Yesterday came more revelations by Edward Snowden via an article by Jeremy Scahill and Josh Begley in The Intercept that confirms that GCHQ, in collusion with the NSA, are probably the biggest criminal organisations in recent history (see below for details). This comes only days after the UK Government was forced to admit for the second time this month that UK intelligence services have been acting unlawfully. Bang to rights, as the saying goes. Yet the UK Government naively believes that merely publishing a draft code of practice will provide immunity for those services for all the crimes they have committed to date and allow them to continue to practise these crimes from now on. They’re having a laugh…
The Intercept article explains how GCHQ and the NSA hacked into the internal computer network of Gemalto, a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards and is the largest manufacturer of SIM cards in the world. Gemalto is also a global leader in digital security, producing banking cards, mobile payment systems, two-factor authentication devices used for online security, hardware tokens used for securing buildings and offices, electronic passports and identification cards. It provides chips to Vodafone in Europe and France’s Orange, as well as EE, a joint venture in the U.K. between France Telecom and Deutsche Telekom.
The spy agencies stole from Gemalto encryption keys used to protect the privacy of cellphone communications across the globe. Among Gemalto’s clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. In all, Gemalto produces some 2 billion SIM cards a year.
Possessing the encryption keys sidestepped the need for the spy agencies to get a warrant or organise a wiretap, while at the same time leaving no trace on the wireless provider’s network that communications were intercepted. Bulk key theft additionally enabled the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt. According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. Most significantly, GCHQ also penetrated “authentication servers,” allowing it to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network.
The privacy of all mobile communications — voice calls, text messages and Internet access — depends on an encrypted connection between the cellphone and the wireless carrier’s network, using keys stored on the SIM, a tiny chip smaller than a postage stamp, which is inserted into the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. SIM cards can be used to store contacts, text messages, and other important data, like one’s phone number. In some countries, SIM cards are used to transfer money.
(Note… Gemalto board member Alex Mandl was shown to be a founding trustee of the CIA-funded venture capital firm In-Q-Tel.)
Privacy advocates and security experts also argue that it would take billions of dollars, significant political pressure, and several years to fix the fundamental security flaws in the current mobile phone system that NSA, GCHQ and other intelligence agencies regularly exploit.
(Note… The Intercept’s Laura Poitras has previously reported that in 2013 Australia’s signals intelligence agency, a close partner of the NSA, stole some 1.8 million encryption keys from an Indonesian wireless carrier.)
The implications of this grand theft by GCHQ and the NSA have probably not yet been fully evaluated. That this was a crime on a massive scale is not in doubt. It may well – and should – lead to litigation: this could include legal action by Gemalto and communications providers, as well as possible class action by consumers.
And there is already a growing list of legal cases against the intelligence services. The UK intelligence services (GCHQ, MI5 and MI6) as well as the police have for years been involved in criminal activities, including hacking on a massive scale, theft of data, conspiracy and global surveillance contrary to legislation (in a number of countries and with reference to European-wide legislation).
Only two days ago the UK Government issued a statement admitting that the surveillance of lawyers and their clients by UK intelligence services was unlawful. Again, this will have serious ramifications. Also, at the beginning of the month the UK Government admitted that its mass surveillance programme using PRISM and Tempora contravened the European Convention on Human Rights. However, it also rushed out a draft code of practice in the ludicrous belief that doing so will provide immunity to GCHQ and its UK sister organisations, including the police, for past conduct. But this is most definitely not the case, and civil rights organisations, journalists and others are busy taking legal action via the IPT (Investigatory Powers Tribunal) and the ECHR (European Court of Human Rights).
Yesterday we published a full list (courtesy of the Bureau of Investigative Journalism) of all these legal cases (and they are re-published below).
Ongoing court actions against UK intelligence services
(The following is courtesy of The Bureau of Investigative Journalism.)
Last autumn, the Bureau launched a legal challenge in the European Court of Human Rights (ECHR) to the UK government’s surveillance practices. The case argues that bulk collection of communications data using methods such as internet cable tapping, which were exposed by the US National Security Agency whistleblower Edward Snowden, breaches human rights law. Storage of meta-data (which details who is contacting whom and when, but not the content of the message) by the government makes it harder for journalists to guarantee their sources’ confidentiality. Listed below are some of the other challenges to government surveillance brought by organisations and individuals currently going through the British and European courts.
Basis of challenge: The UK’s practice of sucking communications data out of internet cables in bulk through a programme known as Tempora breaches the “Wilson doctrine” that guarantees MPs’ communications are not spied upon. The claimants also allege that the practice breaches Articles 8 and 10 of the European Convention on Human Rights (ECHR). This case and that of George Galloway (below) were put on hold until the Liberty case (see case no. 5 below), which challenged the legality of the Prism and Tempora programmes, had completed. Lawyers in the Jones, Lucas and Galloway cases are now working on a response to the Liberty judgment. Read more about the case here.
Basis of challenge: The UK’s practice of sucking communications data out of internet cables in bulk, a programme known as Tempora, breaches the “Wilson doctrine” that guarantees MPs’ communications are not spied upon. The claimant also alleges that the practice breaches Articles 8 and 10 of the ECHR. Galloway’s lawyer is currently putting together a response to the Liberty judgment. Read more about the case here.
Basis of challenge: Seizure of a Sun journalist’s phone records by the Metropolitan Police breached Article 10 of the ECHR. The Metropolitan Police ordered Vodafone to hand over Newton Dunn’s phone records as part of an investigation into the “Plebgate saga”, which centred on former Tory chief whip Andrew Mitchell’s spat with police. Read more about the case here.
