29 November 2014

Report: GCHQ Not Able to Process Much of the Data It Intercepts Off the Internet

James Temperton
November 26, 2014

GCHQ has more data than it can handle — but UK gov ‘needs more’

GCHQ has direct access to “major internet cables” and has systems to monitor communications as they “traverse the internet” an official government report has revealed. The spy agency, which has been heavily criticised in the wake of the Snowden leaks, also admits that it has more data than it can handle. Despite these capabilities the government is being urged to massively expand its surveillance powers.

The details come from the Intelligence Security Committee’s inquiry (PDF) into the murder of the fusilier Lee Rigby by Michael Adebolajo and Michael Adebowale in Woolwich, London in 2013. While crucial details have been redacted for security reasons, the report still reveals the scale of the surveillance powers at GCHQ’s disposal.

"Detailing GCHQ’s capabilities it notes that the spy agency has access to around "*** percent of global internet traffic"

Detailing GCHQ’s capabilities it notes that the spy agency has access to around “*** percent of global internet traffic and approximately *** percent of internet traffic entering or leaving the UK”. Despite the redactions the report does reveal that GCHQ is currently overwhelmed by the amount of data it has to process:

"The resources required to process the vast quantity of data involved mean that, at any one time, GCHQ can only process approximately *** of what they can access."

The inquiry, which was set up to investigate what could have prevented Rigby’s murder, clears both M15 and M16 of any fault. It reveals that both Adebolajo and Adebowale were known to British security agencies, but that no action was taken. As both men were seen as low priority targets they were not subject to any specialist surveillance by GCHQ or any other agency.

The committee was far more damning in its assessment of an as-yet-unnamed US internet company. In December 2012 an exchange between Adebowale and an individual overseas revealed his intention to murder a soldier. The exchange was not seen by UK security services until after the attack. The report intimates that all overseas internet companies risk becoming a “safe haven for terrorists”.

"This company does not appear to regard itself as under any obligation to ensure that its systems identify such exchanges, or to take action or notify the authorities when its communications services appear to be used by terrorists."


GCHQ in Cheltenham, Gloucestershire

The report also lays bare gaping holes in the government’s ability to access communications data stored by companies outside the UK. With the likes of Facebook, Google and Twitter based in the US the government openly admits that the Regulation of Investigatory Powers Act 2000 (Ripa) is effectively useless. US companies complying with Ripa requests would also be in breach of the Wiretap Act for lawful interception.

US companies will only hand over customer data when presented with a valid US search warrant and do not recognise the government’s assertion that Ripa has implied jurisdiction overseas. Furthermore the US government will only accept requests from the UK to issue such search warrants when there is a clear and immediate threat to life.

"As the report admits, ‘lone wolf attacks’ are almost impossible to predict."

Jim Killock, Open Rights Group

The committee also expresses frustration at how major US technology companies fail to spot and report terrorist activity taking place on their networks. The committee explains that as Facebook, Google and Twitter don’t have systems in place to monitor their networks for communications between terrorists such chatter is “unlikely to be discovered”.

"The considerable difficulty that the Agencies face in accessing the content of online communications, both in the UK and overseas, from providers which are based in the US — such as Apple, Facebook, Google, Microsoft, Twitter and Yahoo — is therefore of great concern," the report states.

It calls on the US and UK to agree a “procedure” whereby communications held by either country could be accessed. But critics have called for restraint and argued that an expansion of current surveillance powers is not the answer:

"When the intelligence services are gathering data about everyone of us but failing to act on intelligence about individuals, they need to get back to basics, and look at the way they conduct targeted investigations," said Jim Killock, executive director of online privacy advocates the Open Rights Group.

"The committee is particularly misleading when it implies that US companies do not cooperate, and it is quite extraordinary to demand that companies pro-actively monitor email content for suspicious material. Internet companies cannot and must not become an arm of the surveillance state.

"As the report admits, ‘lone wolf attacks’ are almost impossible to predict — and therefore difficult to prevent. The security services should focus their efforts on the targeted surveillance of individuals like Michael Adebolajo rather than continuing to monitor every citizen in the UK."

No comments: