Snowden Vindicated: The Truth About Raw Intelligence Sharing
Many people imagine intelligence sharing to be a practice whereby men in trench coats silently slide manilla envelopes containing anonymous tip-offs or intelligence reports marked TOP SECRET across tables in smoke-filled rooms.
While such practices certainly exist, they represent only a tiny slice of intelligence sharing activities, and are vastly overshadowed by the massive exchange of bulk unanlysed (raw) intelligence data that takes place between the UK and its Five Eyes allies. It is this practice, little understood and shrouded in secrecy, that has escaped the scrutiny of the courts and of the public.
Today Privacy International has revealed that GCHQ does not need a warrant to receive unlimited bulk intelligence from the NSA and other foreign agencies, can search for anything or anyone they like, including those inside the UK and can keep this data on a massive searchable database for up to two years. In order to grasp the gravity of this revelation, it is necessary understand the reality of modern-day raw intelligence sharing.
What gets shared?
The receipt of solicited or unsolicited unanalysed intercepted material makes up a huge percentage of the raw data that GCHQ crunches through. The original Five Eyes agreement (the UKUSA agreement) declassified in 2010, more than 60 years after its execution in 1946, explains that the exchange of the intelligence between the parties:
will be unrestricted on all work undertaken except when specifically excluded from the agreement at the request of either party to limit such exceptions to the absolute minimum and to exercise no restrictions other than those reported and mutually agreed upon.”
Indeed, in addition to facilitating collaboration, the agreement suggests that all intelligence material is shared between Five Eyes States by default. The text stipulates that
all raw traffic shall continue to be exchanged except in cases where one or the other party agrees to forgo its copy.”
The details of the modern day UKUSA arrangement remain secret, despite legal attempts to obtain them, including FOI requests in all Five Eyes countries and an ongoing legal challenge from Privacy International in the European Court of Human Rights.
However, significant quantities of intelligence material are almost certainly being shared between the parties. Indeed, in an essay by an ex-NSA employee marked UNCLASSIFIED and approved for public release by the NSA's office of Pre-Publication Review it was confirmed that:
If you are a citizen of the UK, Canada, New Zealand, or Australia, you may also be glad, because everything the NSA collects is by default shared with your government.”
Consider the numbers: NSA's CO-TRAVELLER programme collects five billion locational records a day, DISHFIRE is 194 million text messages daily, and the NSA's UPSTREAM access yields unmeasurable quantities of data. With NSA having partnerships with 33 countries, all of which provide some kind of TEMPORA-esque access to them thanks to RAMPART-A, it is not surprising that some ex- GCHQ staffers have said “95 per cent of all SIGINT handled at GCHQ is American.”
What the secret policy reveals
Thanks to a court case brought by human rights groups including Privacy International, Bytes for All, Liberty, and Amnesty International, we now know some details of the Government's secret policy around information sharing. Where it is “not technically feasible to obtain the communications via RIPA interception”, British intelligence agencies can accept a bulk feed of unanalysed data from the government of another country without even needing to obtain a warrant.
This is an extraordinary position. A narrow and targeted request to a foreign agency under a Mutual Legal Assistance Treaty request would require a warrant. But if GCHQ solicits bulk “unanalysed” intercept, which involves incomprehensibly larger quantities of data and intrusion into privacy, no warrant is needed.
Of even greater concern is that the legal restrictions on analysis and searching of intercepted material, contained in section 16 of RIPA, do not apply to this material. The only “internal rules and safeguards” applied are those applying to “selected communications content”. This is defined as “content resulting… from the selection processes that are applied, pursuant to s16 of RIPA”. “Unanalysed” foreign intercept is instead treated as having already been “selected” under s16, meaning that it is beyond the reach of the s16 safeguards.
Simply put, as s16 does not apply, GCHQ are able to search through raw unanalyzed data from foreign agencies for people known to be in British Islands without restriction, sidestepping the few safeguards and protections that do exist in RIPA.
Exploiting the loophole
Consider an email, text message, or Facebook message collected by GCHQ's TEMPORA programme as it travels through undersea fibre optic cables. GCHQ relies on broad section8(4) RIPA warrants to justify this mass collection, but insist protections are strong enough for those within the British Isles because GCHQ cannot search through that material by using a search term referable to a person known to be in the UK. So a search for “Eric King” or “firstname.lastname@example.org" would be prohibited unless an additional 8(1) warrant or a 16(3) certificate is signed.
There are serious problems with this protection, not least that the communication has already been intercepted and the individual's privacy interfered with. Moreover, the safeguard only applies to people in the British Isles – meaning no protection for those outside the UK - and can be sidestepped using careful search terms. Nevertheless, it is an additional – if inadequate – restriction on GCHQ's surveillance powers.
However, as soon as GCHQ outsources the interception to foreign agencies, the rules change. Should NSA provide GCHQ with an unanalysed bulk data feed from their UPSTREAM collection, no RIPA 8(4) warrant is required, and these s. 16 restriction do not apply. All of a sudden GCHQ can receive without a warrant large quantities of data and search through them directly for “Eric King” or “email@example.com".
There has been no promise to apply “by analogy” the safeguards in RIPA, only to establish necessity and proportionality as “to its receipt.” This loophole is the most significant indication yet of the inadequacy of British law to properly regulate surveillance.
The truth about Snowden's allegation
Despite repeated attempts by officials to reaffirm that "GCHQ has not circumvented or attempted to circumvent UK law" it is hard to see that the basic allegation made by Edward Snowden - that agencies like GCHQ and NSA can swap data, playing games of jurisdictional arbitrage, exploiting the weakness in each others frameworks - is anything else but correct.
Today's release of GCHQ's secret policy marks a critical moment in the development of our understandings of the failings of UK law and the inability of current oversight mechanisms to ensure surveillance is being undertaken in accordance with law.
The Investigatory Powers Tribunal will be deciding the legality of these practices in the coming months. Nothing less than an end to unregulated mass intelligence sharing will do.