Basis of challenge: Alleged breaches of Articles 6, 8 and 14 of the ECHR arising from interception of the claimants’ legally privileged communications. Assisted by NGO Reprieve, the claimants are suing in the civil courts for damages arising from the UK government’s involvement in their kidnapping and rendition to Libya, and believe that the security services may have intercepted their conversations with lawyers about the case. At an IPT hearing in November 2014 the government released summary policy documents showing that the intelligence agencies treat legally privileged materials like any other form of intelligence. The documents also showed that there is nothing to stop the involvement in civil litigation of security service lawyers who have previously viewed relevant privileged material. The next hearing is expected in spring 2015. A month before the hearing, in October 2014, the Court of Appeal had ruled that the civil case could go ahead. The government, which is appealing the decision, had argued that the lawsuit should be thrown out on the basis of technicalities of international law. The government’s appeal case is expected to be heard in the Supreme Court in summer 2015. The claimants also lodged a criminal complaint back in November 2011; this case is now being considered by the Crown Prosecution Service. Read more about the cases here.
Basis of challenge: The Tempora and Prism mass surveillance programmes breach Articles 8 and 10 of the ECHR. Current position: The tribunal ruled on December 5 2014 that the legal framework around the government’s surveillance programmes does not breach human rights law. It will now go on to consider whether the NGOs’ communications were intercepted. The claimants now plan to take the case to the European Court of Human Rights. They have also filed a separate IPT application following the December 5 ruling. The IPT judgment stated that as the UK government had released some information on its surveillance policies it had complied with human rights obligations on transparency. The court left the question of whether the government had been compliant prior to this disclosure undecided. The claimants then asked the IPT to confirm that by failing to release these documents sooner, the government breached the law. The IPT did so in February. Read more about the case here.
Basis of challenge: Government hacking of internet service providers’ infrastructure and surveillance of their users is unlawful. 1) By interfering with network assets and computers belonging to the network providers, GCHQ has contravened the UK Computer Misuse Act and Article 1 of the First Additional Protocol (A1AP) of the ECHR, which guarantees the individual’s peaceful enjoyment of their possessions. 2) Conducting surveillance of the network providers’ employees is in contravention of Articles 8 and 10 of the ECHR. 3) Surveillance of the network providers’ users that is made possible by exploitation of their internet infrastructure is in contravention of Arts. 8 and 10 ECHR. 4) By diluting the network providers’ goodwill and relationship with their users, GCHQ has contravened A1AP of the ECHR. Read more about the case here.
Basis of challenge: GCHQ hacking techniques, including development of programs that remotely hijack computers’ cameras and microphones without the user’s consent, are illegal. 1) Any GCHQ hacking that impairs the operation of a computer – for instance, by leaving it vulnerable to future exploitation – is unlawful under the Computer Misuse Act; 2) Hacking breaches Articles 8 and 10 of the ECHR. Read more about the case here.
The MPs were given permission in December 2014 to launch a judicial review of the Data Retention and Investigatory Powers Act (Dripa). Basis of challenge: Dripa is not compatible with Article 8 of the ECHR. Read more about the case here.
Basis of challenge: The applicants allege that they are likely to have been the subject of generic surveillance by GCHQ. GCHQ may also have been in receipt of foreign intercept material relating to the claimants’ electronic communications. Big Brother Watch and the other claimants argue this breaches their rights under Article 8 of the ECHR. Specifically, they are arguing that: 1) There is no domestic law governing receipt of information from foreign intelligence agencies and the process for handling, storing and disposing of this data once it has been received; 2) The UK law that is meant to stop the government abusing its powers to directly intercept communications and monitor them when one party is outside the UK, is inadequate; 3) Mass interception of external communications transmitted by transatlantic fibre-optic cables is a disproportionate breach of privacy. The case was prioritised by the court, then stayed pending completion of the Amnesty/Liberty case in the IPT (case no. 5). Read more about the case here.
Basis of challenge: The blanket exemption given to the security agencies by the Freedom of Information Act request breaches Article 10 of the ECHR in that it interferes with citizens’ right to access information. Privacy’s FOI request for information including menus and price lists of the GCHQ canteen as well as a copy of the intelligence-sharing agreement between the UK and its “Five Eyes” partners was refused. Read more about the case here.
Basis of challenge: UK law is incompatible with Articles 8 and 10 of the ECHR, which give journalists the right to keep sources confidential from police and others. The Bureau and journalist Alice Ross argue that: 1) UK law in relation to the government’s gathering and handling of directly intercepted data where one party is outside the UK does not safeguard journalists’ right to protect their sources. 2) UK law in relation to the government’s gathering and handling of meta data (details of the parties communicating, but not what they said) similarly fails to protect journalists’ privileged communications. The case has been prioritised by the European Court. Read more about the case here.
Basis of challenge: The journalists say that police surveillance of their activities and retention of data on a database of “domestic extremists” was unlawful. The case has been stayed until the outcome of the Catt case (case no. 13 below). Read more about the case here.
Basis of challenge: Brighton pensioner Catt argues that the police’s surveillance of his attendance at peace protests and retention of this data on a database of “domestic extremists” was unlawful. In 2013 the Court of Appeal ruled that surveillance of the 89-year-old, who has no criminal record, had breached his right to privacy, a decision that was appealed by the police. A decision by the Supreme Court is expected imminently following a hearing in December 2014. Read more about the case here.