German spies ‘can’t be trusted’: Relations between the UK and Berlin intelligence chiefs hit after comments by London
27 January 2017
Germany’s spy agency BND is being frozen out by GCHQ as well as in America
Both believe insecure servers have led to Wikileaks taking classified documents
Berlin officials are angry that secret intelligence data has not been handed over
The freeze-out also applies to the Metropolitan Police and UK Border Force
Relations between British and German spy chiefs have hit rock bottom because London says its counterparts in Berlin cannot be trusted to keep secrets.
At a time of escalating Islamic terror threats across Europe, Germany’s spy agency BND is being frozen out by GCHQ and the National Security Agency in the US.
Both London and Washington believe insecure German data servers have contributed to the leaking of tens of thousands of classified documents to Wikileaks.
And they have infuriated Berlin by refusing to hand over secret intelligence data demanded by left wing and Green politicians which they fear will be aired in the German parliament.
It is claimed in Germany that a tranche of 500,000 sides of files put out by Wikileaks this month were GCHQ documents on covert mobile phone policy for British intelligence agents dated June 2010 and classified as secret.
They believe that the documents, once shared with Germany, were transferred to hackers – possibly Russian – who then fed them to the whistleblowing group.
Also listed as top secret was a briefing paper for attendees at a pre-G20 meeting held in London between September 2 and 5 2009 in which Turkey’s role in Europe was on the agenda.
It is understood that in November 2014 there was a meeting in Berlin between Sir Simon McDonald, the then British ambassador to Germany, together with Patrick McGuinness, Deputy National Security Adviser for Intelligence, Security, and Resilience at the Cabinet Office, and high security officials in Angela Merkel’s government.
The British made it plain at the meeting that co-operation between Britain and Germany was becoming increasingly problematic because of leaks.
A source familiar with the meeting said: ‘They stressed that a secret service is just that and that its workings and operations must remain secret and they felt that Germany was leaking them like a sieve.’
Britain told the Germans that the freeze on information would not only apply to MI6 and GCHQ but also to the Metropolitan Police, the Serious Organised Crime Agency (SOCA) and the UK Border Force.
The source said: ‘It has now reached the point where there is virtual radio silence between the two biggest and most important intelligence services of the western world and the BND of Germany.
‘Germany is worried because it needs the umbrella protection of these agencies. It is virtually blind without it.’
Another crisis meeting was held in Berlin in February last year to discuss the biggest rift between secret services since the end of the Second World War. It failed to placate the British and the Americans.
High-grade information on jihadists, their movements and terror plans, as discovered by London and Washington and directly involving Germany, is no longer being passed on as a matter of routine.
The upheaval has been caused in part by left-wing and green politicians still fuming over the spying activities carried out in Germany by America’s National Security Agency, which involved the eavesdropping on Mrs Merkel’s personal mobile telephone.
The German government asked Britain to release details of the secret operations to a committee probing the NSA and other foreign spy agency activities in the country.
The move was forced by politicians of the hard-left Die Linke and the environmentalist Green parties.
Both the UK and America refused to send any of the requested files to Germany. Included among them was a demand for information about a 2013 operation handled by both countries – and in co-operation with the BND – which was, and remains, top secret but was known to involve a massive surveillance programme on suspected Islamic terrorists across Europe.
Britain fears a ‘big debate’ in the German parliament which would lay open secret sources and intelligence gathering techniques.
A BND insider said: ‘Never has a friendly nation been asked to divulge its secrets in this way. It is outrageous and we completely understand the fury that this has unleashed in Whitehall. But it has left us vulnerable.’
By ALLAN HALL IN BERLIN and IAN DRURY IN LONDON FOR THE DAILY MAIL
PUBLISHED: 00:22 GMT, 16 December 2016 | UPDATED: 01:36 GMT, 16 December 2016
© Associated Newspapers Ltd
UK spy agencies have collected bulk personal data since 1990s, files show
Agencies privately concede that ‘intrusive’ practices can invade privacy and that data is gathered on people ‘unlikely to be of interest’
3 June 2016
Britain’s intelligence agencies have been secretly collecting bulk personal data since the late 1990s and privately admit they have gathered information on people who are “unlikely to be of intelligence or security interest”.
Disclosure of internal MI5, MI6 and GCHQ documents reveals the agencies’ growing reliance on amassing data as a prime source of intelligence even as they concede that such “intrusive” practices can invade the privacy of individuals.
A cache of more than 100 memorandums, forms and policy papers, obtained by Privacy International during a legal challenge over the lawfulness of surveillance, demonstrates that collection of bulk data has been going on for longer than previously disclosed while public knowledge of the process was suppressed for more than 15 years.
The files show that GCHQ, the government’s electronic eavesdropping centre based in Cheltenham, was collecting and developing bulk data sets as early as 1998 under powers granted by section 94 of the 1984 Telecommunications Act.
The documents offer a unique insight into the way MI5, MI6, and GCHQ go about collecting and storing bulk data on individuals, as well as authorising discovery of journalists’ sources.
Bulk personal data includes information extracted from passports, travel records, financial data, telephone calls, emails and many other open or covert sources. Often they are “fused” together to help pinpoint suspects.
The frequency of warnings to intelligence agency staff about the dangers of trespassing on private records is at odds with ministers’ repeated public reassurances that only terrorists and serious criminals are having their personal details compromised.
For example, a newsletter circulated in September 2011 by the Secret Intelligence Agency (SIS), better known as MI6, cautioned against staff misuse. “We’ve seen a few instances recently of individuals crossing the line with their database use … looking up addresses in order to send birthday cards, checking passport details to organise personal travel, checking details of family members for personal convenience,” it says.
“Another area of concern is the use of the database as a ‘convenient way’ to check the personal details of colleagues when filling out service forms on their behalf. Please remember that every search has the potential to invade the privacy of individuals, including individuals who are not the main subject of your search, so please make sure you always have a business need to conduct that search and that the search is proportionate to the level of intrusion involved.” Better where possible to use “less intrusive” means, it adds.
There has been disciplinary action. Between 2014 and 2016, two MI5 and three MI6 officers were disciplined for mishandling bulk personal data. Last year, it was reported that a member of GCHQ’s staff had been sacked for making unauthorised searches.
The papers show that data handling errors remain a problem. Government lawyers have admitted in responses to Privacy International that between 1 June 2014 and 9 February this year, “47 instances of non-compliance either with the MI5 closed section 94 handling arrangements or internal guidance or the communications data code of practice were detected.” Four errors involved “necessity and proportionality” issues; 43 related to mistransposed digits, material that did not relate to the subject of investigation or duplicated requests.
Another MI5 file notes that datasets “contain personal data about individuals, the majority of whom are unlikely to be of intelligence or security interest”.
The documents have been disclosed before a trial due later this summer at the investigatory powers tribunal, which hears complaints about state-authorised surveillance and the intelligence agencies. IPT sessions hear secret evidence behind closed doors.
Release of these internal records follows admissions by David Cameron and by parliament’s intelligence and security committee (ISC) last year in the wake of revelations by the US whistleblower Edward Snowden.
The most recent documents refer to a “more onerous authorisation process” after the prime minister’s avowal of the “use of bulk personal data”. They provide fresh detail of what is happening in the intelligence agencies.
Web and phone companies are required to retain data for official access for 12 months, but the intelligence agency documents make clear that acquired bulk data sets can be held far longer.
An MI5 memorandum says retention of “low intrusion” material needs to be reviewed only every two years. Some key words are missing from the memo, but it adds: “In MI5, a maximum retention period [redaction] is applied to [bulk personal data]. This can be increased in exceptional circumstances via a policy waiver. This waiver must be authorised by a senior MI5 official and agreed by the BPDRP [bulk data retention review panel] but shall be subject to a detailed review.”
Bulk personal data is exchanged with “foreign agencies”, presumably mainly those from other countries in the UK’s traditional “Five Eyes” alliance – the USA, Canada, Australia and New Zealand.
The documents do not specify every type of information exploited but give examples and broad categories: population data and passports, travel records, financial data and communications information. “Some of this data is publicly available, some of it is purchased and some of it is acquired covertly in accordance with SIS statutory functions,” according to an MI6 note.
Monetary information is held. “The fact that [MI5] holds bulk financial, albeit anonymised data is assessed to be a high corporate risk since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate.
“In some cases, it may be necessary for the relevant team to approach the data provider to examine whether any unnecessary/extraneous parts of the dataset can be removed prior to acquisition. Such extraneous data might include large numbers of minors, details of earnings or medical information.”
Death provides no escape. “Policy and processes in relation to bulk personal data is the same for both the living and the dead,” a combined agencies memo records.
Each intelligence service has its own database, it appears from the documents. For MI5, storage of bulk data is at their London HQ, Thames House. “In order to ensure the security and integrity of the datasets that the service relies upon for its enhanced analytical capabilities and to reassure data providers that their data will be handled securely, it is essential that the necessary physical controls are in place to mitigate unauthorised access to, or loss of, this information during transportation to and subsequent storage in Thames House.”
The justification for assembling such sophisticated databases, according to an MI5 document, is that it speeds up the process of detecting suspects. “By integrating bulk data [redaction] with information about individual subjects of interest from other sources of intelligence (liaison relationships, agent reporting, intercept, eavesdropping, surveillance) and from ‘fusing’ different data-sets in order to identify common links, we can better understand target networks, locations and behaviours, enabling a greater depth and breadth of target coverage.
“The fragmentary nature of many intelligence leads and the magnitude of the threat all mean that there is currently no effective method of resolving identities in a timely fashion without using bulk data.”
The standard MI5 form for acquisition of bulk data requires agency staff to tick a box if it holds sensitive personal data such as “biometric, financial, medical, racial or ethnic origin, religious, journalistic, political, legal, sexual or criminal activity” and membership of a trade union. MI5 officers also need to explain why acquisition is “necessary and proportionate”.
The documents show how alert the agencies are to their legal obligations. They refer to the agencies’ “ethics team”, the need for “proportionality” and “necessity”. One note stresses that GCHQ employees’ conditions of employment state that “unauthorised entry to computer records may constitute gross misconduct”.
But the papers also reveal how much latitude the law – notably Ripa, the Telecommunications Act, and the Data Protection Act – in practice gives them.
The documents include for the first time certificates under section 28 of the Data Protection Act – signed by David Blunkett and Jack Straw in 2001 when they were home and foreign secretary respectively – which provided secrecy about authorised bulk data interceptions under section 94 of the Telecommunications Act. The existence of such directions was not disclosed until last year.
The quantity of information the agencies have been forced to release suggests their long-established position of “neither confirming nor denying” any operational details may be crumbling at the edges.
In parliamentary debate over the investigatory powers bill, the government has argued that the security services only conduct targeted searches of data under legal warrants in pursuit of terrorist or criminal activity and that bulk interception is necessary as a first step in that process.
Millie Graham Wood, a legal officer at Privacy International, said: “The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data.
“This highly sensitive information about us is vulnerable to attack from hackers, foreign governments and criminals. The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time in the investigatory powers bill, which is currently being debated in parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective parliamentary scrutiny.”
A Home Office spokesman said: “Bulk powers have been essential to the security and intelligence agencies over the last decade and will be increasingly important in the future.
“The acquisition and use of bulk provides vital and unique intelligence that the security and intelligence agencies cannot obtain by any other means. The security and intelligence agencies use the same techniques that modern businesses increasingly rely on to analyse data in order to overcome the most significant national security challenges.”
Owen Bowcott and Richard Norton-Taylor
Thursday 21 April 2016 00.01 BST Last modified on Saturday 7 May 2016 15.01 BST
© 2016 Guardian News and Media Limited
GCHQ captured emails of journalists from top international media
28 May 2015
• Snowden files reveal emails of BBC, NY Times and more
• Agency includes investigative journalists on ‘threat’ list
• Editors call on Cameron to act against snooping on media
GCHQ’s bulk surveillance of electronic communications has scooped up emails to and from journalists working for some of the US and UK’s largest media organisations, analysis of documents released by whistleblower Edward Snowden reveals.
Emails from the BBC, Reuters, the Guardian, the New York Times, Le Monde, the Sun, NBC and the Washington Post were saved by GCHQ and shared on the agency’s intranet as part of a test exercise by the signals intelligence agency.
The disclosure comes as the British government faces intense pressure to protect the confidential communications of reporters, MPs and lawyers from snooping.
The journalists’ communications were among 70,000 emails harvested in the space of less than 10 minutes on one day in November 2008 by one of GCHQ’s numerous taps on the fibre-optic cables that make up the backbone of the internet.
The communications, which were sometimes simple mass-PR emails sent to dozens of journalists but also included correspondence between reporters and editors discussing stories, were retained by GCHQ and were available to all cleared staff on the agency intranet. There is nothing to indicate whether or not the journalists were intentionally targeted.
The mails appeared to have been captured and stored as the output of a then-new tool being used to strip irrelevant data out of the agency’s tapping process.
New evidence from other UK intelligence documents revealed by Snowden also shows that a GCHQ information security assessment listed “investigative journalists” as a threat in a hierarchy alongside terrorists or hackers.
Senior editors and lawyers in the UK have called for the urgent introduction of a freedom of expression law amid growing concern over safeguards proposed by ministers to meet concerns over the police use of surveillance powers linked to the Regulation of Investigatory Powers Act 2000 (Ripa).
More than 100 editors, including those from all the national newspapers, have signed a letter, coordinated by the Society of Editors and Press Gazette, to the UK prime minister, David Cameron, protesting at snooping on journalists’ communications.
In the wake of terror attacks on the Charlie Hebdo offices and a Jewish grocer in Paris, Cameron has renewed calls for further bulk-surveillance powers, such as those which netted these journalistic communications.
Ripa has been used to access journalists’ communications without a warrant, with recent cases including police accessing the phone records of Tom Newton-Dunn, the Sun’s political editor, over the Plebgate investigation. The call records of Mail on Sunday reporters involved in the paper’s coverage of Chris Huhne’s speeding row were also accessed in this fashion.
Under Ripa, neither the police nor the security services need to seek the permission of a judge to investigate any UK national’s phone records – instead, they must obtain permission from an appointed staff member from the same organisation, not involved in their investigation.
However, there are some suggestions in the documents that the collection of billing data by GCHQ under Ripa goes wider – and that it may not be confined to specific target individuals.
A top secret document discussing Ripa initially explains that the fact that billing records captured under Ripa are available to any government agency is “unclassified”, provided that there is “no mention of bulk”.
The GCHQ document goes on to warn that the fact that billing records “kept under Ripa are not limited to warranted targets” must be kept as one of the agency’s most tightly guarded secrets, at a classification known as “Top secret strap 2”.
That is two levels higher than a normal top secret classification – as it refers to “HMG [Her Majesty’s government] relationships with industry that have areas of extreme sensitivity”.
Internal security advice shared among the intelligence agencies was often as preoccupied with the activities of journalists as with more conventional threats such as foreign intelligence, hackers or criminals.
One restricted document intended for those in army intelligence warned that “journalists and reporters representing all types of news media represent a potential threat to security”.
It continued: “Of specific concern are ‘investigative journalists’ who specialise in defence-related exposés either for profit or what they deem to be of the public interest.
“All classes of journalists and reporters may try either a formal approach or an informal approach, possibly with off-duty personnel, in their attempts to gain official information to which they are not entitled.”
It goes on to caution “such approaches pose a real threat”, and tells staff they must be “immediately reported” to the chain-of-command.
GCHQ information security assessments, meanwhile, routinely list journalists between “terrorism” and “hackers” as “influencing threat sources”, with one matrix scoring journalists as having a “capability” score of two out of five, and a “priority” of three out of five, scoring an overall “low” information security risk.
Terrorists, listed immediately above investigative journalists on the document, were given a much higher “capability” score of four out of five, but a lower “priority” of two. The matrix concluded terrorists were therefore a “moderate” information security risk.
A spokesman for GCHQ said: “It is longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the parliamentary intelligence and security committee.
“All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European convention on human rights.”
James Ball
Monday 19 January 2015 15.04 GMT Last modified on Tuesday 20 January 2015 00.17 GMT
© 2015 Guardian News
British spooks tapped emails from UK and US media… and rated journalists alongside TERRORISTS as potential security threats, leaked Snowden documents reveal
28 May 2015
Journalists represent ‘a potential threat to security’, according to GCHQ
Revelation buried in secret documents leaked from the UK spy centre
Comes amid calls for security services to be given power to monitor emails
Journalists a ‘low’ security risk compared to terrorists who are ‘moderate’
GCHQ scooped up 70,000 emails in just 10 minutes, documents reveal
Among intercepted emails were some sent by BBC and New York Times
British spooks intercepted emails from US and UK media organisations and rated ‘investigative journalists’ alongside terrorists and hackers as potential security threats, secret documents reveal.
Internal advice circulated by intelligence chiefs at the Government spy centre GCHQ claims ‘journalists and reporters representing all types of news media represent a potential threat to security’.
Intelligence documents leaked by the fugitive US whistleblower Edward Snowden also show that British security officers scooped up 70,000 emails in just 10 minutes during one interception exercise in 2008.
Among the private exchanges were emails between journalists at the BBC, New York Times and US network NBC.
The disclosure comes amid growing calls for the security services to be handed more power to monitor the internet following the Paris terror attacks.
Internal security advice, shared among British intelligence agencies, scored journalists in a table of potential threats.
One restricted document, which according to the Guardian was intended for those in army intelligence, warned that ‘journalists and reporters representing all types of news media represent a potential threat to security’.
It continued: ‘Of specific concern are “investigative journalists” who specialise in defence-related exposés either for profit or what they deem to be of the public interest.’
The document adds: ‘All classes of journalists and reporters may try either a formal approach or an informal approach, possibly with off-duty personnel, in their attempts to gain official information to which they are not entitled.’
It warns staff that ‘such approaches pose a real threat’, adding it must be ‘immediately reported’.
One table scored journalists a ‘low’ information security risk – compared to terrorists who are seen as a ‘moderate’ threat.
A spokesman for GCHQ refused to confirm or deny if the leaked documents were accurate. The spokesman said: ‘It is longstanding policy that we do not comment on intelligence matters.
‘Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the parliamentary intelligence and security committee.
‘All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European convention on human rights.’
According to the Guardian, GCHQ scooped up emails to and from journalists during one 10-minute ‘tapping’ session in November 2008.
Emails from the BBC, the Sun and the Mail on Sunday were picked up and shared on the agency’s internal computer system – alongside memos from US media organisations.
The revelation comes as the British government faces growing pressure to ensure journalists’ texts and emails are protected from snooping.
Newspaper editors and lawyers have called for a new freedom of expression law.
By TOM MCTAGUE, DEPUTY POLITICAL EDITOR FOR MAILONLINE
PUBLISHED: 16:32 GMT, 19 January 2015 | UPDATED: 18:06 GMT, 19 January 2015
© Associated Newspapers Ltd
BT and Vodafone among telecoms companies passing details to GCHQ (2013)
19 May 2014
Fears of customer backlash over breach of privacy as firms give GCHQ unlimited access to their undersea cables
Some of the world’s leading telecoms firms, including BT and Vodafone, are secretly collaborating with Britain’s spy agency GCHQ, and are passing on details of their customers’ phone calls, email messages and Facebook entries, documents leaked by the whistleblower Edward Snowden show.
BT, Vodafone Cable, and the American firm Verizon Business – together with four other smaller providers – have given GCHQ secret unlimited access to their network of undersea cables. The cables carry much of the world’s phone calls and internet traffic.
In June the Guardian revealed details of GCHQ’s ambitious data-hoovering programmes, Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. It emerged GCHQ was able to tap into fibre-optic cables and store huge volumes of data for up to 30 days. That operation, codenamed Tempora, has been running for 20 months.
On Friday Germany’s Süddeutsche newspaper published the most highly sensitive aspect of this operation – the names of the commercial companies working secretly with GCHQ, and giving the agency access to their customers’ private communications. The paper said it had seen a copy of an internal GCHQ powerpoint presentation from 2009 discussing Tempora.
The document identified for the first time which telecoms companies are working with GCHQ’s “special source” team. It gives top secret codenames for each firm, with BT (“Remedy”), Verizon Business (“Dacron”), and Vodafone Cable (“Gerontic”). The other firms include Global Crossing (“Pinnage”), Level 3 (“Little”), Viatel (“Vitreous”) and Interoute (“Streetcar”). The companies refused to comment on any specifics relating to Tempora, but several noted they were obliged to comply with UK and EU law.
The revelations are likely to dismay GCHQ and Downing Street, who are fearful that BT and the other firms will suffer a backlash from customers furious that their private data and intimate emails have been secretly passed to a government spy agency. In June a source with knowledge of intelligence said the companies had no choice but to co-operate in this operation. They are forbidden from revealing the existence of warrants compelling them to allow GCHQ access to the cables.
Together, these seven companies operate a huge share of the high-capacity undersea fibre-optic cables that make up the backbone of the internet’s architecture. GCHQ’s mass tapping operation has been built up over the past five years by attaching intercept probes to the transatlantic cables where they land on British shores. GCHQ’s station in Bude, north Cornwall, plays a role. The cables carry data to western Europe from telephone exchanges and internet servers in north America. This allows GCHQ and NSA analysts to search vast amounts of data on the activity of millions of internet users. Metadata – the sites users visit, whom they email, and similar information – is stored for up to 30 days, while the content of communications is typically stored for three days.
GCHQ has the ability to tap cables carrying both internet data and phone calls. By last year GCHQ was handling 600m “telephone events” each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time.
Each of the cables carries data at a rate of 10 gigabits per second, so the tapped cables had the capacity, in theory, to deliver more than 21 petabytes a day – equivalent to sending all the information in all the books in the British Library 192 times every 24 hours.
This operation is carried out under clandestine agreements with the seven companies, described in one document as “intercept partners”. The companies are paid for logistical and technical assistance.
The identity of the companies allowing GCHQ to tap their cables was regarded as extremely sensitive within the agency. Though the Tempora programme itself was classified as top secret, the identities of the cable companies were even more secret, referred to as “exceptionally controlled information”, with the company names replaced with the codewords, such as “GERONTIC”, “REMEDY” and “PINNAGE”.
However, some documents made it clear which codenames referred to which companies. GCHQ also assigned the firms “sensitive relationship teams”. One document warns that if the names emerged it could cause “high-level political fallout”.
Germans have been enraged by the revelations of spying by the National Security Agency and GCHQ after it emerged that both agencies were hoovering up German data as well. On Friday the Süddeutsche said it was now clear that private telecoms firms were far more deeply complicit in US-UK spying activities than had been previously thought.
The source familiar with intelligence maintained in June that GCHQ was “not looking at every piece of straw” but was sifting a “vast haystack of data” for what he called “needles”.
He added: “If you had the impression we are reading millions of emails, we are not. There is no intention in this whole programme to use it for looking at UK domestic traffic – British people talking to each other.” The source said analysts used four criteria for determining what was examined: security, terror, organised crime and Britain’s economic wellbeing. “The vast majority of the data is discarded without being looked at … we simply don’t have the resources.”
Nonetheless, the agency repeatedly referred to plans to expand this collection ability still further in the future.
Once it is collected, analysts are able to search the information for emails, online chats and browsing histories using an interface called XKeyscore, uncovered in the Guardian on Wednesday. By May 2012, 300 analysts from GCHQ and 250 NSA analysts had direct access to search and sift through the data collected under the Tempora program.
Documents seen by the Guardian suggest some telecoms companies allowed GCHQ to access cables which they did not themselves own or operate, but only operated a landing station for. Such practices could raise alarm among other cable providers who do not co-operate with GCHQ programmes that their facilities are being used by the intelligence agency.
Telecoms providers can be compelled to co-operate with requests from the government, relayed through ministers, under the 1984 Telecommunications Act, but privacy advocates have raised concerns that the firms are not doing enough to challenge orders enabling large-scale surveillance, or are co-operating to a degree beyond that required by law.
“We urgently need clarity on how close the relationship is between companies assisting with intelligence gathering and government,” said Eric King, head of research for Privacy International. “Were the companies strong-armed, or are they voluntary intercept partners?”
Vodafone said it complied with the laws of all the countries in which its cables operate. “Media reports on these matters have demonstrated a misunderstanding of the basic facts of European, German and UK legislation and of the legal obligations set out within every telecommunications operator’s licence … Vodafone complies with the law in all of our countries of operation,” said a spokesman.
“Vodafone does not disclose any customer data in any jurisdiction unless legally required to do so. Questions related to national security are a matter for governments not telecommunications operators.”
A spokeswoman for Interoute said: “As with all communication providers in Europe we are required to comply with European and local laws including those on data protection and retention. From time to time we are presented with requests from authorities. When we receive such requests, they are processed by our legal and security teams and if valid, acted upon.”
A spokeswoman for Verizon said: “Verizon continually takes steps to safeguard our customers’ privacy. Verizon also complies with the law in every country in which we operate.”
BT declined to comment.
James Ball, Luke Harding and Juliette Garside
The Guardian, Friday 2 August 2013 18.36 BST
Find this story at 2 August 2013
© 2014 Guardian News and Media Limited or its affiliated companies. All rights reserved.
Newly declassified documents on phone records program released (2013)
19 May 2014
Obama administration officials faced deepening political skepticism Wednesday about a far-reaching counterterrorism program that collects millions of Americans’ phone records, even as they released newly declassified documents in an attempt to spotlight privacy safeguards.
The previously secret material — a court order and reports to Congress — was released by Director of National Intelligence James R. Clapper as a Senate Judiciary Committee hearing opened Wednesday morning in which lawmakers sharply questioned the efficacy of the collection of bulk phone records. A senior National Security Agency official conceded that the surveillance effort was the primary tool in thwarting only one plot — not the dozens that officials had previously suggested.
In recent weeks, political support for such broad collection has sagged, and the House last week narrowly defeated a bipartisan bid to end the program, at least in its current form. On Wednesday, senior Democratic senators voiced equally strong doubts.
“This bulk-collection program has massive privacy implications,” said Senate Judiciary Committee Chairman Patrick J. Leahy (Vt.). “The phone records of all of us in this room — all of us in this room — reside in an NSA database. I’ve said repeatedly, just because we have the ability to collect huge amounts of data does not mean that we should be doing so. . . . If this program is not effective, it has to end. So far, I’m not convinced by what I’ve seen.”
Administration officials defended the collection effort and a separate program targeting foreigners’ communication as essential and operating under stringent guidelines.
“With these programs and other intelligence activities, we are constantly seeking to achieve the right balance between the protection of national security and the protection of privacy and civil liberties,” Deputy Attorney General James Cole said. “We believe these two programs have achieved the right balance.”
Cole nonetheless said the administration is open to amending the program to achieve greater public trust. Legislation is pending in the Senate that would narrow its scope.
The NSA program collecting phone records began after the September 2001 terrorist attacks and was brought under the supervision of the Foreign Intelligence Surveillance Court in 2006. But its existence remained hidden until June, when the Guardian newspaper in Britain published a classified FISC order to a U.S. phone company to turn over to the NSA all call records. Former NSA contractor Edward Snowden leaked the order to the newspaper.
On Wednesday, the Guardian published new documents provided by Snowden that outlined previously unknown features of an NSA data-retrieval system called XKeyscore. The newspaper reported that the search tool allowed analysts to “search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals.”
NSA slides describing the system published with the Guardian article indicated that analysts used it to sift through government databases, including Pinwale, the NSA’s primary storage system for e-mail and other text, and Marina, the primary storage and analysis tool for “metadata.” Another slide described analysts using XKeyscore to access a database containing phone numbers, e-mail addresses, log-ins and Internet user activity generated from other NSA programs.
The newspaper said the disclosures shed light on Snowden’s claim that the NSA’s surveillance programs allowed him while sitting at his desk to “wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal e-mail.” U.S. officials have denied that he had such capability.
In a statement responding to the Guardian report, the NSA said “the implication that NSA’s collection is arbitrary and unconstrained is false. NSA’s activities are focused and specifically deployed against — and only against — legitimate foreign intelligence targets.” The agency further said: “Access to XKEYSCORE, as well as all of NSA’s analytic tools, is limited to only those personnel who require access for their assigned tasks. . . . Not every analyst can perform every function, and no analyst can operate freely. Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.”
On Wednesday, Clapper disclosed the FISA court’s “primary” order that spells out the program’s collection rules and two reports to Congress that discussed the program, which is authorized under Section 215 of the “business records” provision of the Foreign Intelligence Surveillance Act. Administration officials released the documents to reassure critics that the program is strictly supervised and minimally invasive.
For instance, the primary order states that only “appropriately trained and authorized personnel” may have access to the records, which consist of phone numbers of calls made and received, their time and duration, but not names and content. Officials call this metadata. The order also states that to query the data, there must be “reasonable, articulable suspicion,” presumably that the number is linked to a foreign terrorist group.
But the documents fueled more concern about the program’s scope among civil liberties advocates who are pressing the administration to release the legal rationale that might explain what makes such large numbers of records relevant to an authorized investigation. Perhaps most alarming to some critics was the disclosure, in the order, that queries of the metadata return results that are placed into a “corporate store” that may then be searched for foreign intelligence purposes with fewer restrictions.
That disclosure takes on significance in light of Deputy NSA Director John C. Inglis’s testimony last month that analysts could extend their searches by “three hops.” That means that starting from a target’s phone number, analysts can search on the phone numbers of people in contact with the target, then the numbers of people in contact with that group, and then the numbers of people in contact with that larger pool. That is potentially millions of people, said Jameel Jaffer, deputy legal director of the American Civil Liberties Union, who also testified Wednesday.
The Office of the DNI earlier released a statement that fewer than 300 numbers were queried in 2012. That could still mean potentially hundreds of millions of records, Sen. Richard J. Durbin (D-Ill.) said at the hearing.
Also, according to the order, the NSA does not need to audit the results of searches of the corporate store.
The order asserts that phone metadata could be obtained with a grand jury subpoena. That may be true for one person or even a group of people, but not for all Americans’ phone records, critics said.
Privacy advocates criticized redactions in the reports to Congress of information about the NSA’s failure to comply with its own internal rules. That is “among the most important information that the American public needs to critically assess whether these programs are proper,” said Mark Rumold, a staff lawyer at the Electronic Frontier Foundation.
At the hearing, Leahy voiced upset with the administration for suggesting that the program was as effective in thwarting terrorist plots as another NSA program, authorized under Section 702 of FISA and targeting foreigners’ communications. “I don’t think that’s a coincidence when we have people in government make that comparison, but it needs to stop,” he said of attempts to conflate the two programs’ utility.
He noted that senior officials had testified that the phone logging effort was critical to thwarting 54 plots, but after reviewing NSA material, he said that assertion cannot be made — “not by any stretch.” Pressed by Leahy on the point, Inglis admitted that the program “made a contribution” in 12 plots with a domestic nexus, but only one case came close to a “but-for” or critical contribution.
Carol D. Leonnig and William Branigin contributed to this report.
By Ellen Nakashima, Published: July 31, 2013
Find this story at 31 July 2013
© 1996-2014 The Washington Post
Telecom giants help the intelligence services (2013)
19 May 2014
The British intelligence service received more extensive support from telecommunications companies in its eavesdropping operations than previously known, report the “Süddeutsche Zeitung” and NDR. Even programming work is said to have been outsourced to the companies.
Berlin – According to concurring reports by NDR and the “Süddeutsche Zeitung” (SZ), some private telecommunications companies are more deeply involved in the eavesdropping operations of foreign intelligence services than previously assumed. The British intelligence service GCHQ, for instance, a close partner of the US agency NSA, is said to work with seven large companies in tapping internet traffic.
NDR and the “Süddeutsche Zeitung” base their reports on documents from the former NSA contractor Edward Snowden, which they were able to inspect. The internal presentation from 2009 names, alongside the international companies British Telecom, Verizon and Vodafone, the network operators Level 3, Interoute, Viatel and Global Crossing as key partners of GCHQ. Global Crossing has since been bought by Level 3.
Together, according to NDR and “SZ”, the companies span a dense data network across Europe and large parts of the world. Some firms such as Level 3 accordingly operate large data centres in Germany. According to the reports, Level 3 operates data centres in several German cities, and a transatlantic cable belonging to Global Crossing is connected to German networks at Westerland on Sylt. The company Interoute, which according to the documents also cooperates with GCHQ, operates 15 network nodes in Germany.
In some cases the cooperation with the intelligence service went beyond simple access to the data networks, report “SZ” and NDR. According to the documents, some companies are even said to have developed computer programs to make it easier for the British intelligence service to intercept data from their networks. In effect, GCHQ delegated part of its spying work to private companies.
Viatel denies cooperation
Most of the companies, according to NDR and “SZ”, pointed to laws that allow governments to oblige firms under certain circumstances to hand over information. Viatel contradicted the claims and stated that it does not cooperate with GCHQ and does not grant the intelligence service access to its own infrastructure or to customer data.
2 August 2013, 09:20
Find this story at 2 August 2013
© SPIEGEL ONLINE 2013
Kiwi spies taught online tricks
10 April 2014
Prime Minister John Key says he has no details on briefings that documents released by US whistleblower Edward Snowden show were given to Kiwi spooks.
Key would not confirm or deny the briefings, which were revealed overnight by author and journalist Glenn Greenwald, who worked with MSNBC to reveal the documents.
“The law states very clearly that for SIS or GCSB [Government Communications Security Bureau] to undertake surveillance against New Zealanders it has to be with warranted authority,” Key said this afternoon.
“In my view that will involve a very small group of New Zealanders from time to time.”
The Government is bracing itself for more leaks from the Snowden archive.
“I don’t know what Snowden has … what they chose to release and when, who knows?” Key said.
“They are of no great consequence, I don’t think.”
The documents show Kiwi spooks were briefed on setting honey traps and internet “dirty tricks” to “control, infiltrate, manipulate, and warp” online discourse.
GCSB agents – part of the Five Eyes intelligence network – were briefed by counterparts from the ultra-secret Joint Threat Research Intelligence Group.
A slide-show presentation, called The Art of Deception: Training for Online Covert Operations, was given at a top secret spy conference in 2012.
It outlined sex and dirty tricks cyber operations used by JTRIG, a unit of the British signals intelligence agency GCHQ, which focused on cyber forensics, espionage and covert operations. GCHQ described the purpose of the unit as “using online techniques to make something happen in the real or cyber world”, including “information ops (influence or disruption)”.
According to the slides, JTRIG conducted “honey traps”, sent computer viruses, deleted the online presence of targets and engaged in cyber-attacks on the “hacktivist” collective Anonymous.
One carried the title “Cyber offensive session: pushing the boundaries and action against hacktivism” revealing the agency was going after online political activists.
The presentation outlined tactics to destroy the reputation of targets online. It detailed how agents could get another country to “believe a secret” by placing information on a compromised computer or making it visible on networks under surveillance.
A JTRIG tool, called AMBASSADORS RECEPTION, involved sending a virus to someone’s computer to stop it functioning. It would delete emails, encrypt files, make the screen shake, deny service or stop logins.
Other methods were deployed to “stop someone communicating”, bombarding their phone with text messages and calls – in some cases every 10 seconds, deleting their online presence and blocking up their fax machines.
According to the presentation these tactics were used in Afghanistan, “significantly disrupting Taliban operations”.
Changing a profile photo on social networking sites “can take paranoia to a whole new level”.
A honey trap was described as “a great option” and “very successful when it works”. Writing false blogs, pretending to be a “victim” of a target worked in “serious crime ops” and in Iran, the conference was told.
The presentation also outlined “info ops” to discredit a company by leaking confidential information to rival firms and the press, posting negative information to online forums and stopping deals or ruining business relationships.
The documents were presented to the GCSB, NSA and agents from Australia and Canada.
Greenwald wrote on The Intercept website that the agencies were “attempting to control, infiltrate, manipulate and warp online discourse, and in doing so are compromising the integrity of the internet itself”.
Greenwald called the tactics “extremist” and pointed out they do not only target hostile nations or spy agencies, terrorists or national security threats, but also “people suspected (but not charged or convicted) of ordinary crimes or … those who use online protest activity for political ends”.
He added: “It is not difficult to see how dangerous it is to have secret government agencies being able to target any individuals they want – who have never been charged with, let alone convicted of, any crimes.”
ANDREA VANCE
Last updated 15:14 26/02/2014
Find this story at 26 February 2014
© Fairfax NZ News
Kiwi spies taught ‘honey trap’ tricks – Snowden documents
10 April 2014
Kiwi spooks were briefed on setting honey traps and internet “dirty tricks” to “control, infiltrate, manipulate, and warp” online discourse, documents leaked by Edward Snowden reveal.
Government Communications Security Bureau (GCSB) agents – part of the Five Eyes intelligence network – were briefed by counterparts from the ultra-secret Joint Threat Research Intelligence Group. A slide-show presentation, called “The Art of Deception: Training for Online Covert Operations”, was given at a top secret spy conference in 2012.
It outlined sex and dirty tricks cyber operations used by JTRIG, a unit of the British Signals intelligence agency GCHQ which focused on cyber forensics, espionage and covert operations. GCHQ described the purpose of the unit as “using online techniques to make something happen in the real or cyber world,” including “information ops (influence or disruption).”
According to the slides, JTRIG conducted “honey traps,” sent computer viruses, deleted the online presence of targets and engaged in cyber-attacks on the “hacktivist” collective Anonymous.
One carried the title “Cyber offensive session: pushing the boundaries and action against hacktivism” revealing the agency was going after online political activists.
Reputation destroying tactics
The presentation outlined tactics to destroy the reputation of targets online. It detailed how agents could get another country to “believe a secret” by placing information on a compromised computer or making it visible on networks under surveillance.
A JTRIG tool, called AMBASSADORS RECEPTION, involved sending a virus to someone’s computer to stop it functioning. It would delete emails, encrypt files, make the screen shake, deny service or stop log-ins.
Other methods were deployed to “stop someone communicating,” bombarding their phone with text messages and calls – in some cases every 10 seconds, deleting their online presence and blocking up their fax machines. According to the presentation these tactics were used in Afghanistan “significantly disrupting Taliban Operations.”
Changing a profile photo on social networking sites “can take paranoia to a whole new level.” A honey trap was described as “a great option” and “very successful when it works.” Writing false blogs, pretending to be a “victim” of a target worked in “serious crime ops” and in Iran, the conference was told.
The documents were presented to the GCSB, NSA and agents from Australia and Canada.
Author and journalist Glenn Greenwald worked with MSNBC to reveal the documents. On “The Intercept” website he wrote that the agencies were “attempting to control, infiltrate, manipulate and warp online discourse, and in doing so are compromising the integrity of the internet itself.”
Published: 1:41PM Wednesday February 26, 2014 Source: Fairfax
Find this story at 26 February 2014
© 2014, Television New Zealand Limited
GCHQ and European spy agencies worked together on mass surveillance
9 April 2014
Edward Snowden papers unmask close technical cooperation and loose alliance between British, German, French, Spanish and Swedish spy agencies
The German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain’s GCHQ eavesdropping agency.
The bulk monitoring is carried out through direct taps into fibre optic cables and the development of covert relationships with telecommunications companies. A loose but growing eavesdropping alliance has allowed intelligence agencies from one country to cultivate ties with corporations from another to facilitate the trawling of the web, according to GCHQ documents leaked by the former US intelligence contractor Edward Snowden.
The files also make clear that GCHQ played a leading role in advising its European counterparts how to work around national laws intended to restrict the surveillance power of intelligence agencies.
The German, French and Spanish governments have reacted angrily to reports based on National Security Agency (NSA) files leaked by Snowden since June, revealing the interception of communications by tens of millions of their citizens each month. US intelligence officials have insisted the mass monitoring was carried out by the security agencies in the countries involved and shared with the US.
The US director of national intelligence, James Clapper, suggested to Congress on Tuesday that European governments’ professed outrage at the reports was at least partly hypocritical. “Some of this reminds me of the classic movie Casablanca: ‘My God, there’s gambling going on here,’ ” he said.
Sweden, which passed a law in 2008 allowing its intelligence agency to monitor cross-border email and phone communications without a court order, has been relatively muted in its response.
The German government, however, has expressed disbelief and fury at the revelations from the Snowden documents, including the fact that the NSA monitored Angela Merkel’s mobile phone calls.
After the Guardian revealed the existence of GCHQ’s Tempora programme, in which the electronic intelligence agency tapped directly into the transatlantic fibre optic cables to carry out bulk surveillance, the German justice minister, Sabine Leutheusser-Schnarrenberger, said it sounded “like a Hollywood nightmare”, and warned the UK government that free and democratic societies could not flourish when states shielded their actions in “a veil of secrecy”.
‘Huge potential’
However, in a country-by-country survey of its European partners, GCHQ officials expressed admiration for the technical capabilities of German intelligence to do the same thing. The survey in 2008, when Tempora was being tested, said the Federal Intelligence Service (BND), had “huge technological potential and good access to the heart of the internet – they are already seeing some bearers running at 40Gbps and 100Gbps”.
Bearers is the GCHQ term for the fibre optic cables, and gigabits per second (Gbps) measures the speed at which data runs through them. Four years after that report, GCHQ was still only able to monitor 10 Gbps cables, but looked forward to tapping new 100 Gbps bearers eventually. Hence the admiration for the BND.
The document also makes clear that British intelligence agencies were helping their German counterparts change or bypass laws that restricted their ability to use their advanced surveillance technology. “We have been assisting the BND (along with SIS [Secret Intelligence Service] and Security Service) in making the case for reform or reinterpretation of the very restrictive interception legislation in Germany,” it says.
The country-by-country survey, which in places reads somewhat like a school report, also hands out high marks to the GCHQ’s French partner, the General Directorate for External Security (DGSE). But in this case it is suggested that the DGSE’s comparative advantage is its relationship with an unnamed telecommunications company, a relationship GCHQ hoped to leverage for its own operations.
“DGSE are a highly motivated, technically competent partner, who have shown great willingness to engage on IP [internet protocol] issues, and to work with GCHQ on a “cooperate and share” basis.”
Noting that the Cheltenham-based electronic intelligence agency had trained DGSE technicians on “multi-disciplinary internet operations”, the document says: “We have made contact with the DGSE’s main industry partner, who has some innovative approaches to some internet challenges, raising the potential for GCHQ to make use of this company in the protocol development arena.”
GCHQ went on to host a major conference with its French partner on joint internet-monitoring initiatives in March 2009 and four months later reported on shared efforts on what had become by then GCHQ’s biggest challenge – continuing to carry out bulk surveillance, despite the spread of commercial online encryption, by breaking that encryption.
“Very friendly crypt meeting with DGSE in July,” British officials reported. The French were “clearly very keen to provide presentations on their work which included cipher detection in high-speed bearers. [GCHQ’s] challenge is to ensure that we have enough UK capability to support a longer term crypt relationship.”
Fresh opportunities
In the case of the Spanish intelligence agency, the National Intelligence Centre (CNI), the key to mass internet surveillance, at least back in 2008, was the Spaniards’ ties to a British telecommunications company (again unnamed. Corporate relations are among the most strictly guarded secrets in the intelligence community). That was giving them “fresh opportunities and uncovering some surprising results.
“GCHQ has not yet engaged with CNI formally on IP exploitation, but the CNI have been making great strides through their relationship with a UK commercial partner. GCHQ and the commercial partner have been able to coordinate their approach. The commercial partner has provided the CNI some equipment whilst keeping us informed, enabling us to invite the CNI across for IP-focused discussions this autumn,” the report said. It concluded that GCHQ “have found a very capable counterpart in CNI, particularly in the field of Covert Internet Ops”.
GCHQ was clearly delighted in 2008 when the Swedish parliament passed a bitterly contested law allowing the country’s National Defence Radio Establishment (FRA) to conduct Tempora-like operations on fibre optic cables. The British agency also claimed some credit for the success.
“FRA have obtained a … probe to use as a test-bed and we expect them to make rapid progress in IP exploitation following the law change,” the country assessment said. “GCHQ has already provided a lot of advice and guidance on these issues and we are standing by to assist the FRA further once they have developed a plan for taking the work forwards.”
The following year, GCHQ held a conference with its Swedish counterpart “for discussions on the implications of the new legislation being rolled out” and hailed as “a success in Sweden” the news that FRA “have finally found a pragmatic solution to enable release of intelligence to SAEPO [the internal Swedish security service.]”
GCHQ also maintains strong relations with the two main Dutch intelligence agencies, the external MIVD and the internal security service, the AIVD.
“Both agencies are small, by UK standards, but are technically competent and highly motivated,” British officials reported. Once again, GCHQ was on hand in 2008 for help in dealing with legal constraints. “The AIVD have just completed a review of how they intend to tackle the challenges posed by the internet – GCHQ has provided input and advice to this report,” the country assessment said.
“The Dutch have some legislative issues that they need to work through before their legal environment would allow them to operate in the way that GCHQ does. We are providing legal advice on how we have tackled some of these issues to Dutch lawyers.”
European allies
In the score-card of European allies, it appears to be the Italians who come off the worse. GCHQ expresses frustration with the internal friction between Italian agencies and the legal limits on their activities.
“GCHQ has had some CT [counter-terrorism] and internet-focused discussions with both the foreign intelligence agency (AISE) and the security service (AISI), but has found the Italian intelligence community to be fractured and unable/unwilling to cooperate with one another,” the report said.
A follow-up bulletin six months later noted that GCHQ was “awaiting a response from AISI on a recent proposal for cooperation – the Italians had seemed keen, but legal obstacles may have been hindering their ability to commit.”
It is clear from the Snowden documents that GCHQ has become Europe’s intelligence hub in the internet age, and not just because of its success in creating a legally permissive environment for its operations. Britain’s location as the European gateway for many transatlantic cables, and its privileged relationship with the NSA has made GCHQ an essential partner for European agencies. The documents show British officials frequently lobbying the NSA on sharing of data with the Europeans and haggling over its security classification so it can be more widely disseminated. In the intelligence world, far more than it managed in diplomacy, Britain has made itself an indispensable bridge between America and Europe’s spies.
Julian Borger
The Guardian, Friday 1 November 2013 17.02 GMT
Find this story at 1 November 2013
© 2014 Guardian News and Media Limited or its affiliated companies. All rights reserved.
Snowden Documents Reveal Covert Surveillance and Pressure Tactics Aimed at WikiLeaks and Its Supporters
22 February 2014
Top-secret documents from the National Security Agency and its British counterpart reveal for the first time how the governments of the United States and the United Kingdom targeted WikiLeaks and other activist groups with tactics ranging from covert surveillance to prosecution.
The efforts – detailed in documents provided previously by NSA whistleblower Edward Snowden – included a broad campaign of international pressure aimed not only at WikiLeaks founder Julian Assange, but at what the U.S. government calls “the human network that supports WikiLeaks.” The documents also contain internal discussions about targeting the file-sharing site Pirate Bay and hacktivist collectives such as Anonymous.
One classified document from Government Communications Headquarters, Britain’s top spy agency, shows that GCHQ used its surveillance system to secretly monitor visitors to a WikiLeaks site. By exploiting its ability to tap into the fiber-optic cables that make up the backbone of the Internet, the agency confided to allies in 2012, it was able to collect the IP addresses of visitors in real time, as well as the search terms that visitors used to reach the site from search engines like Google.
Another classified document from the U.S. intelligence community, dated August 2010, recounts how the Obama administration urged foreign allies to file criminal charges against Assange over the group’s publication of the Afghanistan war logs.
A third document, from July 2011, contains a summary of an internal discussion in which officials from two NSA offices – including the agency’s general counsel and an arm of its Threat Operations Center – considered designating WikiLeaks as “a ‘malicious foreign actor’ for the purpose of targeting.” Such a designation would have allowed the group to be targeted with extensive electronic surveillance – without the need to exclude U.S. persons from the surveillance searches.
In 2008, not long after WikiLeaks was formed, the U.S. Army prepared a report that identified the organization as an enemy, and plotted how it could be destroyed. The new documents provide a window into how the U.S. and British governments appear to have shared the view that WikiLeaks represented a serious threat, and reveal the controversial measures they were willing to take to combat it.
In a statement to The Intercept, Assange condemned what he called “the reckless and unlawful behavior of the National Security Agency” and GCHQ’s “extensive hostile monitoring of a popular publisher’s website and its readers.”
“News that the NSA planned these operations at the level of its Office of the General Counsel is especially troubling,” Assange said. “Today, we call on the White House to appoint a special prosecutor to investigate the extent of the NSA’s criminal activity against the media, including WikiLeaks, its staff, its associates and its supporters.”
Illustrating how far afield the NSA deviates from its self-proclaimed focus on terrorism and national security, the documents reveal that the agency considered using its sweeping surveillance system against Pirate Bay, which has been accused of facilitating copyright violations. The agency also approved surveillance of the foreign “branches” of hacktivist groups, mentioning Anonymous by name.
The documents call into question the Obama administration’s repeated insistence that U.S. citizens are not being caught up in the sweeping surveillance dragnet being cast by the NSA. Under the broad rationale considered by the agency, for example, any communication with a group designated as a “malicious foreign actor,” such as WikiLeaks and Anonymous, would be considered fair game for surveillance.
Julian Sanchez, a research fellow at the Cato Institute who specializes in surveillance issues, says the revelations shed a disturbing light on the NSA’s willingness to sweep up American citizens in its surveillance net.
“All the reassurances Americans heard that the broad authorities of the FISA Amendments Act could only be used to ‘target’ foreigners seem a bit more hollow,” Sanchez says, “when you realize that the ‘foreign target’ can be an entire Web site or online forum used by thousands if not millions of Americans.”
GCHQ Spies on WikiLeaks Visitors
The system used by GCHQ to monitor the WikiLeaks website – codenamed ANTICRISIS GIRL – is described in a classified PowerPoint presentation prepared by the British agency and distributed at the 2012 “SIGDEV Conference.” At the annual gathering, each member of the “Five Eyes” alliance – the United States, United Kingdom, Canada, Australia and New Zealand – describes the prior year’s surveillance successes and challenges.
In a top-secret presentation at the conference, two GCHQ spies outlined how ANTICRISIS GIRL was used to enable “targeted website monitoring” of WikiLeaks (see slides 33 and 34). The agency logged data showing hundreds of users from around the world, including the United States, as they were visiting a WikiLeaks site – contradicting claims by American officials that a deal between the U.K. and the U.S. prevents each country from spying on the other’s citizens.
The IP addresses collected by GCHQ are used to identify individual computers that connect to the Internet, and can be traced back to specific people if the IP address has not been masked using an anonymity service. If WikiLeaks or other news organizations were receiving submissions from sources through a public dropbox on their website, a system like ANTICRISIS GIRL could potentially be used to help track them down. (WikiLeaks has not operated a public dropbox since 2010, when it shut down its system in part due to security concerns over surveillance.)
In its PowerPoint presentation, GCHQ identifies its target only as “wikileaks.” One slide, displaying analytics derived from the surveillance, suggests that the site monitored was the official wikileaks.org domain. It shows that users reached the targeted site by searching for “wikileaks.org” and for “maysan uxo,” a term associated with a series of leaked Iraq war logs that are hosted on wikileaks.org.
The ANTICRISIS GIRL initiative was operated by a GCHQ unit called Global Telecoms Exploitation (GTE), which was previously reported by The Guardian to be linked to the large-scale, clandestine Internet surveillance operation run by GCHQ, codenamed TEMPORA.
Operating in the United Kingdom and from secret British eavesdropping bases in Cyprus and other countries, GCHQ conducts what it refers to as “passive” surveillance – indiscriminately intercepting massive amounts of data from Internet cables, phone networks and satellites. The GTE unit focuses on developing “pioneering collection capabilities” to exploit the stream of data gathered from the Internet.
As part of the ANTICRISIS GIRL system, the documents show, GCHQ used publicly available analytics software called Piwik to extract information from its surveillance stream, not only monitoring visits to targeted websites like WikiLeaks, but tracking the country of origin of each visitor.
It is unclear from the PowerPoint presentation whether GCHQ monitored the WikiLeaks site as part of a pilot program designed to demonstrate its capability, using only a small set of covertly collected data, or whether the agency continues to actively deploy its surveillance system to monitor visitors to WikiLeaks. It was previously reported in The Guardian that X-KEYSCORE, a comprehensive surveillance weapon used by both NSA and GCHQ, allows “an analyst to learn the IP addresses of every person who visits any website the analyst specifies.”
GCHQ refused to comment on whether ANTICRISIS GIRL is still operational. In an email citing the agency’s boilerplate response to inquiries, a spokeswoman insisted that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”
But privacy advocates question such assurances. “How could targeting an entire website’s user base be necessary or proportionate?” says Gus Hosein, executive director of the London-based human rights group Privacy International. “These are innocent people who are turned into suspects based on their reading habits. Surely becoming a target of a state’s intelligence and security apparatus should require more than a mere click on a link.”
The agency’s covert targeting of WikiLeaks, Hosein adds, calls into question the entire legal rationale underpinning the state’s system of surveillance. “We may be tempted to see GCHQ as a rogue agency, ungoverned in its use of unprecedented powers generated by new technologies,” he says. “But GCHQ’s actions are authorized by [government] ministers. The fact that ministers are ordering the monitoring of political interests of Internet users shows a systemic failure in the rule of law.”
Going After Assange and His Supporters
The U.S. attempt to pressure other nations to prosecute Assange is recounted in a file that the intelligence community calls its “Manhunting Timeline.” The document details, on a country-by-country basis, efforts by the U.S. government and its allies to locate, prosecute, capture or kill alleged terrorists, drug traffickers, Palestinian leaders and others. There is a timeline for each year from 2008 to 2012.
An entry from August 2010 – headlined “United States, Australia, Great Britain, Germany, Iceland” – states: “The United States on August 10 urged other nations with forces in Afghanistan, including Australia, United Kingdom, and Germany, to consider filing criminal charges against Julian Assange.” It describes Assange as the “founder of the rogue Wikileaks Internet website and responsible for the unauthorized publication of over 70,000 classified documents covering the war in Afghanistan.”
In response to questions from The Intercept, the NSA suggested that the entry is “a summary derived from a 2010 article” in the Daily Beast. That article, which cited an anonymous U.S. official, reported that “the Obama administration is pressing Britain, Germany, Australia, and other allied Western governments to consider opening criminal investigations of WikiLeaks founder Julian Assange and to severely limit his nomadic travels across international borders.”
The government entry in the “Manhunting Timeline” adds Iceland to the list of Western nations that were pressured, and suggests that the push to prosecute Assange is part of a broader campaign. The effort, it explains, “exemplifies the start of an international effort to focus the legal element of national power upon non-state actor Assange, and the human network that supports WikiLeaks.” The entry does not specify how broadly the government defines that “human network,” which could potentially include thousands of volunteers, donors and journalists, as well as people who simply spoke out in defense of WikiLeaks.
In a statement, the NSA declined to comment on the documents or its targeting of activist groups, noting only that the agency “provides numerous opportunities and forums for their analysts to explore hypothetical or actual circumstances to gain appropriate advice on the exercise of their authorities within the Constitution and the law, and to share that advice appropriately.”
But the entry aimed at WikiLeaks comes from credentialed officials within the intelligence community. In an interview in Hong Kong last June, Edward Snowden made clear that the only NSA officials empowered to write such entries are those “with top-secret clearance and public key infrastructure certificates” – a kind of digital ID card enabling unique access to certain parts of the agency’s system. What’s more, Snowden added, the entries are “peer reviewed” – and every edit made is recorded by the system.
The U.S. launched its pressure campaign against WikiLeaks less than a week after the group began publishing the Afghanistan war logs on July 25, 2010. At the time, top U.S. national security officials accused WikiLeaks of having “blood” on its hands. But several months later, McClatchy reported that “U.S. officials concede that they have no evidence to date that the documents led to anyone’s death.”
The government targeting of WikiLeaks nonetheless continued. In April 2011, Salon reported that a grand jury in Virginia was actively investigating both the group and Assange on possible criminal charges under espionage statutes relating to the publication of classified documents. And in August of 2012, the Sydney Morning Herald, citing secret Australian diplomatic cables, reported that “Australian diplomats have no doubt the United States is still gunning for Julian Assange” and that “Australia’s diplomatic service takes seriously the likelihood that Assange will eventually be extradited to the US on charges arising from WikiLeaks obtaining leaked US military and diplomatic documents.”
Bringing criminal charges against WikiLeaks or Assange for publishing classified documents would be highly controversial – especially since the group partnered with newspapers like The Guardian and The New York Times to make the war logs public. “The biggest challenge to the press today is the threatened prosecution of WikiLeaks, and it’s absolutely frightening,” James Goodale, who served as chief counsel of the Times during its battle to publish The Pentagon Papers, told the Columbia Journalism Review last March. “If you go after the WikiLeaks criminally, you go after the Times. That’s the criminalization of the whole process.”
In November 2013, The Washington Post, citing anonymous officials, reported that the Justice Department strongly considered prosecuting Assange, but concluded it “could not do so without also prosecuting U.S. news organizations and journalists” who had partnered with WikiLeaks to publish the documents. According to the Post, officials “realized that they have what they described as a ‘New York Times problem’” – namely, that any theory used to bring charges against Assange would also result in criminal liability for the Times, The Guardian, and other papers which also published secret documents provided to WikiLeaks.
NSA proposals to target WikiLeaks
As the new NSA documents make clear, however, the U.S. government did more than attempt to engineer the prosecution of Assange. NSA analysts also considered designating WikiLeaks as a “malicious foreign actor” for surveillance purposes – a move that would have significantly expanded the agency’s ability to subject the group’s officials and supporters to extensive surveillance.
Such a designation would allow WikiLeaks to be targeted with surveillance without the use of “defeats” – an agency term for technical mechanisms to shield the communications of U.S. persons from getting caught in the dragnet.
That top-secret document – which summarizes a discussion between the NSA’s Office of the General Counsel and the Oversight and Compliance Office of the agency’s Threat Operations Center – spells out a rationale for including American citizens in the surveillance:
“If the foreign IP is consistently associated with malicious cyber activity against the U.S., so, tied to a foreign individual or organization known to direct malicious activity our way, then there is no need to defeat any to, from, or about U.S. Persons. This is based on the description that one end of the communication would always be this suspect foreign IP, and so therefore any U.S. Person communicant would be incidental to the foreign intelligence task.”
In short, labeling WikiLeaks a “malicious foreign target” would mean that anyone communicating with the organization for any reason – including American citizens – could have their communications subjected to government surveillance.
When NSA officials are asked in the document if WikiLeaks or Pirate Bay could be designated as “malicious foreign actors,” the reply is inconclusive: “Let us get back to you.” There is no indication of whether either group was ever designated or targeted in such a way.
The NSA’s lawyers did, however, give the green light to subject other activists to heightened surveillance. Asked if it would be permissible to “target the foreign actors of a loosely coupled group of hackers … such as with Anonymous,” the response is unequivocal: “As long as they are foreign individuals outside of the US and do not hold dual citizenship … then you are okay.”
NSA Lawyers: “It’s Nothing to Worry About”
Sanchez, the surveillance expert with the Cato Institute, says the document serves as “a reminder that NSA essentially has carte blanche to spy on non-Americans. In public statements, intelligence officials always talk about spying on ‘terrorists,’ as if those are the only targets — but Section 702 [of the 2008 FISA Amendments Act] doesn’t say anything about ‘terrorists.’ They can authorize collection on any ‘persons reasonably believed to be [located] outside the United States,’ with ‘persons’ including pretty much any kind of group not ‘substantially’ composed of Americans.”
Sanchez notes that while it makes sense to subject some full-scale cyber-attacks to government surveillance, “it would make no sense to lump together foreign cyberattackers with sites voluntarily visited by enormous numbers of Americans, like Pirate Bay or WikiLeaks.”
Indeed, one entry in the NSA document expressly authorizes the targeting of a “malicious” foreign server – offering Pirate Bay as a specific example – “even if there is a possibility that U.S. persons could be using it as well.” NSA officials agree that there is no need to exclude Americans from the surveillance, suggesting only that the agency’s spies “try to minimize” how many U.S. citizens are caught in the dragnet.
Another entry even raises the possibility of using X-KEYSCORE, one of the agency’s most comprehensive surveillance programs, to target communications between two U.S.-based Internet addresses if they are operating through a “proxy” being used for “malicious foreign activity.” In response, the NSA’s Threat Operations Center approves the targeting, but the agency’s general counsel requests “further clarification before signing off.”
If WikiLeaks were improperly targeted, or if a U.S. citizen were swept up in the NSA’s surveillance net without authorization, the agency’s attitude seems to be one of indifference. According to the document – which quotes a response by the NSA’s Office of General Counsel and the oversight and compliance office of its Threat Operations Center – discovering that an American has been selected for surveillance must be mentioned in a quarterly report, “but it’s nothing to worry about.”
The attempt to target WikiLeaks and its broad network of supporters drew sharp criticism from the group and its allies. “These documents demonstrate that the political persecution of WikiLeaks is very much alive,” says Baltasar Garzón, the Spanish former judge who now represents the group. “The paradox is that Julian Assange and the WikiLeaks organization are being treated as a threat instead of what they are: a journalist and a media organization that are exercising their fundamental right to receive and impart information in its original form, free from omission and censorship, free from partisan interests, free from economic or political pressure.”
For his part, Assange remains defiant. “The NSA and its U.K. accomplices show no respect for the rule of law,” he told The Intercept. “But there is a cost to conducting illicit actions against a media organization.” Referring to a criminal complaint that the group filed last year against “interference with our journalistic work in Europe,” Assange warned that “no entity, including the NSA, should be permitted to act against a journalist with impunity.”
Assange indicated that in light of the new documents, the group may take further legal action.
“We have instructed our general counsel, Judge Baltasar Garzón, to prepare the appropriate response,” he said. “The investigations into attempts to interfere with WikiLeaks’ work will go wherever they need to go. Make no mistake: those responsible will be held to account and brought to justice.”
By Glenn Greenwald and Ryan Gallagher
18 Feb 2014, 1:50 AM EST
Find this story at 18 February 2014
© 2014 First Look Productions, Inc.
Leaked NSA documents show debate over tracking WikiLeaks, The Pirate Bay, and others
22 February 2014
Leaked documents posted by Glenn Greenwald and Ryan Gallagher hint at the discussions that took place around online actors like WikiLeaks, The Pirate Bay, and Anonymous, as well as the standards for spying on foreign and domestic internet users. At The Intercept, Greenwald and Gallagher have revealed details about when the NSA and agencies abroad believe it’s acceptable to target a person or site without “defeats” or measures to prevent collecting American information, with an eye towards groups that have proved a thorn in the side of government agencies.
Julian Assange appears in national security ‘Manhunting Timeline’
“Can we treat a foreign server who stores, or potentially disseminates leaked or stolen US data on it’s [sic] server as a ‘malicious foreign actor’ for the purpose of targeting with no defeats? Examples: WikiLeaks, thepiratebay.org, etc.” says one of several frequently asked questions apparently posted to an intelligence wiki for the US and other nations in the Five Eyes surveillance partnership. “Let us get back to you,” said a response from the NSA/CSS [Central Security Service] Threat Operation Center and the NSA’s Office of General Counsel. Another question asks whether it’s legal to target members of Anonymous who operate outside the US. “As long as they are foreign individuals outside of the US and do not hold dual citizenship… then you are okay,” came the answer. Agencies were not, however, apparently allowed to store copies of classified documents leaked by Anonymous or other groups in order to analyze the data.
WikiLeaks in particular came under fire. In addition to these questions, The Intercept leaked parts of a “Manhunting Timeline” that details where and how the US government is attempting to find, capture, or kill terrorists, drug traffickers, and others. This timeline apparently included information on Julian Assange, including attempts to pressure foreign governments into taking legal action against him and “the human network that supports WikiLeaks.” None of this comes as a surprise — the government’s attempts to get governments to put pressure on Assange are well known. Likewise, Anonymous has allegedly compromised government computers, and it’s not strange that the NSA wants to monitor it. The question of treating leaked document repositories as malicious foreign actors is thornier, playing into much larger debates over whether non-traditional journalism should be given the same protection as older outlets like The New York Times.
“If you ‘guess’ foreign and it’s not, then it is a serious violation.”
More generally, the document shows a complicated dance between minimizing US data collection and casting an expansive net over foreign surveillance. According to the FAQ, it’s legal to monitor foreign servers that Americans visit (The Pirate Bay is cited again) so long as agents attempt to filter out US information. The same goes for botnets that are operated from hacked US computers by a foreign source. As before, the document points to a fairly low standard for being certain that a target is foreign: 51 percent. A more complicated question is how agents are allowed to search traffic from US-based web giants like Gmail and Twitter. If an agency knows that a foreign potential threat is using one of these sites, it’s theoretically possible to look for traffic from it. But “if you ‘guess’ foreign and it’s not, then it is a serious violation.” In general, though, accidentally making queries on a US person who was believed to be foreign was “nothing to worry about,” although it had to be logged for the Office of General Counsel.
The revelations here are far less conclusive than many of the leaked documents published so far. One slide apparently from an expanded version of this GCHQ document shows an analytics page that seems to monitor visits to WikiLeaks, including which countries visitors came from and how they found the site. But it’s not clear whether this is an ongoing program or a proof of concept test, especially given how few visits appear to be logged. The results are also broadly similar to what someone would get from a basic analytics page, not detailed user information. This slideshow and the FAQ do, however, give us a look into how the NSA and other agencies view online spycraft, both inside and outside the US.
By Adi Robertson on February 18, 2014 10:36 am
Find this story at 18 February 2014
© 2014 Vox Media,
New Snowden docs show NSA, GCHQ spied on WikiLeaks, Pirate Bay users; GCHQ conducts broad surveillance of social media and watched WikiLeaks users.
22 February 2014
Squeaky Dolphin, GCHQ’s broad social media monitoring tool, is part of the agency’s campaign to “understand and shape the Human Terrain”—that is, regional public sentiment.
Documents obtained by former NSA contractor Edward Snowden and published on The Intercept show that NSA analysts monitored content on The Pirate Bay and used the agency’s surveillance systems to track where it came from. The documents also show that the NSA’s British partners at the GCHQ used XKeyscore data as part of a surveillance program on sites that included WikiLeaks. That was part of a broader psychological profiling and targeting program to collect intelligence, influence individuals online, and disrupt groups like Anonymous that were considered threats.
The new documents show that the GCHQ conducted “broad real-time monitoring of social media activities, processing data on activities like watching YouTube videos and Facebook Likes to profile, categorize, and target individuals for psychological operations.” The NSA documents in the latest disclosure refer to monitoring for content that could be considered “malicious foreign activity.” But it’s clear that the NSA also used its XKeyscore surveillance to dig through traffic to the torrent-sharing site, and it could very well have profiled foreign users of sites like WikiLeaks and monitored their access to that and other websites.
However, the documents—one an internal NSA “frequently asked questions” Wiki page and the other a set of GCHQ slides on psychological operations—do not provide a picture of how much information about people accessing WikiLeaks was shared between the GCHQ and the NSA. And while the documents point to NSA monitoring of Pirate Bay, there’s no suggestion of how the information gathered was used or if it was used at all.
A third, unpublished document shows that the Obama administration apparently encouraged foreign governments in 2010 (including the UK) to pursue charges against WikiLeaks for the publication of diplomatic “wires” provided by Chelsea Manning, formerly known as Bradley Manning.
“Squeaky Dolphin,” “Airwolf,” and “AnticrisisGirl”
The GCHQ slide deck, published in 2012, highlights two tools used to conduct social networking, Web monitoring, and profiling. The first, called “Squeaky Dolphin,” pulls online activities within Web traffic caught by the agency’s monitoring systems. The monitoring systems are called “Airwolf” in the slides, which may be a UK codeword for the GCHQ’s equivalent of XKeyscore. That data includes webmail, blogs visited, YouTube views, Facebook “likes” clicked on websites themselves, and other data culled from individual users’ captured activity.
It runs those activities, captured in real-time, through IBM’s InfoSphere Streams processing software to create analytical feeds. Those feeds are then piped into a Splunk database and surfaced through a “dashboard” view that allows analysts to find trends in sentiment. As an example, the slides showed activity related to cricket matches in London and the surge in Facebook likes for Conservative member of Parliament Liam Fox. It can also be used to spot trends in traffic that might indicate upcoming events such as protests or other civil unrest.
While Squeaky Dolphin tends to look at things with a wider view, “AnticrisisGirl” is a bit more targeted. It can be used to passively monitor specific websites—including traffic to WikiLeaks, as the slides demonstrate. The tool can be tuned to a specific set of Internet user signatures or keywords, and it provides analytics of their behavior in real time, capturing search terms or direct Web addresses used to get to the sites in question.
“Nothing to worry about”
The final document in the latest disclosure, from an NSA internal Wiki, is entitled “Discovery SIGINT Targeting Scenarios and Compliance.” Created in 2011, it provides guidance on what is and isn’t allowed in performing XKeyscore queries and using other analytics tools to capture and analyze data. The document explains when it’s allowed to query against US “selectors”—people or systems running within the United States.
One of the entries is entitled “Unknowingly targeting a US person”:
I screwed up…the selector had a strong indication of being foreign, but it turned out to be US…now what?
NOC/OGC RESPONSE: With all querying, if you discover it actually is US, then it must be submitted and go in the [Office of General Counsel] quarterly report…’but it’s nothing to worry about.’ (Source #001)
Several of the entries on the Wiki page relate to monitoring of The Pirate Bay. One question posted asked whether it was OK to back-trace connections to thepiratebay.org “even if it hops through US based proxies.” The NSA’s Office of General Counsel responded that it was allowed only by use of metadata “chaining” in compliance with the Department of Defense’s “Supplemental Procedures Governing Communications Metadata Analysis” (SPCMA). That order requires that analysts “enter a foreign intelligence (FI) justification for making a query or starting a chain”—in other words, analysts can’t just start a query of a post on The Pirate Bay without documenting their cause.
Another question posted about The Pirate Bay asked if a password for an account associated with a US person was enough to rule out tracking the source. “If a list of .mil passwords were released to thepiratebay.org…can we go back into [XKeyscore data] (using a custom created fingerprint) to search for traffic containing that password in foreign traffic just before the release?” The official response was that while a password alone would not normally be considered to be a “US person,” searching for the password data for military accounts would be allowed due to the NSA’s support role for the Defense Department. Such actions would be “consistent with the SIGINT Consensual Collection package signed by [the commander of] USCYBERCOM and [director of the NSA], appropriate to both of his hats”—referring to Gen. Keith Alexander’s dual role as head of both DOD’s cyber operations and the NSA.
Ironically, the NSA’s privacy regulations do keep it from collecting one type of data—private information published by hackers. In a response to a question on whether it was legal to store data exposed by Anonymous or other groups for forensic purposes, the NSA general counsel said it was only legal to retain “.mil information.” It wasn’t clear whether it was legal to retain data from other government agencies.
by Sean Gallagher – Feb 18 2014, 8:35pm +0100
Find this story at 18 February 2014
© 2014 Condé Nast.
NSA, GCHQ targeted WikiLeaks network; U.K. and U.S. governments used surveillance and political pressure against publishers of government abuses
22 February 2014
The latest report from the Intercept based on Edward Snowden’s NSA leaks reveals how the NSA and its British counterpart GCHQ targeted WikiLeaks and its supporters. The report details how the U.S. and U.K. governments deployed surveillance tools against WikiLeaks networks and supporters, while pressuring international governments to persecute the organization’s founder, Julian Assange, over the publication of the Afghanistan war logs. The documents also show that the NSA considered ways to spy on Anonymous affiliates and hackers as well as users of file-sharing site Pirate Bay.
The documents are some of the most significant to come to light yet in highlighting the government’s engagement in what Snowden’s attorney Jesselyn Radack has long called a “war on information.” Publishers and activists have been specifically targeted for making public otherwise secrecy-shrouded instances of abuses of power by the government and the military. “This is a very troubling report,” said Jameel Jaffer, American Civil Liberties Union deputy legal director. “Publishers who disclose abuses of government power should not be subjected to invasive surveillance for having done so, and individuals should not be swept up into surveillance dragnets simply because they’ve visited websites that report on those abuses.”
The efforts – detailed in documents provided previously by NSA whistleblower Edward Snowden – included a broad campaign of international pressure aimed not only at WikiLeaks founder Julian Assange, but at what the U.S. government calls “the human network that supports WikiLeaks.” The documents also contain internal discussions about targeting the file-sharing site Pirate Bay and hacktivist collectives such as Anonymous.
One classified
Tuesday, Feb 18, 2014 07:31 PM +0100
Natasha Lennard
Find this story at 18 February 2013
© 2014 The Associated Press
NSA, British spy agency targeted Assange & the WikiLeaks’ ‘human network’
22 February 2014
American and British spy agencies conducted a campaign against the WikiLeaks website and its surrounding “human network,” according to a new report.
The article, appearing Tuesday in the online publication The Intercept, is based on new information found in documents previously released by Edward Snowden. He is the former National Security Agency (NSA) contractor who has made public — through WikiLeaks — a large cache of otherwise secret NSA materials.
One classified document from the British spy agency Government Communications Headquarters (GCHQ) appears to be presenting a primer on passive monitoring of websites. But the Intercept story adds the factor that GCHQ’s monitoring system, called ANTICRISIS GIRL, secretly monitored visitors to WikiLeaks via a tap into Internet backbone cables, capturing in real time the IP addresses of site visitors.
Also included is a 2011 document of an internal NSA wiki with a brief discussion about whether the classification “malicious foreign actor” can be applied to WikiLeaks:
“Can we treat a foreign server who stores or potentially disseminates leaked or stolen data on its server as a ‘malicious foreign actor’ for the purpose of targeting with no defeats? Examples: WikiLeaks, thepiratebay.org, etc.”
The response by an unnamed NSA employee says, “Let me get back to you.” The term “no defeats” is considered to mean “with no protections.” The inclusion of the Pirate Bay site, which has been cited for copyright violations, either indicates that classified material was thought to be part of its inventory, or the national security agency was expanding its scope to include copyright.
There is no indication that WikiLeaks or Pirate Bay was actually classified as a “malicious foreign actor” by the NSA. But a 2008 U.S. Army report did identify WikiLeaks as an enemy.
The “human network” also included, of course, WikiLeaks’ founder and editor-in-chief, Julian Assange. An August, 2010 unclassified document also unearthed by The Intercept indicates that the U.S. urged other countries fighting in Afghanistan to file criminal charges against Assange for the publication of more than 70,000 classified documents relating to the war, which had been provided by Army Private First Class Bradley Manning.
The document said that this “appeal exemplifies the start of an international effort to focus the legal element of national power upon non-state actor Assange and the human network that supports WikiLeaks.”
Last year, James Goodale, then the chief counsel of The New York Times, told the Columbia Journalism Review that “the biggest challenge to the press today is the threatened persecution of WikiLeaks, and it’s absolutely frightening.” The Times worked with WikiLeaks in publishing the content of some of the secret documents.
February 18, 2014 1:00 PM
Barry Levine
Find this story at 18 February 2014
© Copyright 2014 VentureBeat
Visited WikiLeaks? NSA and GCHQ know about it
22 February 2014
Julian Assange in 2011 after losing appeals against extradition to Sweden (acidpolly/Flickr/CC BY-NC-SA 2.0)
Efforts undertaken by the NSA and GCHQ to target groups including WikiLeaks, Anonymous and Pirate Bay using internet surveillance and prosecution have been detailed in an article published by The Intercept.
The latest documents leaked by NSA contractor Edward Snowden reveal that the NSA went to great lengths to target individuals associated with WikiLeaks, including founder Julian Assange and “the human network that supports it”.
One particular document revealed that GCHQ tapped into fibre-optic cables to monitor visitors to the site in real time by tracking their IP addresses. It also tracked the search terms that visitors were using to reach the site, all as part of an operation codenamed ANTICRISIS GIRL. This suggests that internet users from anywhere in the world who visited WikiLeaks regularly could potentially have become a target for the NSA.
The documents also reveal that the NSA labelled WikiLeaks “a malicious foreign actor”. The US government encouraged foreign regimes to press charges against Assange over WikiLeaks’ publication of Afghanistan war logs.
“WikiLeaks strongly condemns the reckless and unlawful behaviour of the National Security Agency,” said Julian Assange in a statement published on the WikiLeaks site. He called upon the Obama administration to conduct an investigation into the extent of the NSA’s activity regarding the media, including the WikiLeaks network. He also criticised the media-monitoring activities of GCHQ, saying it shows no respect for the rule of law.
“No entity, including the NSA, should be permitted to act against journalists with impunity. We have instructed our General Counsel Judge Baltasar Garzón to prepare the appropriate response. The investigations into attempts to interfere with the work of WikiLeaks will go wherever they need to go. Make no mistake: those responsible will be held to account and brought to justice.”
The Intercept — the new publication launched by ex-Guardian journalist Glenn Greenwald, who has headed up the reporting on the Snowden documents — points out that the WikiLeaks surveillance reveals just how far the NSA’s actions stray from its “self-proclaimed focus on terrorism”.
“The documents call into question the Obama administration’s repeated insistence that US citizens are not being caught up in the sweeping surveillance dragnet being cast by the NSA. Under the broad rationale considered by the agency, for example, any communication with a group designated as a ‘malicious foreign actor,’ such as WikiLeaks and Anonymous, would be considered fair game for surveillance,” the site points out.
The targeting of WikiLeaks, Anonymous and Pirate Bay follows earlier revelations that GCHQ used DDoS attacks to target hacker collectives Anonymous and LulzSec. These latest accusations do not reflect well on GCHQ, which maintains its stance that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight”. It’s hard to see how this would apply to the monitoring of citizens from the UK and abroad who might be doing nothing more than reading the WikiLeaks site.
Politics / 19 February 14 / by Katie Collins
Find this story at 19 February 2014
© Condé Nast UK 2014
It’s outrageous to accuse the Guardian of aiding terrorism by publishing Snowden’s revelations
3 December 2013
Alan Rusbridger is being grilled by MPs – but he has published nothing that could be a threat to national security
The Guardian’s editor, Alan Rusbridger, is due to appear before the House of Commons home affairs select committee on Tuesday to answer questions about his newspaper’s publication of intelligence files leaked by Edward Snowden. Unlike the directors of MI5, MI6 and GCHQ, who gave evidence recently before the intelligence and security committee, Rusbridger will not be provided with a list of questions in advance.
There are at least five legal and political issues arising out of Snowden’s revelations on which reasonable opinion is divided. These include whether Snowden should enjoy the legal protection accorded a whistleblower who reveals wrongdoing; whether his revelations have weakened the counter-terrorism apparatus of the US or the UK; whether, conversely, they show the need for an overhaul of surveillance powers on both sides of the Atlantic (and even an international agreement to protect partners like Germany); whether parliament has been misled by the services about the extent of intrusive surveillance; and whether the current system for parliamentary oversight of the intelligence and security services is sufficiently robust to meet the international standards laid down by my predecessor at the UN, Martin Scheinin.
These questions are too important for the UN to ignore, and so on Tuesday I am launching an investigation that will culminate in a series of recommendations to the UN general assembly next autumn. As in the case of Chelsea Manning, there are also serious questions about sensitive information being freely available to so many people. The information Snowden had access to, which included top-secret UK intelligence documents, was available to more than 850,000 people, including Snowden – a contractor not even employed by the US government.
There is, however, one issue on which I do not think reasonable people can differ, and that is the importance of the role of responsible media in exposing questions of public interest. I have studied all the published stories that explain how new technology is leading to the mass collection and analysis of phone, email, social media and text message data; how the relationship between intelligence services and technology and telecoms companies is open to abuse; and how technological capabilities have moved ahead of the law. These issues are at the apex of public interest concerns. They are even more important – dare I say it – than whether Hugh Grant’s mobile was hacked by a tabloid.
The astonishing suggestion that this sort of journalism can be equated with aiding and abetting terrorism needs to be scotched decisively. Attacking the Guardian is an attempt to do the bidding of the services themselves, by distracting attention from the real issues. It is the role of a free press to hold governments to account, and yet there have even been outrageous suggestions from some Conservative MPs that the Guardian should face a criminal investigation.
It is disheartening to see some tabloids give prominence to this nonsense. When the Mail on Sunday took the decision to publish the revelations of the former MI5 officer David Shayler, no one suggested that the paper should face prosecution. Indeed, when the police later tried to seize the Guardian’s notes of its own interviews with Shayler, Lord Judge, the former lord chief justice, refused to allow it to happen – saying, rightly, that it would interfere with the vital role played by the media to expose public wrongdoing.
When it comes to damaging national security, comparisons between the two cases are telling. The Guardian has revealed that there is an extensive programme of mass surveillance that potentially affects every one of us, while being assiduous in avoiding the revelation of any name or detail that could put sources at risk. Rusbridger himself has made most of these decisions, as befits their importance. The Mail on Sunday, on the other hand, published material that was of less obvious public interest.
An even closer example is Katharine Gunn, the GCHQ whistleblower who revealed in 2003 that the US and UK were spying on the missions of Mexico and five other countries at the UN, in order to manipulate a vote in the security council in favour of military intervention in Iraq. Like Snowden, her defence was that she was acting to prevent a greater wrong – the attempt to twist the security council to the bellicose will of the US and UK. She was charged under the Official Secrets Act, but the case was dropped because the director of public prosecutions and attorney general rightly concluded that no jury would convict Gunn.
There can be no doubt that the Guardian’s revelations concern matters of international public interest. There is already an intense debate that has drawn interventions from some of the UK’s most senior political figures. Wholesale reviews have been mooted by President Obama, Chancellor Merkel and Nick Clegg, Britain’s deputy prime minister. Current and former privy councillors and at least one former law officer have weighed in.
In the US, a number of the revelations have already resulted in legislation. Senior members of Congress have informed the Guardian that they consider the legislation to have been misused, and the chair of the US Senate intelligence committee has said that as a result of the revelations it is now “abundantly clear that a total review of all intelligence programmes is necessary”.
In Europe, and particularly in Germany (which has a long and unhappy history of abusive state surveillance) the political class is incandescent. In November the Council of Europe parliamentary assembly endorsed the Tshwane International Principles on National Security and the Right to Information, which provide the strongest protection for public interest journalism deriving from whistleblowers. Lord Carlile, the former independent reviewer of terrorism legislation in the UK, took part in the drafting of the principles and has endorsed them as an international template for resolving issues such as the present one. Many states have registered serious objections at the UN about spying, and there are diplomatic moves towards an international agreement to restrict surveillance activity. In direct response to the Guardian’s revelations, Frank La Rue, the special rapporteur on freedom of expression, has brought forward new guidelines on internet privacy, which were adopted last week by the UN general assembly.
When it comes to assessing the balance that must be struck between maintaining secrecy and exposing information in the public interest there are often borderline cases. This isn’t one. It’s a no-brainer. The Guardian’s revelations are precisely the sort of information that a free press is supposed to reveal.
The claims made that the Guardian has threatened national security need to be subjected to penetrating scrutiny. I will be seeking a far more detailed explanation than the security chiefs gave the intelligence committee. If they wish to pursue an agenda of unqualified secrecy, then they are swimming against the international tide. They must justify some of the claims they have made in public, because, as matters stand, I have seen nothing in the Guardian articles that could be a risk to national security. In this instance the balance of public interest is clear.
Ben Emmerson
The Guardian, Monday 2 December 2013 18.21 GMT
Find this story at 2 December 2013
© 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.
Checking in with ‘Royal Concierge’: GCHQ ran hotel surveillance ring to spy on diplomats and delegations
22 November 2013
Britain’s secret listening service, GCHQ, uses a spying system codenamed “Royal Concierge” to carry out detailed surveillance on foreign diplomats and government delegations at more than 350 hotels across the world, Germany’s Der Spiegel magazine reported on Sunday.
The disclosures, based on intelligence data leaked by the US whistleblower Edward Snowden, follow reports that British intelligence installs secret software to spy on selected companies and revelations earlier this month by The Independent that GCHQ operates a listening post on the roof of the UK’s Berlin embassy.
Der Spiegel said that GCHQ used “Royal Concierge” to spy on the booking arrangements of the hotels involved in order to gain information about the travel plans of diplomats and government delegations. It said the system was used to “prepare” their hotel rooms for more detailed surveillance.
The magazine said the information gained enabled the GCHQ’s so-called “technical departments” to bug the telephones and computers used by diplomats in their hotel rooms. It said “Royal Concierge” was also used to prepare the ground for the setting up of the GCHQ’s so-called “Humint Operations” – an abbreviation for “Human Intelligence” surveillance involving the deployment of agents to spy on diplomats.
Der Spiegel did not say which hotels were targeted. Contacted by the magazine, a spokesman for GCHQ said he could “neither confirm nor deny” Der Spiegel’s report.
The disclosures are the latest in a series of embarrassing revelations about the covert activities of GCHQ and its US counterpart, the National Security Agency, leaked to the media by fugitive whistleblower Edward Snowden.
The intelligence leaks have revealed the existence of the GCHQ/NSA “Tempora” spying operation involving the mass surveillance of Internet, phone and email traffic which crosses the Atlantic through undersea fibre-optic cables. The British government has claimed to have had no knowledge of the programme.
Disclosures published by Der Spiegel last week said that GCHQ used doctored websites including those from the business network LinkedIn to install surveillance software on the computers of unwitting companies and individuals.
The system was said to be codenamed “Quantum Insert”. One of the targeted companies was identified as the part-state-owned Belgian telecommunications firm Belgacom. Another was a concern named Mach, which is used by several mobile phone companies to coordinate international roaming traffic.
In Germany, disclosures that the NSA used an embassy listening post to bug Chancellor Angela Merkel’s mobile phone were followed a fortnight ago by an investigation by The Independent which revealed that GCHQ runs a similar listening post.
German MPs have said they are outraged that US and British intelligence spies on the politicians of a country which is their key European ally. They have called for the setting up of no-spying agreements between Washington, London and Berlin.
Germany’s two main political parties announced yesterday that they had agreed to set up a cyber security centre to establish how networks could be better protected from invasive surveillance.
Tony Paterson
Sunday, 17 November 2013
Find this story at 17 November 2013
© independent.co.uk
‘Royal Concierge’ GCHQ Monitors Diplomats’ Hotel Bookings
22 November 2013
Britain’s GCHQ intelligence service monitors diplomats’ travels using a sophisticated automated system that tracks hotel bookings. Once a room has been identified, it opens the door to a variety of spying options.
When diplomats travel to international summits, consultations and negotiations on behalf of governments, they generally tend to spend the night at high-end hotels. When they check in, in addition to a comfortable room, they sometimes get a very unique form of room service that they did not order: a thorough monitoring by the British Government Communications Headquarters, or GCHQ for short.
Intelligence service documents from the archive of NSA whistleblower Edward Snowden show that, for more than three years, GCHQ has had a system to automatically monitor hotel bookings of at least 350 upscale hotels around the world in order to target, search and analyze reservations to detect diplomats and government officials.
The top secret program carries the codename “Royal Concierge,” and has a logo showing a penguin wearing a crown, a purple cape and holding a wand. The penguin is apparently meant to symbolize the black and white uniform worn by staff at luxury hotels.
The aim of the program is to inform GCHQ, at the time of the booking, of the city and hotel a foreign diplomat intends to visit. This enables the “technical operations community” to make the necessary preparations in a timely manner, the secret documents state. The documents cast doubt on the truthfulness of claims made last week to a committee in parliament by the heads of the three British intelligence agencies: Namely that the exclusive reason and purpose behind their efforts is the battle against terrorism, and to make sure they can monitor the latest postings by al-Qaida and similar entities.
The documents show that the prototype of “Royal Concierge” was first tested in 2010. The much-touted program, referred to internally as an “innovation,” was apparently so successful that further development continued.
Daily Alerts
The documents provide details on how the British program for tracking international diplomats functioned. Whenever a reservation confirmation is emailed to a conspicuous address inside a government domain (like gov.xx) from any of the 350 hotels around the world being monitored, a daily alert “tip-off” is sent to the appropriate GCHQ analysts. The documents seen by SPIEGEL do not include hotel names, but they do cite anonymized hotels in Zurich and Singapore as examples.
A further document states that this advance knowledge of which foreign diplomats will be staying in what hotels provides GCHQ with a whole palette of intelligence capabilities and options. The documents reveal an impressive listing of capabilities for monitoring a hotel room and its temporary resident that seem to exhaust the creative potential of modern spying. Among the possibilities, of course, are wiretapping the room telephone and fax machine as well as the monitoring of computers hooked up to the hotel network (“computer network exploitation”).
It also states that a “Technical Attack” is deployed by the British “TECA” team for guests of high interest. The documents state that these elite units develop a range of “specialist technologies” that are “designed to bridge the gaps to communications that our conventional accesses cannot reach.” These “Active Approach Teams” are small, but possess advanced technical skills that allow them to work within “often unique requirements.”
The guests, of course, have no clue about these advanced technical preparations that are made for their visits. In cases of “governmental hard targets,” the information obtained through “Royal Concierge” can also involve “Humint” operations. The abbreviation is short for “human intelligence” — in other words, the deployment of human spies who might then be listening in on a diplomat’s conversations at the hotel bar.
‘Wild, Wild West’
The documents seen by SPIEGEL do not state how often the program has been used, but they do indicate that it continued to be developed and that it captured the imagination of the intelligence agency’s workers, including the GCHQ unit responsible for “effects.” Given the access they had to hotel bookings through “Royal Concierge,” one document pondered: “Can we influence the hotel choice?” And: Did they have the ability to cancel visits entirely? Another slide lists “car hire” as one of the possible extensions to the program.
Contacted by SPIEGEL, GCHQ said that it “neither confirms nor denies the allegation.”
Her Royal Majesty’s agents appear to be very conscious of the fact that the automated monitoring of diplomats’ travel by the British intelligence service crosses into controversial terrain. One of the presentations describing “Royal Concierge” is titled “Tales from the Wild, Wild West of GCHQ Operational Datamining.”
11/17/2013 08:09 AM
By Laura Poitras, Marcel Rosenbach and Holger Stark
Find this story at 17 November 2013
© SPIEGEL ONLINE 2013
Defense Contractors Cyber Expertise Behind ‘PRISM’ And ‘Boundless Informant’
20 November 2013
A string of U.S. and international defense contractors helped in developing the now infamous ‘PRISM’ and ‘Boundless Informant’ systems that spy on American and international internet and telephone traffic.
Defenseworld.net took a close look at the contractors which supplied equipment and expertise to the U.S. National Security Administration (NSA) to help develop the all-pervasive spying technology.
Among the NSA’s top contractors is Booz Allen Hamilton, thanks to its wide range of intelligence and surveillance expertise. Another top contractor heavily involved with the NSA is SAIC. Of its 42,000 employees, more than 20,000 hold U.S. government security clearances, making it one of the largest private intelligence services in the world, according to U.S. media reports.
“SAIC provides a full suite of intelligence, surveillance and reconnaissance (ISR) and cybersecurity solutions across a broad spectrum of national security programs,” it says on its website.
Northrop Grumman, Raytheon and CACI International act as the NSA’s SIGINT analysis team, making them integral to ISR projects. “SIGINT involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials,” according to the NSA website.
“NSA/CSS collects SIGINT from various sources, including foreign communications, radar and other electronic systems.” Most recently, BAE Systems announced that its experts will provide architecture, installation and administration for a complex networking environment that supports multiple network enclaves and high-speed datacenter access.
“BAE Systems’ Intelligence & Security manages big data, informs big decisions, and supports big missions. BAE Systems delivers a broad range of services including IT, cybersecurity and intelligence analysis to enable the U.S. military and government to recognize, manage and defeat threats,” according to a company statement.
Northrop Grumman, CACI International and Raytheon all boast an impressive array of ISR capabilities. Northrop Grumman has recently bagged several IT contracts from the NSA including a Cloud-Based Cyber Security Contract in 2012 to develop, integrate and sustain cloud-based information repositories.
In 2007, the company along with Computer Sciences Corporation was awarded Project Groundbreaker, a $5 billion contract to rebuild and operate the NSA’s “nonmission-critical” internal telephone and computer networking systems.
In managing the project for the NSA, CSC and Logicon created the “Eagle Alliance” consortium that drew in practically every major company involved in defense and intelligence outsourcing. Subcontractors included General Dynamics, BAE Systems, Titan Corp. (now L-3 Communications Inc.), CACI International, TRW (now part of Northrop Grumman), Mantech, Lockheed Martin, and Verizon (one of the companies that allegedly granted the NSA access to its consumer database under the Terrorist Surveillance Program), as well as Dell Computers, Hewlett-Packard, and Nortel Networks.
Earlier last year, Northrop Grumman and DRS Technologies won a $67 million NATO contract for cybersecurity and computer management services. Northrop said the team will implement a computer incident response capability for 50 NATO websites in 28 countries from cyber threats and vulnerabilities.
The same year, it was revealed that the NSA had a Raytheon ‘semi-secret’ technology to protect the nation’s power grid called “Perfect Citizen.” Since a crippling cyber attack in 2010, a 491 million contract was awarded to Raytheon to develop its overall mission.
Virtually all other details about the program are secret, including any information on whether the technology will allow any kind of domestic data collection on citizens. NSA vigorously denies that it will. “Perfect Citizen” would be able to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants. It would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack.
Meanwhile, NATO earlier last month announced plans to set up rapid reaction teams to fight the growing number of cyber-attacks on its military alliance. “In the progress report we have adopted today, we agreed to establish rapid reaction teams that can help protect NATO’s own systems,” alliance head Anders Fogh Rasmussen said. This “cyber-defence capability should be fully operational by the autumn,” Rasmussen told a press conference. “This is a first phase. A second phase would be to look into how the alliance can respond to requests from Allies who come under cyber-attack,” he said.
Operational since 2007, the program codenamed PRISM was intended to monitor foreign communications that take place on US servers. It allowed the NSA to listen in on Skype conversations as long as one person was using a conventional phone. Edward Snowden’s leaked documents revealed that the NSA is monitoring Google products such as Gmail, voice and video chat, file transfers, photos, and a live surveillance of your search terms.
Users of social media and cloud services (such as iCloud, Google Drive and Dropbox) are also being monitored, according to the Washington Post. About one in seven intelligence reports contain data collected by PRISM, according to the leaked documents. PRISM monitors the internet traffic of foreigners, but sweeps up American communicators in the process, while the Boundless Informant program analyzes and is fed in part by metadata on calls routed through Verizon and other telecommunications carriers as well.
The telecommunications data mining appears to be both vast and indiscriminate but only collects so-called metadata; that is, data on which phone numbers called which other numbers, how long the calls lasted, the locations where calls were made and received and the like. No conversations have been recorded, so what was said is forever beyond the government’s reach, according to reports.
PRISM is a finer intelligence gathering program but far more invasive.
It can confine not just metadata but the content of communications transmitted via the web, including messages sent and retrieved, uploaded videos et al.
“NSA’s systems environment is a haven for computer scientists, with vast networks able to manipulate and analyze huge volumes of data at mind-boggling speeds,” the agency says on its website.
The NSA and the Government Communications Headquarters (GCHQ), a British intelligence agency, had hacked Chinese mobile-phone companies to collect millions of text messages and computers in China and Hong Kong for over a four-year period, according to Snowden’s documents.
U.S. officials have confirmed they do not know how many documents Snowden took but the enormity of the implication is staggering. China has come out in support of Snowden and even aided him in fleeing from Hong Kong to Moscow, saying it will “absolutely not accept” U.S. charges. Snowden’s passport has been revoked, and he has been charged with theft of government property and indicted by the United States for stealing and leaking classified documents.
Source : Bindiya Thomas ~ Dated : Monday, July 1, 2013 @ 01:36 PM
Find this story at 1 July 2013
Defense World © 2012
The top 3 spies for hire
20 November 2013
In Germany alone, the USA has so far spent 140 million euros on private spies. Most of the contracts went to the three firms SOSi, Caci and MacAulay-Brown. What kind of corporations are these?
US intelligence agencies spend about 70 percent of their budget on contracts with private firms. This has been known since an internal presentation by the American Director of National Intelligence surfaced on the internet years ago. The private contractors are a huge shadow army (more on this here).
And they are also active in Germany: the USA has spent around 140 million dollars on private spies in Germany over the past ten years (all contracts in a downloadable table here). On top of that come hundreds of millions of dollars for espionage-related services such as database maintenance or data processing.
Süddeutsche.de presents the three espionage helpers that generate the most revenue in Germany from intelligence work.
Number 1: SOSi – from translation agency to airport operator
Employees of SOSi are the target of international terrorists and foreign intelligence services, says the company's head of security. The company works with the US government's most secret data. It is therefore necessary to take special security measures, he explains in a video on the intranet. After a holiday, employees have to undergo a short debriefing: Whom did they meet? Why? Changes in their private lives are to be reported to the company immediately. And it is also important, he says, to report suspicious behaviour by colleagues to superiors.
SOS International, which the head of security likes to abbreviate as S-O-S-i, is the Americans' largest espionage service provider in Germany. In 2012 alone, the company received 11.8 million euros from the US government for intelligence activities in Germany; in total it was around 60 million dollars over the past years.
At first glance the company presents itself as open: there is a website, a Facebook page, the board members tweet, the head of the company sends video messages. However, the company left several inquiries about its activities in Germany unanswered. How the company ticks can nevertheless be reconstructed well: from the public data, and from an older version of the company's intranet, which it apparently put on the internet by mistake.
All sorts of things can be found there: notes on the dress code (conservative-professional), recommendations on dealing with drugs (small amounts of alcohol permitted at company parties) or instructions on how to react to contact attempts by the media (give nothing out). And also the urgent briefing by the head of security, in which he appeals to the patriotism and the paranoia of his employees.
Publicly, the company sells itself as a family business with a dishwasher-to-millionaire story. Originally, Sosi is the first name of the company's founder: Sosi Setian came to America in 1959 as a refugee from Armenia, according to the company's own account. She worked as a translator for US authorities and founded a translation agency in 1989. After six months she had 52 employees, all of whom she allegedly invited regularly to dinner at her home.
Today the founder's son, Julian Setian, is chief executive; his sister Pandora also sits on the board. The big success came after 11 September 2001, and with the immensely increased espionage spending of the USA. In 2002 SOSi began sending translators to Afghanistan and Iraq. A year later they also hired intelligence analysts and security trainers; the company had recognised how lucrative the intelligence business was. The company now employs between 800 and 1,200 people and is active in all fields of espionage, according to the company homepage.
What that means in concrete terms can be reconstructed from brochures on the intranet: SOSi has supported the US Army in Europe in evaluating its espionage findings, done PR work for the US troops in Afghanistan, recruited locals on the street in Iraq to assess the security situation in the country, and taught FBI agents in America the techniques of counter-espionage.
Besides the USA, the company has offices in eight other countries, including Germany, according to the brochure, which dates from 2010. On its homepage the company is looking for employees in Darmstadt, Heidelberg, Mannheim, Stuttgart and Wiesbaden, that is, at the traditional American locations. In September, SOSi announced in a press release that it would support the 66th Military Intelligence Brigade in Darmstadt over the next three years in planning, collecting and evaluating geodata, so-called geospatial intelligence.
GEOINT analysts at SOSi must be able to operate software like this. (Photo: Screenshot exelisvis.com)
In May the company won a tender from the Iraqi government. After the withdrawal of the last American troops from Iraq, SOSi is taking over responsibility for logistics and security at three former US bases and an airfield. More than 1,500 employees are needed for this, which would almost double the size of the company.
Responsibility for the business will then lie with Frank Helmick, who has worked at SOSi since December 2012. Before his retirement, Helmick was, incidentally, a general in the US Army. Most recently he commanded the withdrawal of US troops from Iraq.
“You see that dog over there? If you don't tell me what I want to know, I will set the dog on you,” Civilian 11 is said to have said, back in 2003 in the notorious US military prison Abu Ghraib in Iraq. His colleague, Civilian 21, is said to have forced a prisoner to wear red women's underwear on his head. So it says in two internal reports of the US military (the Fay and the Taguba reports). And there it also says: Civilian 11 and Civilian 21 were employees of the US firm Caci.
To this day the company denies having been involved in the abuses whose images went around the world at the time: naked detainees stacked into human pyramids, tormented with electric shocks, leashed like dogs. The only thing undisputed is that dozens of the company's employees were in Iraq to interrogate prisoners there, because the US military could no longer keep up with its own personnel. For many critics of the US intelligence services, Caci has thus become the most frightening example of how deeply private firms are entangled in the Americans' dirty wars.
But the torture allegations did no lasting damage to the company: in 2012 Caci generated record revenue of 3.8 billion dollars, 75 percent of which still comes from US Department of Defense funds. 15,000 employees work for the company worldwide. Under the company motto “Ever vigilant”, they offer the intelligence services support in all areas of espionage, as the company wrote in its 2006 annual report: collecting information, analysing data, writing reports, managing intelligence work.
Caci has 120 offices around the world; in Germany the company is based in Leimen, a district town in Baden with 25,000 inhabitants. According to the official US government database, the company has turned over 128 million dollars in Germany in the past ten years. On its homepage Caci has sought employees in Wiesbaden, Schweinfurt, Stuttgart, Heidelberg, Darmstadt and Bamberg, the classic locations of the US military. For some jobs the exact locations are secret; for almost all of them, clearance to work at “Top Secret” level is required.
What the company does in Germany is shown by a contract from 2009. At that time the company was awarded a contract worth almost 40 million dollars to send SIGINT analysts to Germany. SIGINT stands for signals intelligence; the German authorities call it Fernmeldeaufklärung. What does that mean? According to this, Caci employees intercepted and evaluated telephone calls and internet data such as e-mails in Germany.
MacAulay-Brown, Eberstädter Weg 51, Griesheim near Darmstadt. Officially, the German headquarters of the third-largest espionage supplier to the US military in Germany is not stated anywhere. But this address can be found in a brochure from 2012. And it is quite explosive: it is the address of the Dagger Complex. Strictly shielded, the 66th Military Intelligence Brigade of the US military is based there, and apparently the NSA as well.
MacAulay-Brown had even published a telephone number with a Griesheim area code. Anyone who calls it is told that the company's employee has not worked there for about a year. One learns nothing more; not even who has now taken the call.
That the company has such close contact with intelligence services and the military is not surprising. Chief executive Sid Fuchs was formerly a CIA agent. Other board members were agents or high-ranking military officers. The company boasts that 60 percent of its employees have more than 15 years of experience in the military or other government work.
The range of activities of MacAulay-Brown, which also abbreviates itself as MacB, matches this. On its homepage the company advertises an all-round service for intelligence agencies. The company says it has found cost-effective, innovative and efficient espionage options for the intelligence services. The focus is on the more technical areas of espionage, signals analysis and earth observation (technical terms: Geoint, Masint, Sigint).
MacB has also worked in this area in Germany. In 2008 the company announced that it had received a contract from the 66th Military Intelligence Brigade in Darmstadt for technical espionage via satellites and sensors. In total, according to figures from the official US database for government contracts, MacAulay-Brown has received almost ten million dollars in recent years from the 66th Military Intelligence Brigade, with which the company at least temporarily shared its office location in Darmstadt.
The company has long experience with signals technology and earth observation. MacAulay-Brown was founded in 1979 by two engineers, John MacAulay and Dr. Charles Brown. They were initially an engineering office for the Army, working on radar systems among other things. Later the company focused on testing military systems for the Air Force. MacB is still active in this area today, including in Germany: the company is currently looking, for example, for an aircraft technician in Spangdahlem, the town in Rhineland-Palatinate where the Air Force maintains an airfield.
Another business area of MacB is cyber security, and here too the company is apparently active in Germany: attached to the published brochure with the office address in the Dagger Complex is a list of experts that the military can hire on call from the company, including the hourly rates. Alongside technical writers and graphic designers, there are also job descriptions that include hacking activities.
To this day the company is privately owned. It belongs to Syd and Sharon Martin, who had bought MacB in 2001 with their parent company Sytex, which has since been sold. When they sold Sytex to the US defence group Lockheed Martin in 2005, they kept MacB, and made it ever more successful. Revenue has grown since 2005 from 65 to 350 million dollars. The company now employs 2,000 people worldwide.
The success has come above all from US government contracts. In 2012 the company was on the list of the 100 largest government contractors for the first time; in 2013 it is already in 91st place. And if management has its way, it will continue like this. In an interview with the Dayton Business News, chief executive Fuchs said he wanted to increase revenue to one billion in the coming years and double the number of employees.
16 November 2013, 12:21, Contracts in Germany
By Oliver Hollenstein
Find this story at 16 November 2013
© Süddeutsche Zeitung Digitale Medien GmbH / Süddeutsche Zeitung GmbH
Private firms selling mass surveillance systems around world, documents show
20 November 2013
One Dubai-based firm offers DIY system similar to GCHQ’s Tempora programme, which taps fibre-optic cables
Advanced Middle East Systems has been offering a device called Cerebro, which taps information from fibre-optic cables carrying internet traffic. Photograph: Corbis
Private firms are selling spying tools and mass surveillance technologies to developing countries with promises that “off the shelf” equipment will allow them to snoop on millions of emails, text messages and phone calls, according to a cache of documents published on Monday.
The papers show how firms, including dozens from Britain, tout the capabilities at private trade fairs aimed at offering nations in Africa, Asia and the Middle East the kind of powerful capabilities that are usually associated with government agencies such as GCHQ and its US counterpart, the National Security Agency.
The market has raised concerns among human rights groups and ministers, who are poised to announce new rules about the sale of such equipment from Britain.
“The government agrees that further regulation is necessary,” a spokesman for the Department for Business, Innovation and Skills said. “These products have legitimate uses … but we recognise that they may also be used to conduct espionage.”
The documents are included in an online database compiled by the research watchdog Privacy International, which has spent four years gathering 1,203 brochures and sales pitches used at conventions in Dubai, Prague, Brasilia, Washington, Kuala Lumpur, Paris and London. Analysts posed as potential buyers to gain access to the private fairs.
The database, called the Surveillance Industry Index, shows how firms from the UK, Israel, Germany, France and the US offer governments a range of systems that allow them to secretly hack into internet cables carrying email and phone traffic.
The index has details from 338 companies, including 77 from the UK, offering a total of 97 different technologies.
One firm says its “massive passive monitoring” equipment can “capture up to 1bn intercepts a day”. Some offer cameras hidden in cola cans, bricks or children’s carseats, while one manufacturer turns cars or vans into surveillance control centres.
There is nothing illegal about selling such equipment, and the companies say the new technologies are there to help governments defeat terrorism and crime.
But human rights and privacy campaigners are alarmed at the sophistication of the systems, and worry that unscrupulous regimes could use them as tools to spy on dissidents and critics.
Libya’s former leader Muammar Gaddafi is known to have used off-the-shelf surveillance equipment to clamp down on opposition leaders.
Privacy International believes UK firms should now be subject to the same strict export licence rules faced by arms manufacturers.
“There is a culture of impunity permeating across the private surveillance market, given that there are no strict export controls on the sale of this technology, as there are on the sale of conventional weapons,” said Matthew Rice, research consultant with Privacy International.
“This market profits off the suffering of people around the world, yet it lacks any sort of effective oversight or accountability.
“This lack of regulation has allowed companies to export surveillance technology to countries that use their newly acquired surveillance capability to spy on human rights activists, journalists and political movements.”
Privacy International hopes the Surveillance Industry Index will give academics, politicians and campaigners a chance to look at the type of surveillance technologies now available in the hope of sparking a debate about improved regulation.
The documents include a brochure from a company called Advanced Middle East Systems (AMES), based in Dubai. It has been offering a device called Cerebro – a DIY system similar to the Tempora programme run by GCHQ – that taps information from fibre-optic cables carrying internet traffic.
AMES describes Cerebro as a “core technology designed to monitor and analyse in real time communications … including SMS (texting), GSM (mobile calls), billing data, emails, conversations, webmail, chat sessions and social networks.”
The company brochure makes clear this is done by attaching probes to internet cables. “No co-operation with the providers is required,” it adds.
“Cerebro is designed to store several billions of records – metadata and/or communication contents. At any time the investigators can follow the live activity of their target with advanced targeting criteria (email addresses, phone numbers, key words),” says the brochure.
AMES refused to comment after being contacted by the Guardian, but said it followed similar protocols to other surveillance companies. “We don’t want to interact with the press,” said a spokesman.
Another firm selling similar equipment is VASTech, based in South Africa, which has a system called Zebra. Potential buyers are told it has been designed to help “government security agencies face huge challenges in their combat against crime and terrorism”.
VASTech says Zebra offers “access to high volumes of information generated via telecommunication services for the purposes of analysis and investigation”.
It has been designed to “intercept all content and metadata of voice, SMS, email and fax communications on the connected network, creating a rich repository of information”.
A spokesman for the company said: “VASTech produces products for governmental law enforcement agencies. These products have the primary goal of reducing specifically cross-border crimes such as child pornography, human trafficking, drug smuggling, weapon smuggling, money laundering, corruption and terrorist activities. We compete internationally and openly against several suppliers of similar systems.
“We only supply legal governments, which are not subjected to international sanctions. Should their status change in this regard, we hold the right to withdraw our supplies and support unilaterally.”
Ann McKechin, a Labour member of the arms export control committee, said: “Obviously we are concerned about how our government provides licences, given these new types of technology.
“Software technology is now becoming a very large component of our total exports and how we police it before it gets out of country will become an increasingly difficult question and I think the government has to review its processes to consider whether they are fit for the task.”
She said the Department for Business, Innovation and Skills, which has responsibility for granting export licences, had to ensure it has the skills and knowledge to assess new technologies, particularly if they were being sold to “countries of concern”.
“The knowledge of staff which may be more geared to more traditional types of weaponry,” she added.
A business department spokesperson said: “The government agrees that further regulation is necessary. These products have legitimate uses in defending networks and tracking and disrupting criminals, but we recognise that they may also be used to conduct espionage.
“Given the international nature of this problem we believe that an internationally agreed solution will be the most effective response. That is why the UK is leading international efforts to agree export controls on specific technologies of concern.
“We expect to be able to announce real progress in this area in early December.”
What’s on offer
Some companies offer a range of spy equipment that would not look out of place in a James Bond film
Spy vans
Ordinary vans, cars and motorbikes can be customised to offer everything a spy could need. Tiny cameras and microphones are hidden in wing mirrors, headlights and even the makers’ logo. Vehicles can also be fitted with the latest mass surveillance technology, allowing them to intercept, assess and store a range of digital communications from the surrounding area.
Hidden cameras
The range of objects that can hide high-quality cameras and recording equipment appears almost limitless; from a box of tissues giving a 360-degree view of the room, to a child’s car seat, a brick and a key fob. Remote controls allow cameras to follow targets as they move around a room and have a powerful zoom to give high definition close-ups.
Recorders
As with cameras, recording equipment is getting more sophisticated and more ubiquitous. From cigarette lighters to pens, there are limitless ways to listen in on other people’s conversations. One firm offers a special strap microphone that straps to the would-be spy’s back and records conversations going on directly behind them. According to the brochure: “[This] is ideal because people in a crowd think that someone with their back turned can’t hear their conversation. Operatives can work much closer to their target.”
Handheld ‘biometric cameras’
This system, made by a UK firm, is currently being used by British forces in Afghanistan to help troops identify potential terrorists. The brochure for the Mobile Biometric Platform says: “Innocent civilian or Insurgent? Not Certain? Our systems are.” It adds: “The MBP is tailored for military use and enables biometric enrolment and identification of finger, face and iris against on board watchlists in real time from live or forensic data.”
Mobile phone locators
It is now possible, from a single laptop computer, to locate where a mobile phone is calling from anywhere in the world, with an accuracy of between 200 metres and a mile. This is not done by attaching probes, and it is not limited to the area where the laptop is working from. The “cross border” system means it is now theoretically possible to locate a mobile phone call from a town abroad from a laptop in London.
Nick Hopkins and Matthew Taylor
The Guardian, Monday 18 November 2013 21.42 GMT
Find this story at 18 November 2013
© 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.
Oil Espionage; How the NSA and GCHQ Spied on OPEC
13 November 2013
America’s NSA and Britain’s GCHQ are both spying on the OPEC oil cartel, documents from whistleblower Edward Snowden reveal. The security of the global energy supply is one of the most important issues for the intelligence agencies.
Documents disclosed by whistleblower Edward Snowden reveal that both America’s National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) have infiltrated the computer network of the Organization of the Petroleum Exporting Countries (OPEC).
In January 2008, the NSA department in charge of energy issues reported it had accomplished its mission. Intelligence information about individual petroleum-exporting countries had existed before then, but now the NSA had managed, for the first time, to infiltrate OPEC in its entirety.
OPEC, founded in 1960, has its headquarters in a box-like building in Vienna. Its main objective is to control the global oil market, and to keep prices high. The 12 member states include Saudi Arabia, Venezuela, Iran and Iraq.
A Treasure Trove of Information
When the NSA used the Internet to infiltrate OPEC’s computers, its analysts discovered an internal study in the OPEC Research Division. It stated that OPEC officials were trying to cast the blame for high oil prices on speculators. A look at files in the OPEC legal department revealed how the organization was preparing itself for an antitrust suit in the United States. And a review of the section reserved for the OPEC secretary general documented that the Saudis were using underhanded tactics, even within the organization. According to the NSA analysts, Riyadh had tried to keep an increase in oil production a secret for as long as possible.
Saudi Arabia’s OPEC governor is also on the list of individuals targeted for surveillance, for which the NSA had secured approval from the secret Foreign Intelligence Surveillance Court. The documents show how careful the Americans were to suspend their surveillance when the Saudi visited the United States. But as soon as he had returned to Riyadh, the NSA analysts began infiltrating his communications once again.
Praise from Department of Energy
According to a 2010 report, one of the analysts’ conclusions was that the Saudis had released incorrect oil production figures. The typical “customers” for such information were the CIA, the US State Department and the Department of Energy, which promptly praised the NSA for confirming what it had suspected for years.
The British, who also targeted OPEC’s Vienna headquarters, were at least as successful as the NSA. A secret GCHQ document dating from 2010 states that the agency had traditionally had “poor access” to OPEC. But that year, after a long period of meticulous work, it had managed to infiltrate the computers of nine OPEC employees by using the “Quantum Insert” method, which then creates a gateway to gain access into OPEC’s computer system. GCHQ analysts were even able to acquire administrator privileges for the OPEC network and gain access to two secret servers containing “many documents of interest.”
OPEC appears in the “National Intelligence Priorities Framework,” which the White House issues to the US intelligence community. Although the organization is still listed as an intelligence target in the April 2013 list, it is no longer a high-priority target. Now that the United States is less dependent on Saudi petroleum, thanks to fracking and new oil discoveries, the fact that OPEC is not identified as a top priority anymore indicates that interest in the organization has declined.
11/11/2013 12:05 AM
By SPIEGEL Staff
Find this story at 11 November 2013
© SPIEGEL ONLINE 2013
Stateroom
11 November 2013
“STATEROOM sites are covert SIGINT collection sites located in diplomatic facilities abroad. SIGINT agencies hosting such sites include SCS (at U.S. diplomatic facilities), Government Communications Headquarters or GCHQ (at British diplomatic facilities), Communication Security Establishments or CSE (at Canadian diplomatic facilities), and Defense Signals Directorate (at Australian diplomatic facilities). These sites are small in size and in the number of personnel staffing them. They are covert, and their true mission is not known by the majority of the diplomatic staff at the facility where they are assigned.”
Find this story at 27 October 2013
NSA and GCHQ – too close for comfort
16 August 2013
It makes sense for the US and UK to co-operate and share, but payments between the two agencies must mean influence
‘One budget report states GCHQ (right) will spend money according to NSA and UK government requirements – in that order.’ Photographs: EPA/NSA; Barry Batchelor/PA
The intelligence files leaked by the whistleblower Edward Snowden have highlighted two major issues that are specific to Britain. Neither have been welcomed by the government or our security agencies, and most of the political classes are trying to ignore them too. The first involves tactics.
Thanks to Snowden, we have found out about techniques that have given GCHQ the capability to suck up vast amounts of people’s personal data from the cables that carry the internet in and out of the country.
The programme, called Tempora, is unquestionably ingenious, but it is underpinned by laws that are outdated and poorly worded.
Even the most sympathetic of scrutinising bodies – the parliamentary intelligence and security committee (ISC) – has put a question mark over this legislative framework.
The second issue involves British strategic thinking. The files seen by the Guardian are explicit about the importance of the UK’s relationship with the US, and the desire for GCHQ to be as tightly bound as possible to its US counterpart, the National Security Agency. They will doubtless be welcomed by anyone who believes that the need for a “special relationship” with Washington – which has underpinned UK foreign policy since the second world war – is pre-eminent.
But in the light of these latest revelations, it is also right to assess the price we are paying for this relationship, and the compromises that come with it.
Without Snowden, we would not have known that the NSA pays GCHQ tens of millions of pounds a year.
These are the payments we actually know about – there may be others, because so many of our intelligence projects and programmes are historic and interlinked.
Yet none of the bodies that have notional responsibility for overseeing the money flowing into and out of GCHQ – the National Audit Office (NAO), the public accounts committee, the ISC – have ever mentioned these sums.
The NAO and the public accounts committee almost certainly didn’t know about them. It is worth dwelling on this. The US government is paying money to support Britain’s most important intelligence-gathering service. Would this be regarded as normal, or acceptable, in any other institution, such as the police or the military, both of whom work closely with the US?
And what does the US expect to get from this investment? Quite a bit, seems to be the answer. The influence the NSA has over GCHQ seems considerable. Whether this is down to the money, or the pressure a senior partner in a relationship can bring to bear, is not entirely clear.
Common sense suggests it’s a mixture of the two. What is clear is this: the Snowden files are littered with remarks from GCHQ senior and middle managers worrying about the NSA “ask” and whether the British agency is doing enough to meet it.
One budget report states GCHQ will spend money according to NSA and UK government requirements – in that order. Does GCHQ feel compromised by this? If it does, it seems the imperative of keeping close to the Americans is overriding. That appears to be the view of the Cabinet Office too.
Asked about the NSA payments, the American demands and the concerns that the UK might be vulnerable to being pushed about, the Cabinet Office said: “In a 60-year close alliance it is entirely unsurprising that there are joint projects in which resources and expertise are pooled, but the benefits flow in both directions.”
It may be entirely unsurprising in Whitehall that our subservience has been institutionalised in this way, but everyone else is entitled to ask whether that makes it healthy or right.
People are also entitled to ponder whether the price of keeping the Americans so close might involve undertaking some of their “dirty work” – developing intelligence-gathering techniques that are beyond the US legislative and judicial framework, but can be accommodated within ours.
Critics of the ISC argue it is simply too under-resourced and uncritical to give plausible answers to such questions; and the pronouncements of ministers who sign hundreds of warrants every year are hardly reassuring.
It would be naive to think that the US and the UK could work – or would want to work – in isolation of each other when its government-class shares many of the same perspectives on the world.
There are many advantages to sharing intelligence. But sovereignty and independence are important too. The NSA and GCHQ seem deeply enmeshed and interlinked, but the line between the agencies needs to be drawn more clearly.
Nick Hopkins
theguardian.com, Thursday 1 August 2013 16.04 BST
Find this story at 1 August 2013
© 2013 Guardian News and Media Limited or its affiliated companies.
Exclusive: NSA pays £100m in secret funding for GCHQ
16 August 2013
• Secret payments revealed in leaks by Edward Snowden
• GCHQ expected to ‘pull its weight’ for Americans
• Weaker regulation of British spies ‘a selling point’ for NSA
The NSA paid £15.5m towards redevelopments at GCHQ’s site in Bude, north Cornwall, which intercepts communications from the transatlantic cables that carry internet traffic. Photograph: Kieran Doherty/Reuters
The US government has paid at least £100m to the UK spy agency GCHQ over the last three years to secure access to and influence over Britain’s intelligence gathering programmes.
The top secret payments are set out in documents which make clear that the Americans expect a return on the investment, and that GCHQ has to work hard to meet their demands. “GCHQ must pull its weight and be seen to pull its weight,” a GCHQ strategy briefing said.
The funding underlines the closeness of the relationship between GCHQ and its US equivalent, the National Security Agency. But it will raise fears about the hold Washington has over the UK’s biggest and most important intelligence agency, and whether Britain’s dependency on the NSA has become too great.
In one revealing document from 2010, GCHQ acknowledged that the US had “raised a number of issues with regards to meeting NSA’s minimum expectations”. It said GCHQ “still remains short of the full NSA ask”.
Ministers have denied that GCHQ does the NSA’s “dirty work”, but in the documents GCHQ describes Britain’s surveillance laws and regulatory regime as a “selling point” for the Americans.
The papers are the latest to emerge from the cache leaked by the American whistleblower Edward Snowden, the former NSA contractor who has railed at the reach of the US and UK intelligence agencies.
Snowden warned about the relationship between the NSA and GCHQ, saying the organisations have been jointly responsible for developing techniques that allow the mass harvesting and analysis of internet traffic. “It’s not just a US problem,” he said. “They are worse than the US.”
As well as the payments, the documents seen by the Guardian reveal:
• GCHQ is pouring money into efforts to gather personal information from mobile phones and apps, and has said it wants to be able to “exploit any phone, anywhere, any time”.
• Some GCHQ staff working on one sensitive programme expressed concern about “the morality and ethics of their operational work, particularly given the level of deception involved”.
• The amount of personal data available to GCHQ from internet and mobile traffic has increased by 7,000% in the past five years – but 60% of all Britain’s refined intelligence still appears to come from the NSA.
• GCHQ blames China and Russia for the vast majority of cyber-attacks against the UK and is now working with the NSA to provide the British and US militaries with a cyberwarfare capability.
The details of the NSA payments, and the influence the US has over Britain, are set out in GCHQ’s annual “investment portfolios”. The papers show that the NSA gave GCHQ £22.9m in 2009. The following year the NSA’s contribution increased to £39.9m, which included £4m to support GCHQ’s work for Nato forces in Afghanistan, and £17.2m for the agency’s Mastering the Internet project, which gathers and stores vast amounts of “raw” information ready for analysis.
The NSA also paid £15.5m towards redevelopments at GCHQ’s sister site in Bude, north Cornwall, which intercepts communications from the transatlantic cables that carry internet traffic. “Securing external NSA funding for Bude has protected (GCHQ’s core) budget,” the paper said.
In 2011/12 the NSA paid another £34.7m to GCHQ.
The papers show the NSA pays half the costs of one of the UK’s main eavesdropping capabilities in Cyprus. In turn, GCHQ has to take the American view into account when deciding what to prioritise.
A document setting out GCHQ’s spending plans for 2010/11 stated: “The portfolio will spend money supplied by the NSA and UK government departments against agreed requirements.”
Other documents say the agency must ensure there has been “an appropriate level of contribution … from the NSA perspective”.
The leaked papers reveal that the UK’s biggest fear is that “US perceptions of the … partnership diminish, leading to loss of access, and/or reduction in investment … to the UK”.
When GCHQ does supply the US with valuable intelligence, the agency boasts about it. In one review, GCHQ boasted that it had supplied “unique contributions” to the NSA during its investigation of the American citizen responsible for an attempted car bomb attack in Times Square, New York City, in 2010.
No other detail is provided – but it raises the possibility that GCHQ might have been spying on an American living in the US. The NSA is prohibited from doing this by US law.
Asked about the payments, a Cabinet Office spokesman said: “In a 60-year alliance it is entirely unsurprising that there are joint projects in which resources and expertise are pooled, but the benefits flow in both directions.”
A senior security source in Whitehall added: “The fact is there is a close intelligence relationship between the UK and US and a number of other countries including Australia and Canada. There’s no automaticity, not everything is shared. A sentient human being takes decisions.”
Although the sums represent only a small percentage of the agencies’ budgets, the money has been an important source of income for GCHQ. The cash came during a period of cost-cutting at the agency that led to staff numbers being slashed from 6,485 in 2009 to 6,132 last year.
GCHQ seems desperate to please its American benefactor and the NSA does not hold back when it fails to get what it wants. On one project, GCHQ feared if it failed to deliver it would “diminish NSA’s confidence in GCHQ’s ability to meet minimum NSA requirements”. Another document warned: “The NSA ask is not static and retaining ‘equability’ will remain a challenge for the near future.”
In November 2011, a senior GCHQ manager working in Cyprus bemoaned the lack of staff devoted to one eavesdropping programme, saying: “This is not sustainable if numbers reduce further and reflects badly on our commitments to the NSA.”
The overriding necessity to keep on the right side of the US was revealed in a UK government paper that set out the views of GCHQ in the wake of the 2010 strategic defence and security review. The document was called: “GCHQ’s international alliances and partnerships: helping to maintain Britain’s standing and influence in the world.” It said: “Our key partnership is with the US. We need to keep this relationship healthy. The relationship remains strong but is not sentimental. GCHQ must pull its weight and be seen to pull its weight.”
Astonishingly, the document admitted that 60% of the UK’s high-value intelligence “is based on either NSA end-product or derived from NSA collection”. End product means official reports that are distillations of the best raw intelligence.
Another pitch to keep the US happy involves reminding Washington that the UK is less regulated than the US. The British agency described this as one of its key “selling points”. This was made explicit two years ago when GCHQ set out its priorities for the coming years.
“We both accept and accommodate NSA’s different way of working,” the document said. “We are less constrained by NSA’s concerns about compliance.”
GCHQ said that by 2013 it hoped to have “exploited to the full our unique selling points of geography, partnerships [and] the UK’s legal regime”.
However, there are indications from within GCHQ that senior staff are not at ease with the rate and pace of change. The head of one of its programmes warned the agency was now receiving so much new intelligence that its “mission management … is no longer fit for purpose”.
In June, the government announced that the “single intelligence account” fund that pays for GCHQ, MI5 and MI6 would be increased by 3.4% in 2015/16. This comes after three years in which the SIA has been cut from £1.92bn to £1.88bn. The agencies have also been told to make £220m savings on existing programmes.
The parliamentary intelligence and security committee (ISC) has questioned whether the agencies were making the claimed savings and said their budgets should be more rigorously scrutinised to ensure efficiencies were “independently verifiable and/or sustainable”.
The Snowden documents show GCHQ has become increasingly reliant on money from “external” sources. In 2006 it received the vast majority of its funding directly from Whitehall, with only £14m from “external” funding. In 2010 that rose to £118m and by 2011/12 it had reached £151m. Most of this comes from the Home Office.
Nick Hopkins and Julian Borger
The Guardian, Thursday 1 August 2013 16.04 BST
Find this story at 1 August 2013
© 2013 Guardian News and Media Limited or its affiliated companies.
For Western Allies, a Long History of Swapping Intelligence
16 August 2013
BERLIN — When Edward J. Snowden disclosed the extent of the United States data mining operations in Germany, monitoring as many as 60 million of the country’s telephone and Internet connections in one day and bugging its embassy, politicians here, like others in Europe, were by turns appalled and indignant. But like the French before them, this week they found themselves backpedaling.
In an interview released this week Mr. Snowden said that Germany’s intelligence services are “in bed” with the National Security Agency, “the same as with most other Western countries.” The assertion has added to fresh scrutiny in the European news media of Berlin and other European governments that may have benefited from the enormous American snooping program known as Prism, or conducted wide-ranging surveillance operations of their own.
The outrage of European leaders notwithstanding, intelligence experts and historians say the most recent disclosures reflect the complicated nature of the relationship between the intelligence services of the United States and its allies, which have long quietly swapped information on each other’s citizens.
“The other services don’t ask us where our information is from and we don’t ask them,” Mr. Snowden said in the interview, conducted by the documentary filmmaker Laura Poitras and Jacob Appelbaum, a computer security researcher, and published this week in the German magazine Der Spiegel. “This way they can protect their political leaders from backlash, if it should become public how massively the private spheres of people around the globe are being violated.”
Britain, which has the closest intelligence relationship with the United States of any European country, has been implicated in several of the data operations described by Mr. Snowden, including claims that Britain’s agencies had access to the Prism computer network, which monitors data from a range of American Internet companies. Such sharing would have allowed British intelligence agencies to sidestep British legal restrictions on electronic snooping. Prime Minister David Cameron has insisted that its intelligence services operate within the law.
Another allegation, reported by The Guardian newspaper, is that the Government Communications Headquarters, the British surveillance center, tapped fiber-optic cables carrying international telephone and Internet traffic, then shared the information with the N.S.A. This program, known as Tempora, involved attaching intercept probes to trans-Atlantic cables when they land on British shores from North America, the report said.
President François Hollande of France was among the first European leaders to express outrage at the revelations of American spying, and especially at accusations that the Americans had spied on French diplomatic posts in Washington and New York.
There is no evidence to date that French intelligence services were granted access to information from the N.S.A. Le Monde reported last week, however, that France’s external intelligence agency maintains a broad telecommunications data collection system of its own, amassing metadata on most, if not all, telephone calls, e-mails and Internet activity coming in and out of France.
Mr. Hollande and other officials have been notably less vocal regarding the claims advanced by Le Monde, which authorities in France have neither confirmed nor denied.
Given their bad experiences with domestic spying, first under the Nazis and then the former East German secret police, Germans are touchy when it comes to issues of personal privacy and protection of their personal data. Guarantees ensuring the privacy of mail and all forms of long-distance communications are enshrined in Article 10 of their Constitution.
When the extent of the American spying in Germany came to light the chancellor’s spokesman, Steffen Seibert, decried such behavior as “unacceptable,” insisting that, “We are no longer in the cold war.”
But experts say ties between the intelligence services remain rooted in agreements stemming from that era, when West Germany depended on the United States to protect it from the former Soviet Union and its allies in the East.
“Of course the German government is very deeply entwined with the American intelligence services,” said Josef Foschepoth, a German historian from Freiburg University. Mr. Foschepoth spent several years combing through Germany’s federal archives, including formerly classified documents from the 1950s and 1960s, in an effort to uncover the roots of the trans-Atlantic cooperation.
In 1965, Germany’s foreign intelligence service, known by the initials BND, was created. Three years later, the West Germans signed a cooperation agreement effectively binding the Germans to an intensive exchange of information that continues up to the present day, despite changes to the agreements.
The attacks on Sept. 11, 2001, in the United States saw a fresh commitment by the Germans to cooperate with the Americans in the global war against terror. Using technology developed by the Americans and used by the N.S.A., the BND monitors networks from the Middle East, filtering the information before sending it to Washington, said Erich Schmidt-Eenboom, an expert on secret services who runs the Research Institute for Peace Politics in Bavaria.
In exchange, Washington shares intelligence with Germany that authorities here say has been essential to preventing terror attacks similar to those in Madrid or London. It is a matter of pride among German authorities that they have been able to swoop in and detain suspects, preventing several plots from being carried out.
By focusing the current public debate in Germany on the issue of personal data, experts say Chancellor Angela Merkel is able to steer clear of the stickier questions about Germany’s own surveillance programs and a long history of intelligence sharing with the United States, which still makes many Germans deeply uncomfortable, more than two decades after the end of the cold war.
“Every postwar German government, at some point, has been confronted with this problem,” Mr. Foschepoth said of the surveillance scandal. “The way that the chancellor is handling it shows that she knows very well, she is very well informed and she wants the issue to fade away.”
Reporting contributed by Stephen Castle from London, Scott Sayare from Paris and Eric Schmitt from Washington.
July 9, 2013
By MELISSA EDDY
Find this story at 9 July 2013
© 2013 The New York Times Company
When states monitored their citizens we used to call them authoritarian. Now we think this is what keeps us safe
10 July 2013
The internet is being snooped on and CCTV is everywhere. How did we come to accept that this is just the way things are?
These days we are all suspects, or at least consumers. Photograph: Alamy
America controls the sky. Fear of what America might do can make countries divert planes – all because Edward Snowden might be on one.
Owning the sky has somehow got to me more than controlling the internet. Maybe because I am a simpleton and sometimes can only process what I can see – the actual sky, rather than invisible cyberspace in which data blips through fibre-optic cables.
Thus the everyday internet remains opaque to all but geeks. And that’s where I think I have got it wrong. My first reaction to the Prism leaks was to make stupid jokes: Spies spy? Who knew? The fact that Snowden looked as if he came from central casting didn’t help. Nor did the involvement of Julian Assange, a cult leader who should be in Sweden instead of a cupboard in an embassy.
What I failed to grasp, though, was quite how much I had already surrendered my liberty, not just personally but my political ideals about what liberty means. I simply took for granted that everyone can see everything and laughed at the idea that Obama will be looking at my pictures of a cat dressed as a lobster. I was resigned to the fact that some random FBI merchant will wonder at the inane and profane nature of my drunken tweets.
Slowly but surely, The Lives of Others have become ours. CCTV cameras everywhere watch us, so we no longer watch out for each other. Public space is controlled. Of course, much CCTV footage is never seen and often useless. But we don’t need the panopticon once we have built one in our own minds. We are all suspects.
Or at least consumers. iTunes thinks I might like Bowie; Amazon thinks I want a compact tumble dryer. Really? Facebook seems to think I want to date men in uniform. I revel in the fact that the algorithms get it as wrong as the man who knocks on my door selling fish out of a van. “And not just fish,” as he sometimes says mysteriously.
But how did I come to accept that all this data gathered about me is just the way it is? Wasn’t I once interested in civil liberties? Indeed, weren’t the Lib Dems? Didn’t freedom somehow incorporate the idea of individual privacy? When the state monitored all its citizens as though they were suspects – whether in East Germany or North Korea – we called it authoritarianism. Now we think it is what keeps us safe.
In 2009 I sat on a panel with Vince Cable at the cross-party Convention on Modern Liberty. Cable told us that a recession could provide the preconditions for fascism. Gosh, I thought, that’s a bit strong. Then the recession hit and austerity became the narrative that subsumed all debates about freedom. No one poor is free, and it is no coincidence that the poor are the most snooped on of all.
What Snowden, who is no spy, has revealed is the nature of the game: that surveillance is a huge private industry; that almost full control of the internet has been achieved already; that politicians here and in the US have totally acquiesced to industrial-scale snooping. There is a generation now made up of people who will never have had a private conversation online or by phone. These are my children. And should they or anyone else want to organise against the powers that be, they will be traceable. We have sleepwalked into this because liberty remains such an alien concept, still. But the US has the fourth amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizure, shall not be violated.”
It has been violated. Bradley Manning is in prison, Guantánamo remains open, CIA agents who spoke out about waterboarding are banged up. And there are other kinds of whistleblowers who conveniently kill themselves. The letter from Daniel Somers, who served in Iraq, says he was made to do things he could not live with. He described his suicide as a mercy killing and reminded us that 22 veterans kill themselves every day. This is not whistleblowing. It is screaming into a void.
But we remain passive while other European countries are angry at what Snowden has told us. We maintain the special relationship. For Snowden, the truth will not set him free, it will imprison him for ever. We now debate whether we should exchange liberty for security, but it is too late. As John Locke said: “As soon as men decide all means are permitted to fight an evil, then their good becomes indistinguishable from the evil they set out to destroy.” He could have been talking about our passivity.
When did you surrender your freedom to communicate, something that was yours and yours alone, whether an email to a lover or a picture of your child? Ask yourself, do you feel safer now you know that you have no secrets? Now, the intimacies that are of no import to anyone but you have been subject to virtual extraordinary rendition. Because, fundamentally, your government does not trust you. Why therefore should you trust it?
Suzanne Moore
The Guardian, Wednesday 3 July 2013 20.00 BST
Find this story at 3 July 2013
© 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.
Answers to Frequently Asked Questions (FAQ) about Echelon
10 July 2013
Q – What is Project ECHELON?
ECHELON is the term popularly used for an automated global interception and relay system operated by the intelligence agencies in five nations: the United States, the United Kingdom, Canada, Australia and New Zealand (it is believed that ECHELON is the code name for the portion of the system that intercepts satellite-based communications). While the United States National Security Agency (NSA) takes the lead, ECHELON works in conjunction with other intelligence agencies, including the Australian Defence Signals Directorate (DSD). It is believed that ECHELON also works with Britain’s Government Communications Headquarters (GCHQ) and the agencies of other allies of the United States, pursuant to various treaties. (1)
These countries coordinate their activities pursuant to the UKUSA agreement, which dates back to 1947. The original ECHELON dates back to 1971. However, its capabilities and priorities have expanded greatly since its formation. According to reports, it is capable of intercepting and processing many types of transmissions, throughout the globe. In fact, it has been suggested that ECHELON may intercept as many as 3 billion communications every day, including phone calls, e-mail messages, Internet downloads, satellite transmissions, and so on. (2) The ECHELON system gathers all of these transmissions indiscriminately, then distills the information that is most heavily desired through artificial intelligence programs. Some sources have claimed that ECHELON sifts through an estimated 90 percent of all traffic that flows through the Internet. (3)
However, the exact capabilities and goals of ECHELON remain unclear. For example, it is unknown whether ECHELON actually targets domestic communications. Also, it is apparently very difficult for ECHELON to intercept certain types of transmissions, particularly fiber communications.
Q – How does ECHELON work?
ECHELON apparently collects data in several ways. Reports suggest it has massive ground-based radio antennae to intercept satellite transmissions. In addition, some sites reputedly are tasked with tapping surface traffic. These antennae reportedly are in the United States, Italy, England, Turkey, New Zealand, Canada, Australia, and several other places. (4)
Similarly, it is believed that ECHELON uses numerous satellites to catch “spillover” data from transmissions between cities. These satellites then beam the information down to processing centers on the ground. The main centers are in the United States (near Denver), England (Menwith Hill), Australia, and Germany. (5)
According to various sources, ECHELON also routinely intercepts Internet transmissions. The organization allegedly has installed numerous “sniffer” devices. These “sniffers” collect information from data packets as they traverse the Internet via several key junctions. It also uses search software to scan for web sites that may be of interest. (6)
Furthermore, it is believed that ECHELON has even used special underwater devices which tap into cables that carry phone calls across the seas. According to published reports, American divers were able to install surveillance devices on to the underwater cables. One of these taps was discovered in 1982, but other devices apparently continued to function undetected. (7)
It is not known at this point whether ECHELON has been able to tap fiber optic phone cables.
Finally, if the aforementioned methods fail to garner the desired information, there is another alternative. Apparently, the nations that are involved with ECHELON also train special agents to install a variety of special data collection devices. One of these devices is reputed to be an information processing kit that is the size of a suitcase. Another such item is a sophisticated radio receiver that is as small as a credit card. (8)
After capturing this raw data, ECHELON sifts through it using DICTIONARY. DICTIONARY is actually a special system of computers which finds pertinent information by searching for key words, addresses, etc. These search programs help pare down the voluminous quantity of transmissions which pass through the ECHELON network every day. These programs also seem to enable users to focus on any specific subject upon which information is desired. (9)
Q – If ECHELON is so powerful, why haven’t I heard about it before?
The United States government has gone to extreme lengths to keep ECHELON a secret. To this day, the U.S. government refuses to admit that ECHELON even exists. We know it exists because both the governments of Australia (through its Defence Signals Directorate) and New Zealand have admitted to this fact. (10) However, even with this revelation, US officials have refused to comment.
This “wall of silence” is beginning to erode. The first report on ECHELON was published in 1988. (11) In addition, besides the revelations from Australia, the Scientific and Technical Options Assessment program office (STOA) of the European Parliament commissioned two reports which describe ECHELON’s activities. These reports unearthed a startling amount of evidence, which suggests that Echelon’s powers may have been underestimated. The first report, entitled “An Appraisal of Technologies of Political Control,” suggested that ECHELON primarily targeted civilians.
This report found that:
The ECHELON system forms part of the UKUSA system but unlike many of the electronic spy systems developed during the cold war, ECHELON is designed for primarily non-military targets: governments, organisations and businesses in virtually every country. The ECHELON system works by indiscriminately intercepting very large quantities of communications and then siphoning out what is valuable using artificial intelligence aids like Memex to find key words. Five nations share the results with the US as the senior partner under the UKUSA agreement of 1947, Britain, Canada, New Zealand and Australia are very much acting as subordinate information servicers.
Each of the five centres supply “dictionaries” to the other four of keywords, phrases, people and places to “tag” and the tagged intercept is forwarded straight to the requesting country. Whilst there is much information gathered about potential terrorists, there is a lot of economic intelligence, notably intensive monitoring of all the countries participating in the GATT negotiations. But Hager found that by far the main priorities of this system continued to be military and political intelligence applicable to their wider interests. Hager quotes from a “highly placed intelligence operatives” who spoke to the Observer in London. “We feel we can no longer remain silent regarding that which we regard to be gross malpractice and negligence within the establishment in which we operate.” They gave as examples. GCHQ interception of three charities, including Amnesty International and Christian Aid. “At any time GCHQ is able to home in on their communications for a routine target request,” the GCHQ source said. In the case of phone taps the procedure is known as Mantis. With telexes its called Mayfly. By keying in a code relating to third world aid, the source was able to demonstrate telex “fixes” on the three organisations. With no system of accountability, it is difficult to discover what criteria determine who is not a target. (12)
A more recent report, known as Interception Capabilities 2000, describes ECHELON capabilities in even more elaborate detail. (13) The release of the report sparked accusations from the French government that the United States was using ECHELON to give American companies an advantage over rival firms. (14) In response, R. James Woolsey, the former head of the US Central Intelligence Agency (CIA), charged that the French government was using bribes to get lucrative deals around the world, and that US surveillance networks were used simply to level the playing field. (15) However, experts have pointed out that Woolsey missed several key points. For example, Woolsey neglected to mention alleged instances of economic espionage (cited in Interception Capabilities 2000) that did not involve bribery. Furthermore, many observers expressed alarm with Woolsey’s apparent assertion that isolated incidents of bribery could justify the wholesale interception of the world’s communications. (16)
The European Parliament formed a temporary Committee of Enquiry to investigate ECHELON abuses. (17) In May 2001, members of this committee visited the United States in an attempt to discover more details about ECHELON. However, officials from both the NSA and the US Central Intelligence Agency (CIA) canceled meetings that they had previously scheduled with the European panel. The committee’s chairman, Carlos Coelho, said that his group was “very disappointed” with the apparent rebuffs; in protest, the Parliamentary representatives returned home a day early. (18)
Afterwards, the committee published a report stating that ECHELON does indeed exist and that individuals should strongly consider encrypting their emails and other Internet messages. (19) However, the panel was unable to confirm suspicions that ECHELON is used to conduct industrial espionage, due to a lack of evidence. (20) Ironically, the report also mentioned the idea that European government agents should be allowed greater powers to decrypt electronic communications, which was criticized by some observers (including several members of the committee) as giving further support to Europe’s own ECHELON-type system. (21) The European Parliament approved the report, but despite the apparent need for further investigation, the committee was disbanded. (22) Nevertheless, the European Commission plans to draft a “roadmap” for data protection that will address many of the concerns aired by the EP panel. (23)
Meanwhile, after years of denying the existence of ECHELON, the Dutch government issued a letter that stated: “Although the Dutch government does not have official confirmation of the existence of Echelon by the governments related to this system, it thinks it is plausible this network exists. The government believes not only the governments associated with Echelon are able to intercept communication systems, but that it is an activity of the investigative authorities and intelligence services of many countries with governments of different political signature.” (24) These revelations worried Dutch legislators, who had convened a special hearing on the subject. During the hearing, several experts argued that there must be tougher oversight of government surveillance activities. There was also considerable criticism of Dutch government efforts to protect individual privacy, particularly the fact that no information had been made available relating to Dutch intelligence service’s investigation of possible ECHELON abuses. (25)
In addition, an Italian government official has begun to investigate Echelon’s intelligence-gathering efforts, based on the belief that the organization may be spying on European citizens in violation of Italian or international law. (26)
Events in the United States have also indicated that the “wall of silence” might not last much longer. Exercising their Constitutionally created oversight authority, members of the House Select Committee on Intelligence started asking questions about the legal basis for NSA’s ECHELON activities. In particular, the Committee wanted to know if the communications of Americans were being intercepted and under what authority, since US law severely limits the ability of the intelligence agencies to engage in domestic surveillance. When asked about its legal authority, NSA invoked the attorney-client privilege and refused to disclose the legal standards by which ECHELON might have conducted its activities. (27)
President Clinton then signed into law a funding bill which required the NSA to report on the legal basis for ECHELON and similar activities. (28) However, the subsequent report (entitled Legal Standards for the Intelligence Community in Conducting Electronic Surveillance) gave few details about Echelon’s operations and legality. (29)
However, during these proceedings, Rep. Bob Barr (R-GA), who has taken the lead in Congressional efforts to ferret out the truth about ECHELON, stated that he had arranged for the House Government Reform and Oversight Committee to hold its own oversight hearings. (30)
Finally, the Electronic Privacy Information Center has sued the US Government, hoping to obtain documents which would describe the legal standards by which ECHELON operates. (31)
Q – What is being done with the information that ECHELON collects?
The original purpose of ECHELON was to protect national security. That purpose continues today. For example, we know that ECHELON is gathering information on North Korea. Sources from Australia’s DSD have disclosed this much because Australian officials help operate the facilities there which scan through transmissions, looking for pertinent material. (32) Similarly, the Spanish government has apparently signed a deal with the United States to receive information collected using ECHELON. The consummation of this agreement was confirmed by Spanish Foreign Minister Josep Pique, who tried to justify this arrangement on security grounds. (33)
However, national security is not Echelon’s only concern. Reports have indicated that industrial espionage has become a part of Echelon’s activities. While present information seems to suggest that only high-ranking government officials have direct control over Echelon’s tasks, the information that is gained may be passed along at the discretion of these very same officials. As a result, much of this information has been given to American companies, in apparent attempts to give these companies an edge over their less knowledgeable counterparts. (34)
In addition, there are concerns that Echelon’s actions may be used to stifle political dissent. Many of these concerns were voiced in a report commissioned by the European Parliament. What is more, there are no known safeguards to prevent such abuses of power. (35)
Q – Is there any evidence that ECHELON is doing anything improper or illegal with the spying resources at its disposal?
ECHELON is a highly classified operation, which is conducted with little or no oversight by national parliaments or courts. Most of what is known comes from whistleblowers and classified documents. The simple truth is that there is no way to know precisely what ECHELON is being used for.
But there is evidence, much of which is circumstantial, that ECHELON (along with its British counterpart) has been engaged in significant invasions of privacy. These alleged violations include secret surveillance of political organizations, such as Amnesty International. (36) It has also been reported that ECHELON has engaged in industrial espionage on various private companies such as Airbus Industries and Panavia, then has passed along the information to their American competitors. (37) It is unclear just how far Echelon’s activities have harmed private individuals.
However, the most sensational revelation was that Diana, Princess of Wales may have come under ECHELON surveillance before she died. As reported in the Washington Post, the NSA admitted that they possessed files on the Princess, partly composed of intercepted phone conversations. While one official from the NSA claimed that the Princess was never a direct target, this disclosure seems to indicate the intrusive, yet surreptitious manner by which ECHELON operates. (38)
What is even more disquieting is that, if these allegations are proven to be true, the NSA and its compatriot organizations may have circumvented countless laws in numerous countries. Many nations have laws in place to prevent such invasions of privacy. However, there are suspicions that ECHELON has engaged in subterfuge to avoid these legal restrictions. For example, it is rumored that nations would not use their own agents to spy on their own citizens, but assign the task to agents from other countries. (39) In addition, as mentioned earlier, it is unclear just what legal standards ECHELON follows, if any actually exist. Thus, it is difficult to say what could prevent ECHELON from abusing its remarkable capabilities.
Q – Is everyone else doing what ECHELON does?
Maybe not everyone else, but there are plenty of other countries that engage in the type of intelligence gathering that ECHELON performs. These countries apparently include Russia, France, Israel, India, Pakistan and many others. (40) Indeed, the excesses of these ECHELON-like operations are rumored to be similar in form to their American equivalents, including digging up information for private companies to give them a commercial advantage.
However, it is also known that the ECHELON system is the largest of its kind. What is more, its considerable powers are enhanced through the efforts of America’s allies, including the United Kingdom, Canada, Australia, and New Zealand. Other countries don’t have the resources to engage in the massive garnering of information that the United States is carrying out.
Notes
1. Development of Surveillance Technology and Risk of Abuse of Economic Information (An appraisal of technologies for political control), Part 4/4: The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition, Ch. 1, para. 5, PE 168.184 / Part 4/4 (April 1999). See Duncan Campbell, Interception Capabilities 2000 (April 1999) (http://www.iptvreports.mcmail.com/stoa_cover.htm).
2. Kevin Poulsen, Echelon Revealed, ZDTV (June 9, 1999).
3. Greg Lindsay, The Government Is Reading Your E-Mail, TIME DIGITAL DAILY (June 24, 1999).
4. PE 168.184 / Part 4/4, supra note 1, Ch. 2, para. 32-34, 45-46.
5. Id. Ch. 2, para. 42.
6. Id. Ch. 2, para. 60.
7. Id. Ch. 2, para. 50.
8. Id. Ch. 2, para. 62-63.
9. An Appraisal of Technologies for Political Control, at 20, PE 166.499 (January 6, 1998). See Steve Wright, An Appraisal of Technologies for Political Control (January 6, 1998) (http://cryptome.org/stoa-atpc.htm).
10. Letter from Martin Brady, Director, Defence Signals Directorate, to Ross Coulhart, Reporter, Nine Network Australia 2 (Mar. 16, 1999) (on file with the author); see also Calls for inquiry into spy bases, ONE NEWS New Zealand (Dec. 28, 1999).
11. Duncan Campbell, Somebody’s listening, NEW STATESMAN, 12 August 1988, Cover, pages 10-12. See Duncan Campbell, ECHELON: NSA’s Global Electronic Interception, (last visited October 12, 1999) (http://jya.com/echelon-dc.htm).
12. PE 166.499, supra note 9, at 19-20.
13. PE 168.184 / Part 4/4, supra note 1.
14. David Ruppe, Snooping on Friends?, ABCNews.com (US) (Feb. 25, 2000) (http://abcnews.go.com/sections/world/dailynews/echelon000224.html).
15. R. James Woolsey, Why We Spy on Our Allies, WALL ST. J., March 17, 2000. See also CRYPTOME, Ex-CIA Head: Why We Spy on Our Allies (last visited April 11, 2000) (http://cryptome.org/echelon-cia2.htm).
16. Letter from Duncan Campbell to the Wall Street Journal (March 20, 2000) (on file with the author). See also Kevin Poulsen, Echelon Reporter answers Ex-CIA Chief, SecurityFocus.com (March 23, 2000) (http://www.securityfocus.com/news/6).
17. Duncan Campbell, Flaw in Human Rights Uncovered, HEISE TELEPOLIS, April 8, 2000. See also HEISE ONLINE, Flaw in Human Rights Uncovered (April 8, 2000) (http://www.heise.de/tp/english/inhalt/co/6724/1.html).
18. Angus Roxburgh, EU investigators ‘snubbed’ in US, BBC News, May 11, 2001 (http://news.bbc.co.uk/hi/english/world/europe/newsid_1325000/1325186.stm).
19. Report on the existence of a global system for intercepting private and commercial communications (ECHELON interception system), PE 305.391 (July 11, 2001) (available in PDF or Word format at http://www2.europarl.eu.int).
20. Id.; see also E-mail users warned over spy network, BBC News, May 29, 2001 (http://news.bbc.co.uk/hi/english/world/europe/newsid_1357000/1357264.stm).
21. Steve Kettman, Echelon Furor Ends in a Whimper, Wired News, July 3, 2001 (http://www.wired.com/news/print/0,1294,44984,00.html).
22. European Parliament resolution on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI)), A5-0264/2001, PE 305.391/DEF (Sept. 5, 2001) (available at http://www3.europarl.eu.int); Christiane Schulzki-Haddouti, Europa-Parlament verabschiedet Echelon-Bericht, Heise Telepolis, Sept. 5, 2001 (available at http://www.heise.de/tp/); Steve Kettman, Echelon Panel Calls It a Day, Wired News, June 21, 2001 (http://www.wired.com/news/print/0,1294,44721,00.html).
23. European Commission member Erkki Liikanen, Speech regarding European Parliament motion for a resolution on the Echelon interception system (Sept. 5, 2001) (transcript available at http://europa.eu.int).
24. Jelle van Buuren, Dutch Government Says Echelon Exists, Heise Telepolis, Jan. 20, 2001 (available at http://www.heise.de/tp/).
25. Jelle van Buuren, Hearing On Echelon In Dutch Parliament, Heise Telepolis, Jan. 23, 2001 (available at http://www.heise.de/tp/).
26. Nicholas Rufford, Spy Station F83, SUNDAY TIMES (London), May 31, 1998. See Nicholas Rufford, Spy Station F83 (May 31, 1998) (http://www.sunday-times.co.uk/news/pages/sti/98/05/31/stifocnws01003.html?999).
27. H. Rep. No. 106-130 (1999). See Intelligence Authorization Act for Fiscal Year 2000, Additional Views of Chairman Porter J. Goss (http://www.echelonwatch.org/goss.htm).
28. Intelligence Authorization Act for Fiscal Year 2000, Pub. L. 106-120, Section 309, 113 Stat. 1605, 1613 (1999). See H.R. 1555 Intelligence Authorization Act for Fiscal Year 2000 (Enrolled Bill (Sent to President)) (http://www.echelonwatch.org/hr1555c.htm).
29. UNITED STATES NATIONAL SECURITY AGENCY, LEGAL STANDARDS FOR THE INTELLIGENCE COMMUNITY IN CONDUCTING ELECTRONIC SURVEILLANCE (2000) (http://www.fas.org/irp/nsa/standards.html).
30. House Committee to Hold Privacy Hearings, (August 16, 1999) (http://www.house.gov/barr/p_081699.html).
31. ELECTRONIC PRIVACY INFORMATION CENTER, PRESS RELEASE: LAWSUIT SEEKS MEMOS ON SURVEILLANCE OF AMERICANS; EPIC LAUNCHES STUDY OF NSA INTERCEPTION ACTIVITIES (1999). See also Electronic Privacy Information Center, EPIC Sues for NSA Surveillance Memos (last visited December 17, 1999) (http://www.epic.org/open_gov/foia/nsa_suit_12_99.html).
32. Ross Coulhart, Echelon System: FAQs and website links, (May 23, 1999).
33. Isambard Wilkinson, US wins Spain’s favour with offer to share spy network material, Sydney Morning Herald, June 18, 2001 (http://www.smh.com.au/news/0106/18/text/world11.html).
34. PE 168.184 / Part 4/4, supra note 1, Ch. 5, para. 101-103.
35. PE 166.499, supra note 9, at 20.
36. Id.
37. PE 168.184 / Part 4/4, supra note 1, Ch. 5, para. 101-102; Brian Dooks, EU vice-president to claim US site spies on European business, YORKSHIRE POST, Jan. 30, 2002 (available at http://yorkshirepost.co.uk).
38. Vernon Loeb, NSA Admits to Spying on Princess Diana, WASHINGTON POST, December 12, 1998, at A13. See Vernon Loeb, NSA Admits to Spying on Princess Diana, WASHINGTON POST, A13 (December 12, 1998) (http://www.washingtonpost.com/wp-srv/national/daily/dec98/diana12.htm).
39. Ross Coulhart, Big Brother is listening, (May 23, 1999).
40. PE 168.184 / Part 4/4, supra note 1, Ch. 1, para. 7.
Find this story at 2000
© ACLU
24 February 2000: Link to Presentation and Analysis Volume 1/5, by Peggy Becker, October 1999. Volume 1 renumbers the reports below.
10 July 2013
20 August 1999
Source: Hardcopy of 61 pages. Thanks to Sten Linnarsson.
Find this story at 2000 part 1
Find this story at 2000 part 2
Find this story at 2000 part 3
Find this story at 2000 part 4
Campbell’s report: http://cryptome.org/jya/ic2000.zip (981KB)
http://www.fas.org/irp/program/process/docs/98-14-01-2en.pdf
This is part 1 of 4 of “Development of Surveillance Technology and Risk of Abuse of Economic Information (an appraisal of technologies of political control).”
Part 2: “The legality of the interception of electronic communications: A concise survey of the principal legal issues and instruments under international, European and national law,” by Prof. Chris Elliott: http://cryptome.org/dst-2.htm
Part 3: “Encryption and cryptosystems in electronic surveillance: a survey of the technology assessment issues,” by Dr. Franck Leprévost: http://cryptome.org/dst-3.htm
Part 4: “The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition,” by Duncan Campbell: http://www.iptvreports.mcmail.com/stoa_cover.htm [dead]
EUROPEAN PARLIAMENT
SCIENTIFIC AND TECHNOLOGICAL OPTIONS ASSESSMENT
STOA
DEVELOPMENT OF SURVEILLANCE
TECHNOLOGY AND RISK OF ABUSE
OF ECONOMIC INFORMATION
(An appraisal of technologies of political control)
Part 1/4
The perception of economic risks arising from the potential vulnerability
of electronic commercial media to interception
Survey of opinions of experts
Interim Study
Working document for the STOA Panel
Luxembourg, May 1999 PE 168.184/Int.St./part 1/4
Directorate General for Research
Cataloguing data:
Title:
Part 1/4 of:
DEVELOPMENT OF SURVEILLANCE TECHNOLOGY AND
RISK OF ABUSE OF ECONOMIC INFORMATION
(An appraisal of technologies of political control)
Workplan Ref.: EP/IV/B/STOA/98/1401
Publisher: European Parliament
Directorate General for Research
Directorate A
The STOA Programme
Author: Mr Nikos BOGONIKOLOS – ZEUS E.E.I.G.
Editor: Mr Dick HOLDSWORTH, Head of STOA Unit
Date: May 1999
PE number: PE 168.184/Int.St./1/4
This document is a working Document for the ‘STOA Panel’. It is not an official publication of STOA.
This document does not necessarily represent the views of the European Parliament.
CONTENTS
PART A: OPTIONS
Introduction
General overview of the outcome of the survey (interim stage)
Views on privacy collected from the survey
General privacy issue
The market for privacy
The role of industry
The need for European legislation
Options for action on surveillance and privacy
PART B: ARGUMENTS AND EVIDENCE
General
Examples of Abuse of Economic Information
PART C: TECHNICAL FILE
1. INTRODUCTION
Surveillance and Privacy
Dataveillance Techniques
Risks Inherent in Data Surveillance
Controls
2. SURVEILLANCE: TOOLS AND TECHNIQUES – Current technologies
1. Visual Surveillance
2. Audio Surveillance
3. Phone Tapping and Encryption
4. Voice and Word Pattern Recognition
5. Proximity Smart Cards
6. Transmitter Location
7. E-mail at Workplace
8. Electronic Databases
9. The Internet
3. THE USE OF SURVEILLANCE TECHNOLOGY SYSTEMS FOR THE TRANSMISSION AND COLLECTION OF ECONOMIC INFORMATION
3.1 CALEA System
3.2 ECHELON Connection
3.3 Inhabitant identification Schemes
4. THE NATURE OF ECONOMIC INFORMATION SELECTED BY SURVEILLANCE TECHNOLOGY SYSTEMS
A. From telecommunication systems
B. From new information technologies (Internet)
C. Some examples of data collection on the Internet
5. PROTECTION FROM ELECTRONIC SURVEILLANCE
A. Encryption (Cryptography)
Private sector initiatives
B. Key – recovery
Encryption and the global information infrastructure
Key-Recovery: Requirements and proposals
6. SURVEILLANCE TECHNOLOGY SYSTEMS IN LEGAL AND REGULATORY CONTEXT
A. Privacy regulation
Multinational data protection measures
Data protection directive in Europe
Privacy regulation in the United States
B. Protection of Privacy in the telecommunications sector
C. Cryptography
Cryptography policy in USA
Cryptography policy guidelines from OECD
E. U. cryptography policy
Other national and international activities related to cryptography policy
D. Key recovery
E. European Initiatives
DLM-FORUM- Electronic Records
Promoting Safe Use of Internet
REFERENCES
PART A: OPTIONS
Introduction
The present study, ‘Development of surveillance technology and risk of abuse of economic information’, presents the interim results from a survey of the opinions of experts, together with additional research and analytical material by the authors. It has been conducted by ZEUS E.E.I.G. as part of a technology assessment project on this theme initiated by STOA in 1998 at the request of the Committee on Civil Liberties and Internal Affairs of the European Parliament. This STOA project is a follow-up to an earlier one entitled: “An appraisal of technologies of political control” conducted for the same Committee. The earlier project resulted in an Interim Study (PE 166.499) written by OMEGA Foundation, Manchester, and published by STOA in January 1998 and later updated (September 1998).
In the earlier study it was reported that within Europe all fax, e-mail and telephone messages are routinely intercepted by means of what is called the ECHELON global surveillance system. The monitoring was said to be “routine and indiscriminate”. The ECHELON system formed part of the UKUSA system, but unlike many of the electronic spy systems developed during the cold war, ECHELON was said to be designed for primarily non-military targets: governments, organisations and businesses in virtually every country.
In the present study the authors were requested to investigate the use of surveillance technology systems, for the collection and possible abuse of sensitive economic information.
The principal method selected was a procedure of data collection and processing based on a modified DELPHI method (to be referred to here as “the survey”). Under this method, a list of potential sources of data was prepared. These were some 49 experts from universities, industrial and commercial undertakings in the information and telecommunications technology sector, as well as a smaller number of persons in international or governmental organisations. The experts were drawn from 11 Member States of the European Union, plus Cyprus, Norway and Switzerland.
The next step was the collection of the data. This was mostly achieved by direct interviews of the experts, with the use of a questionnaire. The views (data) were processed and a convergence examination performed. The convergence procedure was based on a recursive approach for the exclusion of the non-reliable data. The last step was the drawing of the analytical results.
General overview of the outcome of the survey
The predominant view among the experts was that, since nowadays almost all economic information is exchanged through electronic means (telephone, fax, e-mail) and all digital telecommunication devices and switches have enhanced wiretapping capabilities, we must focus on the protection of the data when transmitted (using encryption products), on the use of government-approved encryption products and on the adoption of common standards concerning encryption and key-recovery products. The position could be summed up in the statement that ‘since it is difficult to prove that economic information has been captured by ECHELON system and passed on by the NSA, we have to consider privacy protection in a global international networked society’.
In summary, therefore, we see that two perceptions of this question emerge: (1) a concern about the possible threat to privacy and economic and civil rights potentially posed by global clandestine electronic surveillance systems operated by large and powerful secret government agencies, and (2) anxiety about the problems of commercial and personal privacy which arise now that so much commercial and other communications traffic is conducted over the Internet. Managers of businesses engaged in electronic commerce may perhaps be concerned about global clandestine surveillance systems: what is certain is that they are worried in a more familiar way about threats to commercial security posed by the nature of the new electronic business media and their possible vulnerability to interception by competitors and fraudsters.
Reflecting the feedback from the survey, the present study tends to reflect Perception 2, whereas the earlier one of 1998 tended to reflect Perception 1.
Advances in information and communication technologies have fostered the development of complex national and international networks which enable thousands of geographically dispersed users to distribute, transmit, gather and exchange all kinds of data. Transborder electronic exchanges — private, professional, industrial and commercial — have proliferated on a global scale and are bound to intensify among businesses and between businesses and consumers, as electronic commerce develops.
At the same time, developments in digital computing have increased the capacity for accessing, gathering, recording, processing, sorting, comparing and linking alphanumeric, voice and image data. This substantial growth in international networks and the increase in economic data processing have given rise to the need to secure privacy protection in transborder data flows.
Today, it is not necessary to define new principles for the protection of data (and privacy) in an expanding global electronic environment. It is necessary to define the appropriate means of putting the established principles into practice, particularly on the information and communication networks.
An active education strategy may be one of the ways to help achieve on-line and privacy protection and to give all actors the opportunities to understand their common interests.
Common technological solutions can assist in implementing privacy and data protection guidelines in global information networks. The general optimism about technological solutions, the pressure to collect economic information and the need for political and social policy decisions to ensure privacy must be considered.
The growth in international networks and the increase in economic data processing have given rise to the need to secure privacy protection in transborder data flows, and especially to the use of contractual solutions. Global E-Commerce has changed the nature of retailing. There were great cultural and legal differences between countries affecting attitudes to the use of sensitive data (economic or personal), and the issue of applicable law in global transactions had to be resolved. Contracts might bridge the gap between those with legislation and the others.
Since the Internet symbolises global commerce and is faced with a rapid expansion in the number of transactions, there is a need to define a stable, lasting framework for business. The Internet is profoundly changing the markets, and adjusting new contracts to that reality is a complex problem.
Views on privacy collected from the survey
In this section the experts’ views on the various privacy issues are reported. The information was mostly collected by direct interviews of the experts, based on a predefined questionnaire.
General privacy issues
Privacy can be a contentious subject because it means different things to different people. The definition given is: “Privacy is the claim of individuals, groups, or institutions to determine for themselves how, when and to what extent information about them is communicated to others.”
A clear problem expressed is that in an electronic environment, it becomes hard to differentiate between a private and public place and therefore what should be protected and what should not.
It was argued that it is unreasonable for society to subsidise the cost to individuals of maintaining their privacy, pointing out that most people will choose utility over security (and consequently privacy).
It was suggested that privacy in many ways sacrifices other goods (time, effort and energy among them) in order to obtain it.
Three basic tools necessary for privacy protection were outlined: notice (to the data supplier), consent (to the consumer), and accountability.
Although accountability may be essential to ensuring privacy, it unfortunately conflicts with the anonymity that privacy implies. For any commerce to take place on the Internet, therefore, some level of anonymity, and therefore privacy, must be sacrificed. The question to be answered is “how much, and who will decide”.
The market for privacy
When the European Commission adopted the privacy directive (95/46/EC), it stated that privacy protection is a central precondition to consumers’ acceptance of electronic commerce. Accordingly, a critical issue, experts argued, was whether there was a “market failure” in the electronic environment that required some sort of government intervention to ensure data privacy.
Some experts responded that data privacy is not purely a public good, and so at some point someone will have a market incentive to protect it. Some corporations that have tried to market their strong privacy protection have yet to see any results and have concluded that: “privacy doesn’t sell”. Other industries have marketed privacy successfully (such as the cellular telephone industry) which could mean that the public demands for privacy are forthcoming and will eventually be profitable.
They feel that a question to be answered is: “Who governs the responsibility of the information collector, or does society have to impose a sense of responsibility?”
The role of industry
Most experts expressed the view that the information industry should be primarily self-regulated: the industry is changing too rapidly for government legislative solutions, and most corporations are not simply looking at National or European but at global markets, which national governments cannot regulate.
Indeed, several experts expressed the fear that any European attempt to allow the USA to oversee data (via global surveillance systems) would lead to abuses by the government or other competitive companies.
They noted that many companies (such as Citibank) already inform consumers and clients that, unless told otherwise, they will disclose information to their affiliates. They suggested that a simple seal on the home page of a Web site, declaring that a company adheres to certain industry privacy standards, might ease the fears of the public and offer some level of accountability.
Alternatively, they suggested that the media could act as an effective watchdog, informing consumers and companies of what information is being collected about them and how that information is being used.
They also noted that multinational companies could better negotiate for themselves across national boundaries than governments can. Electronic commerce is unlikely to gain popularity until the issues of notice, consent and recourse have been resolved. The market will force companies wishing to participate in this medium to address and solve these concerns.
The need for European legislation
Experts took the view that the European Parliament must now ask how, in a world of the Internet, one reconciles the objectives of protecting both privacy and the free flow of information.
In recent years there have been disclosures that unauthorised individuals have examined financial information from the Internal Revenue Service in the USA. Several experts pointed to the flap over the decision by the Social Security Administration in the USA to provide companies with account information on-line. Each of these examples suggests that protecting data privacy may be a great challenge for the European Parliament.
Experts agreed that the European Parliament should play a role in creating a standard for disclosure. Several experts went further and argued the need for a privacy agency within the European Union to act as an ombudsman and to represent privacy interests, so that in debates between the European Union and the USA there is someone whose responsibility would be to protect privacy.
Whatever several experts believe the appropriate role for national governments to be in ensuring privacy in an electronic environment, some “private regulation” is already occurring on the Internet by the computer engineers, who write code and decide computer standards. In fact, experts suggested that when encryption software becomes ubiquitous it will push Internet commerce because it allows for potentially anonymous transactions, which will solve privacy issues by default.
It was pointed out that a group of high-tech companies in co-operation with standardisation organisations should agree on a web-based standard that would allow companies and consumers to interact with data collectors and inform them of what information they would be comfortable having disclosed to other parties.
Options for action on surveillance and privacy
The policy options for consideration by the committee on Civil Liberties and Internal Affairs of the European Parliament which emerged from the survey are:
Authorities in the EU and Member States should:
engage in a dialogue involving the private sector and individual users of networks in order to learn about their needs for implementing the privacy guidelines in the global network;
undertake an examination of private sector technical initiatives;
encourage the development of applications within global networks, of technological solutions that implement the privacy principles and uphold the right of users, businesses and consumers for protection of their privacy in the electronic environment.
Drafting methods for enforcing codes of conduct and privacy statements ranging from standardisation, labelling and certification in the global environment through third-party audit to formal enforcement by a regulatory body.
Definitions of the transactions which must remain anonymous, and technical capabilities for providing anonymity need to be specified.
Enforcement for the adoption of adequate standards (cryptography and key encryption) from all E.U. member states. Multilateral agreements with other countries could then be negotiated.
Drafting of common guidelines of credit information use (in each member state of the E.U. different restriction policies exist). It must be clear how those restrictions could apply to a globally operating credit reference agency.
Drafting of common specifications for cryptography systems and government access key recovery systems, which must be compatible with large scale, economical, secure cryptographic systems.
Enforcement for the adoption of special authorisation schemes for Information Society Services and supervision of their activities by National Authorisation Bodies.
Drafting of a common responsibilities framework for on-line service providers, who transmit and store third party information. This could be drafted and supervised by National PTTs.
The European Parliament should examine critically proposals from the US for the elimination of cryptography and the adoption of encryption controls supervised by US Agencies.
Annual statistics and reporting on abuse of economic information by any means must be reported to the Parliament of each member state of the E.U.
Measures for encouraging the formal education systems of each member state of the E.U. or the appropriate European Training Institute/Organisation to take up the general task of educating users in the technology and their rights.
PART B: ARGUMENTS AND EVIDENCE
General
Nowadays almost all economic information is exchanged through electronic means (telephone, fax, e-mail). In addition, all digital telecommunication devices and switches have enhanced wiretapping capabilities. As a conclusion we have to consider privacy protection in a global international networked society. And when we speak about electronic protection and privacy in the exchange of economic information, we actually speak for electronic commerce over the Internet.
The information society promises economic and social benefits for all: citizens, companies and governments. Advances in information and communication technologies have fostered the proliferation of private, professional, industrial and commercial transborder electronic exchanges on a global scale which are bound to intensify among businesses and between businesses and consumers as electronic commerce develops. New methods for processing the vast accumulation of data -such as data mining techniques- make it possible, on the basis of demographic data, credit information, details of on-line transactions etc, to identify new kinds of purchasing patterns or unusual relationships.
Indeed, compliance with rules governing the protection of privacy and personal data is crucial to establishing confidence in electronic transactions, and particularly in Europe, which has traditionally been heavily regulated in this area. The development of the global information society makes the convergence of government policies, the transparency of rules and regulations and their effective implementation on economic and social life. In particular, in the context of electronic commerce, the development of on-line commercial activities hinges to a large extent, not only on the faith consumers have in business in terms of guaranteed product delivery or secure payment systems, but also on the confidence that users and consumers will have in the ways that businesses handle their personal data.
To operate with confidence on the global networks, most consumers need assurance that their on-line activities and electronic transactions will not be collected or used without their knowledge or made available to parties other than their initial correspondents, nor linked to other data about them in order to compile behavioural profiles without their consent.
The importance of information and communication systems for society and the global economy is intensifying with the increasing value and quantity of data that is transmitted and stored on those systems. At the same time those systems and data are also increasingly vulnerable to a variety of threats such as unauthorised access and use, misappropriation, alteration and destruction. Proliferation of computers, increased computing power, interconnectivity, decentralisation, growth of networks and the number of users, as well as the convergence of information and communication technologies, while enhancing the utility of these systems, also increase system vulnerability.
Cryptography is an important component of secure information and communication systems and a variety of applications have been developed that incorporate cryptographic methods to provide data security.
Although there are legitimate governmental, commercial and individual needs and uses for cryptography, it may also be used by individuals or entities for illegal activities, which can affect public safety, national security, the enforcement of laws, business interests, consumer interests or privacy. Governments, together with industry and the general public, are challenged to develop balanced policies to address these issues.
Cryptography uses an algorithm to transform data in order to render it unintelligible to anyone who does not possess certain secret information (the cryptographic “key”), necessary for decryption of the data. Within the new concept of cryptography, rather than sharing one secret key, the new design uses two mathematically related keys for each communication party: a “public key” that is disclosed to the public and a corresponding “private key”, that is kept secret. A message that is encrypted with a public key can only be decrypted by the corresponding private key.
An important application for public key cryptography is “digital signature”, which can be used to verify the integrity of data or the authenticity of the sender of data. In this case, the private key is used to “sign” a message, while the corresponding public key is used to verify a “signed” message.
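The two key roles described above can be seen in a short added illustration, which is not part of the original study: textbook RSA in Python, where a public key encrypts and the matching private key decrypts, and a private key signs while the matching public key verifies. The key pairs, party names and message are constructed for the example; the primes are publicly known Mersenne primes and no padding is used, so this shows the mechanism only and must not be used to protect real data.

```python
import hashlib

E = 65537  # widely used public exponent


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes.

    Returns (public_key, private_key) as (n, e) and (n, d).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of e modulo phi(n)
    return (n, E), (n, d)


# Constructed toy keys. The primes are well-known Mersenne primes, so these
# keys offer no secrecy at all; they only make the example reproducible.
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**127 - 1)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the recipient's public key can encrypt."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the matching private key recovers the message."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """The sender signs a digest of the message with the private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo():
    """Alice sends Bob a confidential, signed payment instruction."""
    message = b"pay 250 EUR to ACME"          # constructed sample message
    ciphertext = encrypt(message, BOB_PUB)    # confidentiality: Bob's public key
    signature = sign(message, ALICE_PRIV)     # authenticity: Alice's private key
    return {
        "bob_reads": decrypt(ciphertext, BOB_PRIV),
        "wrong_key_reads": decrypt(ciphertext, ALICE_PRIV),
        "signature_ok": verify(message, signature, ALICE_PUB),
        "tampered_ok": verify(b"pay 950 EUR to ACME", signature, ALICE_PUB),
        "wrong_signer_ok": verify(message, signature, BOB_PUB),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Changing a single character of the signed message makes verification fail, which is the integrity property the text attributes to digital signatures.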
Public key cryptography plays an important role in developing information infrastructure. Much of the interest in information and communication networks and technologies centres on their potential to accommodate electronic commerce; however open networks such as the Internet present significant challenges for making enforceable electronic contracts and secure payments.
Since electronic commerce is one of the key strategies of the European Union and privacy protection is one of its main principles, the E.U. released three “key” working documents in 1998:
Proposal for a European Parliament and Council Directive on certain legal aspects of Electronic Commerce in the internal market [COM(1998) 586 final].
Proposal for a European Parliament and Council directive on a common framework for electronic signatures [COM(1998) 297 final].
Ensuring security and trust in electronic communication: “Towards a European framework for digital signatures and Encryption” [COM(1997) 503 final].
Increasing the number of people with authorised access to the critical infrastructure and to business data, will increase the likelihood of attack, whether through technical means, by exploitation of mistakes or through corruption. Further “key-recovery” requirements to the extent that they made encryption can have the effect of discouraging or delaying the deployment of cryptography in increasingly vulnerable computing and communication networks.
As the Internet and other communications systems reach further into everyday lives, national security, law enforcement and individual privacy have become perilously intertwined. Governments want to restrict the free flow of information; software producers are seeking ways to ensure consumers are not bugged from the very moment of purchase. The US is behind a world-wide effort to limit individual privacy and enhance the capability of its intelligence services to eavesdrop on personal conversations. The campaign has had two legal strategies: the first made it mandatory for all digital telephone switches, cellular and satellite phones and all developing communication technologies to build in surveillance capabilities; the second sought to limit the dissemination of software that contains encryption, a technique which allows people to scramble their communications and files to prevent others from reading them. The first effort to heighten surveillance opportunities was to force telecommunications companies to use equipment designed to include enhanced wiretapping capabilities. The end goal was to ensure that the US and its allied intelligence services could easily eavesdrop on telephone networks anywhere in the world. In the late 1980s, in a programme known internally as ‘Operation Root Canal’, US law enforcement officials demanded that telephone companies alter their equipment to facilitate the interception of messages. The companies refused but, after several years of lobbying, Congress enacted the Communications Assistance for Law Enforcement Act (CALEA) in 1994.
CALEA requires that terrestrial carriers, cellular phone services and other entities ensure that all their ‘equipment, facilities or services’ are capable of ‘expeditiously … enabling the government … to intercept … all wire and oral communications carried by the carrier … concurrently with their transmission.’ Communications must be interceptable in such a form that they could be transmitted to a remote government facility.
Manufacturers must work with industry and law enforcement officials to ensure that their equipment meets federal standards. A court can fine a company US$10,000 per day for each product that does not comply.
The passage of CALEA has been controversial but its provisions have yet to be enforced due to FBI efforts to include even more rigorous regulations under the law. These include the requirement that cellular phones allow for location-tracking on demand and that telephone companies provide capacity for up to 50,000 simultaneous wiretaps.
While the FBI lobbied Congress and pressured US companies into accepting a tougher CALEA, it also leaned on US allies to adopt it as an international standard. In 1991, the FBI held a series of secret meetings with EU member states to persuade them to incorporate CALEA into European law. The plan, according to an EU report, was to ‘call for the Western World (EU, US and allies) to agree to norms and procedures and then sell their products to Third World countries. Even if they do not agree to interception orders, they will find their telecommunications monitored by the UK-USA signals intelligence network the minute they use the equipment.’ The FBI’s efforts resulted in an EU Council of Ministers resolution that was quietly adopted in January 1995, but not publicly released until 20 months later. The resolution’s text is almost word for word identical to the FBI’s demands at home. The US government is now pressuring the International Telecommunications Union (ITU) to adopt the standards globally.
The second part of the strategy was to ensure that intelligence and police agencies could understand every communication they intercepted. They attempted to impede the development of cryptography and other security measures, fearing that these technologies would reduce their ability to monitor the emissions of foreign governments and to investigate crime.
These latter efforts have not been successful. A survey by the Global Internet Liberty Campaign (GILC) found that most countries have either rejected domestic controls or not addressed the issue at all. The GILC found that ‘many countries, large and small, industrialised and developing, seem to be ambivalent about the need to control encryption technologies’.
The FBI and the National Security Agency (NSA) have instigated efforts to restrict the availability of encryption world-wide. In the early 1970s, the NSA’s pretext was that encryption technology was ‘born classified’ and, therefore, its dissemination fell into the same category as the diffusion of A-bomb materials. The debate went underground until 1993 when the US launched the Clipper Chip, an encryption device designed for inclusion in consumer products. The Clipper Chip offered the required privacy, but the government would retain a ‘pass-key’ – anything encrypted with the chip could be read by government agencies.
Behind the scenes, law enforcement and intelligence agencies were pushing hard for a ban on other forms of encryption. In a February 1993 document, obtained by the Electronic Privacy Information Center (EPIC), they recommended: ‘Technical solutions, such as they are, will only work if they are incorporated into all encryption products. To ensure that this occurs, legislation mandating the use of government-approved encryption products, or adherence to government encryption criteria, is required.’
The Clipper Chip was widely criticised by industry, public interest groups, scientific societies and the public and, though it was officially adopted, only a few were ever sold or used.
From 1994 onwards, Washington began to woo private companies to develop an encryption system that would provide access to keys by government agencies. Under the proposals – variously known as ‘key escrow’, ‘key recovery’ or ‘trusted third parties’ – the keys would be held by a corporation, not a government agency, and would be designed by the private sector, not the NSA. The systems, however, still entailed the assumption of guaranteed access to the intelligence community and so proved as controversial as the Clipper Chip. The government used export incentives to encourage companies to adopt key escrow products: they could export stronger encryption, but only if they ensured that intelligence agencies had access to the keys.
Under US law, computer software and hardware cannot be exported if it contains encryption that the NSA cannot break. The regulations stymie the availability of encryption in the USA because companies are reluctant to develop two separate product lines — one, with strong encryption, for domestic use and another, with weak encryption, for the international market. Several cases are pending in the US courts on the constitutionality of export controls; a federal court recently ruled that they violate free speech rights under the First Amendment.
(… The NSA is one of the shadowiest of the US intelligence agencies. Until a few years ago, its existence was a secret and its charter and any mention of its duties are still classified. However, it does have a Web site (www.nsa.gov:8080) in which it describes itself as being responsible for the signals intelligence and communications security activities of the US government. One of its bases, Menwith Hill, was to become the biggest spy station in the world. Its ears — known as radomes — are capable of listening in to vast chunks of the communications spectrum throughout Europe and the old Soviet Union.
In its first decade the base sucked data from cables and microwave links running through a nearby Post Office tower, but the communications revolutions of the Seventies and Eighties gave the base a capability that even its architects could scarcely have been able to imagine. With the creation of Intelsat and digital telecommunications, Menwith and other stations developed the capability to eavesdrop on an extensive scale on fax, telex and voice messages. Then, with the development of the Internet, electronic mail and electronic commerce, the listening posts were able to increase their monitoring capability to eavesdrop on an unprecedented spectrum of personal and business communications.
This activity has been all but ignored by the UK Parliament. When Labour MPs raised questions about the activities of the NSA, the Government invoked secrecy rules. It has been the same for 40 years….)
(Simon Davies report: http://www.telegraph.co.uk)
The FBI has not let up on efforts to ban products on which it cannot eavesdrop. In mid-1997, it introduced legislation to mandate that key-recovery systems be built into all computer systems. The amendment was adopted by several congressional Committees but the Senate preferred a weaker variant. A concerted campaign by computer, telephone and privacy groups finally stopped the proposal; it now appears that no legislation will be enacted in the current Congress.
While the key escrow approach was being pushed in the USA, Washington had approached foreign organisations and states. The linchpin for the campaign was David Aaron, US ambassador to the Organisation for Economic Co-operation and Development (OECD), who visited dozens of countries in what one analyst derided as a programme of ‘laundering failed US policy through international bodies to give it greater acceptance’.
Led by Germany and the Scandinavians, the EU has been generally distrustful of key escrow technology. In October 1997, the European Commission released a report which advised: ‘Restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not, however, totally prevent criminals from using these technologies.’ The report noted that ‘privacy considerations suggest limit the use of cryptography as a means to ensure data security and confidentiality’.
Some European countries have introduced or are contemplating independent restrictions. France had a longstanding ban on the use of any cryptography to which the government does not have access. However, a 1996 law modified the existing system, allowing a system of “tiers de confiance”, although it has not been implemented because of EU opposition. In 1997, the Conservative government in the UK introduced a proposal creating a system of trusted third parties.
It was severely criticised at the time and by the new Labour government, which has not yet acted upon its predecessor’s recommendations. The debate over encryption and the conflicting demands of security and privacy are bound to continue. The commercial future of the Internet depends on a universally-accepted and foolproof method of on-line identification; as of now, the only means of providing it is through strong encryption. That put the US government and some of the world’s largest corporations, notably Microsoft, on a collision course. (Report of David Banisar, Deputy director of Privacy International and Simon Davies, Director General of Privacy International).
The issue of encryption divides the member states of the European Union. Last October the European Commission published a report entitled: “Ensuring security and Trust in Electronic Commerce”, which argued that the advantages of allowing law enforcement agencies access to encrypted messages are not clear and could cause considerable damage to the emerging electronic industry. It says that if citizens and companies “fear that their communications and transactions are being monitored with the help of key access or similar schemes unduly enlarging the general surveillance possibility of government agencies, they may prefer to remain in the anonymous off-line world and electronic commerce will just not happen”.
However, Mr Straw said in Birmingham (JHA Informal JHA Ministers) that: “It would not be in the public interest to allow the improper use of encryption by criminals to be totally immune from the attention of law enforcement agencies”. The UK, along with France (which already has a law obliging individuals to use “crackable” software) and the USA, is out on a limb in the EU. “The UK presidency has a particular view and they are one of the access hard-liners. They want access: them and the French”, commented an encryption expert. They are particularly about “confidential services” which ensure that a message can only be read by the person for whom it is intended who has a “key” to access it. The Commission’s report proposes “monitoring” Member States’ laws on “confidential services” to ensure they do not contravene the rules of the single market.
Examples of Abuse of Economic Information
In the course of collecting the data for and preparing this Interim Study various examples were cited of abuse of privacy via global surveillance telecommunication systems. A number of them is given in [54]. For the final version of the study, we shall see whether the experts have further comments to make on these examples, or whether they have new examples to suggest.
The consultation of experts in our survey so far yielded the following comments:
Since the Internet has come to play a significant role in global commerce, it has also become (as in Examples 1, 2, 3 and 4 cited below) a tool for misleading information and a platform for deceitful advertisement.
On the positive side, the Internet is a “golden highway” for those interested in the processing of information.
However, apart from global surveillance technology systems, additional tools have been developed for surveillance. The additional tool used for information transferred via the Internet or via digital global telecommunication systems is the capture of data with Taiga software. Taiga software can capture, process and analyse multilingual information in a very short period of time (1 billion characters per second), using key-words.
The examples given below are taken from the sources named:
Example 1
On January 15, 1990, the telephone network of AT&T company, in all the North-east part of USA faced serious difficulties. The network NuPrometheus had illegally owned and distributed the key-code of the operational system of AT&T Macintosh computer (Apple company).
J.P. Barlow: “A not terribly brief history of the Electronic Frontier Foundation,” 8 November 1990
Example 2
On January 24, 1990, the Electronic Frontier Foundation (EFF) in the USA denounced a huge police operation under the code name “Sun Devil”, in which 40 computers and 23,000 diskettes were seized from teenagers in 15 towns within the USA. The EFF supported teenager Craig Neidorf so that he would not be punished with 60 years in prison and a 120,000 USD penalty. Craig Neidorf had published in Phrack (a hackers’ magazine) part of the internal files of a telephone company.
M. Godwin: “The EFF and virtual communities,” 1991
Example 3
On June 25, 1998, in Habsheim, an aircraft A-320 of the European Company “Airbus Industries” crashed during a demonstration flight. The accident was reportedly caused by dangerous manoeuvres. One person died and 20 were injured.
Very soon afterwards, and before the announcement of the official report, in the aerospace and transport Internet newsgroups there appeared many hostile messages against the Airbus undertaking and against the French company Aerospatiale as well, with which Airbus had close cooperation. Messages declared that the accident was to be expected because European engineers are not so highly qualified as American engineers. It was also clearly stated, that in the future similar accidents were to be expected.
Aerospatiale’s representatives took these hostile messages very seriously. They tried to discover the sources of messages and they finally realised that senders’ identification data, addresses and nodes were false. The source messages came from USA, from computers with misleading identification data and transferred from anonymous servers in Finland.
B. Martinet and Y.M. Marti: “L’intelligence économique. Les yeux et les oreilles de l’entreprise”, Editions d’Organisation, Paris 1995
Example 4
On October 31, 1994, in the USA, an accident occurred to an ATR aircraft (of the European Consortium Aeritalia and Aerospatiale). Owing to this accident, a ban on ATR flights for two months was imposed. This decision became catastrophic on a commercial level for the company, because ATR was obliged to carry out test flights in fog conditions.
During this period, in Internet newsgroups (and especially in the AVSIG forum, supported by Compuserve), the exchange of messages was of vital significance. The messages supporting the European company were few, while the messages against ATR were many.
At the beginning of January 1995, there appeared a message from a journalist in this forum asking the following: “I have heard that ATR flights will begin soon. Can anybody confirm this information?” The answer came very soon. Three days after, unexpectedly, permission to continue ATR flights was given. The company learned this as soon as the permission was announced. But if they had actively participated in the newsgroups, they would have gained some days to inform their offices and their clients.
“Des langages pour analyser la poussière d’info”, Libération, 9 June 1995
Example 5
The government of Brazil announced in 1994 its intention to assign an international contract (Amazonios). This procurement was of great interest since the total amount available for the contract was 1,4 billion USD. From Europe, the French companies Thomson and Alcatel expressed their interest and from the USA, the huge weapon industry Raytheon. Although the offer of the French companies was technically excellent and allegedly better documented, the contract was eventually assigned to the USA company. It was reported in the press that this was achieved with a new offensive strategy used by the USA. When the government of Brazil was about to assign the contract to the French companies, American Officials (allegedly with the personal involvement of President Bill Clinton) readjusted their offer, according to the offer of the European companies, and asserted that French companies influenced the committee, an accusation which was never proved. On the other hand, the European companies were reported to have indications that the intention of the government of Brazil to assign the contract to the European companies became known to Americans with the use of FBI’s surveillance technologies.
“La nouvelle machine de guerre américaine”, Le Monde du renseignement no 158, 16 February 1995
Example 6
In January 1994 Edouard Balladur, French Prime Minister, went to Riyadh (Saudi Arabia), feeling certain to bring back a historic contract for more than 30 million francs in sale of weapons and, especially, Airbus. He returned disappointed. The contract went to the McDonnell-Douglas American company, rival of Airbus. The French were reported to believe that this was at least in part due to electronic surveillance by the ECHELON system, which had given to the Americans the financial conditions and incentives authorised by Airbus.
French press reports said the National Security Agency is the most secret and most significant of the thirteen secret agencies of the United States. It receives about a third of the appropriations allocated with clandestine intelligence: 8 of the 26,6 billion dollars (160 18 billion francs) registered appropriations in the 1997 budget. With its 20.000 employees in United States and some thousands of agents throughout the world, the NSA (which forms part of ministry for Defence since its creation in 1956) is more important than the CIA, even if the latter is better known to the public. Its site at Fort Meade contains, according to sources familiar with the place, the greatest concentration of data processing power and mathematicians in the world. They are employed to sort and analyse the flood of data acquired by ECHELON on the networks of international telecommunications.
“Echelon est au service des intérêts américains”, Libération, 21 April 1998
PART C: TECHNICAL FILE
1. INTRODUCTION
Surveillance and Privacy
Surveillance is the systematic investigation or monitoring of the actions or communications of one or more persons. It has traditionally been undertaken by physical means (e.g. prison guards on towers). In recent decades it has been enhanced through image amplification devices such as binoculars and high-resolution satellite cameras.
The basic born [sic] physical surveillance comprises watching (visual surveillance) and listening (aural surveillance). Monitoring may be undertaken remotely in space, with the aid of image amplification devices like field glasses, infrared binoculars, light amplifiers and satellite cameras and sound amplification devices like directional microphones; and remotely in time with the aid of image and sound recording devices.
Electronic devices have been developed to augment physical surveillance and offer new possibilities such as closed-circuit TV (CCTV), VCR, telephone bugging, Proximity cards, Electronic Database, etc.
In addition to physical surveillance, several kinds of communications surveillance are practiced, including mail covers and telephone interception.
The popular term electronic surveillance refers to both augmentations to physical surveillance (such as directional microphones and audio bugs) and to communication surveillance, particularly telephone taps.
Recent years have seen the emergence and refinement of a new form of surveillance, no longer of the real person, but of the person’s data shadow or digital persona. Data surveillance or Dataveillance is the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons. Dataveillance is significantly less expensive than physical and electronic surveillance, because it can be automated. As a result, the economic constraints on surveillance are diminished and more individuals and larger populations are capable of being monitored. Like surveillance more generally, Dataveillance is of two kinds: “personal Dataveillance”, where a particular person has been previously identified as being of interest, and “mass Dataveillance”, where a group or large population is monitored, in order to detect individuals of interest, and / or to deter people from stepping out of line.
Surveillance technology systems are mechanisms, which can identify, monitor and track movements and data. During the last few decades since information technology has become immensely sophisticated real benefits have been achieved in the development of surveillance technology systems.
On the other hand, negative impacts have been considerable:
The application of IT to the surveillance of people through their data.
IT technology may have substantial implications in privacy.
People often think of privacy as some kind of right. Unfortunately, the concept of a “right” is a problematic way to start, because a right seems to be some kind of absolute standard. What’s worse, it is very easy to get confused between legal rights on one hand and natural or moral rights on the other. It turns out to be much more useful to think about privacy as one kind of thing (among many kinds of things) that people like to have lots of.
Privacy is the interest that individuals have in sustaining a “personal space” free from interference by other people and organizations.
At a deeper level, privacy turns out not to be a single interest but rather has several dimensions:
privacy of the person
privacy of personal behavior
privacy of personal communications
privacy of personal data
With the close coupling that has occurred between computing and communications, particularly since the 1980’s, the last two aspects have become closely linked, and are commonly referred to as information privacy.
Information privacy is the interest an individual has in controlling, or at least significantly influencing the handling of data about themselves.
The term ‘data privacy’ is sometimes used in the same way. ‘Data’ refers to inert numbers, whereas information implies the use of data by humans to extract meaning; hence ‘information privacy’ is arguably the more descriptive of the two alternatives.
‘Confidentiality’ is an incidental and wholly inadequate substitute for proper information privacy protection, where:
‘Confidentiality is the legal duty of individuals who come into the possession of information about others, especially in the course of particular kinds of relationships with them’.
Dataveillance Techniques
A variety of Dataveillance techniques exists. Front-end verification (FEV), for example, comprises the checking of data supplied by an applicant (e.g. for a loan or government benefit) against data from a variety of additional sources, in order to identify discrepancies.
FEV may be applied as a personal dataveillance tool where reasonable grounds exist for suspecting that the information the person has provided may be unreliable; where, on the other hand, it is applied to every applicant, mass dataveillance is being undertaken. Data matching is a facilitative mechanism of particular value in mass dataveillance. It involves trawling through large volumes of data collected for different purposes, searching for discrepancies and drawing inferences from them.
Personal dataveillance of previously identified individuals
integration of data hitherto stored in various locations within a single organization
screening or authentication of transactions against internal norms
front-end verification of transactions that appear to be exceptional, against data relevant to the matter at hand, and sought from other databases or from third parties.
front-end audit of individuals who appear to be exceptional against data related to other databases or from third parties.
cross-system enforcement against individuals, where a third party reports that the individual has committed a transgression in his or her relationship with the third party.
Mass dataveillance of groups of people.
screening or authentication of all transactions, whether or not they appear to be exceptional, against internal norms
front-end verification of all transactions, whether or not they appear to be exceptional against data relevant to the matter at hand, as sought from other internal databases or from third parties.
front-end audit of individuals, whether or not they appear to be exceptional against data relevant to the matter at hand, as sought from other internal databases or from third parties.
single-factor file analysis of all data held or able to be acquired, whether or not they appear to be exceptional, variously involving transaction data compared against a norm, permanent data or other transaction data.
profiling or multi-factor file analysis of all data held or able to be acquired, whether or not they appear to be exceptional, variously involving singular profiling of data held at a point in time, or aggregative profiling of transaction trails over time.
Facilitative mechanisms could be:
computer data matching, in which personal data records relating to many people are compared in order to identify cases of interest
data concentration, namely the combination of personal data interchange networks and hub systems.
Risks inherent in Data Surveillance
Data surveillance’s broader social impacts can be grouped as follows:
In personal dataveillance
low data quickly decisions [sic]
lack of subject knowledge of, and consent to, data flows
blacklisting
denial of redemsion [sic]
In mass surveillance
a. Risks to the individuals:
arbitrariness
acontextual data merger
complexity and incomprehensibility of data
witch hunts
ex-ante discrimination and guilt prediction
selective advertising
inversion of the onus of proof
covert operations
unknown accusations and accusers
denial of due process
b. Risks to society:
prevailing climate of suspicion
adversarial relationships
focus of law enforcement on easily detectable and provable offences
inequitable application of the law
decreased respect for the law and law enforcers
reduction in the meaningfulness of individual actions
reduction in self-reliance and self-determination
stultification of originality
increased tendency to opt out of the official level of society
weakening of society’s moral fibre and cohesion
destabilization of the strategic balance of power
repressive potential for the totalitarian government.
By way of example, individuals can suffer as a result of misunderstandings about the meaning of data on the file, or because the file contains erroneous data, which the individual does not understand and against which he/she has little or no chance of arguing without the help of a specialized lawyer.
Such seemingly small, but potentially very frustrating and infuriating personal problems can escalate into widespread distrust by people of government agencies and the legal system as a whole.
Of course, many of the risks referred to are diffuse. On the other hand, there is a critical economic difference between conventional forms of surveillance and dataveillance.
Physical surveillance is expensive because it requires the application of considerable resources. With few exceptions, this expense has been sufficient to restrict the use of surveillance. Admittedly the selection criteria used by the surveillance agencies have not always accorded with what the citizenry might have preferred, but at least its extent was limited. The effect was that in most countries the abuses affected particular individuals who had attracted the attention of the state, but were not so pervasive that artistic and political freedoms were widely constrained.
Dataveillance changes all that. Dataveillance is relatively very cheap and getting cheaper all the time, thanks to progress in information technology. The economic limitations are overcome and the digital persona can be monitored with thoroughness and frequency, and surveillance extended to whole populations. Nowadays, a number of particular populations have attracted the bulk of the attention, because the state already possessed substantial data-holdings about them. These are social welfare recipients and employees of the state. Now that techniques have been refined, they are being pressed into more general usage, in the private as well as in the public sector.
Controls
If dataveillance is burgeoning, controls are needed to ensure that its use is not excessive or unfair. There is a variety of natural or intrinsic controls, such as self-restraint and morality. Unfortunately morality has been shown many times to be an entirely inadequate influence over people’s behaviour. There is also the economic constraint, whereby work that isn’t worth doing tends not to get done, because people perceive better things to do with the same scarce resources. Regrettably this too is largely ineffective. Cost/benefit analysis of dataveillance measures is seldom performed, and when it has been the quality has generally been appalling. This reflects the dominance of political over economic considerations — both politicians and public servants want action to be seen to be being taken, and are less concerned about its effectiveness than its visibility.
If intrinsic controls are inadequate, extrinsic measures are vital. For example, the codes of ethics of professional bodies and industry associations could be of assistance. Regrettably, these are generally years behind the problems, and largely statements of aspiration rather than operational guidelines and actionable statements of what is and is not acceptable behaviour. Over twenty years after the information privacy movement gathered steam, there are few and very limited laws which make dataveillance activities illegal, or which enable regulatory agencies or the public to sue transgressing organisations. A (limited) statute exists at national level, but none at all at the level of State Governments. In any case, statutory regimes are often weak due to the power of data-using lobbies, the lack of organisation of the public, and the lack of comprehension and interest by politicians. The public has demonstrated itself as being unable to focus on complex issues; public apathy is only overcome when a proposal is presented simply and starkly, such as ‘the State is proposing to issue you with a plastic card. You will need to produce it whenever anyone asks you to demonstrate that you have permission to breathe’.
There is a tendency for dataveillance tools to be developed in advanced nations, which have democratic traditions and processes (however imperfect). There is a further tendency for the technology to be exported to less developed countries.
Many of these have less well-developed democratic traditions, more authoritarian and even repressive regimes. The control mechanisms in advanced western democracies are inadequate to cope with sophisticated dataveillance technologies; in third world countries there is very little chance indeed of new extrinsic controls being established to ensure balance in their application. It appears that some third-world countries may be being used as test-beds for new dataveillance technologies.
2. SURVEILLANCE: TOOLS AND TECHNIQUES – Current technologies
Surveillance is using some of the most advanced and sophisticated technology to keep track of individuals: where they go, what they do and even what they say.
Visual and audio surveillance are almost everywhere, and modern electronic technology gives the possibility of keeping track of individuals’ movements without cameras or microphones, just with surveillance of their data (dataveillance).
1. Visual Surveillance
Closed-circuit TV (CCTV) is the most common electronic visual surveillance technique.
Recording can be in two modes: real-time or time-lapse. Real-time is regular TV (at 30 frames/second), showing full motion. Time-lapse selects only a few frames per time period, perhaps one or two per second, to record. The advantage of time-lapse is that it allows one tape to record for a much longer time than real-time recording.
Video electronics can be very sophisticated indeed and the recent trend is digital video. This allows using the QUAD recording system, a method of compressing four separate camera images into a single frame, so that the guard can see all four views on the monitor screen and record them on a VCR (Video Cassette Recorder) at the same time. These systems allow detailed surveillance and plant monitoring, so that those responsible can observe everything happening within the facility.
In previous years, perhaps only the entrance (or specific spaces) would be under video surveillance. Now it is possible to have surveillance everywhere. Using hard disks instead of videotape allows keeping a record of several months’ worth of time-lapse video.
Cameras also are much more sophisticated today than years ago. New circuits allow the camera to ignore bright, light-emitting objects within their fields of view. Miniaturization allows easier concealment, infra-red cameras allow surveillance in darkness. Video surveillance is portable as well. The old days of concealing a camcorder in a briefcase or duffel bag have given way to subminiature cameras concealed in neckties and other items. Decoy items (items containing the surveillance equipment) include baseball caps, belt buckles, briefcases, eyeglasses and wristwatches.
CCTV is very quickly becoming an integral part of crime control policy, social control theory and community consciousness. It is promoted by police and politicians as a primary solution for urban dysfunction.
They are now used in many areas, including roads, trains, railway platforms, car parks, loading docks, shopping centers, individual retail stores, banks, automatic teller machines, petrol stations, lifts, lobby areas, cash handling and storage areas and employee recreation rooms.
Within the aims of the contract, this study looks at its usage in five main industrial contexts: retail stores, financial services, manufacturing, warehousing and distribution, larger office buildings and leisure and entertainment complexes.
Video surveillance is used in these industries for several reasons:
to minimize the risk of theft, especially in the retail industry for purposes of deterring and detecting crime
to protect premises from threats to property such as sabotage, arson and vandalism
to monitor individual employee work performance
to improve customer service by observing peak periods and planning the allocation of staff throughout the day
to assist in staff training
to enhance health and safety standards
to ensure that employees comply with legal obligations
to protect employers from liability claims
to monitor production processes.
Most surveillance systems are being installed to prevent theft, either by outsiders or employees, but video surveillance systems are often used for a range of purposes beyond what was originally intended. Surveillance systems which are initially installed for the purpose of protecting property against an external security threat can be used for other purposes, such as to monitor employees’ productivity and work behavior.
The routine use of video surveillance has the potential to undermine employees’ sense of privacy and dignity in the workplace. Surveillance is associated with increased levels of stress, undermining morale and creating distrust and suspicion between employees and management. While it may be an effective instrument to protect an employer from external security threats, it is not appropriate as a means of monitoring individual employee performance.
Covert surveillance with a smaller number of hidden cameras may in fact be a much more popular and at the same time cheaper option than a general security system.
Some of the justifications offered for covert video surveillance are:
employers have a right to protect their business interests
covert surveillance affects fewer employees than overt surveillance and is much cheaper
if employees are unaware of surveillance, there is less risk of individual disputation
covert surveillance is often the most effective means of detecting unlawful activity.
2. Audio Surveillance
Audio surveillance is no longer merely an arcane art practiced by spies and private detectives. Today, it’s commonplace and spreading. Tape recorders are a fact of life, and they’re often used to document a transaction. When telephoning some companies and some government agencies, a recorded message says: “This transaction is being recorded to help us assure …”.
In some companies the real purpose of tape recording conversations is to check how many calls they handle an hour, and to have evidence in case the customer says something that can be used against him.
In prisons, officials often use electronic equipment to record all telephone conversations. Some of these are between lawyer and client, but they all go onto tape. It depends on the ethics of the guards whether they listen or not.
There are “high tech voice recorders” that put every conversation on a CD. A model made for correctional use is the “Laser voice”, using optical disk voice recording.
“Tube mike” is an electric device for “bugging” a room, motor vehicle, or other premises. It is a plastic tube passed through a small hole in a wall to conduct sound from the room to a small microphone at the other end.
This could be characterized as “non-access surveillance”.
“Tube microphones” come in all sizes. Some are relatively large plastic tubes (about 1/2” in diameter), but for tight spaces or maximum concealment there are “needle microphones” pressed against a wall to hear sounds in the next room.
If there is access to a room, a bug could be planted almost anywhere, even in the subject’s clothing. “Radio mikes” transmit whatever they pick up to a nearby receiver, eliminating the need for tell-tale wires. Their only drawback, if they’re totally self-contained, is battery life. Other models fit into wall plugs, and take their power from the house current.
One type of portable radio mike is the size and shape of a credit card, with a range of several hundred feet and a 30-hour battery life. Placed into the breast pocket of the subject’s jacket, it permits monitoring a conversation held outdoors. The value of this is that many people think it’s impossible to overhear a conversation held on the street or in a park, and that walking will defeat any prospect of a bug planted nearby.
On the open market there are several models of “gimmicked telephones” that use the built-in microphone to pick up any conversation in the room even when the telephone is not in use.
All the types of audio surveillance with miscellaneous bugging devices described before are used today mainly in police and internal security agencies (such as FBI, NSA etc) or in companies’ security departments.
Telephone tapping still exists, but with today’s Electronic Switching System (ESS) it’s no longer necessary to go out and physically tap a person’s telephone line.
3. Phone Tapping and Encryption
Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded, and all conversations between them upon any subject, and although proper, confidential and privileged, may be overheard.
Phone tapping is normally used for surveillance of communications to combat “serious crime” and to protect “national security”.
On the other hand, companies often keep records of phone numbers called and the duration of such calls. In some companies these records are used to gauge job performance, while in others they simply allow employees to review calls and reimburse the employer for calls of a purely personal nature.
4. Voice and Word Pattern Recognition
Since it is not possible for an agency or organization to employ a staff large enough to listen to all telephone conversations, read all faxes, etc, word recognition has to be computerized.
In this case a central computer could monitor all (or a group) of telephone conversations and recognize those in which the agency had an interest by using voice patterns and key words.
A wide variety of techniques are used to perform speech recognition. Typically speech recognition starts with the digital sampling of speech. The next stage is acoustic signal processing. Most techniques include spectral analysis, e.g. LPC (Linear Predictive Coding), MFCC (Mel Frequency Cepstral Coefficients), cochlea modeling and many more.
The next stage is recognition of phonemes, groups of phonemes and words. This stage can be achieved by many processes such as DTW (Dynamic Time Warping), HMM (Hidden Markov modeling), expert systems and combination of techniques.
Most systems utilize some knowledge of the language to aid the recognition process. Some systems try to “understand” speech. That is try to convert the words into a representation of what the speaker intended to mean or achieve by what they said.
Voice and pattern recognition is used as an advanced tool and a helpful technique (thanks to IT) for surveillance of communications to combat “serious crime” or to protect “national security”.
5. Proximity Smart Cards
Originally, electronic cards were substitutes for keys, which were too easy to reproduce. A metal key blank and a file were all that were necessary to duplicate a key, but more sophisticated equipment is necessary to duplicate even the simplest sort of electronic card.
The first type of electronic card used barium ferrite as magnetic dots embedded in the magnetic layer. This was a significant advance over punched cards, that were relatively easy to duplicate.
In the early 1970s, magnetic stripe cards were produced (by IBM), which are still used in credit cards and are somewhat more secure. However, they’re still too easy to forge and should pass through a magnetic stripe reader.
In the early 1980s, the advent of Application Specific Integrated Circuit (ASIC) technology resulted in what quickly became known as the “smart card”, which could hold a variety of codes and information to make misuse or duplication almost impossible. This was the first “proximity card”, which did not require direct contact through a card recorder.
The proximity card is basically a “transponder”, an electronic device that replies to a radio signal that “interrogates” it. The extended range model doesn’t even require placing it near the card reader, as it transmits to a receiver several feet away.
Use of proximity smart card as Transport card / E-purse
Transportation companies use the proximity smart cards to replace metro, bus, train tickets and boarding cards, etc.
The proximity smart card results in considerable time saving by greatly increasing passenger flow without diminishing security.
With the contact part of the card, the proximity smart card is perfectly suited to financial transactions involving small amounts of money: automatic vending cafeterias, local shops, parking fees, cinemas, recreation / amusement parks, cultural and sports centers etc.
Use of proximity smart card as Access control / ID card
The company proximity smart card contains data used to identify the cardholder, as well as his or her different access rights. The contactless part of the card is used to access buildings and other protected areas.
The contact portion can be used for network access, such as the Internet. With the electronic purse function it can be used in the company restaurant, at automatic vending machines, just like a traditional multi-service card.
One application, however, extends the proximity card’s usefulness by turning it into a tracking device. Proximity readers installed along the walls of a building allow tracking each card within the facility. If somebody is carrying one of these cards within a building so equipped, the central computer can sense exactly where he/she is at all times. There is a record of which area the employee (or visitor) is in, when he leaves, and where else within the building he may go. If the employee goes to the cafeteria, the computer will log when he left his work station, how long it took him to get to the cafeteria, which route he took, how long he remained in the cafeteria, when he started back and by which route, and when he arrived back in his work area. Likewise if he went to the bathroom. The computer can record whether he/she went to the men’s room or the ladies’ room.
Many countries are actively considering adopting national ID cards for a variety of functions. These include the United States, United Kingdom and Canada.
There are ID cards (credit cards) used for digital cash service which is supposed to be “anonymous”. But, it appears that the bank and the merchants could find the identity of the users.
The customer is identified to the trader and ultimately to the bank by the 300 previous transactions. Each of these will soon be superseded by further transactions and drop off the end of the list.
These can be monitored by the bank and could be used for marketing purposes. This is the audit trail and could be sold to business users for third party marketing.
6. Transmitter Location
When a telephone or mobile phone is used, the location of the user can be identified. The science of radio location uses three methods of finding a transmitter. The oldest is triangulation, in which several receiving stations with directional antennas take bearings on a transmission and communicate the bearings to a central plotting room.
Technicians trace each bearing on a map of the area and the intersection of the bearings pinpoints the location of the transmitter.
The second method requires several receivers as well, and works by measuring the relative strengths of signals received. A computer analyses the strengths and determines the location of the transmitter.
The third method also requires a computer-controlled chain of receivers and measures the minute differences in the time the signal arrives at each receiver.
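The first of the three methods above (triangulation from bearings), worked through as an added example that is not part of the original study. Real bearings carry measurement error and do not meet in a single point, so the plot is solved as a least-squares intersection; the station positions, bearing errors and function names are constructed for illustration, on a flat local map in kilometres.

```python
import math

# Constructed sample data: three receiving stations (east, north) in km,
# and the transmitter position used to generate the sample bearings.
STATIONS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TRUE_POSITION = (3.0, 4.0)
BEARING_ERRORS_DEG = [1.0, -1.0, 0.5]  # constructed antenna errors


def bearing_to(station, target):
    """Compass bearing in degrees (clockwise from north) from station to target."""
    de = target[0] - station[0]
    dn = target[1] - station[1]
    return math.degrees(math.atan2(de, dn)) % 360.0


def locate(observations):
    """Least-squares intersection of bearing lines.

    observations: list of ((east, north), bearing_degrees), one per station.
    Each bearing defines a line through its station; the fix is the point
    that minimises the sum of squared perpendicular distances to all lines.
    """
    if len(observations) < 2:
        raise ValueError("need bearings from at least two stations")
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (e, n), brg in observations:
        t = math.radians(brg)
        # Unit normal to the bearing line (the line direction is (sin t, cos t)).
        ne, nn = math.cos(t), -math.sin(t)
        c = ne * e + nn * n  # line equation: ne*x + nn*y = c
        a11 += ne * ne
        a12 += ne * nn
        a22 += nn * nn
        b1 += ne * c
        b2 += nn * c
    det = a11 * a22 - a12 * a12
    if det < 1e-9:
        # All bearings (nearly) parallel: the lines never cross usefully.
        raise ValueError("bearings are (nearly) parallel; no fix possible")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def miss_distances(observations, fix):
    """Perpendicular distance from the fix to each station's bearing line.

    Non-zero values show how far the plotted lines are from agreeing.
    """
    out = []
    for (e, n), brg in observations:
        t = math.radians(brg)
        ne, nn = math.cos(t), -math.sin(t)
        out.append(abs(ne * (fix[0] - e) + nn * (fix[1] - n)))
    return out


def demo():
    """Plot the constructed noisy bearings and return (fix, position error in km)."""
    obs = [(s, bearing_to(s, TRUE_POSITION) + err)
           for s, err in zip(STATIONS, BEARING_ERRORS_DEG)]
    fix = locate(obs)
    error = math.hypot(fix[0] - TRUE_POSITION[0], fix[1] - TRUE_POSITION[1])
    return fix, error


if __name__ == "__main__":
    fix, error = demo()
    print("fix: (%.3f, %.3f) km, error %.3f km" % (fix[0], fix[1], error))
```

With a bearing error of about one degree per station the fix lands within a few hundred metres of the transmitter at these distances, which is why the accuracy of the method falls off as the stations get further from the source.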
Formerly classified, these techniques are now available on the civilian market for law enforcement and private security. One application is locating stolen cars by pinpointing radio transmitters installed in the vehicle for this purpose.
Location of cellular phones is another application. Police today are using (in some countries) this application to pinpoint the location of cellphone users. Purportedly, this is to speed emergency response when a citizen calls for help (at home or on the road). Once the equipment is in place, it can, and must, serve other purposes. Criminal investigators will be able to pinpoint a specific cellphone each time the caller uses it; this will help an investigation into a stolen cellphone, or help locate wanted persons unwise enough to use a cellphone or mobile phone.
Another device, sold only to police, is the “cellphone ESN Reader”, which reads the numbers of the targeted cellphone. This detects and records the cellular phone number, called number and ESN of the target phone at ranges of up to two miles.
Theoretically, the technology can locate every cellphone and every mobile phone in the country every time someone makes a call on it (for cellphones) or just opens it (for mobile phones).
7. E-mail at workplace
Personal messages an employee sends over the company’s e-mail are not private. They are not, and court decisions have held that they’re not.
It is a safe assumption that companies will keep an increasingly watchful eye on their internal e-mail, and scrutinize what employees are saying to each other. It is easy to see that scrutinising staff e-mail can have more than one advantage for company management. Originally instigated to avoid liability, reading employees’ e-mail can also serve to alert management to dishonesty, disloyalty or even matters like union activity.
8. Electronic Databases
The computer age has brought surveillance into a new era in which information about almost anybody is available to almost anybody.
Databases for Human Identification
There are a lot of government databases containing information about almost every resident in the United States and in many European countries as well.
A variety of person identification techniques are available, which can assist in associating data with them. Important examples of these techniques are:
names (what the person is called by other people)
codes (what the person is called by the organization)
knowledge (what the person knows)
biometrics (what the person is, does, or looks like e.g. appearance, natural physiography, etc.)
Databases for financial surveillance
Financial records are gathered privately by several giant companies that specialize in this sort of information. These “credit reporting bureaus” purportedly maintain credit records, but in fact keep far more than credit information in their databases.
Other databases for human identification
There exist specialized databases available mainly to private investigators. These cull information from telephone directories, city directories, voter registration records and many other public and private records to provide a profile of the person being investigated.
9. The Internet
The Internet, which began as a Computer communication network between Universities and laboratories decades ago, has turned into a vast public forum accessible to anyone with a computer.
International organizations, public authorities, companies, universities, research centers and individuals have access to and exploit the Internet.
On the other hand, the Internet has become:
an entertainment tool
a huge Information source
an important marketing tool
a big virtual electronic market with a considerable number of economic transactions every second
At the same time, IT has restricted individuals’ right to privacy, since they can be identified through their ID number or through their records or transactions.
The growing rift between the needs of Internet Commerce and the individual’s right to privacy gave rise to the development of new tools.
In January 1999 Intel announced its plans for the development of a microchip containing embedded electronic serial numbers that allow individual computers to be readily identified.
The identities, similar to the unique vehicle identification numbers on cars and trucks, would be a caller ID technology for computers.
But critics see it as an ominous development, ushering in a new period of electronic surveillance. Privacy experts fear the new Intel chip could mean the death of anonymity on the Internet.
This would appear to seriously endanger privacy on the Internet by creating a permanent ID number for every Intel user on the Net.
3. THE USE OF SURVEILLANCE TECHNOLOGY SYSTEMS FOR THE TRANSMISSION AND COLLECTION OF ECONOMIC INFORMATION
As the Internet and other communication systems reach further into everyday life, national security, law enforcement and individual privacy have become perilously intertwined. Governments want to restrict the free flow of information, and software producers are seeking ways to ensure consumers are not bugged from the moment of purchase.
All developing communication technologies, digital telephone switches cellular and satellite phones HAVE SURVEILLANCE CAPABILITIES. On the other hand the development of software that contains encryption, a telephone which allows people to scramble their communications and files to prevent others from reading them gourd earth [sic].
3.1 CALEA system
The first effort to heighten surveillance opportunities (made by the USA) was to force telecommunication companies to use equipment designed to include enhanced wiretapping capabilities.
In the late 1980s, in a program known internally as “Operation Root Canal”, US law enforcement officials demanded that telephone companies alter their equipment to facilitate the interception of messages. The companies refused but, after several years of lobbying, Congress enacted the Communications Assistance for Law Enforcement Act (CALEA) in 1994.
CALEA requires that terrestrial cellular phone services and other entities ensure that all their equipment, facilities or services are capable of expeditiously enabling the government to intercept all wire and oral communications carried by the carrier concurrently with their transmission.
Communications must be interceptable in such a form that they can be transmitted to a remote government facility. Manufacturers must work with industry and law enforcement officials to ensure that their equipment meets federal standards.
The passage of CALEA has been controversial, but its provisions have yet to be enforced due to FBI efforts to include even more rigorous regulations under the law. These include the requirement that cell phones allow for location-tracking on demand and that telephone companies provide capacity for up to 50.000 simultaneous wiretaps.
CALEA finally has been accepted as an international standard in the US. In 1991 the FBI contacted EU member states in order to propose that they incorporate CALEA into European law. This plan, according to an EU report, was to call for the Western world (EU, US and allies) to agree to norms and procedures and then sell their products to Third World countries. There is a Council resolution that was adopted on 17 January 1997 on the lawful interception of communications (961C329/a). The US government is now in negotiations with the International Telecommunication Union (ITU) to adopt the standards globally.
3.2 ECHELON Connection
The previous STOA Interim Study (PE 166.499) entitled “An Appraisal of technologies of political control” made certain statements concerning the ECHELON global surveillance system. This is reported to be a world-wide surveillance system designed and coordinated by the US NSA (National Security Agency) that intercepts e-mail, fax, telex and international telephone communications carried via satellites and has been operating since the early 1980s – it is part of the post Cold War developments based on the UK-USA agreement signed between the UK, USA, Canada, Australia and New Zealand in 1948.
The five agencies said to be involved are: the US National Security Agency (NSA), the Government Communications Security Bureau (GCSB) in New Zealand, Government Communications Headquarters Signals Directorate (DSD) in Australia. The system was brought to light by the author Nicky Hager in his 1996 book Secret Power: New Zealand’s role in the International Spy Network. For this, he interviewed more than 50 people who work or have worked in intelligence who are concerned at the uses of ECHELON. It is said that “The ECHELON system is not designed to eavesdrop on a particular individual’s e-mail or fax link. Rather, the system works by indiscriminately intercepting very large quantities of communications and using computers to identify and extract messages from the mass of unwanted ones”.
According to Interim Study (PE 166.499) of 1998, there are reported to be three components to ECHELON:
1. The monitoring of Intelsats, international telecommunications satellites used by phone companies in most countries. A key ECHELON station is at Morwenstow in Cornwall, monitoring Europe, the Atlantic and the Indian Ocean.
2. ECHELON interception of non-Intelsat regional communication satellites. Key monitoring stations are Menwith Hill in Yorkshire and Bad Aibling in Germany.
3. The final element of the ECHELON system is the surveillance of land-based or under-sea systems, which use cables or microwave tower networks.
At present it is thought ECHELON’s effort is primarily directed at the “written form” (e-mails, faxes, and telexes), but new satellite telephone systems which take over from old land-based ones will be as vulnerable as the “written word”.
Each of the five centres supplies to the other four “Dictionaries” of keywords, phrases, people and places to “tag”, and the tagged intercept is forwarded straight to the requesting country.
It is the interface of the ECHELON system and its potential development on phone calls, combined with the standardisation of “tappable” telecommunications centres and equipment being sponsored by the EU and the USA, which presents a truly global threat over which there are no legal or democratic controls.
The earlier study (PE 166.499) identified a number of options for the European Union, centred round the proposition that:
“All surveillance technologies, operations and practices should be subject to procedures to ensure democratic accountability and there should be proper codes of practice to ensure redress if malpractice or abuse takes place. Explicit criteria should be agreed for deciding who should be targeted for surveillance and who should not, how such data is stored, processed and shared. Such criteria and associated codes of practice should be made publicly available.”
Other points included:
– All requisite codes of practice should ensure that new surveillance technologies are brought within the appropriate data protection legislation.
– Given that data from most digital monitoring systems can be seamlessly edited, new guidance should be provided on what constitutes admissible evidence. This concern is particularly relevant to automatic identification systems which will need to take cognizance of the provisions of Article 15 of the 1995 European Directive on the Protection of Individuals and Processing of Personal Data.
– Regulations should be developed covering the provision of electronic bugging and tapping devices to private citizens and companies, so that their sale is governed by legal permission rather than self regulation.
– Use of telephone interception by Member states should be subject to procedures of public accountability referred to in (1) above. Before any telephone interception takes place a warrant should be obtained in a manner prescribed by the relevant parliament. In most cases, law enforcement agencies will not be permitted to self-authorise interception except in the most unusual of circumstances which should be reported back to the authorising authority at the earliest opportunity.
– Annual statistics on interception should be reported to each member state’s parliament. These statistics should provide comprehensive details of the actual number of communication devices intercepted and data should not be aggregated. (This is to avoid the statistics only identifying the number of warrants issued, whereas organisations under surveillance may have many hundreds of members, all of whose phones may be subject to interception).
– Technologies facilitating the automatic profiling and pattern analysis of telephone calls to establish friendship and contact networks should be subject to the same legal requirements as those for telephone interception and reported to the relevant member state parliament.
– The European Parliament should reject proposals from the United States for making private messages via the global communications network (Internet) accessible to US Intelligence Agencies. Nor should the Parliament agree to new expensive encryption controls without a wide ranging debate within the EU on the implications of such measures. These encompass the civil and human rights of European citizens and the commercial rights of companies to operate within the law, without unwarranted surveillance by intelligence agencies operating in conjunction with multinational competitors.
3. Inhabitant identification Schemes
Inhabitant identification schemes are schemes which provide all, or most, people in the country with a unique code and a token (generally a card) containing the code.
Such schemes are used in many European countries for a defined set of purposes, typically the administration of taxation, national superannuation and health insurance. In some countries, they are used for multiple additional purposes.
4. THE NATURE OF ECONOMIC INFORMATION SELECTED BY SURVEILLANCE TECHNOLOGY SYSTEMS
A. From telecommunication systems
Concerning public authorities and organizations:
secret telephone conversations, fax messages and electronic mail
sensitive information concerning taxation
information concerning various fund transfers especially from one service to the other and financial transactions
data used in the critical banking infrastructure systems
Concerning business:
private business communication, including telephone conversations, fax messages and electronic mail
order from fund transfers and other financial transactions (e.g. payments by credit cards by fax)
sensitive business information and trade secrets
Concerning individuals:
private conversations, fax messages, e-mail
payments by credit cards
secret information concerning taxation
B. From new information technologies (Internet)
Concerning public authorities and organizations:
sensitive information and state secrets
tele-banking
tax records and other financial information
data used in the operation of critical infrastructure systems
public contracts received by electronic mail
Concerning business:
contracts
invoices and other official documents
secret electronic transactions
risk of international property and license in secret transactions
payment orders by credit cards
payments received on-line
Concerning consumers and individuals:
payment by credit cards
payment on-line
contracts and agreements
electronic financial transactions (e.g. tele-banking).
C. Some examples of data collection on the Internet
Data can be collected over the Internet either directly or indirectly; in other words, it can be collected either at the time of contact with a correspondent or without the knowledge of the person concerned, often automatically. The nature of the data collected varies according to the protocol used on the network i.e. according to the type of service. In practice, different protocols are very often used in combination to augment the profitability or quality of exchanges. For example, a Web page may propose an exchange of correspondence or a transfer of documents via links with the e-mail protocol and the protocol used for transferring files, which is more powerful.
When electronic messaging is used (Simple Mail Transfer Protocol — SMTP, and Network News Transfer Protocol — NNTP), communication is established from one personal mailbox to another, or between a personal mailbox and a mailbox common to a number of correspondents. The information transmitted consists of the name and e-mail address, the server address and the signature file (sig.file) if created by the user of the machine. If a communication is addressed to a joint mailbox, this information is given out to an indeterminate number of correspondents, participation in a discussion group being theoretically free. As a result, any person listed on a distribution list can at the very least obtain the e-mail addresses of all other listed parties, since this information is provided automatically for purposes of communication on a given topic.
While most downloading (File Transfer Protocol — FTP) is done anonymously, with only the network’s Internet Protocol — IP — address being revealed, the same cannot be said for document presentation (World Wide Web — WWW, Hyper Text Transfer Protocol — HTTP). The minimum information revealed at each step in the Web is the name of the network machine making the request and the type of browser being used. Browsers contain an identification — ID — file which, if configured by the user or at the user’s request, stores various personal data such as the user’s name or e-mail address. If a Web server requests this information, it can be automatically given out.
A Web server can also send out information, which is stored by the user’s navigator (so-called ‘cookies’) and retrieved at a subsequent connection to the server. This system indicates that a visitor has been there before, but without revealing his identity: identification requires matching with other information. As a result, when linked to the ID file incorporated into the browser and transmitted to a server, the information recorded in cookies can yield valuable user profiles. It can be noted, however, that some navigators — to a varying and often inadequate extent — allow use of these cookies to be blocked.
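The linkage described above, as an added example that is not part of the original study: a privacy audit over a few logged requests, showing what each request discloses and how one request carrying both a cookie and an identity makes every visit under that cookie attributable. The `From` header as the carrier of the browser's ID-file data, the cookie name `visitor`, and all addresses and values are assumptions constructed for the illustration.

```python
"""Audit which logged HTTP requests become attributable once a cookie is linked to an identity."""

COOKIE_NAME = "visitor"  # hypothetical name of the server's returning-visitor cookie

# Constructed sample log: (client address, raw request). Addresses are documentation ranges.
CONSTRUCTED_REQUESTS = [
    ("192.0.2.10", "GET /catalogue HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n"
                   "Cookie: visitor=a81f\r\n\r\n"),
    ("192.0.2.10", "GET /prices HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n"
                   "Cookie: visitor=a81f\r\n\r\n"),
    # Same cookie from another machine, this time with the user's address attached.
    ("198.51.100.7", "GET /order HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n"
                     "From: j.smith@example.org\r\nCookie: visitor=a81f\r\n\r\n"),
    # A second visitor who never discloses an identity.
    ("203.0.113.5", "GET /catalogue HTTP/1.0\r\nUser-Agent: Lynx/2.8\r\n"
                    "Cookie: visitor=77c2\r\n\r\n"),
    # The same machine with cookies blocked: nothing ties this request to the others.
    ("203.0.113.5", "GET /prices HTTP/1.0\r\nUser-Agent: Lynx/2.8\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw request into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header_value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (item.split("=", 1) for item in header_value.split(";") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def disclosed(client_ip, raw):
    """List the identifying items one request reveals, following the text above."""
    _method, path, headers = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    return {
        "machine": client_ip,                   # always revealed
        "browser": headers.get("user-agent"),   # always revealed
        "identity": headers.get("from"),        # only if the ID data is sent
        "visitor_id": cookies.get(COOKIE_NAME), # only if cookies are accepted
        "path": path,
    }


def build_profiles(requests):
    """Group requests by cookie; an identity seen once attaches to the whole group."""
    profiles, unlinked = {}, []
    for client_ip, raw in requests:
        item = disclosed(client_ip, raw)
        if item["visitor_id"] is None:
            unlinked.append(item)  # cookies blocked: the request stands alone
            continue
        profile = profiles.setdefault(
            item["visitor_id"], {"pages": [], "machines": set(), "identity": None})
        profile["pages"].append(item["path"])
        profile["machines"].add(item["machine"])
        if item["identity"]:
            profile["identity"] = item["identity"]
    return profiles, unlinked


if __name__ == "__main__":
    linked, alone = build_profiles(CONSTRUCTED_REQUESTS)
    for visitor, profile in linked.items():
        print(visitor, profile)
    print("unlinked requests:", [item["path"] for item in alone])
```

Visitor `a81f` ends up with a named profile covering all three pages and both machines, while `77c2` stays pseudonymous and the cookie-less request cannot be joined to anything.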
5. PROTECTION FROM ELECTRONIC SURVEILLANCE
A. Encryption (Cryptography)
Finally, the issues raised by new information technologies include the privacy of individuals, the security of data in the computer or on the network, and the availability of encryption software to protect data in the event they are intercepted. In this context, privacy refers to controlling the dissemination and use of data, including information that is unintentionally revealed as a by-product of the use of the information technologies themselves.
Security refers to the integrity of the data storage, processing, and transmitting systems and includes concerns about the reliability of the hardware and software, the protections against intrusion into or theft of the computer equipment, and the resistance of computer systems to infiltration by unpermitted users, that is, “hacking”. Encryption is the practice of encoding data so that even if a computer or network is compromised, the data’s content will remain secret. Security and encryption issues are important because they are central to public confidence in networks and to the use of the systems for sensitive or secret data, such as the processing of information touching on national security. These issues are surpassingly controversial because of governments’ interest in preventing digital information from being impervious to official interception and decoding for law enforcement and other purposes.
Private sector initiatives
A large number of private sector interests, in the United States in particular, are attempting, with a view to fostering electronic commerce, to promote technological solutions that will provide a practical response to consumers’ concerns while still preserving business interests. In other words, they are starting to explore ways and means of making privacy work in communication networks. These initiatives go in the right direction and it would be worthwhile for governments to engage in a dialogue on this basis.
As an example, Netscape, joined by Microsoft, is leading an industry initiative (40 companies) to cope with privacy issues and proposes standard software intended to enable computer users to control what personal information is obtained when they visit Internet sites and how the information is used, as well as avoid unwanted e-mail. The proposal, called the OPS — Open Profiling Standard –, which has been submitted to the World Wide Web Consortium — W3C, provides the users with a way to pre-package the personal registration information Web sites may require. At the same time, OPS lets users control when and how much of their personal profiles can be passed to a third party. OPS would have users fill out profiles and preference information in a standard that could be identified by a digital certificate (that would give a guarantee from a trusted third party that the person is really who they say they are). The standardized format and brand names associated with the profile forms would be incorporated, in the case of Netscape, into the Communicator browser. According to some specialists, OPS is an addition to rather than replacement for the intrusive cookie method of tracking user information.
Another project is the new W3C Platform for Privacy Preferences (P3) Project developed by the W3C. The P3 Project is a platform on which other technological, market and regulatory solutions can interoperate and build. The P3 prototype allows Web sites to easily describe their privacy practices as well as users to set policies about the collection and use of their personal data. A flexible ‘negotiation’ between the Web site’s practices and the user’s preferences allows services to offer the preferred level of service and data protection to the user. If there is a match, access to the site is seamless; otherwise the user is notified of the difference and is offered other access options to proceed. With P3, users can download ‘recommended’ settings established by organizations such as industry associations and consumer advocacy groups. According to some privacy specialists, P3 requires users to disclose privacy preferences when good privacy policies should provide meaningful information for users about Web site practices and not require users to disclose personal information.
Techniques to provide users with more information about privacy practices are also being developed. For instance, a number of companies and service operators have a privacy Icon which appears either when the user enters a site, or when the user starts to provide information. The Icon can either lead by hyper-link to a sophisticated service providing details of the company’s (service operator) data protection policies and a tick box(es) allowing the user to opt out of having his/her data used for specific purposes, or the icon can lead to a page referring the user, for example, to an address from which further details are available.
Another example is the development of services and branding techniques which intend to provide clear, meaningful designations for privacy practices, such as TRUSTe, formerly eTRUST.
The TRUSTe program will focus on addressing privacy issues concerning data collection on the Internet. With an emphasis on analysing consumer fears surrounding electronic commerce, the program will utilise Web site icons (trustmarks) to alert online consumers to the uses of their personal information.
To further consumer privacy the TRUSTe program will utilise a standardised method of informed consent. A branded system of ‘trustmarks’ or logos, representing the Web site’s information privacy policy for users’ personal information, will alert consumers to how the information they reveal online will be used.
The three trustmarks will be:
No Exchange – no personally identifiable information is used by the site.
One-to-one Exchange – data is collected only for the site owner’s use.
Third Party Exchange – data is collected and provided to specified third parties but only with the user’s knowledge and consent.
The TRUSTe initiative was launched in July 1996 by the Electronic Frontier Foundation (EFF) and a group of pioneering Internet companies. CommerceNet and the EFF then partnered in October 1996 to move forward in implementing the initiative.
TRUSTe is a global, non-profit initiative to establish trust and confidence in electronic communication by creating an infrastructure to address online privacy issues. Comprised of premier members from the electronic commerce industry, the program assures consumer privacy through a progressive policy of informed consent utilising a branded system of ‘trustmarks’, which represent a company’s online information privacy policy.
Finally, systems for implementing on-line E-mail Preference Services (EPS) or ‘E-mail Robinson Lists’ are also under consideration (EPS allow consumers who do not wish to receive e-mails to be excluded from lists, the common database used to register opt out demands being then used to clean marketing lists). As an example, a software package is being developed in the USA which would allow consumers to register on-line; would be secure from intruders, and yet user-friendly for industry to clean their E-mail marketing lists; and which could be serviced easily by the operator (the Direct Marketing Association (DMA-US)). A similar system will be developed in the United Kingdom, and it is planned that these two countries would then spearhead a Global Convention on EPS inviting other DMAs to join. Another proposal, which has yet to be fully considered by industry, comes from the UK Data Protection Registrar, which has suggested a mechanism enabling consumers to indicate in their e-mail address if they do not wish to be contacted by e-mail. A universally agreed character (a marker) would indicate that the user does not want to receive any marketing solicitations. The user would also be free to make different choices: i.e. to use the marker when visiting one site and not to use it when visiting another. This system should be combined with others, such as the proposed E-mail Preference Service.
B. Key-recovery
Cryptography is a complex area, with scientific, technical, political, social, business, and economic dimensions.
For the purpose of this report, ‘key recovery’ systems are characterized by the presence of some mechanism for obtaining exceptional access to the plain text of encrypted traffic. Key recovery might serve a wide spectrum of access requirements, from a backup mechanism that ensures a business’ continued access to its own encrypted archive in the event keys are lost, to providing covert law enforcement access to wiretapped encrypted telephone conversations. Many of the costs, risks, and complexities inherent in the design, implementation, and operation of key recovery systems depend on the access requirements around which the system is designed.
We focus specifically on key recovery systems designed to meet government access specifications. These specifications diverge in important ways from the needs of commercial or individual encryption users:
Access without end-user knowledge or consent — Few commercial users need (or want) covert mechanisms to recover keys or plain text data they protect. On the contrary, business access rules are usually well known, and audit is a very important safeguard against fraud and error. Government specifications require mechanisms that circumvent this important security practice.
Ubiquitous adoption — Government seeks the use of key recovery for all encryption, regardless of whether there is benefit to the end-user or whether it makes sense in context. In fact, there is little or no demand for key recovery for many applications and users. For example, the commercial demand for recovery of encrypted communications is extremely limited, and the design and analysis of key recovery for certain kinds of communications protocols is especially difficult.
Fast paths to plain text — Law enforcement demands fast (near real-time), 24-hour-a-day, 365-day-a-year access to plain text, making it impossible to employ the full range of safeguards that could ameliorate some of the risks inherent in commercial key recovery systems.
Encryption and the global information infrastructure
The Global Information Infrastructure promises to revolutionize electronic commerce, reinvigorate government, and provide new and open access to the information society. Yet this promise cannot be achieved without information security and privacy. Without a secure and trusted infrastructure, companies and individuals will become increasingly reluctant to move their private business or personal information online.
The need for information security is widespread and touches all of us, whether users of information technology or not. Sensitive information of all kinds is increasingly finding its way into electronic form. Examples include:
Private personal and business communications, including telephone conversations, fax messages, and electronic mail;
Electronic funds and other financial transactions;
Sensitive business information and trade secrets;
Data used in the operation of critical infrastructure systems such as air traffic control, the telephone network or the power grid; and
Health records, personnel files, and other personal information.
Electronically managed information touches almost every aspect of daily life in modern society. This rising tide of important yet unsecured electronic data leaves our society increasingly vulnerable to curious neighbors, industrial spies, rogue nations, organized crime, and terrorist organizations.
Paradoxically, although the technology for managing and communicating electronic information is improving at a remarkable rate, this progress generally comes at the expense of intrinsic security. In general, as information technology improves and becomes faster, cheaper, and easier to use, it becomes less possible to control (or even identify) where sensitive data flows, where documents originated, or who is at the other end of the telephone. The basic communication infrastructure of our techniques more and more frequently will become the only visible approach to assuring the privacy and safety of sensitive information as these trends continue.
Encryption is an essential tool in providing security in the information age. Encryption is based on the use of mathematical procedures to scramble data so that it is extremely difficult — if not virtually impossible — for anyone other than authorized recipients to recover the original ‘plain text’. Properly implemented encryption allows sensitive information to be stored on insecure computers or transmitted across insecure networks. Only parties with the correct decryption ‘key’ (or keys) are able to recover the plain text information.
Highly secure encryption can be deployed relatively cheaply, and it is widely believed that encryption will be broadly adopted and embedded in most electronic and communications products and applications for handling potentially valuable data. Applications of cryptography include protecting files from theft or unauthorized access, securing communications from interception, and enabling secure business transactions. Other cryptographic techniques can be used to guarantee that the contents of a file or message have not been altered (integrity), to establish the identity of a party (authentication), or to make legal commitments (non-repudiation).
In making information secure from unwanted eavesdropping, interception, and theft, strong encryption has an ancillary effect: it becomes more difficult for law enforcement to conduct certain kinds of surreptitious electronic surveillance (particularly wiretapping) against suspected criminals without the knowledge and assistance of the target. This difficulty is at the core of the debate over key recovery.
Key-Recovery: Requirements and proposals
The United States and other national governments have sought to prevent widespread use of cryptography unless ‘key recovery’ mechanisms guaranteeing law enforcement access to plain text are built into these systems. The requirements imposed by such government-driven key recovery systems are different from the features sought by encryption users, and ultimately impose substantial new risks and costs.
Key recovery encryption systems provide some form of access to plain text outside of the normal channel of encryption and decryption. Key recovery is sometimes also called ‘key escrow’. The term ‘escrow’ became popular in connection with the U.S. government’s Clipper Chip initiative, in which a master key to each encryption device was held ‘in escrow’ for release to law enforcement. Today the term ‘key recovery’ is used as a generic term for these systems, encompassing the various ‘key escrow’, ‘trusted third party’, ‘exceptional access’, ‘data recovery’, and ‘key recovery’ encryption systems introduced in recent years. Although there are differences between these systems, the distinctions are not critical for our purposes. In this report, the general term ‘key recovery’ is used in a broad sense, to refer to any system for assuring third-party (government) access to encrypted data.
Key recovery encryption systems work in a variety of ways. Early ‘key escrow’ proposals relied on the storage of private keys by the U.S. government, and more recently by designated private entities.
Other systems have ‘escrow agents’ or ‘key recovery agents’ that maintain the ability to recover the keys for a particular encrypted communication session or stored file; these systems require that such ‘session keys’ be encrypted with the key known by a recovery agent and included with the data. Some systems split the ability to recover keys among several agents.
Many interested parties have sought to draw sharp distinctions among the various key recovery proposals. It is certainly true that several new key recovery systems have emerged that can be distinguished from the original ‘Clipper’ proposal by their methods of storing and recovering keys. However, our discussion takes a higher-level view of the basic requirements of the problem rather than the details of any particular scheme; it does not require a distinction between ‘key escrow’, ‘trusted third-party’, and ‘key recovery’. All these systems share the essential elements that concern us for the purposes of this study:
A mechanism, external to the primary means of encryption and decryption, by which a third party can obtain covert access to the plain text of encrypted data.
The existence of a highly sensitive secret key (or collection of keys) that must be secured for an extended period of time.
Taken together, these elements encompass a system of ‘ubiquitous key recovery’ designed to meet law enforcement specifications. While some specific details may change, the basic requirements most likely will not: they are the essential requirements for any system that meets the stated objective of guaranteeing law enforcement agencies timely access, without user notice, to the plain text of encrypted communications traffic.
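The recovery-agent design described above, as an added example (not code from the study or from any real key recovery product): each message's session key is wrapped under a recovery agent's key and included with the data, and the agent key can be split among several agents. The HMAC-based stream cipher, the message field names and the XOR all-agents-required split are assumptions chosen to keep the sketch within the standard library.

```python
"""Key recovery sketch: a session key wrapped for a recovery agent and shipped with the data."""
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    # Illustrative cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
    # It gives confidentiality only and is not a vetted construction.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt under key; the random nonce is prepended to the result."""
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key, blob):
    """Inverse of seal()."""
    return _keystream_xor(key, blob[:16], blob[16:])


def send(plaintext, recipient_key, recovery_agent_key):
    """Encrypt with a fresh session key and attach the recovery field."""
    session_key = secrets.token_bytes(32)
    return {
        "body": seal(session_key, plaintext),
        "for_recipient": seal(recipient_key, session_key),       # normal channel
        "recovery_field": seal(recovery_agent_key, session_key), # external mechanism
    }


def read_as_recipient(message, recipient_key):
    """The primary means of decryption: the recipient unwraps the session key."""
    return unseal(unseal(recipient_key, message["for_recipient"]), message["body"])


def read_via_recovery(message, recovery_agent_key):
    """Third-party access: no user key is involved and the user sees nothing happen."""
    return unseal(unseal(recovery_agent_key, message["recovery_field"]), message["body"])


def split_key(key, agents):
    """Split key into XOR shares; every agent's share is needed to rebuild it."""
    shares = [secrets.token_bytes(len(key)) for _ in range(agents - 1)]
    last = key
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def combine(shares):
    """XOR the shares together; correct only when all of them are present."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


def demo():
    """One long-lived agent key opens every user's traffic (constructed sample data)."""
    agent_key = secrets.token_bytes(32)
    users = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    traffic = [
        send(b"contract draft", users["alice"], agent_key),
        send(b"payment order", users["bob"], agent_key),
    ]
    shares = split_key(agent_key, 3)  # the key held by three separate agents
    rebuilt = combine(shares)         # all three must cooperate
    return [read_via_recovery(message, rebuilt) for message in traffic]


if __name__ == "__main__":
    print(demo())
```

Both essential elements are visible: `recovery_field` is the access path outside the normal channel, and `agent_key` is the long-lived secret whose loss exposes every stored message, split or not, once the shares are recombined.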
6. SURVEILLANCE TECHNOLOGY SYSTEMS IN LEGAL AND REGULATORY CONTEXT
A conclusion from this present Interim Study is the principle that WE HAVE TO CONSIDER PRIVACY PROTECTION IN THE CONTEXT OF A GLOBAL NETWORKED SOCIETY. And when we speak about electronic privacy in the exchange of economic information, we are speaking about one single thing above all others: Electronic Commerce over the Internet.
A. Privacy regulation
Multinational data protection measures
Enactment of data protection laws by individual European nations has been paralleled and, in some cases anticipated, by multinational actions. In 1980 the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (guidelines). The guidelines outline basic principles for both data protection and the free flow of information among countries that have laws conforming with the protection principles. The guidelines, however, have no binding force and permit broad variation in national implementation.
One year after the OECD issued its guidelines, the Council of Europe promulgated a convention, For the Protection of Individuals with Regard to Automatic Processing of Personal Data. The convention, which took effect in 1985, is similar to the guidelines, although it focuses more on the importance of data protection to protect personal privacy. The convention specifies that data must be obtained and processed fairly; used and stored only for legal purposes; adequate, relevant, and not excessive in relation to the purpose for which they are processed; accurate and up-to-date; and stored no longer than necessary. The document gives individuals the right to inquire about the existence of data files concerning them; obtain a copy of that data; and have false or improperly processed data corrected or erased.
The convention requires each of the member countries (now twenty-six) to enact conforming national laws. By 1992, however, when debate over the more detailed European Union data protection directive, discussed below, overtook the convention, only ten countries — Austria, Denmark, France, Germany, Ireland, Luxembourg, Norway, Spain, Sweden and the United Kingdom — had ratified the convention, while eight — Belgium, Cyprus, Greece, Iceland, Italy, Netherlands, Portugal and Turkey — had signed without ratification. The Council of Europe subsequently urged all European Union member states to ratify and implement the convention when it endorsed the European Commission’s proposal for a data protection directive. By 1997, all of the fifteen EU member states (except Greece, which is currently considering a privacy bill) and Switzerland have national legislation consistent with the convention.
Nevertheless, the resulting protection for personal privacy is far from uniform, for at least three reasons. First, some of the national data protection legislation existed before the adoption of the convention. Second, the convention was not self-executing and therefore permitted each country to implement its national laws conforming to the government’s terms in very different ways. Finally, the convention did not include definitions for important terms, such as what constitutes an ‘adequate’ level of data protection; as a result, member countries were left free to adopt their own, inconsistent definitions in their national legislation.
Data protection directive in Europe
Although legal protection for a ‘right of privacy’ originated in the United States, Europe was the site of the first privacy legislation and has been the source of the most comprehensive privacy regulation.
Europe is the site of the first privacy legislation, the earliest national privacy statute, and now the most comprehensive protection for information privacy in the world. That protection reflects an apparent consensus within Europe that privacy is a fundamental human right which few if any other rights equal. In the context of European history and civil law culture, that consensus makes possible extensive, detailed regulation of virtually all activities concerning ‘any information relating to an identified or identifiable natural person’. It is difficult to imagine a regulatory regime offering any greater protection to information privacy, or greater contrast to U.S. law.
As a result of the variation and uneven application among national laws permitted by both the guidelines and the convention, in July 1990 the commission of the then-European Community (EC) published a draft Council Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on Free Movement of Such Data. The draft directive was part of the ambitious program by the countries of the European Union to create not merely the ‘common market’ and ‘economic and monetary union’ contemplated by the Treaty of Rome, but also the political union embodied in the Treaty on European Union signed in 1992 in Maastricht.
The shift from economic to broad-based political union brought with it new attention to the protection of information privacy. On March 11, 1992, the European Parliament amended the commission’s proposal to eliminate the distinction in the 1990 draft between public and private sector data protection and then overwhelmingly approved the draft directive. On October 15, 1992, the commission issued its amended proposal; on February 20, 1995, the Council of Ministers adopted a Common Position with a View to Adopting Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. The directive was formally approved on October 24, 1995, and took effect three years later.
Privacy regulation in the United States
The protection for the information privacy in the United States is disjoined, inconsistent, and limited by conflicting interests. There is no explicit constitutional guarantee of a right to privacy in the United States. Although the Supreme Court has fashioned a variety of rights out of the Bill of Rights and the Fourteenth Amendment, ‘information privacy’ has received little protection, primarily based on the Fourth and Fourteenth Amendments. In the Fourth Amendment arena, the Court has found constitutional violations when the police have searched for or seized records without a warrant or meeting one of the exceptions to the warrant requirement. The Court, however, has written that the Fourth Amendment privacy right has little application outside of the context of the investigation and prosecution of criminal activity. Moreover, this protection against such searches does not extend to information controlled by a third person. Under the Fourteenth Amendment, the Court has recognized a constitutional right restricting the government from compelling individuals to disclose certain personal information. This right protects only the interest of an individual in not disclosing certain information, and that right is evaluated under intermediate scrutiny, as opposed to the strict scrutiny required when fundamental rights are at stake
As with all constitutional rights, these apply only against the government, not private actors. The requirement for state action and the ‘negative’ nature of constitutional rights require only that the government refrain from taking actions that impermissibly invaded individuals’ information privacy rights, not that the government take steps to affirmatively protect those rights. The Constitution also requires, however, that the government avoid actions that infringe other rights enumerated therein, such as the protection for expression in the Fifth Amendment, the government cannot take private property, whether by physical occupation or extensive regulation, without according due process and paying just compensation to the owner.
Outside of the constitutional arena, protection for information privacy relies on hundreds of federal and state laws and regulations, each of which applies only to a specific category of information user (such as the government or retailers of videotapes), context (applying for credit or subscribing to cable television), type of information (criminal records or financial information), or use for that information (computer matching or impermissible discrimination). Privacy laws in the United States most often prohibit certain disclosures, rather than collection, use, or storage, of personal information. When those protections extend to the use of personal information, it is often as a by-product of legislative commitment to another goal, such as eliminating discrimination. And the role provided for the government in most U.S. privacy laws is often limited to providing a judicial forum for resolving disputes.
Passage of the privacy provisions in the Cable Communications Policy Act, and recent passage of the Consumer Credit Reporting Reform Act and the CPNI provision of the Telecommunications Act, demonstrate that Congress can enact serious privacy protection, even if limited to narrow sectoral environments. The latter two acts and the expanding debate in Washington over privacy evince the growing attention to the development of laws and regulations to protect privacy.
However, as the limits and exceptions within existing privacy laws indicate, privacy protection in the United States is fundamentally in tension with other cherished values. The legal regulation of privacy is significantly influenced by the importance placed by society on the prevention of crime and prosecution of criminals, free expression and an investigatory press, the acquisition and use of property, and a limited role for government involvement in daily life. A comparison of the legal regimes of the EU and the United States suggests that in Europe privacy is more valued and less in conflict with other widely shared values.
B. Protection of Privacy in the telecommunications sector
Directive 97/66/EC of the European Parliament and the Council of 15 December 1997 concerns the processing of personal data and the protection of privacy in the telecommunications sector.
This directive provides for the harmonisation of the provisions of the member states required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector and to ensure the free movement of such data and telecommunications equipment and services in the Community.
The provisions of this directive particularise and complement Directive 95/46/EC for the purposes mentioned above. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.
This directive shall not apply to the activities which fall outside the scope of Community law, such as those provided for by titles V and VI of the treaty on European Union, and in any case to activities concerning public security, defence, state security (including the economic well being of the state when the activities relate to state security matters) and the activities of the state in areas of criminal law.
C. Cryptography
Cryptography policy in USA
It is part of the strategy to ensure that police and intelligence agencies could understand every communication they intercepted.
They attempted to impede the development of cryptography and other security measures, fearing that these technologies would reduce their ability to monitor the emissions of foreign governments and to investigate crime.
A survey by the Global Internet Liberty Campaign (GILC) found that most countries had either rejected domestic controls or not addressed the issue at all. The GILC found that many countries, large and small, industrialised and developing, seem to be ambivalent about the need to control encryption technology.
The FBI and the National Security Agency (NSA) have instigated efforts to restrict the availability of encryption world-wide. In the early 1970s, the NSA’s pretext was that encryption technology was ‘born classified’ and, therefore, its dissemination fell into the same category as the diffusion of A-bomb materials. The debate went underground until 1993 when the US launched the Clipper Chip, an encryption device designed for inclusion in consumer products. The Clipper Chip offered the required privacy, but the government would retain a ‘pass-key’ — anything encrypted with the chip could be read by government agencies.
Behind the scenes, law enforcement and intelligence agencies were pushing hard for a ban on other forms of encryption. A February 1993 document, obtained by the Electronic Privacy Information Centre (EPIC), recommended: ‘Technical solutions, such as they are, will only work if they are incorporated into all encryption products. To ensure that this occurs, legislation mandating the use of government-approved encryption products, or adherence to government encryption criteria’. The Clipper Chip was widely criticised by industry, public interest groups, scientific societies and the public and, though it was officially adopted, only a few were ever sold or used.
From 1994 onwards, the USA began to woo private companies to develop an encryption system that would provide access to keys by government agencies. Under the proposals — variously known as ‘key recovery’ or ‘trusted third parties’ — the key would be held by a corporation, not a government agency, and would be designed by the private sector, not the NSA. The systems, however, still entailed the assumption of guaranteed access to the intelligence community and so proved as controversial used export incentives to encourage companies to adopt key escrow products: they could export stronger encryptions but only if they ensured that intelligence agencies had access to the keys.
Under US law, computer software and hardware cannot be exported if it contains encryption that the NSA cannot break. The regulations stymie the availability of encryption in the USA because companies are reluctant to develop two separate product lines – one, with strong encryption, for domestic use and another, with weak encryption, for the international market. Several cases are pending in the US courts on the constitutionality of export controls; a federal court recently ruled that they violate free speech rights under the First Amendment.
The FBI has not let up on efforts to ban products on which it cannot eavesdrop. In mid-1997, it introduced legislation to mandate that key-recovery systems be built into all computer systems. Several congressional committees adopted the amendment but the Senate preferred a weaker variant. A concerted campaign by computer, telephone and privacy groups finally stopped the proposal; it now appears that no legislation will be enacted in the current Congress.
Cryptography policy guidelines from OECD
The Organisation for Economic Co-operation and Development in 1997 issued a report on cryptography policy entitled: CRYPTOGRAPHY POLICY: THE GUIDELINES AND THE ISSUES (OCDE/GD(97)204). The basic principles (each of which addresses an important policy concern) are interdependent and should be considered as a whole so as to balance the various interests. The principles are:
Trust in cryptographic methods: Users should be trustworthy in order to generate confidence in the use of information and commercial data.
Choice of Cryptographic methods: Users should have a right to choose any cryptographic method, subject to applicable law.
Market driven development of cryptographic methods: Cryptographic methods should be developed in response to the needs, demands and responsibilities of individuals, business and governments.
Standards for cryptographic methods: Technical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level.
Protection of privacy and personal data: The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
Lawful access: National cryptography policies may allow lawful access to plain text, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.
Liability: Whether established by contract or legislation, the liability of individuals and entities that offer cryptographic services or hold or access cryptographic keys should be clearly stated.
International co-operation: Governments should cooperate to coordinate cryptography policies. As part of this effort, governments should remove, or avoid creating in the name of cryptography policy, unjustified obstacles to trade.
Given the role of cryptography in the information and communications infrastructure and in developing electronic commerce, cryptography policy has the broader perspective to overlap with economic, legal and political aspects of a number of information systems, protection of privacy and personal data and intellectual property protection.
E.U. cryptography policy
Led by Germany and the Scandinavians, the EU has been generally distrustful of key escrow technology. In October 1997, the European Commission released a report entitled: ‘Towards a European Framework of Digital Signatures and Encryption’, ensuring security and trust in electronic communications (COM (97)503 final) which advised: ‘Restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not, however, totally prevent criminals from using these technologies’. The report noted that ‘privacy considerations suggest limit the use of cryptography as a means to ensure data security and confidentiality’.
Some European countries have or are contemplating independent restrictions. France had a longstanding ban on the use of any cryptography to which the government does not have access. However, a 1996 law, modifying the existing system, allows a system of tiers du confidence, although it has not been implemented because of EU opposition. In 1997, the Conservative government in the UK introduced a proposal creating a system of trusted third parties. It was severely criticised at the time and by the new Labour government, which has not yet acted upon its predecessor’s recommendations.
The debate over encryption and the conflicting demands of security and privacy are bound to continue. The commercial future of the Internet depends on a universally-accepted and foolproof method of on-line identifications; as of now, the only means of providing it is through strong encryption. This puts the US government and some of the world’s largest corporations, notably Microsoft, on a collision course.
Other national and international activities related to cryptography policy
Cryptographic products and technologies have historically been subject to export controls. The current basis for export controls is the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (agreed on 13 July 1996), which includes cryptography products on its control lists for export. The Agreement is implemented in national regulations. Regulation [(EC) 3381/94] and Decision [94/942/PESC] of the Council of the European Union of 19 December 1994 on the control of the export of dual-use goods are also applicable to the export of cryptographic products.
The Council of Europe has devoted considerable resources to studying the subject of computer-related crime, issuing the Recommendation [R(95)13] of the Council of Europe of 11 September 1995 concerning problems of criminal procedural law connected with information technology, and is considering suggesting an international convention to address the issue. Such a convention could address matters such as exchange of information among government agencies in cases involving the use of cryptography.
At the G7 Summit meeting on anti-terrorism in July 1996, G7 governments announced that consultations would be accelerated, ‘in appropriate bilateral or multilateral fora, on the use of encryption that allows, when necessary, lawful government access to data and communication in order, inter alia, to prevent or investigate acts of terrorism, while protecting the privacy of legitimate communications’.
In May 1996 the US National Research Council’s Computer Science and Telecommunications Board published the report ‘Cryptography’s Role in Securing the Information Society’. This interagency study assesses the effect of cryptographic technologies on US national security, law enforcement, commercial and privacy interests, and reviews the impact of export controls on cryptographic technologies. This authoritative report provides a comprehensive review of the cryptography policy issues faced by the US Government.
C. Key recovery
As of mid-1998, a wide range of government, industry, and academic efforts toward specifying, prototyping, and standardising key recovery systems that meet government specifications have been implemented. Some of industry’s efforts were stimulated by U.S. government policies that offer more favorable export treatment to companies that commit to designing key recovery features into future products, and by U.K. government moves to link the licensing of certification authorities to the use of key recovery software.
Yet despite these incentives, and the intense interest and effort by research and development teams, neither industry nor government has yet produced a key recovery architecture that universally satisfies both the demands of government and the security and cost requirements of encryption users.
The commercial key recovery products in existence today do not reconcile the conflict between commercial requirements and government specifications. In the absence of government pressure, commercial key recovery features are by their nature of interest primarily to business operations willing to pay a significant premium to ensure continued access to stored data maintained only in applications of encryption (such as communication traffic) are known in advance not to require recoverability and therefore would not be designed to use a key recovery system.
Another problem is that the most secure and economical commercial key recovery systems do not support the real-time, third-party, covert access sought by governments in order to support surveillance. In particular, ‘self-escrow’ by an individual does not meet government access demands. The third-party nature and global reach implied by these government demands make key recovery systems a much more difficult, expensive, and risky proposition than a facility for internal, off-line recovery in a business enterprise. For example, most organizations keep backups in the form of plain text on magnetic media in physically protected premises. Similarly, organizations that keep encrypted data might naturally be best served by storing backup keys in a bank safe deposit box. A requirement for near-real-time access would preclude this approach, however prudent or appropriate.
Any access-time requirement carries with it special risks. In particular, some sort of network technology will generally be required. Such a network, which must link a large number of law enforcement agencies with different key recovery centers, would be extraordinarily difficult to secure. The current attention in the U.S. on the problem of securing critical infrastructure, such as telephone networks, power grids, national banking networks and air traffic control systems, underscores the problem of managing risk in key recovery. The systems that support critical infrastructure, which are increasingly reliant on open networks and information systems, are among the most important current and future applications of cryptography. The complexity and increased risk introduced with key recovery would make critical infrastructure protected by cryptography more vulnerable to the kinds of sophisticated attackers that pose the most serious threats to these systems.
Government specifications for key recovery systems for export approval are focused on the easier problem of ensuring that keys are recoverable when authorized. They do not address or give techniques for the far harder problem of ensuring against unauthorized disclosure of data. The design and construction of prototype key recovery systems that satisfy government specifications for export, therefore, are not sufficient to demonstrate that these systems can be operated securely, in an economical manner, on a large scale, or without introducing unacceptable new risks. Any assessment of a proposed system must take into account a broad range of design, implementation, operation, and policy considerations.
As of mid-1998, we are aware of no key recovery proposals that have undergone analysis of the kind required. On the other hand, as our report notes, there are compelling reasons to believe that, given the state of the art in cryptography and secure systems engineering, government-access key recovery is not compatible with large scale, economical, secure cryptography systems.
D. European Initiatives
DLM-FORUM — Electronic Records
The first multidisciplinary European DLM-Forum (DLM-Forum’96) on electronic records which took place in Brussels between the 18th and 20th December 1996 was a major event in the investigation of possibilities for wider co-operation in this area both between Member States and at Community level. It was initiated by the experts’ report Archives in the European Union (Report of the Group of Experts on the Coordination of Archives. Brussels – Luxembourg: OPOCE 1994) and confirmed by the EU-Council Conclusions of June 1994 (94/C 235/03).
Organised by the European Commission in close co-operation with the EU member states it hosted more than 300 experts and decision-makers from public administration, archives, industry (hard- and software suppliers) and research. The multidisciplinary approach and the aim to publish guidelines on machine readable data as a concrete result as well as the high quality of the presentations were the attractions that turned this inaugural event into a European forum of international interest in the field of electronic records administration and storage. Participants came from all the EU member states, from other European countries (including the Russian Federation and Poland), as well as from Canada and the USA.
First reviews that have been published by specialised journals are unanimously enthusiastic. The forum’s success owed a lot to the Programme Committee’s preparations and should also be attributed to the undivided and continuous support of the Irish and Dutch presidencies of the EU-Council.
The forum was opened by the Secretary General of the European Commission, David Williamson, who emphasised that archives, including increasingly electronic documents, are our collective memory and how important it is to retain that memory and to ensure that it remains accessible in the future. In their keynote addresses the Deputy Director General of the Directorate General for Science, Research and Development, Hendrik Tent, and the Permanent Representative of Ireland to the European Union, H.E. Ambassador Denis O’Leary, laid out the political and technical framework of the DLM-Forum’96. Mr Tent described the importance of the forum with respect to innovation in the digital era and the Commission’s approach towards this challenge. Mr O’Leary stressed the role of archives in our society and the citizens’ right of access to information. In his closing speech the Head of Commissioner Bangemann’s Cabinet, Paul Weissenberg, pointed to the importance of electronic archives in the European Union’s concept of the Information Society as set out in the Bangemann report and subsequent documents. He stressed the necessity of concrete measures as an immediate consequence to the DLM-Forum.
The ‘life-cycle’-concept of electronic records guided the three parallel sessions. Thus the speakers in those sessions reflected on electronic documents in the different phases of their administrative life. The multitude of topics ranged from discussions of norms and standards for data interchange to the presentation of new electronic storage material. Surveys on the ‘state of the art’ in Europe completed this first interdisciplinary approach to retaining the collective memory of the Information Society.
It was the balance between working sessions and spontaneous and informal discussions outside those sessions that produced a most agreeable working atmosphere in which experts’ debates led to the kind of mutual understanding and the establishment of personal ties and relations needed to solve problems that concern all the disciplines represented at the forum. Thus the catalyst effect, which was hoped for, was achieved: experts from industry and research became sensitive to the concerns of archives and administrations.
The forum will lead, as foreseen, to amendments to the first draft of multidisciplinary guidelines Best practices for using Machine Readable Data which had been distributed to the participants.
Furthermore, a document for follow-up measures, the so-called ‘10 points’, was agreed on by the participants. One major topic for follow-up activities is the establishment of national focal points to improve co-ordination and networking and to establish functional requirements for electronic records management in the public and private sectors. Another topic concerns the urgency of establishing training programmes for archivists and administrators.
In a world of continuous and rapid change modern archives services are an element of continuity, stability and a solid base for essential information and indispensable records. Modern management in public and private institutions has to be dynamic, active and innovative, and above all has to cover the entire continuum of the life of documents. ‘The DLM-Forum’96 demonstrated that the issues posed by the preservation and re-use of electronic records are central not only to the work of archivists, but also form the cornerstone of future economic growth and development within the European Union.’ as Seamus Ross points out in his presentation. In short: the problem of preserving electronic records concerns even more people and areas than have been covered by the forum’s participants. Further activities should include among others legal advisors, system designers and application developers, auditors and insurance providers. Contacts with existing working groups (e.g. the European Commission’s Legal Advisory Board for the information market) have to be established or intensified. A first step to co-ordinate these activities is the installation of the DLM-Monitoring Committee in April 1997.
Promoting safe Use of Internet
To prevent illegal and harmful content being distributed on the Internet the European Commission is promoting initiatives which are aimed at increasing the general awareness among parents, teachers, public sector and the information industry about how to deal with the issue in practical terms.
This action accompanies the Green Paper on Protection of Minors and Human Dignity in Audiovisual and Information Services, the Communication on Illegal and Harmful Content on the Internet, and the Action plan on promoting safe use of the Internet.
REFERENCES
1. STOA, PE 166499: “An appraisal of technologies of political control”, 1998.
2. R. Clarke: Dataveillance: Delivering “1984”, Xamax Consultancy Pty Ltd, February 1993.
3. R. Clarke: Introduction to Dataveillance and Information Privacy and Definitions of Terms, Xamax Consultancy Pty Ltd, October 1998.
4. R. Clarke: A Future Trace on Dataveillance: Trends in the Anti-Utopial Science Fiction Genre, Xamax Consultancy Pty Ltd. March 1993.
5. T. Dixon: Workplace video surveillance – controls sought, Privacy law and Policy Reporter, 2 PLPR 141, l995.
6. T. Dixon: Privacy charter sets new benchmark in privacy protection, Privacy law and Policy Reporter, 2 PLPR 41. 1995.
7. D. Banisar and S. Davies: The code war, Index online, News Analysis, issue 1998.
8. T. Lesce: They’re Watching You! The Age of Surveillance, Breakout Productions, 1998.
9. W.G. Staples: The Culture of Surveillance, St. Martin’s Press, 1997.
10. D. Lyon and E. Zureik: Computers, Surveillance and privacy, University of Minnesota Press, 1996.
11. D. Lyon: The Electronic Eye – The rise of Surveillance Society, University of Minnesota Press. 1994.
12. F.H. Cate: privacy in the Information Age, Brookings Institution Press, 1997.
13. P. Brookes: Electronic Surveillance Devices, Newnes, 1998.
14. O.E.C.D.: Privacy Protection in a Global Networked Society, DSTI/ICCPAREG(98)5/FINAL, July 1998.
15. O.E.C.D.: Implementing the OECD “Privacy Guidelines” in the Electronic Environment: Focus on the Internet, DSTI/ICCP/REG(97)6/FINAL, September 1998.
16. O.E.C.D.: Cryptography policy: The Guidelines and the issues, OCDE/GD(97)204, 1997.
17. Report By an Ad Hoc Group of Cryptographers and Computer Scientists: The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption, 1998.
18. COM(98) 586 final: Legal framework for the Development of electronic Commerce.
19. COM(98) 297 final: Proposal for a European Parliament and Council Directive on a common framework for electronic signatures, OJ C325, 23/10/98.
20. A. Troye-Walker, European Commission: Electronic Commerce: EU policies and SMEs, August 1998.
21. COM(97) 503 final: Ensuring security and trust in electronic communications – Towards a European Framework for Digital Signatures and Encryption.
22. Directive 97/7/EC of the European Parliament and the Council of May 1997 on the protection of Consumers in respect of Distance Contracts. OJ L 144. 14/6/1997.
23. ISPO: Electronic Commerce – Legal Aspects. http://www.ispo.cec.be .
24. Privacy International: http://www.privacy.org .
25. Newton and Mike: Picturing the future of CCTV, Security Management, November 1994.
26. Gips and A. Michael: Tie Spy, Security Management, November 1996.
27. Clarke and Barry: Get Carded With Confidence, Security Management, November 1994.
28. Horowitz and Richard: The Low Down on Dirty Money, Security Management, October 1997.
29. Cellular E-911 Technology Gets Passing Grade in NJ Tests, Law Enforcement News, July – August 1997.
30. Shannon and Elaine: Reach Out and Waste Someone, Time Digital, July August 1997.
31. Thompson, Army, Harowitz, and Sherry: Taking a Reading on E-mail Policy, Security Management, November 1996.
32. Trickey and L. Fried: E-mail Policy by the Letter, Security Management, April 1996.
33. Net Proceeds, Law Enforcement News, January 1997.
34. Burrell, and Cassandra: Lawmen Seek Key to Computer Criminals, Associated Press, July 10, 1997, Albuquerque Journal.
35. Gips and A. Michael: Security Anchors CNN, Security Management, September 1996.
36. Bowman and J. Eric: Security Tools up for the Future, Security Management, January 1996.
37. E. Alderman and C. Kennedy: The right to Privacy, Knopf 1995.
38. Bennet and J. Colin: Regulating Privacy — Data protection and public Policy in Europe and the United States, Cornell University Press, 1992
39. BeVier and R Lillian: Information about Individuals in the Hands of Government — Some reflections on Mechanisms for Privacy Protection, William and Mary Bill of Rights Journal 4, Winter 1995.
40. Branscomb and A. Well: Who owns Information? From Privacy to Public Access, Basic Books 1994
41. Branscomp: Global Governance of Global Networks, Indiana Journal of Global Legal studies, Spring 1994.
42. Network Wizards, Internet Domain Survey, January 1997, http://www.nw.com/zone/WWW/report.html .
43. Network Wizards, Internet Domain Survey, January 1997, http://nw.com/zone/WWW/lisybynum.html .
44. Simon Davis: report, December 1997, http://www.telegraph.co.uk .
45. Francis S. Chlapowski: The Constitutional Protection of Information Privacy: Boston University Law Review, January 1991.
46. Ibid., p. 35.
47. Ibid., p. 45.
48. Ibid., p. 48.
49. Ibid., p. 57
50. Ibid., p. 82.
51. Ibid., p. 276.
52. Ibid., p. 267.
53. J. Guisnel: Guerres dans le cyberspace, Editions la decouverte, 1995.
54. http://www.dis.org .
55. http://www.telegraph.co.uk .
STOA PROGRAMME
European Parliament
Directorate-General for Research
Digitization and HTML by JYA/Urban Deadline.
FORMER CIA DIRECTOR WOOLSEY DELIVERS REMARKS AT FOREIGN PRESS CENTER
10 July 2013
SPEAKER: JAMES WOOLSEY, FORMER DIRECTOR, CIA
WOOLSEY: Let me just informally say one or two things.
First of all, I am five years out of office, and so much of what I say is — indeed virtually all of it is heavily governed by my views and practices when I was DCI. I do continue to hold security clearances and confer with the government from time to time, but I am not up to speed on things like current intelligence operations, and if I were, I wouldn’t talk to you about them anyway.
I do have, however, a set of views about this set of issues and they were ones that I expressed in rather substantially the same terms when I was DCI that I’m going to express today. But in the context of the [European Parliament, Duncan] Campbell report and the current European interest, particularly in the overall subject of alleged American industrial espionage, I thought it was a perfectly reasonable thing to respond to the State Department’s request that I be available to answer your questions.
If you look at the Aspin-Brown Commission report of some four years ago, chaired by the late former secretary of defense and chairman of the House Armed Services Committee, Les Aspin, it states quite clearly that the United States does not engage in industrial espionage in the sense of collecting or even sorting intelligence that it collects overseas for the benefit of and to be given to American corporations. And although he does so with a double negative, Mr. Campbell essentially confirms that in his report.
In the Campbell report there are only two cases mentioned in which, allegedly, American intelligence some years — several years ago obtained information — secret information regarding foreign corporations. One deals with Thomson-CSF in Brazil, one deals with Airbus in Saudi Arabia.
Mr. Campbell’s summation of those issues in one case is five lines long, in the other case it’s six lines long, and he is intellectually honest enough that in both cases he devotes one line in each to the fact that the subject of American intelligence collection was bribery. That’s correct. Not technological capabilities, not how to design wing struts, but bribery. And it is impossible to understand American intelligence collection, for my period of time anyway, with respect to foreign corporations and foreign governments who sometimes assist them without realizing that that issue is front and center.
Now, the Aspin-Brown Commission also said that approximately 95 percent of U.S. intelligence collection with respect to economic matters, which itself is only one of a reasonable number of U.S. intelligence targets — but with respect to economic matters, 95 percent of our intelligence collection is from open sources. Five percent is essentially secrets that we steal. We steal secrets with espionage, with communications, with reconnaissance satellites.
Why do we focus, even to that 5 percent degree, on foreign corporations and foreign governments’ assistance to them in the economic area? It is not to provide secrets — technological secrets to American industry.
In the first place, in a number of these areas, if I may be blunt, American industry is technologically the world leader. It is not universally true. There are some areas of technology where American industry is behind those of companies in other countries. But by and large American companies have no need nor interest in stealing foreign technology in order to stay ahead.
Why then do we or have we in the past from time to time targeted foreign corporations and government assistance to them?
WOOLSEY: There are really three main areas. One is that, with respect to countries that are under sanctions — Libya, Serbia, Iraq and the rest — important economic activity is sometimes hidden and it is important for the U.S. government to understand how sanctions are functioning, if they’re functioning successfully, whether Iraq is able to smuggle oil out and if so how much, how Mr. Milosevic does his country’s banking and so on.
Those types of sanctions-related subjects and economics are the subject of efforts by the United States to steal secrets by various methods — have been in the past.
Second, with respect to dual-use technology, there are some legitimate products, a number of types of chemicals that are useful in pharmaceuticals and in fertilizers and the like, super-computers are useful for predicting the weather and other purposes, that also have use in designing or producing weapons of mass destruction. So particularly where there are efforts around the world to hide the transportation and sale of certain types of materiel and products that can be used in the production of weapons of mass destruction, yes, there is a big incentive and an important reason why the United States government has in the past felt it important to steal secrets.
The third area is bribery. We have the Foreign Corrupt Practices Act. It is a statute under which I have practiced as a lawyer. I have done investigations of major American companies on behalf of their boards of directors to detect Foreign Corrupt Practices Act violations. I have sat as a board member of American publicly owned corporations and questioned management about whether there had been any foreign corrupt practices.
It is a vigorously enforced statute and an important one. And as a result of it, American industry is again not perfect, but as a general proposition it does not try and certainly does not succeed in winning contracts and international commerce by bribery.
This is not true of the practices of some of our friends and allies and some of our adversaries around the world. Some of our oldest friends and allies have a national culture and a national practice such that bribery is an important part of the way they try to do business in international commerce.
We have spied on that in the past. I hope, although I have no immediate verification, that the United States government continues to spy on bribery.
But whether it does or not, it seems to me that it should be understandable to anyone who reads the Campbell report, to anyone who thinks at all about whether American corporations need to steal technological secrets from foreign corporations, and anyone who is at all sophisticated about the way international trade and commerce works, that bribery is — or should be in any case and certainly was in my time at the heart of U.S. intelligence’s need to collect secret intelligence regarding foreign corporations and foreign governments’ assistance to them.
And with that I’m prepared to take your questions.
MODERATOR: OK, it’s fairly crowded today. Please wait for the microphone, identify yourself and your news organization. We will go right up here in the front.
Yes, we might as well start.
QUESTION: Then I take it that all the hubbub from Brussels and the European parliament with accusations that the NSA is being fed this information, all that is false?
WOOLSEY: Well, insofar as the hubbub in Europe and in Brussels doesn’t mention that if there is any targeting of European corporations, if the past is any guide, it’s likely to be about bribery, then the journalists who are reporting it are hiding the ball. Because Mr. Campbell himself makes it quite clear, in both of the cases he mentions, that bribery is the issue.
So if people are inventing out of whole cloth in spite of what’s said in the Aspin-Brown report, in spite of what I said when I was DCI, as far as I know, I believe what is being said publicly and officially on the record by the U.S. government today, that the United States does not conduct industrial espionage, it doesn’t steal secrets of foreign companies to give them to American companies for purposes of competitions and so forth — if the hubbub in Brussels ignores that, then those who are creating the hubbub are intentionally looking away from the major issue.
WOOLSEY: If this were Shakespeare’s “Hamlet,” to discuss the issue without talking about bribery, is like talking about it without talking about the prince of Denmark. It’s the central thing.
QUESTION: Mr. Woolsey, in spite of all that you said, it seems to me that espionage per se was two kinds — the Cold War kind, which you do against your political and ideological adversaries, and the industrial kind that you’re talking about.
Now there’s a general feeling throughout the world, that this industrial espionage is sort of open house, and everybody does it to everybody else. And there have been some reports of American agents being expelled from Germany, or France, or somewhere.
So in spite of all that, you’re saying except for bribery, the United States is not doing it at all.
WOOLSEY: The other two areas — at least in my time — that we thought were quite important to follow, I did mention. One has to do with sanctions. If companies in countries that are friends and allies of the United States are busting sanctions by what they’re selling to a country like Libya or Iraq, that might be the subject of secret collection. If there are efforts to hide the sales of dual-use technology that can be used with respect to weapons of mass destruction.
But I generally — and I think most of us who talk about this issue — reserve the term industrial espionage to mean espionage for the direct benefit of an industry. That is, I don’t call it industrial espionage if the United States spies on a European corporation to find out if it is bribing its way to contracts in Asia or Latin America that it can’t win honestly.
I would — and especially when it is not the practice of the U.S. government — it certainly didn’t occur in my time, and I’m not aware that it ever has — that the U.S. government gives this information about bribery, when we find it, to an American company. That’s not what happens. The information about bribery is not given to the American corporation that may be the victim.
What happens is that the State Department is informed, and then an ambassador, or in some substantial cases perhaps a very senior official in the State Department, goes to the country where the government official is being bribed, and says, You know, we really don’t — we know about this, and we really don’t think this is the way you ought to make decisions about awarding contracts.
Now what then typically happens, is that the contract award either is made on the merits — sometimes an American company wins, sometimes not. Or sometimes the host government will split the contract. And the American company, if it wins all or a share of it, doesn’t know that the reason it won was because the U.S. government uncovered bribery and went to the host government, and said, We don’t think you should be engaged in awarding contracts this way. But I don’t call that industrial espionage.
So in the post-Cold War era, how big a focus is this sort of thing for the United States? I’d say it’s rather modest, in the overall model — at least in my time as DCI — of our intelligence — of our secret intelligence collection.
Economic intelligence is important, but as I said, it’s about 95 percent from open sources. What our major focus is, is on rogue states, weapons of mass destruction, whether Russia is going to turn into a non-democratic country. We focus on major issues that could directly affect the security of the whole country.
But there is some increased emphasis on economics — 95 percent of it from open sources. The part that’s from covert sources is as I described.
QUESTION: You answered part of my question with your statement just now that, if in fact, U.S. intelligence were to uncover attempts at bribery by a corporation from another country, they would not inform the U.S. corporation.
But while we’re on, sort of the issue of process, presumably U.S. intelligence inadvertently perhaps, runs across technologically interesting information — technologically valuable information — even in the course of investigations predicated on the three areas that you laid out — technologically valuable information that would be commercially useful. What happens to that information? Does it sit mouldering on a shelf, or is there a means by which that information does wind up in the hands, either of U.S. government corporations, or U.S. corporations?
WOOLSEY: I don’t think so, realistically. Given the fact that the problem for the U.S. intelligence community is that there’s a great deal of data that goes unanalyzed — the problem is sorting through all this material. It is a substantial commitment of time and effort to devote an able analyst to sorting something out. And in the important high-tech areas — computers, telecommunications, software, and the like — these are areas — again, I don’t want to sound nationalistic about this. But bluntly, these are areas in which the United States is the world leader.
And it is — it would be a substantial misuse, I think, of the time of valuable analysts to go through technological analysis of material from other trading countries, you know, that we have cordial relations with, and deal with all the time, and where there’s a great deal out in the open anyway, in order to do an analytical piece that can’t be given to anybody. I mean, it could not be given to an American corporation.
There’s a separate problem here, which is, what’s an American corporation? Is it a company that’s headquartered in New York, but does most of its manufacturing in Canada — an American corporation? Is it a Canadian corporation that manufactures largely in Kentucky? Who knows. We have a terrible time sorting this sort of thing out in trade issues, generally. And it’s just a morass that the U.S. intelligence community has no particular instinct or reason to get into.
And so, can one absolutely guarantee that nothing is ever leaked, that shouldn’t have leaked? I suppose one can never absolutely guarantee anything. But would, in the normal routine business, somebody do a technological analysis of something from a friendly country, which had no importance, other than a commercial use, and then let it sit on the shelf because it couldn’t be given to the American company? I think that would be a misuse of the community’s resources. I don’t think it would be done.
QUESTION: There was a specific case which involved a radar system that was installed in Brazil, and involving a European company and an American company. Both companies found out what the government had found out, that the European company was trying to bribe the Brazilian companies…
WOOLSEY: Is this the Thomson-CSF case…
QUESTION: Yes.
WOOLSEY: … in the report?
QUESTION: Yes. I have two questions on that. One is, if you are spying on a company because you think it might be bribing its way to a contract, you can — in this case for example, everyone knew exactly what technology was being sold. So, it isn’t like that you have to get a special analyst to analyze the system, because everyone knew exactly it was radar system.
So going back to Paul’s question. In the case — knowing that you’re analyzing radars, if you did have some information that, let’s say the European company had a special system, or something, would that just sit on a shelf? That’s one thing.
And the other thing is, could you use that — if you pass some information to the State Department, but it could be used in commercial negotiations, like let’s say you’re spying on companies or something.
QUESTION: And then you find out that in a WTO negotiation or a WTO panel something will come up related to that that still is information that can be used by the government commercially or not.
WOOLSEY: I can’t exclude the possibility that at times in the past, information that would come to the attention of the U.S. intelligence community would be used in a circumstance like the second one you mentioned, for U.S. government purpose. Something like that would not be the focus of collection or the focus of even the sorting of intelligence. But it’s just too far down the food chain of interests, frankly.
But I think the — you can’t exclude the possibility that if a report including information about something technological were disseminated inside the United States government, it would be used for a government-wide purpose by someone who knew about it in the State Department or elsewhere.
What wouldn’t be done, is that it wouldn’t be given to the American company in question. But intelligence community’s main problem over the course of the last several years has been that as the Cold War has ended, it’s relatively speaking, its resources are insufficient in its eyes and in mine to do a lot of what is necessary. I’ve often said that it’s as if we were fighting with a dragon for some 45 years and slew the dragon and then found ourselves in a jungle full of a number of poisonous snakes. And that in many ways, the snakes are a lot harder to keep track of than the dragon ever was. The snakes are rogue states and terrorists and the like. We have now six or eight major issues we have to watch instead of just the workings of the Soviet Union and its various manifestations in the world.
And that has meant that on these crucial issues for U.S. intelligence, rogue states, weapons of mass destruction, terrorism, narcotics smuggling, the community has found itself very strapped. And you know, to spend time trying to figure out whether some technological fact about some friendly country’s part of their technology is relevant to some trade negotiation is — got to be something — I can’t believe anybody would be focusing on or spending any time on.
MODERATOR: OK, let’s start from the back and we’ll work our way forward.
QUESTION: I have a question about a definition. If the American company hires a local consultant in China, or Brazil or Afghanistan, who bribes at his own expense and his own account with or without knowledge of the American company, and he pays bribes. Is that as far as you are concerned, is that bribery or it is not?
WOOLSEY: It probably depends on the facts. But if the American employer had reason to believe from the past behavior of this individual or from the overall circumstances or from his expenses or from the fact that an award was given that didn’t seem understandable or justified by the bids, if for any reason, the American employer including a foreign individual who was directly employed by the United States, the gut (ph) company, had reason to believe that a bribe had occurred, it would be a violation of the Foreign Corrupt Practices Act. This is the sort of thing — there are things under the FCPA called red flags.
There’s a rather long list of behavior and circumstances which should raise suspicions. And the American companies and their boards of directors, are charged not just to report to the SEC or the Justice Department when they clearly and definitely know that someone overseas has been bribed. They are charged with conducting investigations and being on top of what all of their commercial agents and the like are doing. It’s a very demanding statute.
QUESTION: My question is not about industrial espionage specifically. I hope that’s all right. Sorry, Charlie.
There was a report in the New York Times a few weeks ago that said the Jordanian secret service had surpassed the Mossad, the Israeli Mossad in terms of how much they helped the U.S. in fighting terrorists and things like that. And I’m wondering if you could speak at all about how much — and that in fact, even in Jordan that the U.S. identifies its spies to the Jordanian government, a practice it doesn’t do in other places. So I was wondering if you would comment on that.
But also, if you could describe in any way how much the Israeli intelligence service and the U.S. intelligence service work together in terms of even finding out things about Iraq and weapons of mass destruction and those kinds of things.
WOOLSEY: Even if I were current — and I have not been current on this subject for the last five years since I left the government — I wouldn’t answer that question. I will say this. Both Jordan and Israel have very fine intelligence services. Both countries are friends of the United States. The countries under a lot of circumstances today are friends of one another. And a number of friendly countries in the Mideast cooperate with intelligence and otherwise, in dealing with rogue states and aggressive states in the Mideast. And I would certainly count Iraq as first and foremost in that latter category.
MODERATOR: Far be it for me to ever try to control the topic of a conversation, but we are — I’ll go across the Sinai Peninsula to Thomas, if he’s on the economic topic?
OK, Thomas?
QUESTION: Trying to figure out what you said about (inaudible) and jungle of the snakes. Definitely, in the golden age of espionage there was spying and counter spying. And you cannot say that you are just a victim of the others and you don’t want to try to get information about the others. Definitely there is a kind of a spying, you know, to counter attack his espionage. This is my first question.
My second question is…
WOOLSEY: Let me see if I understand. Does the United States spy on countries that are trying to conduct industrial espionage against American corporations?
QUESTION: Yes.
WOOLSEY: In my time, yes. I don’t know whether we still do or not. But I would have considered it a useful, although not perhaps actually top priority for the United States to understand the workings of a foreign intelligence service that at the behest of its government was conducting espionage against American corporations to steal say technological secrets. What counter espionage it really is in the international context is essentially intelligence services spying abroad on foreign intelligence services that are in turn spying on their country.
And that is part of the warp and woof of international intelligence collection for the United States, for Egypt and for the countries represented by essentially everybody in this room.
QUESTION: My second part of the same question was that what about the privatized economic espionage?
QUESTION: I mean which is more than related to the industries and the firms and the — in general because always even the regular espionage were asking, for all of the human factor of intelligence collected. It’s important or just…
WOOLSEY: Well, with respect to some types of intelligence targets, particularly in the post-Cold War era — terrorism is one very good example — human intelligence, the human factor, espionage is distinct from technical intelligence collection, has really got to be first and foremost.
Terrorism is not something you learn a lot about from plants, to the contrary, notwithstanding from looking at terrorist camps through reconnaissance satellites. You need spies.
But with respect to you know economic espionage against the United States…
QUESTION: I mean in general from your perspective, economic espionage doesn’t get more human intelligence or rely on…
WOOLSEY: It’s hard to say. Again, these three areas that I mentioned that were salient in my time, again for this 5 percent of economic intelligence that’s secret, 95 percent being you pick up newspapers and surf the Web and whatever. But for the 5 percent that involves needing to steal secrets, I would say yes, that human intelligence if you’re talking about bribery, if you’re talking about finding out about companies that are shipping material around sanctions, if you’re talking about companies that are selling super computers to institutions in other countries, that can use them to design nuclear weapons, a lot of that, I would say a rather high proportion of it would typically have to come from human agents, from human sources.
QUESTION: With all of the other sources can you state why you’re failing and as dragon you mention the snakes? Secondly, recently it was deserved (ph) by India and the United States to cooperate more on international terrorism? Do you expect the intelligence agencies of the two countries to cooperate in order to track international terrorism and cooperate (ph)?
WOOLSEY: Well, the dragon was the Soviet Union and the last time I looked we won the Cold War. I don’t think we failed against the dragon. I would comment to your Mr. Matrokin (ph) and Mr. Andrews recent book, “The Sword and the Shield,” based on the KGB archives that Matrokin (ph) stole from essentially 1917 to 1985. And it’s a complicated story.
There were some things the KGB were very successful at such as technical intelligence collection against American corporations actually. But after the demise essentially of the American communist party’s vibrant life, right after the end of World War II and after the end of the American Soviet Alliance in ’45, beginning in ’47 or ’48, the playing field tended to move in an American direction. And Matrokin (ph) and Andrew would say that particularly in the ’60s and ’70s and into the ’80s, probably American intelligence collection against the Soviet Union across the board particularly against the government, was substantially superior to a rather dismal KGB performance against the United States.
QUESTION: (Inaudible) country?
WOOLSEY: The dragon that we fought for 45 years and slew, was the Soviet empire in my analogy.
QUESTION: That isn’t what I had in mind…
WOOLSEY: Well, but you — it was my analogy so I get to say what I had in mind.
(LAUGHTER)
Now with respect to the United States and India, India is a friendly country and we cooperate on a number of things and we’re — both diplomatically and from time to time in intelligence areas, and I would hope that it would continue.
At least that was true when I was DCI. For the last five years you would have to ask somebody else.
QUESTION: I know it’s hard to quantify, but what region of the world, if you can break it down, is most afflicted by this — if I can use the word — by this U.S. espionage, especially bribery?
Is it Middle East? Is it South Asia? Is it Europe? Is it…
WOOLSEY: Well, you have the bribers and the bribees. OK. Now in a number of parts of the world although some are struggling against it, there has been a tradition of public officials accepting bribes and it occurs in a number of places.
The part of the world that where this culture of getting contracts through bribery, that actually has a great deal of money, and is active in international contracting is to a first approximation Europe. And indeed if you look at the recent negotiations that deal with implementing the OECD convention on bribery that was signed, I think in late 1997, there have been a number of parliamentary acts passed.
WOOLSEY: The Germans, for example, have gotten rid of the provision of German tax law that permitted bribes to be deducted from income taxes. France is debating it; hasn’t gotten rid of it yet.
But there has been a general history — both because it’s been relatively prosperous, because its companies export — that I would say the principal offenders, from the point of view of paying bribes in major international contracts in the world, are Europe. And indeed, they are some of the very same companies — the companies are in some of the very same countries where the most recent flap has arisen about alleged American industrial espionage.
It leads me to wonder whether the next major international investigation on this sort of subject coming from Europe is going to be charging that there needs to be a major look at the problem of rude American maitre d’s.
I’ll leave it at that.
QUESTION: I have two questions, the first one regarding the peace process. In case of the peace process in the Middle East, do you believe the CIA will be able to change the way handling the cases in the region? And the second question regarding how did you handle the espionage against you, United States, from your allies, like Israel and the other famous cases in that?
WOOLSEY: Second one first. Certainly the United States, often for reasons for learning about technology, is the target of espionage from some very good friends and allies. It happens. Normally we try to work it out. We try not to make a major public fuss about it. But where prosecution is necessary and where it does occur, we are generally of the view that one should impose penalties consistent with the seriousness of the espionage and the amount of material that was turned over, not the degree of friendliness with the country.
I’m going to use a clear example, one that I’ve spoken on publicly a number of times, Jonathan Pollard. The question has come up, since Israel is a friend of the United States, shouldn’t the United States pardon Mr. Pollard? Both I, and I think almost anybody connected with the American intelligence community and law enforcement community has said no, because of the volume and seriousness of what he stole.
Now, your first question was about?
QUESTION: It was about the peace process…
(CROSSTALK).
WOOLSEY: The peace process, yes. CIA officers in a number of negotiating situations — and here we’re largely talking about analysts — are extremely helpful. I was an ambassador and arms control negotiator for the United States. I negotiated the CFE Treaty in Vienna in 1989 to ’91. And I had several CIA analysts on my delegation and they functioned very much like other U.S. government officials.
WOOLSEY: We didn’t formally call them CIA officials, but our Soviet and other counterparts knew that they worked for the CIA. And they chaired working groups for me on verification. They negotiated provisions with other countries, dealing with verification. They were valuable members of the team.
And they had very cordial relations with Soviet counterparts. Sometimes we would even have parties with the American CIA people, and the Soviet KGB people, you know. It was an odd time.
But nonetheless, this tradition of American intelligence officers being involved in negotiations is one that I think can be entirely positive. There is one aspect of the CIA officers’ involvement in the negotiations in the Mideast that I couldn’t tell from the public statements whether it was taking place or not, but I was concerned that it might, because it seemed to me it put the intelligence officers in the middle, between the negotiating parties, and led them to have to try to assess whether one party was violating the accords, and then explain it to the other party, going both ways. And I thought that was a bad position to put an intelligence officer in.
I thought the U.S. intelligence officers should collect intelligence for the United States. And if an American official had to go to one party or the other in the negotiations, and say, “You haven’t turned in all your weapons, and we know it,” or, “You haven’t done this, and we know it.” It ought to be a diplomat. It ought to be an official from the State Department, not an intelligence officer.
But with that footnote, with that, you know — and I can’t tell still, from the public statements, exactly what the role of the CIA officers in the Mid-Eastern — in the Palestinian-Israeli negotiations has been. With that footnote, I think that for the CIA, and for intelligence officers from other countries, there are a number of circumstances in which they can have a quasi-open, and professional, and very useful role on issues such as verifying agreements.
QUESTION: Mr. Woolsey, I understand that the U.S. is for — to promote democracies around the world, compared to dictatorships — number one. Number two — how much — and also CIA briefs president on a regular basis — on a daily basis on intelligence matters. How much president listen to the CIA reports, or their advice, including now, this report here in India Globe, and around the world in newspapers that he should not visit Pakistan? That’s according to the CIA intelligence reports. Should he visit Pakistan or not, in your guess?
WOOLSEY: Well, my — I’m not going to bite on that substantive recommendation. But I will say this. I think the CIA got a little bit spoiled in President Bush’s presidency, because having been a director of Central Intelligence himself, he was, and remains absolutely fascinated by intelligence, by the CIA. The CIA headquarters is now named after him. He had the intelligence briefer in every day, and so forth.
President Clinton is a speed reader. And he rather frequently reads the morning intelligence briefing, and annotates it, and sends it back with questions, rather than having the CIA briefer in. And if you’ll pardon me a moment of humor, when in 1994, in the autumn, after I’d been in the CIA job for a little over a year and a half, a small plane crashed into the south front of the White House. The White House staff joke, at the time, was, That must be Woolsey still trying to get an appointment.
(LAUGHTER)
So, I may not be the best individual to ask with respect to daily interactions of that sort. But whether a president absorbs information by a daily meeting, or by reading — as at least in my time, was principally President Clinton’s method of absorbing intelligence — presidents normally pay a great deal of attention to what U.S. intelligence as a whole — not just the CIA — communicates to them. And sometimes they discount it and do something else. And sometimes they have a right to discount it. And sometimes they were wrong. But on that particular issue, I’m going to stay away from that with a 10-foot pole.
QUESTION: Sir, you mentioned about the dual technology transfer. I believe, you know, that’s from the other side of the story. This is a — maybe that’s falling into the term of an FBI, but given your experience, I’d like to have your comment on that. That is, what are those countries involved the most, in terms of stealing U.S. industry secrets here?
When you’re talking about rogue states, I consider that — do you consider China as a rogue state, or what? I mean, according to a lot of report that it is China, it is Japan, Korea, Taiwan and Israel involved most in those case.
QUESTION: But maybe you can tell us what exactly…
WOOLSEY: I’m not going to get in the business of talking about individual countries that way.
I would say this. With respect to technology theft from American corporations especially, the Soviet Union and the KGB were very good at this. The Metrokin (ph) book explains how and why. Happily, the Soviet Union was unable to take advantage of much of the technology because of their incredibly decrepit and terribly inefficient economy. But they were very vigorously involved in this.
It has also been the case, because of American technological leadership in a number of high-technology areas, that some of our old friends and allies are in this business as well, not only by putting microphones in the head rests of their airliners which cross the Atlantic, in first class seats, but in other ways as well.
There are European countries where one wants to — if you leave your briefcase when you go to dinner, if you’re a businessman and there’s anything sensitive in it, you should have your head examined. There are a number of parts of the world where American companies and individuals when they travel where there’s intelligence collection against them. And there’s some in this country, including from some friends — old friends of the United States.
We try to discourage this. We work hard at it. We talk privately with the countries and companies involved. We exert a good deal of effort to try to keep this from happening. But it is something that is rather substantially, in this country, principally on the mind of the FBI not the CIA. Because the only way it comes up for U.S. intelligence is if we learn overseas, in conducting an intelligence operation or collection, that that foreign country’s intelligence service is going to be doing something inside the U.S. Anything that actually takes place here, 99.9 percent of the time the relevant people are the FBI not the CIA.
I don’t know what to say other than I don’t really want to get into accusing individual countries. This waxes and wanes. No one is as involved in it as deeply as the KGB used to be on the behalf of the Soviet Union. But a number of countries still do it.
MODERATOR: And on that note, I’d like to say thank you. Thank you ladies and gentlemen.
WOOLSEY: Thank you for having me.
8 March 2000. Thanks to anonymous.
TRANSCRIPT
March 07, 2000
NEWS BRIEFING
JAMES WOOLSEY
FORMER CIA DIRECTOR
WASHINGTON, D.C.
JAMES WOOLSEY HOLDS BRIEFING AT THE FOREIGN PRESS CENTER
EVENT DATE: 03-07
MARCH 7, 2000
Find this story at 8 March 2000
HTML by Cryptome.
How intelligence services spy; America’s top spy from the deep – the mysterious nuclear submarine “USS Jimmy Carter”
10 July 2013
The latest revelations show how comprehensively the global internet is being monitored. One of the most successful scouts is said to be a mystery-shrouded US nuclear submarine – the “USS Jimmy Carter”.
Gigantic volumes of data race around the world in fibre-optic cables along the sea floor. But they are by no means safe there. One of the reasons: the nuclear submarine “USS Jimmy Carter”. The 138-metre-long colossus is said to be able to tap the lines in the deep. In all the world’s oceans – and thus in areas that lie outside the sovereignty of the United States.
The submarine, named after former US President Jimmy Carter, is subject to the highest level of secrecy. A crew of 140 steers the boat through the oceans, and it can additionally take on up to 50 special forces. Divers and mini-submarines can launch from a multi-mission platform. The “USS Jimmy Carter” has been travelling the world’s oceans since early 2005.
Attacks on undersea cables
But how does the submarine get at the data in the first place? There are only rumours about that, but several scenarios are conceivable. The deep-sea spies could, for instance, clip so-called “splitters” into fibre-optic lines. These electronic components send copies of all captured data over a dedicated line directly to the US military intelligence agency NSA.
In another possible variant, the undersea cables do not even have to be cut open: “It is enough to bend the cables slightly to get at the data,” explains IT journalist Peter Welchering. Special “bend couplers” intercept the light signals and read them out. “Modern eavesdropping devices need less than just two percent of the optical power of the fibre to then tap the complete signal and convert it into bits,” Welchering adds.
Radar domes and satellite scouts
That Americans, the English and other states spy on international communication channels is, however, not really new. “I don’t understand all the fuss,” says Welchering. “It is no different with Echelon, except that the eavesdropping attacks now in the spotlight take place in digital form.”
“Echelon” is the name of a worldwide espionage network that presumably reaches far back into the Cold War era. Rumours of its existence have circulated since the 1970s. Listening stations and space satellites allegedly monitor telephone calls, fax connections and internet data routed via satellite. Mobile phone calls and radio links are also said to be intercepted. Spherical radar domes arch over the antennas that capture the signals. An important installation stood in Bad Aibling, Bavaria. It was closed in 2004 after it had become known that, following the end of the Cold War, it had spied above all on European companies.
“Echelon” is operated by intelligence services of the USA, Great Britain, Canada, Australia and New Zealand. Precisely the five states, that is, that also work together on digital data espionage.
Foe and “friend” are listening in
Tapping computers and telephones is no problem for intelligence services either. Getting at the data simply requires the appropriate spy software. Although the volumes of information that can be skimmed off this way are not comparable to those at undersea cables, the spies can attack in a more targeted manner. And, for example, take aim at a particular company.
The economic damage caused by industrial espionage is hard to estimate because the number of unreported cases is high. The consultancy Corporate Trust puts it at a minimum of 4.2 billion euros per year in Germany alone.
Totally bugged
Among allies this ought to be taboo: nevertheless, US intelligence officers also spy on the European Union. At least that is what the news magazine “Der Spiegel” reports. The EU’s diplomatic missions in Washington and at the United Nations in New York were bugged, the magazine says, citing secret documents from NSA whistleblower Edward Snowden. In them, the Europeans are said to be named as a “target”.
The method of bugging the premises of – allegedly or actually – hostile nations was already very popular during the Cold War. The Soviet intelligence service KGB, for example, developed so-called passive bugs that needed no battery but drew their energy from microwaves beamed in from outside. In this way the Soviets were able to eavesdrop on the US ambassador in Moscow for years without it being discovered.
The man in the slouch hat is not yet obsolete
Despite all the high-tech methods that intelligence services rely on today, the classic spy has still not gone out of fashion. Currently causing a stir in Germany is the trial of a Russian agent couple who had led a double life worthy of a film for 25 years. Now both must go to prison for several years. The Higher Regional Court of Stuttgart sentenced the husband to six and a half years and his wife to five and a half years in prison.
Informants are also a significant factor in the field of economic espionage. For in many cases it is a company’s own employees who sell trade secrets.
Tuesday, 02.07.2013, 18:51 · by FOCUS Online author Harald Wiederschein
Find this story at 2 July 2013
© FOCUS Online 1996-2013
NSA eavesdropping scandal; The data robbers of the USS “Jimmy Carter”
10 July 2013
The US intelligence agency NSA monitors worldwide internet traffic. To do so, the snoops also tap fibre-optic cables that run along the sea floor between the continents. The submarine “Jimmy Carter” is said to play a key role in this.
Berlin – Jimmy Carter likes to present himself as a freedom fighter. With his Carter Center for human rights, the former US president mediates in international conflicts, observes elections and campaigns for transparent governance in developing countries. He has received several awards for his work: among others, he received the United Nations Human Rights Prize in 1998 and the Nobel Peace Prize in 2002.
In 2005 he was accorded a special honour: the US Navy named a submarine after Carter. It is the first American military submarine to be named after a living ex-president – and it is not just any submarine. The 138-metre-long “Jimmy Carter” is equipped for special operations and, in the assessment of intelligence experts, capable of tapping underwater cables. A boat, then, that seeks to violate the very civil liberties Carter holds dear, such as the privacy of correspondence and telecommunications.
The construction and fitting-out of the submarine, which cost just under 2.5 billion euros, were subject to the strictest secrecy. “You will not find anyone who will talk to you about it,” said Navy spokesman Kevin Sykes when the “Jimmy Carter” was commissioned in early 2005.
Only a few months earlier, in August 2004, the US military had mothballed the USS “Parche”. That submarine had tapped undersea cables during the Cold War and was considered one of the most important weapons in the espionage war. The boat’s crew remains to this day the most highly decorated unit in the Navy. The military only takes such a vessel permanently out of service when a successor is ready.
The most heavily armed submarine
A crew of 140 serves on the USS “Jimmy Carter”. It has a so-called multi-mission platform that works like an underwater hangar. From there, mini-submarines and combat divers can be put into the water. The nuclear submarine can take on 50 special forces, such as Navy SEALs. It is hard for enemy sonar to locate because its engines are extremely quiet and the hull emits hardly any electromagnetic radiation.
The vessel is armed with torpedoes as well as “Harpoon” and “Tomahawk” missiles, which can take out enemy targets both at sea and on land – including with nuclear warheads. In addition, the crew is able to lay sea mines. This makes the “Jimmy Carter” the most heavily armed submarine ever built, enthused “Undersea Warfare”, the official magazine of the American submarine fleet.
Since the “Jimmy Carter” was launched, US media have repeatedly speculated that the vessel could tap fibre-optic cables between the continents. The Pentagon has never contradicted these reports. In the Prism surveillance programme revealed by whistleblower Edward Snowden, the US military intelligence agency NSA even confirms the “collection of communications via fibre-optic cables while the data flows through”. The Navy merely states that the submarine is equipped with “advanced technology for special naval warfare and tactical surveillance”.
What remains unclear so far, however, is how the data intercepted in this way then reaches the analysts of the US military intelligence agency. In the 1970s, submarines regularly had to dive down to the cables to collect the tapes. That mission was eventually betrayed by a Soviet spy – the recording device has been in the KGB museum in Moscow ever since. If the communications data from the undersea cables still reached the intelligence officers only with a time lag today, urgent terror warnings would hardly be possible.
It is therefore more likely that the crew of the “Jimmy Carter” has installed a splitter on the fibre-optic cables and laid a dedicated fibre line to one of the intelligence agency’s data centres. Peter Franck, spokesman for the Chaos Computer Club, also considers it possible that IT experts on board the submarine could pre-filter and condense the data on site and radio it back to the base station via normal radio communication.
In both cases, NSA agents would be able to monitor internet traffic practically in real time.
1 July 2013, 18:02
By Christoph Sydow
Find this story at 1 July 2013
© SPIEGEL ONLINE 2013
Interactive map on the surveillance scandal; Cables that connect the world
10 July 2013
More than 200 deep-sea cables connect the continents and make modern communication possible in the first place. stern.de shows where the most important lines lie – and which German cable was tapped. By Alexander Sturm
Were it not for the many thousands of kilometres of deep-sea cable lying on the floor of the world’s oceans, our everyday life would be a different one: all the telephone calls, e-mails and online banking transactions across continents would be inconceivable. Just under 20 of the most important cables are shown in the graphic. Modern lines can transmit a good one terabit of data per second; that corresponds to the content of around 120 hours of feature film. The only transatlantic cable that lands in Germany, TAT-14 (shown in bold in the graphic), manages 1.87 terabits per second according to the US market researcher Telegeography – and was tapped by the British intelligence service.
Laying takes up to three years
The cables are owned by consortia of international telecommunications companies that lay and operate the lines jointly. States hold no share but often buy data capacity to link embassies or military installations. Laying deep-sea cables is laborious: depending on length, number of landing points and weather, it takes up to three years (for instance for the route California-Japan and back via Hawaii), because on the high seas only ten kilometres of cable per hour can be lowered into the sea. Maintenance, by contrast, is hardly necessary: “Once the cables are in the water, they are as a rule not touched again,” says Alan Mauldin, research director at the market researcher Telegeography.
In 1858 the first transatlantic cable was successfully laid between Great Britain and Newfoundland, at that time a copper-iron wire. Modern submarine cables made of glass fibres have existed only since 1988. They have a diameter of around seven centimetres and consist of hundreds of thousands of wafer-thin fibres protected by a copper tube, aluminium, steel cables and several layers of plastic. Many deep-sea cables end at six major hubs: New York, Cornwall, Alexandria, Hong Kong, Singapore and Tokyo. The longest deep-sea cable in the world, incidentally, could almost be laid around the equator. The 36,500-kilometre-long EAC-C2C connects China and Japan with the Philippines, Taiwan, Hong Kong, South Korea and Singapore.
6 July 2013, 14:11
Find this story at 6 July 2013
© stern.de
Tapping the world’s fiber optic cables
10 July 2013
Data surveillance: how much is too much?
Huge masses of data flash around the world along thousands of miles of fiber optic cables. They are regularly tapped – sometimes legally, mostly secretly. While this technology is simple, filtering is a huge challenge.
Almost all the countries in the world expect their foreign intelligence services to tap and sift through international telecommunications. For that reason, network operators whose lines cross international borders are legally obliged to make certain intersection points available to the authorities. Britain’s Tempora program, for instance, had perfectly legal access to the information it obtained – at least when it passed through British territory.
From electricity to light, and back
But fiber-optic cables can also be tapped secretly, without the knowledge of the operators – though this is not exactly easy. To understand how it works, one has to look more closely at how the data actually passes through the cables.
A standard fiber-optic cable laid across land consists of 144 individual glass fibers, while undersea cables consist of a maximum of eight individual fibers. Using laser technology, the electronic data is initially turned into ultra-short flashes of light. These flashes represent the zeros and ones that all digital information is comprised of. A photodiode at the end of the cable turns the light flashes back into electrical signals.
Around 10 billion such flashes of light run through these cables every second, and each one can also transfer between 1.2 and 5 gigabytes of data per second. But since the capacity of fiber optics is never completely used up, in practice the data flow is usually equivalent to between one and five standard CDs.
Fiber optics need amplifiers
But after a certain distance, the data signal drops. Every 80 kilometers or so, the signals have to be re-amplified, explained Klaus-Dieter Langer of the Fraunhofer Heinrich-Hertz-Institute in Berlin.
This is done with the help of a “regenerator.” Undersea cables also have regenerators, which are supplied with electricity by copper cables laid across the ocean floor, together with the fiber optics.
These regenerators are the system’s weak point. At these spots, the fiber optics can be more easily tapped, because they are no longer bundled together but laid out individually (since each fiber must be amplified separately). At these points, data piracy is not necessarily easy – but that, as Langer puts it, is “just a technical hurdle.”
A vigilant network operator can spot such hacking attempts. “You need very sensitive measuring instruments,” said Langer, “then you can see when the signal strength suddenly dips.”
Order in the data chaos
Once a spy has succeeded in hacking into a cable, the bigger challenge emerges – sifting through the immense mass of data. This needs to be done quickly. Even if a single glass cable is operating only at 50 percent capacity, it can still deliver 10 terabytes of data in an hour. “Since storage capacity is finite, the trick is to analyze these 10 terabytes within an hour, and filter out what you’re looking for,” said Langer.
A lot of the data needs to be decrypted – which also means being temporarily stored. At the same time, intelligence agencies must proceed very selectively so as not to get bogged down in the flood of data. Langer believes that agents probably concentrate on single fibers belonging to certain operators of particular interest. “It makes more sense to search for certain content, rather than, for example, email conversations, telephone connections and the like.”
Wire-tapping contest under the ocean
Hacking a cable only makes sense if you have large server capacity immediately available, which is why Langer is skeptical of recent media speculation about the USS Jimmy Carter, a nuclear submarine said to be on a mission to tap underwater cables. “It seems bizarre,” said Langer.
But Peter Franck, spokesman for the Chaos Computer Club digital rights collective, considers the submarine reports “absolutely believable.” Though tapping underwater cables is so secret “that it would never be publicly talked about,” so far reports in the American media have not been denied by the government.
Franck can imagine a number of ways in which data could be moved from the submarine to servers on shore. He speculates, for instance, that the data could be pre-filtered on board and then broadcast to a base via the normal radio communication. Or a device that records the data could be left on the ocean floor. “An extra vehicle could then come and pick it up,” Franck suggested.
Such underwater cables are certainly of considerable interest to intelligence agencies, since a huge part of international communication travels through them. It could certainly be the case that a lot of the world’s fiber optic cables are being tapped – and not only in countries where respective intelligence agencies are based.
Date 30.06.2013
Author Fabian Schmidt / bk
Editor Sonya Diehn
Find this story at 30 June 2013
© 2013 Deutsche Welle
Germany fears NSA stole industrial secrets
10 July 2013
The NSA espionage scandal has unsettled German companies. They are concerned that industrial secrets may have been stolen by US intelligence agencies.
Trust between Washington and Berlin has been shaken by the scandal over the alleged bugging of German government and EU buildings by US intelligence agencies. Reacting angrily to the apparent widespread surveillance of telephone and email communications, German politicians have demanded a speedy explanation from Washington. The EU and Germany do, after all, see themselves as partners of the US.
While the outrage may be exaggerated, there are legitimate, unanswered questions. For example: Why is the National Security Agency (NSA) collecting such large amounts of data, and for what end is that data being used?
The Trojan horse
The chairman of the conservative Christian Social Union’s small business group, Hans Michelbach, sees the surveillance of EU institutions by US intelligence agencies as a cause for alarm.
“The EU is not a supporter of terrorism, but is indeed a strong competitor in the global economy,” Michelbach said. He fears that not only European institutions, but also European and German firms may have been spied on, giving the US “dishonest advantages.”
Germany’s consumer protection minister, Ilse Aigner, warns that the joint fight against terrorism could be turned into a “Trojan horse” that “covers up espionage against governments and companies.”
Meanwhile, German companies have expressed both concern and astonishment at the extent of the spying.
“There was speculation in the past that conversations and Internet activity were being recorded by foreign intelligence agencies,” Volker Wagner, chairman of the Working Group for Economic Security, told DW. “But if the media reports are true, then the dimensions are alarming.”
Opportunity makes a thief
Other economic and industrial groups have reacted in a similar fashion. They want to know what kind of data was recorded and how it was used. At the moment, the European business community only has suspicions that industrial secrets were stolen by US intelligence agencies. Typically, stolen technologies and products show up in the hands of competitors or foreign countries years after they were originally taken.
But according to Wagner, the amount of data collected creates an incentive for abuse.
“One has to consider that American security services employ many freelancers, contractors and consultants,” Wagner said. “It’s estimated that in Washington alone, up to 1.5 million contractors work for the security services.”
Rösler said US espionage hurts prospects for a trade agreement
It’s uncertain whether all of these contractors respect the law. Rainer Glatz of the German Engineering Federation calls for the creation of an international treaty that clearly regulates data protection and intellectual property. Glatz believes that the private sector has to become more proactive and avoid relying on the state to protect corporate secrets. Countermeasures, such as firewalls, are being implemented by the companies the federation represents.
“In addition, we have to school the employees in the sales department and the service technicians on how to protect corporate information,” Glatz told DW.
EU-US trade agreement jeopardized
Germany’s IT small business association is pursuing a different approach. The group has suggested the creation of Europe-wide corporate consortiums as a counterbalance to the economic power of the US.
But the American and European economies are supposed to become even more integrated in the future. The EU and US hope to implement a free trade agreement. German Economy Minister Philipp Rösler has said that while Berlin still has an interest in such a partnership with the US, the espionage scandal has negatively impacted the project.
“The US now has to quickly clarify the allegations and provide transparency,” Rösler said.
Industrial espionage causes billions of euros in economic damage in Germany. The security consultancy Corporate Trust estimates that it cost 4.2 billion euros ($5.4 billion) in 2012.
Date 03.07.2013
Author Jennifer Fraczek / slk
Editor Andreas Illmer
Find this story at 3 July 2013
© 2013 Deutsche Welle
Germany, UK breaching human rights with NSA spy link-up
10 July 2013
Echelon system identified as “legislation-free zone”
In a major report to be published this week, the Echelon committee of the European Parliament has found that the conduct of electronic surveillance activities by US intelligence breaches the European Convention of Human Rights even when conducted, allegedly, for law enforcement purposes. It concludes that if the British and German governments fail to prevent the improper use of surveillance stations sited on their territory to intercept private and commercial communications, they may be in breach both of community law and of human rights treaties.
Composite Signals Organisation Station Morwenstow, run by Britain’s GCHQ, was the first station built to intercept civil commercial satellite communications as part of the ECHELON system
Two drafts of the proposed EP report, prepared by rapporteur and MEP Gerhard Schmidt, were leaked earlier this month. The form and wording of the committee’s final report is due to be settled by the full committee in a meeting in Brussels on Tuesday 29 May.
Comparison of the two drafts shows that the committee was waiting to question American government and trade officials about their use of economic intelligence before making its final comments. But, two weeks ago, the American government decided to snub them after members had already arrived in Washington, abruptly cancelling a series of planned meetings.
The declared policy of the US government, as explained last year by former CIA director James Woolsey, is to use the U.S. intelligence system to spy on European companies in order to gather evidence of bribery and unfair trade practices. Woolsey said “Yes, my continental European friends, we have spied on you. And it’s true that we use computers to sort through data by using keywords”. “We have spied on you because you bribe”, he wrote in the Wall Street Journal[1].
US economic intelligence policies in support of business and trade were exposed four months ago in a detailed new report to the Echelon committee. That report on “COMINT impact on international trade”[2] is published here exclusively for the first time today. The report traces in detail how U.S. intelligence gathering priorities shifted dramatically after the end of the Cold War, with the result that “about 40 percent of the requirements” of U.S. intelligence collection became “economic, either in part or in whole”.
Echelon committee vice-chairman Neil MacCormick (Scotland) wants to see legal changes to protect private communications; meanwhile “people should treat their e-mails like seaside postcards” that anyone else can read.
The new priorities for economic intelligence were approved by the first President Bush in a document called NSD-67 (National Security Directive 67), issued by the White House on 20 March 1992. By using the CIA and NSA to spy on foreign rivals of American companies, the declared U.S. objective was to “level the playing field” in foreign trade.
After the new policies came into force, the incoming Clinton administration set up a new Trade Promotion co-ordinating committee, with direct intelligence inputs from the CIA and direct links to U.S. business through a new “Advocacy Center”. Intelligence from NSA and CIA was supplied to the U.S. government department of Commerce through an “Office of Intelligence Liaison”, which was equipped to handle intercepted communications such as those supplied by the Echelon network.
According to documents provided to the Echelon Committee and now published here, the CIA team in the Commerce Department proposed gathering information on “primary competitors” of American business in a major Asian market. One document shows that, of 16 U.S. government officials attending a meeting on winning contracts in Indonesia, 5 were from the CIA (see Annexe 2-3[3]).
Two of the NSA’s largest electronic intelligence stations are located at Bad Aibling, Bavaria and Menwith Hill, in England. Both stations intercept satellite communications and use surveillance satellites to collect communications from the ground, anywhere in the western hemisphere.
The U.S. congress was recently told that, as a result of “levelling the playing field”, American companies gained $145 billion worth of business during the 1990s, after intelligence agencies claimed to have detected and defeated bribery or unfair conduct by foreign competitors. Many such contracts were listed in dossiers of cases publicised during the 1990s.
According to reports of “success stories” published by the Advocacy Center, European countries have lost out massively. France lost nearly $17 billion worth of trade, and Germany $4 billion out of a total of about $40 billion. Sweden lost $386 million worth of business, the Netherlands $184 million. Not all “successes” necessarily involved allegations of bribery, but many did.
Despite the huge number of cases in which it claims to have detected bribery, the U.S. government has never published any evidence to substantiate its claims. Nor has it instigated any prosecutions. Equally hard to substantiate has been evidence in specific cases where secret interception activities are alleged to have affected a major contract. All of the specific accounts of European business losses, such as the loss of an $8 billion Airbus contract in 1994, were published by the American press, at a time when the Clinton administration wanted to publicise that it was doing its best for business.
The clear motive was to tell the Americans that their government and intelligence agencies were now helping with the economy. But when Europe became concerned about the Echelon system, such stories stopped appearing in the U.S. media, and information dried up.
The job of the US Department of Commerce’s Advocacy Center is to “aggressively support U.S. bidders in global competitions where advocacy is in the national interest”.
Many MEPs suspect that the American claim to use their secret listening systems, including the Echelon network, only to prevent bribery is a smoke screen to cover straightforward spying for business and trade purposes.
The report on “COMINT impact on international trade” sets out, with many detailed sources, the case that from 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of “levelling the playing field”. The report does not address whether the U.S. position, that such interventions were and are justified by corrupt and/or unfair behaviour by foreign competitors or governments, is reasonable or, in fact, true.
But it is not necessary to show that intelligence information has been given directly to U.S. corporations for major economic damage to be assessed to have occurred. The boundaries of such estimates could lie between $13 billion and $145 billion. The only certain observation is that the exact figure will never be known.
Although failing to find new reports of European business losses beyond those appearing in the American media in 1994-1996, the Echelon committee has found that even if it were proven that bribery was involved, this does not make NSA activities of this kind legal in Europe. The draft report points out that:
“The American authorities have repeatedly tried to justify the interception of telecommunications by accusing the European authorities of corruption and taking bribes. It should be pointed out to the Americans that all EU Member States have properly functioning criminal justice systems. If there is evidence that crimes have been committed, the USA must leave the task of law enforcement to the host countries. If there is no such evidence, surveillance must be regarded as unproportional, a violation of human rights and thus inadmissible.”
Just a week ago, former CIA director Woolsey repeated his claims of European bribery at a meeting in New York. In the context of any such activities conducted at NSA’s British and German stations, this now appears to be an admission of unlawful conduct.
According to the draft report, “under the terms of the ECHR, interference in the exercise of the right to privacy must be proportional and, in addition, the least invasive methods must be chosen. As far as European citizens are concerned, an operation constituting interference carried out by a European intelligence service must be regarded as less serious than one conducted by an American intelligence service”.
Not least, this is because European citizens or companies could only get legal redress for such misconduct in national courts, not American courts.
“Operations constituting interference must therefore be carried out, as far as possible, by the German or UK authorities, particularly when investigations are being conducted for law enforcement.”
The draft committee report concludes that “there would seem to be good reason … to call on Germany and the United Kingdom to take their obligations under the ECHR seriously and to make the authorisation of further intelligence activities by the NSA on their territory contingent on compliance with the ECHR”.
The IC2001 papers
Four new studies on “Interception Capabilities – Impact and Exploitation” were commissioned by the Temporary Committee on the Echelon Interception System of the European Parliament in December 2000. The new studies update and extend the previous EP report, “Interception Capabilities 2000”[4], which was prepared in 1999. They cover the use of communications intelligence (COMINT) for economic purposes, legal and human rights issues, and recent political and technological developments. Among the key topics covered are the documentary and factual evidence for the existence of the COMSAT (communications satellite) intercept system known as “ECHELON”.
These studies were presented to the Echelon Committee at its Brussels meeting on 22 and 23 January 2001. The fourth study, on new political and technical developments, was presented only in the form of a slideshow. These studies are published with permission from the secretariat of the Echelon Committee.
ECHELON and its role in COMINT
IC2001, paper 1[5]
This paper summarises the evidence for the existence of ECHELON as a global interception system. It records official admissions about the secret UKUSA agreement that links English-speaking signals intelligence organisations. The paper also provides detailed answers to questions put by the Committee. It points out that very few media reports have provided original new information about Echelon, and that many press reports have enlarged on the nature of the interception systems and their capabilities, without evidence.
COMINT impact on international trade
IC2001, paper 2[6]
Paper 2 sets out, with detailed sources, the case that from 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of “levelling the playing field”, introduced in 1991. It also refers to:
Annexe 2-1[7] Background papers about the U.S. Trade Promotion Co-ordinating Committee (TPCC) and the Advocacy Center, including statements of purpose
Annexe 2-2[8] A questionnaire for U.S. companies to answer in order to determine whether or not they are deemed “American” and thus qualify for official assistance. The questionnaire is also on the internet[9].
Annexe 2-3[10] Documents revealing the CIA’s role in U.S. trade promotion, obtained under the Freedom of Information Act.
Annexe 2-4[11] U.S. trade “Success stories” affecting Europe – financial and geographical analysis. Many of the stories can be viewed online[12]. For example, this report[13] concerns the controversial power plant at Dabhol, India.
COMINT, privacy and human rights
IC2001, paper 3[14]
This paper reveals that Britain undertakes to protect the rights of Americans, Canadians and Australians against interception that would not comply with their own domestic law, while offering no protection of any kind to other Europeans. This and other background papers provided to the Echelon committee have prompted them to observe that “possible threats to privacy and to businesses posed by a system of the ECHELON type arise not only from the fact that it is a particularly powerful monitoring system, but also that it operates in a largely legislation-free area.”
Other Reports
The committee were also given copies of three key articles about US intelligence and economic activity:
“Why We Spy on Our Allies”[15], by James Woolsey, former director of the CIA, Wall Street Journal, 17 March 2000.
“It’s true that we use computers to sort through data by using keywords. Have you stopped to ask yourselves what we’re looking for?”
“U.S. spying pays off for business” by Bob Windrem, NBC News Online, 15 April 2000. Originally published at MSNBC[16]. This link is broken, but an alternative copy is here[17] and on other sites.
“U.S. companies have benefited when U.S. intelligence redirected its Cold War assets towards economic intelligence.”
“U.S. steps up commercial spying[18] – Washington gives companies an advantage in information”, by Bob Windrem, NBC News Online, 7 May 2000. Again, the link has recently been broken, but an alternative copy is at www.gn.apc.org/cndyorks/caab/articles/spying.htm[19].
“Documents, all published during the Clinton administration, appear to confirm reports that America’s electronic eavesdropping apparatus was involved in commercial espionage.”
Duncan Campbell 27.05.2001
Find this story at 27 May 2001
Copyright © Telepolis, Heise Zeitschriften Verlag
How the NSA Targets Germany and Europe
10 July 2013
Top secret documents detail the mass scope of efforts by the United States to spy on Germany and Europe. Each month, the NSA monitors a half a billion communications and EU buildings are bugged. The scandal poses a threat to trans-Atlantic relations.
At first glance, the story always appears to be the same. A needle has disappeared into the haystack — information lost in a sea of data.
For some time now, though, it appears America’s intelligence services have been trying to tackle the problem from a different angle. “If you’re looking for a needle in the haystack, you need a haystack,” says Jeremy Bash, the former chief of staff to ex-CIA head Leon Panetta.
An enormous haystack it turns out — one comprised of the billions of minutes of daily cross-border telephone traffic. Add to that digital streams from high-bandwidth Internet cables that transport data equivalent to that held in Washington’s Library of Congress around the world in the course of a few seconds. And then add to that the billions of emails sent to international destinations each day — a world of entirely uncontrolled communication. And also a world full of potential threats — at least from the intelligence services’ perspective. Those are the “challenges,” an internal statement at the National Security Agency (NSA), the American signals intelligence organization, claims.
Four-star General Keith Alexander — who is today the NSA director and America’s highest-ranking cyber warrior as the chief of the US Cyber Command — defined these challenges. Given the cumulative technological eavesdropping capacity, he asked during a 2008 visit to Menwith Hill, Britain’s largest listening station near Harrogate in Yorkshire, “Why can’t we collect all the signals all the time?”
All the signals all the time. Wouldn’t that be the NSA’s ideal haystack? So what would the needle be? A trail to al-Qaida, an industrial facility belonging to an enemy state, plans prepared by international drug dealers or even international summit preparations being made by leading politicians of friendly nations? Whatever the target, it would be determined on a case by case basis. What is certain, however, is that there would always be a haystack.
A Fiasco for the NSA
Just how close America’s NSA got to this dream in cozy cooperation with other Western intelligence services has been exposed in recent weeks by a young American who, going by outward appearances, doesn’t look much like the hero he is being celebrated as around the world by people who feel threatened by America’s enormous surveillance apparatus.
The whole episode is a fiasco for the NSA which, in contrast to the CIA, has long been able to conduct its spying without drawing much public attention. Snowden has done “irreversible and significant damage” to US national security, Alexander told ABC a week ago. Snowden’s NSA documents contain more than one or two scandals. They are a kind of digital snapshot of the world’s most powerful intelligence agency’s work over a period of around a decade. SPIEGEL has seen and reviewed a series of documents from the archive.
The documents prove that Germany played a central role in the NSA’s global surveillance network — and how the Germans have also become targets of US attacks. Each month, the US intelligence service saves data from around half a billion communications connections from Germany.
No one is safe from this mass spying — at least almost no one. Only one handpicked group of nations is excluded — countries that the NSA has defined as close friends, or “2nd party,” as one internal document indicates. They include the UK, Australia, Canada and New Zealand. A document classified as “top secret” states that, “The NSA does NOT target its 2nd party partners, nor request that 2nd parties do anything that is inherently illegal for NSA to do.”
‘We Can, and Often Do Target Signals’
For all other countries, including the group of around 30 nations that are considered to be 3rd party partners, however, this protection does not apply. “We can, and often do, target the signals of most 3rd party foreign partners,” the NSA boasts in an internal presentation.
According to the listing, Germany is among the countries that are the focus of surveillance. Thus, the documents confirm what had already been suspected for some time in government circles in Berlin — that the US intelligence service, with approval from the White House, is spying on the Germans — possibly right up to the level of the chancellor. So it comes as little surprise that the US has used every trick in the book to spy on the Washington offices of the European Union, as one document viewed by SPIEGEL indicates.
But the new aspect of the revelations isn’t that countries are trying to spy on each other, eavesdropping on ministers and conducting economic espionage. What is most important about the documents is that they reveal the possibility of the absolute surveillance of a country’s people and foreign citizens without any kind of effective controls or supervision. Among the intelligence agencies in the Western world, there appears to be a division of duties and at times extensive cooperation. And it appears that the principle that foreign intelligence agencies do not monitor the citizens of their own country, or that they only do so on the basis of individual court decisions, is obsolete in this world of globalized communication and surveillance. Britain’s GCHQ intelligence agency can spy on anyone but British nationals, the NSA can conduct surveillance on anyone but Americans, and Germany’s BND foreign intelligence agency can spy on anyone but Germans. That’s how a matrix is created of boundless surveillance in which each partner aids in a division of roles.
The documents show that, in this situation, the services did what is not only obvious, but also anchored in German law: They exchanged information. And they worked together extensively. That applies to the British and the Americans, but also to the BND, which assists the NSA in its Internet surveillance.
Unimaginable Dimensions
SPIEGEL has decided not to publish details it has seen about secret operations that could endanger the lives of NSA workers. Nor is it publishing the related internal code words. However, this does not apply to information about the general surveillance of communications. They don’t endanger any human lives — they simply describe a system whose dimensions go beyond the imaginable. This kind of global debate is actually precisely what Snowden intended and what motivated his breach of secrecy. “The public needs to decide whether these policies are right or wrong,” he says.
The facts, which are now a part of the public record thanks to Snowden, disprove the White House’s line of defense up until now, which has been that the surveillance is necessary to prevent terrorist attacks, as President Barack Obama said during his recent visit to Berlin. NSA chief Alexander has sought to justify himself by saying that the NSA has prevented 10 terrorist attacks in the United States alone. Globally, he says that 50 terrorist plots have been foiled with the NSA’s help. That may be true, but it is difficult to verify and at best only part of the truth.
Research in Berlin, Brussels and Washington, as well as the documents that have been reviewed by the journalists at this publication, reveal how overreaching the US surveillance has been.
Germany, for its part, has a central role in this global spying system. As the Guardian newspaper, which is working together with Snowden, recently revealed, the NSA has developed a program for the incoming streams of data called “Boundless Informant.” The program is intended to process connection data from all incoming telephone calls in “near real time,” as one document states. It doesn’t record the contents of the call, just the metadata — in other words, the phone numbers involved in the communication.
It is precisely the kind of data retention that has been the subject of bitter debate in Germany for years. In 2010, the Federal Constitutional Court in Karlsruhe even banned the practice.
“Boundless Informant” produces heat maps of countries in which the data collected by the NSA originates. The most closely monitored regions are located in the Middle East, followed by Afghanistan, Iran and Pakistan. The latter two are marked in red on the NSA’s map of the world. Germany, the only country in Europe on the map, is shown in yellow, a sign of considerable spying.
Spying on the European Union
An NSA table (see graphic), published for the first time here by SPIEGEL, documents the massive amount of information captured from the monitored data traffic. According to the graph, on an average day last December, the agency gathered metadata from some 15 million telephone connections and 10 million Internet datasets. On Dec. 24, it collected data on around 13 million phone calls and about half as many Internet connections.
On the busiest days, such as Jan. 7 of this year, the information gathered spiked to nearly 60 million communications processes under surveillance. The Americans are collecting metadata from up to half a billion communications a month in Germany — making the country one of the biggest sources of streams of information flowing into the agency’s gigantic sea of data.
Another look at the NSA’s data hoard shows how much less information the NSA is taking from countries like France and Italy. In the same period, the agency recorded data from an average of around 2 million connections, and about 7 million on Christmas Eve. In Poland, which is also under surveillance, the numbers varied between 2 million and 4 million in the first three weeks of December.
But the NSA’s work has little to do with classic eavesdropping. Instead, it’s closer to a complete structural acquisition of data. Believing that less can be extrapolated from such metadata than from intercepted communication content would be a mistake, though. It’s a gold mine for investigators, because it shows not only contact networks, but also enables the creation of movement profiles and even predictions about the possible behavior of the people participating in the communication under surveillance.
According to insiders familiar with the German portion of the NSA program, the main interest is in a number of large Internet hubs in western and southern Germany. The secret NSA documents show that Frankfurt plays an important role in the global network, and the city is named as a central base in the country. From there, the NSA has access to Internet connections that run not only to countries like Mali or Syria, but also to ones in Eastern Europe. Much suggests that the NSA gathers this data partly with and without Germany’s knowledge, although the individual settings by which the data is filtered and sorted have apparently been discussed. By comparison, the “Garlick” system, with which the NSA monitored satellite communication out of the Bavarian town of Bad Aibling for years, seems modest. The NSA listening station at Bad Aibling was at the center of the German debate over America’s controversial Echelon program and alleged industrial espionage during the 1990s.
“The US relationship with Germany has been about as close as you can get,” American journalist and NSA expert James Bamford recently told German weekly Die Zeit. “We probably put more listening posts in Germany than anyplace because of its proximity to the Soviet Union.”
Such foreign partnerships, one document states, provide “unique target access.”
‘Privacy of Telecommunications’ Is ‘Inviolable’
But the US does not share the results of the surveillance with all of these foreign partners, the document continues. In many cases, equipment and technical support are offered in exchange for the signals accessed. Often the agency will offer equipment, training and technical support to gain access to its desired targets. These “arrangements” are typically bilateral and made outside of any military and civil relationships the US might have with these countries, one top secret document shows. This international division of labor seems to violate Article 10 of Germany’s constitution, the Basic Law, which guarantees that “the privacy of correspondence, posts and telecommunications shall be inviolable” and can only be suspended in narrowly defined exceptions.
“Any analyst can target anyone anytime,” Edward Snowden said in his video interview, and that includes a federal judge or the president, if an email address is available, he added.
Just how unscrupulously the US government allows its intelligence agencies to act is documented by a number of surveillance operations that targeted the European Union in Brussels and Washington, for which it has now become clear that the NSA was responsible.
A little over five years ago, security experts discovered that a number of odd, aborted phone calls had been made around a certain extension within the Justus Lipsius building, the headquarters of the European Council, the powerful body representing the leaders of the EU’s 27 member states. The calls were all made to numbers close to the one used as the remote servicing line of the Siemens telephone system used in the building. Officials in Brussels asked the question: How likely is it that a technician or service computer would narrowly misdial the service extension a number of times? They traced the origin of the calls — and were greatly surprised by what they found. It had come from a connection just a few kilometers away in the direction of the Brussels airport, in the suburb of Evere, where NATO headquarters is located.
The EU security experts managed to pinpoint the line’s exact location — a building complex separated from the rest of the headquarters. From the street, it looks like a flat-roofed building with a brick facade and a large antenna on top. The structure is separated from the street by a high fence and a privacy shield, with security cameras placed all around. NATO telecommunications experts — and a whole troop of NSA agents — work inside. Within the intelligence community, this place is known as a sort of European headquarters for the NSA.
A review of calls made to the remote servicing line showed that it was reached several times from exactly this NATO complex — with potentially serious consequences. Every EU member state has rooms at the Justus Lipsius building for use by ministers, complete with telephone and Internet connections.
Unscrupulous in Washington
The NSA appears to be even more unscrupulous on its home turf. The EU’s diplomatic delegation to the United States is located in an elegant office building on Washington’s K Street. But the EU’s diplomatic protection apparently doesn’t apply in this case. As parts of one NSA document seen by SPIEGEL indicate, the NSA not only bugged the building, but also infiltrated its internal computer network. The same goes for the EU mission at the United Nations in New York. The Europeans are a “location target,” a document from Sept. 2010 states. Requests to discuss these matters with both the NSA and the White House went unanswered.
Now a high-level commission of experts, agreed upon by European Justice Commissioner Viviane Reding and US Attorney General Eric Holder, is to determine the full scope of the routine data snooping and discuss the legal protection possibilities for EU citizens. A final report is expected to be released in October.
The extent of the NSA’s systematic global surveillance network is highlighted in an overview from Fort Meade, the agency’s headquarters. It describes a number of secret operations involving the surveillance of Internet and international data traffic. “In the Information Age, (the) NSA aggressively exploits foreign signals traveling complex global networks,” an internal description states.
Details in a further, previously unpublished document reveal exactly what takes place there. It describes how the NSA received access to an entire bundle of fiber-optic cables, which have a data-transfer capacity of several gigabytes per second. It is one of the Internet’s larger superhighways. The paper indicates that access to the cables is a relatively recent development and includes Internet backbone circuits, “including several that service the Russian market.” Technicians in Fort Meade are able to access “thousands of trunk groups connected worldwide,” according to the document. In a further operation, the intelligence organization is able to monitor a cable that collects data flows from the Middle East, Europe, South America and Asia (see graphic).
But it is not just intelligence agencies from allied nations that have willingly aided the NSA. Revelations related to the Prism program make it clear that agents likewise access vast quantities of data from US Internet companies.
NSA ‘Alliances With Over 80 Major Global Corporations’
Heads of these companies have vociferously denied that the NSA has direct access to their data. But it would seem that, outside of the Prism program, dozens of companies have willingly worked together with the US intelligence agency.
According to the documents seen by SPIEGEL, a particularly valuable partner is a company which is active in the US and has access to information that crisscrosses America. At the same time, this company, by virtue of its contacts, offers “unique access to other telecoms and (Internet service providers).” The company is “aggressively involved in shaping traffic to run signals of interest past our monitors,” according to a secret NSA document. The cooperation has existed since 1985, the documents say.
Apparently, it’s not an isolated case, either. A further document clearly demonstrates the compliance of a number of different companies. There are “alliances with over 80 major global corporations supporting both missions,” according to a paper that is marked top secret. In NSA jargon, “both missions” refers to defending networks in the US, on the one hand, and monitoring networks abroad, on the other. The companies involved include telecommunications firms, producers of network infrastructure, software companies and security firms.
Such cooperation is an extremely delicate issue for the companies involved. Many have promised their customers data confidentiality in their terms and conditions. Furthermore, they are obliged to follow the laws of the countries in which they do business. As such, their cooperation deals with the NSA are top secret. Even in internal NSA documents, they are only referred to using code names.
“There has long been a very close and very secret relationship between a number of telecoms and the NSA,” Bamford, the expert on the NSA, told Die Zeit. “Every time it gets discovered it stops for a while and then starts up again.”
The importance of this rather peculiar form of public-private partnership was recently made clear by General Alexander, the NSA chief. At a technology symposium in a Washington, DC, suburb in May, he said that industry and government must work closely together. “As great as we have it up there, we cannot do it without your help,” he said. “You know, we can’t do our mission without the great help of all the great people here.” If one believes the documents, several experts were sitting in the audience from companies that had reached a cooperation deal with the NSA.
In the coming weeks, details relating to the collaboration between Germany’s BND and the NSA will be the focus of a parliamentary investigative committee in Berlin responsible for monitoring the intelligence services. The German government has sent letters to the US requesting additional information. The questions that need to be addressed are serious. Can a sovereign state tolerate a situation in which half a billion pieces of data are stolen on its territory each month from a foreign country? And can this be done especially when this country has identified the sovereign state as a “3rd party foreign partner” and, as such, one that can be spied on at any time, as has now become clear?
So far, the German government has made nothing more than polite inquiries. But facts that have now come to light will certainly increase pressure on Chancellor Angela Merkel and her government. Elections, after all, are only three months away, and Germans — as Merkel well knows — are particularly sensitive when it comes to data privacy.
The NSA’s Library of Babel
In a story written by the blind writer Jorge Luis Borges, the Library of Babel is introduced as perhaps the most secretive of all labyrinths: a universe full of bookshelves connected by a spiral staircase that has no beginning and no end. Those inside wander through the library looking for the book of books. They grow old inside without ever finding it.
If an actual building could really approach this imaginary library, it is the structure currently being erected in the Utah mountains near the city of Bluffdale. There, on Redwood Road, stands a sign with black letters on a white background next to a freshly paved road. Restricted area, no access, it reads. In Defense Department documents, form No. 1391, page 134, the buildings behind the sign are given the project No. 21078. It refers to the Utah Data Center, four huge warehouses full of servers costing a total of €1.2 billion ($1.56 billion).
Built by a total of 11,000 workers, the facility is to serve as a storage center for everything that is captured in the US data dragnet. It has a capacity that will soon have to be measured in yottabytes, which is 1 trillion terabytes or a quadrillion gigabytes. Standard external hard drives sold in stores have a capacity of about 1 terabyte. Fifteen such hard drives could store the entire contents of the Library of Congress.
The man who first made information about the Utah center public, and who likely knows the most about the NSA, is James Bamford. He says: “The NSA is the largest, most expensive and most powerful intelligence agency in the world.”
Since the 9/11 terror attacks, the NSA’s workforce has steadily grown and its budget has constantly increased. SPIEGEL was able to see confidential figures relating to the NSA that come from Snowden’s documents, though the statistics are from 2006. In that year, 15,986 members of the military and 19,335 civilians worked for the NSA, which had an annual budget of $6.115 billion. These numbers and more recent statistics are officially confidential.
In other words, there is a good reason why NSA head Keith Alexander is called “Emperor Alexander.” “Keith gets whatever he wants,” says Bamford.
Still, Bamford doesn’t believe that the NSA completely fulfills the mission it has been tasked with. “I’ve seen no indications that NSA’s vastly expanded surveillance has prevented any terrorist activities,” he says. There is, however, one thing that the NSA managed to predict with perfect accuracy: where the greatest danger to its secrecy lies. In internal documents, the agency identifies terrorists and hackers as being particularly threatening. Even more dangerous, however, the documents say, is if an insider decides to blow the whistle.
An insider like Edward Joseph Snowden.
07/01/2013 11:11 AM
By Laura Poitras, Marcel Rosenbach, Fidelius Schmid, Holger Stark and Jonathan Stock
Find this story at 1 July 2013
© SPIEGEL ONLINE 2013
NSA Accused of Spying on EU; President of the European Parliament demands “Full Clarification” From the U.S.
10 July 2013
BRUSSELS—Senior European politicians demanded explanations from Washington of allegations that the National Security Agency spied on European Union institutions, risking a corrosion of trust as the EU and U.S. embark on negotiations over a free-trade accord.
The German weekly magazine Der Spiegel reported over the weekend that the U.S. placed listening devices in EU offices in Washington, infiltrated computers there and electronically spied on EU bodies elsewhere. It cited secret documents obtained by former NSA contractor Edward Snowden as the basis for its report.
The allegations come at a sensitive time. The EU in June gave the go-ahead for the start of trade negotiations with the U.S., which are likely to start soon. Though the talks are expected to take at least two years, the European Parliament, where many lawmakers are highly sensitive to privacy issues, will need to approve any accord.
“Partners do not spy on each other,” EU Justice Commissioner Viviane Reding said at a public forum in Luxembourg. “We cannot negotiate over a big trans-Atlantic market if there is the slightest doubt that our partners are carrying out spying activities on the offices of our negotiators. The American authorities should eliminate any such doubt swiftly.”
French Foreign Minister Laurent Fabius said his country had formally requested clarification from Washington. “These facts, if confirmed, would be absolutely unacceptable,” he said.
Germany’s Justice Ministry also called for the U.S. to clarify the matter, and for European Commission President José Manuel Barroso to act. “If the media reports are true, it’s reminiscent of the approaches of enemies during the Cold War. It’s beyond any stretch of the imagination that our friends in the U.S.A. see the Europeans as enemies,” German Justice Minister Sabine Leutheusser-Schnarrenberger said in a statement.
“Comprehensive spying by the Americans on Europeans cannot be allowed,” she said, adding that it is unlikely the U.S. could justify bugging European diplomacy offices as part of the global fight on terrorism.
The European External Action Service, the foreign policy arm of the EU whose premises were an alleged target of U.S. surveillance, said the issue “is clearly a matter of concern.” It said the U.S. authorities “have told us they are checking on the accuracy of the information…and will come back to us as soon as possible.”
The U.S. Office of the Director of National Intelligence said the U.S. is responding to the European Union privately about the allegations.
The U.S. “will respond appropriately to the European Union through our diplomatic channels,” the office said. “We will also discuss these issues bilaterally with EU member states.”
The office’s statement didn’t address the specific allegations but said, “We have made clear that the United States gathers foreign intelligence of the type gathered by all nations.”
In a separate report Sunday, the Guardian newspaper in Britain said an NSA document lists 38 embassies and missions as “targets” for the agency’s spying, among them the French, Italian and Greek embassies. The article cited information leaked by Mr. Snowden as its source.
The allegations are the latest to emerge in U.S. and European media about surveillance activities by the U.S. and its closest allies based on Mr. Snowden’s disclosures. Mr. Snowden is at a Moscow airport, arriving there from Hong Kong in a bid to travel to Ecuador, where he has applied for political asylum.
The lead author of Der Spiegel’s report was Laura Poitras, an American documentary filmmaker who created a video interview with Mr. Snowden, distributed online, in which he described why he released information from some of the NSA documents.
Ms. Poitras also was co-author of an article in the Washington Post, based on Mr. Snowden’s leaks, about an NSA program to gain access to U.S. Internet companies’ computers in an effort to track online activities of foreigners suspected in terrorist activity.
Julian Assange, founder of the antisecrecy site WikiLeaks, said Sunday there would be no halting future disclosures from Mr. Snowden. “Look, there is no stopping the publishing process at this stage. Great care has been taken to make sure that Mr. Snowden can’t be pressured by any state to stop the publication process,” he said in an interview with the ABC network from the Ecuadorean embassy in London, where he is seeking refuge.
According to intelligence specialists, the activities alleged in Der Spiegel’s report are similar to previously reported spying efforts among friendly countries. While allies have no intention of attacking one another, they seek information on decision-making within each other’s governments, and as a way to tell whether those governments might be spying on them.
The NSA raised concerns in 2006 about the merger of French-owned phone-equipment company Alcatel with U.S.-based Lucent because U.S. officials feared the deal would provide the French extraordinary access to U.S. telecommunications systems.
The NSA raised similar issues more recently over Chinese telecom-gear company Huawei Technologies’ efforts to expand in the U.S.
The president of the European Parliament, Martin Schulz, said in a statement he was “deeply worried and shocked about the allegations of U.S. authorities spying on EU offices.”
The statement added: “If the allegations prove to be true, it would be an extremely serious matter which will have a severe impact on EU-U.S. relations…on behalf of the European Parliament, I demand full clarification and require further information speedily from the U.S. authorities with regard to these allegations.”
A spokesman for the German Foreign Ministry declined to comment on the allegations.
According to Der Spiegel, an NSA document dated September 2010 showed that the Washington embassy of the European Union was bugged and its computer network infiltrated. Similar measures were taken at the European mission to the United Nations in New York. The document described the Europeans as “targets.”
In addition, the U.S. bugged EU conversations in Brussels, spying on the Justus Lipsius building, headquarters of the Council of the European Union, according to the report.
The magazine reported that the NSA saves information on about a half billion phone or Internet connections from Germany every year through its “Boundless Informant” program.
Only a few countries labeled as close friends by the NSA are largely exempt from its monitoring: the U.K., Australia, Canada and New Zealand, the magazine said. An additional 30 countries are classified as “third party,” with an internal NSA presentation saying the agency is able to intercept signals from these countries and often does, Der Spiegel reported.
The controversy over the new allegations is reminiscent of the furor ignited in Europe in 2000 by disclosures about the NSA’s so-called Echelon project, which included commercial organizations among its alleged targets, prompting an investigation and report from the European Parliament.
The report drew a distinction between spying for national-security reasons and for commercial advantage, saying the latter could breach EU law.
European lawmakers have also expressed disquiet about the sharing of European financial data with U.S. authorities.
The reports about the NSA’s alleged activities already have prompted Ms. Reding, the EU justice commissioner, to organize, together with U.S. Attorney General Eric Holder, a panel of experts to find out how much data about Europeans was shared.
—Stacy Meichtry in Paris and Siobhan Gorman in Washington contributed to this article.
Write to Stephen Fidler at stephen.fidler@wsj.com, Frances Robinson at frances.robinson@dowjones.com and Laura Stevens at laura.stevens@wsj.com
A version of this article appeared July 1, 2013, on page A4 in the U.S. edition of The Wall Street Journal, with the headline: Officials Slam Alleged NSA Spying on the EU.
Updated June 30, 2013, 7:26 p.m. ET
By STEPHEN FIDLER, FRANCES ROBINSON and LAURA STEVENS
Find this story at 30 June 2013
Copyright 2012 Dow Jones & Company, Inc.
New NSA leaks show how US is bugging its European allies
10 July 2013
Exclusive: Edward Snowden papers reveal 38 targets including EU, France and Italy
Berlin accuses Washington of cold war tactics
US intelligence services are spying on the European Union mission in New York and its embassy in Washington, according to the latest top secret US National Security Agency documents leaked by the whistleblower Edward Snowden.
One document lists 38 embassies and missions, describing them as “targets”. It details an extraordinary range of spying methods used against each target, from bugs implanted in electronic communications gear to taps into cables to the collection of transmissions with specialised antennae.
Along with traditional ideological adversaries and sensitive Middle Eastern countries, the list of targets includes the EU missions and the French, Italian and Greek embassies, as well as a number of other American allies, including Japan, Mexico, South Korea, India and Turkey. The list in the September 2010 document does not mention the UK, Germany or other western European states.
One of the bugging methods mentioned is codenamed Dropmire, which, according to a 2007 document, is “implanted on the Cryptofax at the EU embassy, DC” – an apparent reference to a bug placed in a commercially available encrypted fax machine used at the mission. The NSA documents note the machine is used to send cables back to foreign affairs ministries in European capitals.
The documents suggest the aim of the bugging exercise against the EU embassy in central Washington is to gather inside knowledge of policy disagreements on global issues and other rifts between member states.
The new revelations come at a time when there is already considerable anger across the EU over earlier evidence provided by Snowden of NSA eavesdropping on America’s European allies.
Germany’s justice minister, Sabine Leutheusser-Schnarrenberger, demanded an explanation from Washington, saying that if confirmed, US behaviour “was reminiscent of the actions of enemies during the cold war”.
The German magazine Der Spiegel reported at the weekend that some of the bugging operations in Brussels targeting the EU’s Justus Lipsius building – a venue for summit and ministerial meetings in the Belgian capital – were directed from within Nato headquarters nearby.
The US intelligence service codename for the bugging operation targeting the EU mission at the United Nations is “Perdido”. Among the documents leaked by Snowden is a floor plan of the mission in midtown Manhattan. The methods used against the mission include the collection of data transmitted by implants, or bugs, placed inside electronic devices, and another covert operation that appears to provide a copy of everything on a targeted computer’s hard drive.
The eavesdropping on the EU delegation to the US, on K Street in Washington, involved three different operations targeted on the embassy’s 90 staff. Two were electronic implants and one involved the use of antennas to collect transmissions.
Although the latest documents are part of an NSA haul leaked by Snowden, it is not clear in each case whether the surveillance was being exclusively done by the NSA – which is most probable as the embassies and missions are technically overseas – or by the FBI or the CIA, or a combination of them. The 2010 document describes the operation as “close access domestic collection”.
The operation against the French mission to the UN had the covername “Blackfoot” and the one against its embassy in Washington was “Wabash”. The Italian embassy in Washington was known to the NSA as both “Bruneau” and “Hemlock”.
The eavesdropping of the Greek UN mission was known as “Powell” and the operation against its embassy was referred to as “Klondyke”.
Snowden, the 30-year-old former NSA contractor and computer analyst whose leaks have ignited a global row over the extent of US and UK electronic surveillance, fled from his secret bolthole in Hong Kong a week ago. His plan seems to have been to travel to Ecuador via Moscow, but he is in limbo at Moscow airport after his US passport was cancelled, and without any official travel documents issued from any other country.
Ewen MacAskill in Rio de Janeiro and Julian Borger
The Guardian, Sunday 30 June 2013 21.28 BST
Find this story at 30 June 2013
© 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.