK government has been arguing that it does not have enough digital spying capabilities and needs more surveillance powers.

The government's case may have recently been damaged, however, by leaked secret documents, published by the Guardian in June, that revealed how UK spy agency GCHQ was tapping into internet cables and reportedly monitoring some 600 million "telephone events" every day. The exposed extent of GCHQ's spying offered a rare and startling insight into the sweeping scope of surveillance already being conducted by the UK government, and seemed to affirm what the UN's special rapporteur on free expression, Frank La Rue, warned about in an unprecedented report published just weeks before the leaks.

"Technological advancements," La Rue wrote, "mean that the state’s effectiveness in conducting surveillance is no longer limited by scale or duration."

Rights Groups on Snowden

Friday, 12 July 2013

Edward Snowden is the NSA whistleblower whose document leaks have in recent weeks cracked open the US and UK governments' secret surveillance programs to an unprecedented level of public scrutiny. The former Hawaii-based NSA contractor, 30, is currently holed up in Sheremetyevo airport in Moscow, Russia, as he attempts to seek asylum in a number of countries — fearing persecution if he returns to the United States.

But Snowden's options are limited. The US government has revoked his passport while exerting extraordinary pressure on countries across the world in order to prevent the whistleblower from gaining asylum. This has raised questions about the US government's commitment to international law and has led a number of human rights groups to weigh in with criticism of US officials' actions. Today, Snowden is said to have set up a meeting with groups including Amnesty International in order to discuss his next steps.

Below, I've compiled a quick list for my own reference of the various rights groups that have issued a statement on the Snowden case so far. There may be others that I've missed. If so, add a comment at the bottom or send me a link via Twitter and I'll update this post.

American Civil Liberties Union

"In addition to infringing on Mr. Snowden's right to asylum, [the US government's] actions also create the risk of providing cover for other countries to crack down on whistleblowers and deny asylum to individuals who have exposed illegal activity or human rights violations." (Statement, 11 July.)

Amnesty International

"The US authorities’ relentless campaign to hunt down and block whistleblower Edward Snowden’s attempts to seek asylum is deplorable and amounts to a gross violation of his human rights." (Statement, 2 July.)

Article 19

"The manhunt for Edward Snowden must be stopped. More energy is being spent on arresting one whistleblower that exposed human rights violations than has been spent on finding and arresting perpetrators of war crimes or crimes against humanity." (Statement, 5 July.)

Government Accountability Project (US)

"Snowden disclosed information about a secret program that he reasonably believed to be illegal. Consequently, he meets the legal definition of a whistleblower, despite statements to the contrary made by numerous government officials and security pundits." (Statement, 14 June.)

Human Rights Watch

"[The US government] should not apply a double standard by working against other governments that might extend asylum in this case." (Statement, 3 July.)

“Edward Snowden has a serious asylum claim that should be considered fairly by Russia or any other country where he may apply. He should be allowed at least to make that claim and have it heard... Washington’s actions appear to be aimed at preventing Snowden from gaining an opportunity to claim refuge, in violation of his right to seek asylum under international law.” (Statement, 12 July.)

Index on Censorship

"The mass surveillance of citizens’ private communications is unacceptable – it both invades privacy and threatens freedom of expression. The US government cannot use the excuse of national security to justify either surveillance on this scale or the extradition of Snowden for revealing it." (Statement, 24 June.)

Norwegian PEN

"The threat of criminal prosecution against whistleblower Edward Snowden on the charge of espionage is an allegation against an individual who has used his right to free speech in order to uncover serious abuse, not worthy of a country that abides by the rule of law. By going out with this information, Edward Snowden has questioned the democratic openness of US counter-terrorism strategy. The practice uncovered in the United States is in clear conflict with the principles of a democratic constitutional state." (Statement, 3 July.)

Reporters Without Borders

"Now that Edward Snowden, the young American who revealed the global monitoring system known as Prism, has requested asylum from 20 countries, the EU nations should extend a welcome, under whatever law or status seems most appropriate... [European Union] countries owe Snowden a debt of gratitude for his revelations, which were clearly in the public interest... American leaders should realize the glaring contradiction between their soaring odes to freedom and the realities of official actions, which damage the image of their country." (Statement, 3 July.)

Prism D Notice

Tuesday, 18 June 2013

Following disclosures by the Guardian earlier this month about a US National Security Agency internet surveillance program called Prism, it has emerged that UK government officials issued a so-called "D notice" in a bid to censor coverage of spy tactics.

The D notice following the NSA leaks was reportedly issued to news organisations including the BBC on 7 June, the day after the Prism story broke. Prism is a system used by the NSA to monitor emails, file transfers, photos, videos, chats, and other data. Intelligence gleaned from the system has been passed to GCHQ, the UK's version of the NSA.

The notice to the media organisations was marked "Private and Confidential: Not for publication, broadcast or use on social media," according to Jeff Stein at And Magazine. It added:

There have been a number of articles recently in connection with some of the ways in which the UK Intelligence Services obtain information from foreign sources.

Although none of these recent articles has contravened any of the guidelines contained within the Defence Advisory Notice System, the intelligence services are concerned that further developments of this same theme may begin to jeopardize both national security and possibly UK personnel.

It particularly warned against reporting on:

specific covert operations, sources and methods of the security services, SIS and GCHQ, Defence Intelligence Units, Special Forces and those involved with them, the application of those methods, including the interception of communications and their targets; the same applies to those engaged on counter-terrorist operations.

The D-notice system was first set up in 1912 and operates in accordance with a voluntary code — providing "advice and guidance to the media about defence and counter-terrorist information the publication of which would be damaging to national security." In 2010, for instance, a D notice was reportedly issued prior to WikiLeaks' release of thousands of US government diplomatic cables. A D notice has no formal legal authority, but defying it can make journalists vulnerable to prosecution under the UK's Official Secrets Act.

Snowden's Fate

Monday, 17 June 2013

On Democracy Now today there was an insightful interview with Hong Kong legislator Charles Mok on the potential next steps for US National Security Agency whistleblower Edward Snowden.

Snowden is currently believed to be in Hong Kong after passing a batch of NSA documents revealing top-secret surveillance programs to the Guardian, the Washington Post, and the South China Morning Post. US authorities have initiated a criminal investigation over the leaks and will probably pursue Snowden's extradition in the weeks and months ahead.

Mok talks about what that process could entail, and says that though Hong Kong enjoys independence from mainland China on many issues, the international magnitude of the Snowden case means the final decision that will determine his fate is ultimately likely to be made by central government in Beijing:

Please understand that at least we have a one-country, two-system system in Hong Kong and between Hong Kong and the mainland. So our laws are different from the laws in China. And we do have a border and so on. We do have different governments, even though as a regional government, we do report to the central government.

So I think what we want locally is to make sure that we can protect [Snowden] and make sure that we can live up to our core values and make sure that we treat this person according to all the rights that he should be getting under Hong Kong law. And... exactly what I don’t want to see, is that this sort of political influence to be interfering into the justice process, the judicial process that Mr. Snowden may end up having to get in Hong Kong. If, for example, the US starts by contacting the Hong Kong government to try to initiate an extradition, and if Mr. Snowden decides to try to get asylum or apply for refugee status here in Hong Kong, he — if he chose to do that, if the process comes to that point, he should be getting all the rights. [...]

If the US started to initiate a process [to] say that we want to arrest this person and start an extradition process, then Mr. Snowden could apply in Hong Kong for refugee status. And then there would be at least two tests: first by the United Nations High Commission on Refugees to determine whether or not, for example, that he will face torture at home and whether or not this is political persecution and so on, and second, also by the Hong Kong court. [...]

He will be accorded rights to appeal all the way up to our highest court in Hong Kong. So, assuming that money and financial issues — because you do need to get lawyers and so on — assuming those are not an issue, these processes in the past could have taken quite a bit of time. But... if [Snowden] isn’t successful and there has to be a final decision to be made about the extradition, our chief executive in Hong Kong, which is pretty much [like] our president... he will have to make the final decision. But because this case very likely will involve foreign relations, then he has to consult the central government. So, in the end, it means that the process can be a pretty prolonged process, and, second, Beijing will probably come into the equation to make a final decision in the end.

You can watch the full interview here.