#Miranda: Where is the UK Government getting its numbers from?
by Naomi Colvin
A few days ago I blogged on hints Glenn Greenwald made about witness testimony the UK Government was due to give in court about its grounds for continuing examination of electronic material confiscated from David Miranda.
In that blog, I suggested that if the UK Government really had only managed to decrypt “something like 75 documents”, it cast their assertions about the number of documents Miranda was carrying in a rather different light. Many news organisations have taken the “58,000 documents” figure as fact. But what is it really based on?
The court hearing took place yesterday afternoon and, at its conclusion, Government lawyers released the testimony of Oliver Robbins, a senior civil servant who has held intelligence-related positions in the Cabinet Office under the present and last governments. His is the securocrat’s voice par excellence.
At the outset, it should be noted that Robbins’ testimony isn’t the court filing Greenwald was referring to in the comment that prompted my last blog. That, it transpires, was a separate statement by Detective Superintendent Caroline Goode, from the Metropolitan Police’s Counter-Terrorism Command. Goode’s statement has not been released in full, but sections from it have been reported in the press. The fullest account of Goode’s statement, from which many of the others are drawn, is this Reuters piece.
Let’s look at what we know of Goode’s reported statement first.
Caroline Goode’s evidence
Use of TrueCrypt
Detective Superintendent Goode said that the information on the external hard drive was encrypted by a system called “True Crypt [sic],” which she said “renders the material extremely difficult to access.”
This is useful information. First of all, note the use of the word “access” to mean “access in readable form” and that Goode’s comments relate to just one of the devices taken from Miranda.
TrueCrypt is widely used encryption software that is free to use and download; many of those reading this blog will be familiar with its features. For those who aren’t, the TrueCrypt homepage describes what this software does (I’ve preserved the hyperlinks to more detailed resources on the TrueCrypt website for those who want to read further):
Main features:
- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire partition or storage device such as USB flash drive or hard drive.
- Encrypts a partition or drive where Windows is installed (pre-boot authentication).
- (…)
- Provides plausible deniability, in case an adversary forces you to reveal the password: Hidden volume (steganography) and hidden operating system.
Knowing what TrueCrypt does is useful because it gives us a good basis on which to assess the validity of subsequent statements. Note that TrueCrypt encrypts entire hard drives, or portions of them, rather than individual files. An area of a hard drive that has been encrypted with TrueCrypt is very much like a container you can drop files into. You need a password to open the container before you can access the files within it. This container is often called a TrueCrypt file but it can also be called a TrueCrypt volume.
60 GB of data and only a third of it “accessed”
Goode said the hard drive contained around 60 gigabytes of data, “of which only 20 have been accessed to date.” She said that she had been advised that the hard drive contains “approximately 58,000 UK documents which are highly classified in nature, to the highest level.”
Note first of all that Goode is still discussing only one of David Miranda’s electronic devices – an external hard drive. She then notes that only a 20GB portion of that external hard drive has been “accessed” – which either means that the remaining 40GB of data is inaccessible (presumably because it is contained within one or more encrypted TrueCrypt volumes), or that the police simply haven’t got around to examining it. Given that Goode’s colleagues have now had access to that external hard drive for nearly two weeks, the former possibility is presumably the more likely of the two.
Incidentally, there is nothing in Goode’s statement to say that we’re dealing with a 60GB hard drive. The external hard drive could just as well be one of larger capacity holding only 60GB of data.
Finally, Goode “has been advised” about what the hard drive as a whole contains. This is not knowledge that she has determined herself, independently, from access to those 20GB of data. It seems odd that Goode’s reported statement about the content of the drive, including the 40GB of data she has not been able to “access”, does not rely to any extent on the 20GB she has.
“Only 75 documents have been reconstructed”
Goode said the process to decode the material was complex and that “so far only 75 documents have been reconstructed since the property was initially received.”
This is the statement that Glenn hinted at earlier this week.
“Reconstructed” is a strange word for Goode to use. The most natural interpretation is to see “reconstructed” as a synonym for “decrypted” or “put into a form that can be read”, although this doesn’t really fit in with the idea of a “complex” process. They may not have the technical nous of Edward Snowden, but I assume that Counter Terrorism Command are familiar with the process of mounting an encrypted TrueCrypt volume and typing in a password.
So what else could Goode mean here? It’s easy to exclude a few possibilities: even if the Met and GCHQ were trying very hard to open an encrypted volume by brute force, they wouldn’t be able to individually decrypt the files within it one by one.
What Goode could mean is that analysts have been able to recover deleted files from unallocated space on the hard drive (space that isn’t being used for data now, but may have been in the past). That, at least, is more of a fit for the idea of a “complex process.”
Let’s leave the vagueness about where the files came from to one side for the moment. Are there any other insights we can draw from Goode’s statement?
The first thing to note is that 75 documents out of an estimated total of 58,000 is an absolutely tiny proportion. It is difficult to see how such a minute sample could give a true indication of the entire collection of material held unless one or more of those decrypted files served as a kind of index to the whole. Indeed, if the files have been reconstructed from unallocated space – meaning they had previously been deleted – then they may tell you even less about what is currently on the drive.
There’s a further ambiguity when Goode talks about “the property” – is she referring to the external hard drive here, or Miranda’s confiscated belongings as a whole? If the latter is the case, then it is by no means certain that the “accessed” 20GB portion of the external hard drive contains any documents at all – those 75 could have been obtained from elsewhere.
If we take the opposing view and suppose that Goode’s “the property” means only the external hard drive discussed previously, then those 75 documents came from the “accessible” 20GB portion of the external hard drive or were recovered from unallocated space. Caroline Goode’s evidence could just as easily mean one of these scenarios as the other: it is remarkable for the range of possibilities it does not exclude.
Summary of Caroline Goode’s evidence
Caroline Goode’s evidence suggests that David Miranda’s hard drive contains a TrueCrypt volume or volumes of a total size of 40GB that UK police have no access to. The 20GB encrypted portion of Miranda’s external hard drive that the police have been able to access contains, at most, 75 files. It is possible that some – or even all – of those files came from other devices, or from unallocated space on the same device.
Goode’s statements about the remainder of the documents do not seem to be based on insights gained from the 75. This would tend to support Glenn Greenwald’s assertion that UK police have not been able to access anything sensitive. It certainly does not clarify how the total figure of 58,000 documents the Home Office has asserted is on Miranda’s external hard drive has been arrived at.
Oliver Robbins’ evidence
What follows is a close analysis of Oliver Robbins’ testimony – and I do think it deserves to be looked at very closely indeed. There is much in Robbins’ statement that deserves detailed analysis but, for the purposes of this blog post, I will restrict my attention to Robbins’ comments on the UK Government’s access to, and analysis of, the Miranda data.
Indefinite room for ambiguity.
[in justifying why the Government needs “continuing access” to the material seized from Miranda] … no information that has so far been analysed by Her Majesty’s Government (“HMG”) has identified a journalist source or has contained any items prepared by a journalist with a view to publication. The information that has been accessed consists entirely of misappropriated material in the form of approximately 58,000 highly classified intelligence documents. [para 6]
The first thing to note here is that Robbins’ use of the word “accessed” is different from Goode’s. As we saw above, when Goode talks about data “accessed” she means data that can be accessed in readable form. Robbins’ use of the word is broader because his witness statement is making an argument about the Government’s need for “continuing access” [para 5] to all the material seized from Miranda, including that which has not been decrypted. Robbins’ use of “access” therefore more closely corresponds to the idea of physical access to the devices themselves. This is confusing.
Robbins goes on to talk about a subset of the information that has been “analysed.” We are not told whether this means analysis of encrypted information, but given that he goes on to make statements as to the content of this information, it is likely to be the case that this information can be read in some form. What Robbins says about this analysed material is that none of it “has identified a journalist source” and neither does it contain “items prepared by a journalist with a view to publication.”
Of course, Robbins’ purpose here is to reject the idea that the Miranda material contains anything that should be withheld from examination, but it’s worth noting that the category of data which meets those two stipulations of his is quite a wide one: it includes shopping lists, YouTube videos of cats and many other items of limited relevance to national security.
What Robbins says next is interesting: he moves straight from a limited description of a small subset of data to make a claim about the entirety of the Miranda material (“that has been accessed”). Putting to one side for the moment the ambiguity about whether Robbins is really talking about Goode’s external hard drive here or the Miranda devices in total, it is not at all clear on what he is basing this rather striking claim.
Let’s think about this situation in a different context. Imagine if you had a bookcase that, apart from a couple of volumes, consisted only of books with unopened pages. What Robbins says would be like asserting that all the books in the bookcase are illustrated, purely on the basis that, of the two books you can examine without a penknife, neither was printed in London or inscribed with the owner’s name. It is certainly a claim that can be made, but not one that deserves to be taken particularly seriously.
Wait, so it’s not your assertion after all?
I am advised that the data recovered from the claimant is almost certain to contain some of the material passed by Mr Snowden to Ms Poitras and Mr Greenwald. Much of the material is encrypted. However, among the unencrypted documents recovered from the claimant was a piece of paper that included the password for decrypting one of the encrypted files on the external hard drive recovered from the claimant. I have been briefed that the authorities have therefore been able to examine the data contained in this file. They have been able to determine that the external hard drive contains approximately 58,000 highly classified UK intelligence documents. Work continues to access the content of the other files on the hard drive and the USB sticks. [para 13]
There’s a lot in this paragraph, so let’s take it line by line. The first sentence seems to answer the question posed in the previous section: Robbins’ assertion about the content of the Miranda data is second hand after all (“I am advised”). It is also indefinite (“almost certain”) which seems to contradict the conclusive phrasing (“the data that has been accessed… consists entirely of”) of the previous paragraph.
Once again, this is confusing – so let’s try to resolve the contradiction. Is it possible that, when Robbins talks about “the data that has been accessed” in paragraph 6 he is slipping between the broad interpretation of the word “accessed” he has used in his previous sentences and the narrower sense – that of data that can be read and analysed – used by Caroline Goode? It’s much easier, after all, to be definite about the content of documents you’re able to read than ones you cannot.
I’m not sure this works either. Goode testified that the material “accessed” in the sense that it could be “analysed” amounted to a 20GB portion of an external hard drive, which may contain all, or maybe only some, of a total of 75 documents. To say this consists “entirely of misappropriated material in the form of approximately 58,000 highly classified intelligence documents” is just a nonsense. Robbins must therefore be using the word “accessed” in his usual sense and what he says is inconsistent with his previous paragraph.
Does the rest of paragraph 13 make things any clearer? Certainly, the next three sentences are straightforward. We know that “much of the information” carried by Miranda was encrypted and that Caroline Goode and her colleagues were able to decrypt one encrypted file on the external hard drive. By Goode’s own account, she and her colleagues were able to examine the data contained within this file. These sentences are consistent both with Robbins’ own statement and those of others.
What follows is much more troublesome. “They [the authorities] have been able to determine that the external hard drive contains approximately 58,000 highly classified UK intelligence documents.” The analysis of Goode’s statement shows that she and her colleagues could not derive the presence of “58,000… documents” from what she found – and she didn’t claim to have done.
But have I missed something here? Could it be that Robbins’ “they” isn’t referring to Goode and her police colleagues at all? Could he be referring to different “authorities” altogether? Might they be the same authorities who “advised” both Robbins and Goode of the “58,000 documents” figure and on whom both rely? I think that is likely and, although a casual reader may feel that the two sentences below bear a logical connection, in fact they do not:
I have been briefed that the authorities have therefore been able to examine the data contained in this file. They have been able to determine that the external hard drive contains approximately 58,000 highly classified UK intelligence documents.
In my opinion, this comes close to being a misleading statement. Oliver Robbins could equally well have expressed himself as follows:
I have been briefed that the authorities have therefore been able to examine the shopping lists and pictures of cats contained in this file. Independently of this, others have been able to determine that the external hard drive contains approximately 58,000 highly classified UK intelligence documents.
GCHQ’s assessment
And what of that troublesome “58,000… documents” claim? The source for Robbins’ second authority becomes clearer in his next paragraph:
On the basis of GCHQ assessments, the totality of UK intelligence documents that would potentially have been accessible to Mr Snowden while we was working at the NSA is consistent with the volume of documents which we know to be on the external hard drive. [para 14]
This appears to be the best candidate for what the “58,000 documents” figure is actually based on. But what does it amount to? Let’s turn to “the volume of documents which we know to be on the external hard drive” first.
What we know about the external hard drive is that it is divided into at least two encrypted files, one of 20GB which the police are able to access and a further encrypted file (maybe more than one) of 40GB size. Because the police have access to the decrypted 20GB file, they can make an assessment about the number of documents within it (a maximum of 75). All that can be said about the other file(s) is that they have a total size of 40GB.
An encrypted file’s size is not dependent on the amount of data it contains. A 10GB encrypted file could contain 10kb of data or 6GB of data – unless you can decrypt the file, you have no way of telling which is the case.
As such, GCHQ’s statement is almost meaningless. You could say that the maximum volume of documents an encrypted file could contain is 40GB – but that’s something you could say of any 40GB encrypted file. GCHQ’s assertion about “the volume of documents which we know to be on the external hard drive” appears to play on an ambiguity in the word volume (one can talk about a volume of documents, but it’s also a synonym for an encrypted file) in order to hide that it has no basis in fact.
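The point above, that the size of an encrypted container says nothing about how much data it holds, can be checked with a toy container. This is an added example, not code from the original post or from TrueCrypt: the layout, the names (`make_container`, `open_container`, `observer_view`) and the SHA-256 counter-mode keystream are assumptions standing in for a real volume format and cipher.

```python
import hashlib
import math
import os
import struct
from collections import Counter

CONTAINER_SIZE = 256 * 1024      # fixed when the container is created
SALT_LEN = 64                    # random salt stored in the clear
MAGIC = b"TRUE"                  # marker used to detect a wrong password
HEADER = struct.Struct(">4sQ")   # magic + payload length, both encrypted


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream, SHA-256(key || counter). A stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _derive_key(password: bytes, salt: bytes) -> bytes:
    # Low iteration count keeps the demo fast; not a recommended setting.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def make_container(password: bytes, payload: bytes, size: int = CONTAINER_SIZE) -> bytes:
    """Return a container of exactly `size` bytes, whatever the payload length."""
    body_len = size - SALT_LEN
    if HEADER.size + len(payload) > body_len:
        raise ValueError("payload does not fit in container")
    salt = os.urandom(SALT_LEN)
    plain = HEADER.pack(MAGIC, len(payload)) + payload
    plain += bytes(body_len - len(plain))  # unused space is encrypted as well
    return salt + _xor(plain, keystream(_derive_key(password, salt), body_len))


def open_container(password: bytes, container: bytes) -> bytes:
    """Decrypt and return the payload; only the key holder learns its length."""
    salt, body = container[:SALT_LEN], container[SALT_LEN:]
    plain = _xor(body, keystream(_derive_key(password, salt), len(body)))
    magic, length = HEADER.unpack_from(plain)
    if magic != MAGIC or length > len(plain) - HEADER.size:
        raise ValueError("wrong password or not a container")
    return plain[HEADER.size:HEADER.size + length]


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (8.0 is uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def observer_view(container: bytes) -> dict:
    """Everything someone without the password can measure."""
    return {
        "size": len(container),
        "entropy_bits_per_byte": round(shannon_entropy(container), 3),
    }


if __name__ == "__main__":
    # Constructed sample payloads: one tiny note, one large block of documents.
    nearly_empty = make_container(b"password-one", b"shopping list")
    nearly_full = make_container(b"password-two", b"D" * 250_000)
    print("nearly empty:", observer_view(nearly_empty))
    print("nearly full: ", observer_view(nearly_full))
    print("payload sizes:", len(open_container(b"password-one", nearly_empty)),
          len(open_container(b"password-two", nearly_full)))
```

Both containers report the same size and near-maximal entropy; the payload length only appears once the correct password is supplied.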
In essence, what GCHQ seems to be saying here is that what it assesses to be “the totality of UK intelligence documents… potentially accessible to Mr Snowden” would fit on a 40 GB hard drive. That logic, if applied widely, could lead to an awful lot of Schedule 7 detentions at our airports and it’s an assessment made entirely independently of the Miranda data.
So, where does that leave the “58,000 documents” figure? Nowhere good. It looks like nothing more than a worst-case scenario from GCHQ, based on guesswork but presented as indubitable fact.
Conclusion
Neither of the witness statements presented by the UK Government in Home Office v Miranda is adequately precise about the matters it raises. Cryptographers have developed a vocabulary that is adequate to expressing these subjects with clarity – when they talk about “plain text” and “cypher text”, others understand what they mean. In contrast, when Caroline Goode and Oliver Robbins use terms like “access” and “analysis” in their statements, there is significant ambiguity in what they mean. This ambiguity leaves real potential for confusion; it also presents unacceptable opportunities for others to be misled.
I am concerned by the extent of the ambiguity in the statements presented in Home Office v Miranda. The UK Government has represented itself in language that is so vague that it may not have a case at all, yet it has presented its case in the strongest way possible – and has been accepted as such, without much demur, in much of the media.
I think it’s worth taking a moment to reflect on this. If a group of witness statements took a similar approach to legal issues as these have to technical ones, if they had eschewed technical terms in favour of ambiguous natural language and took advantage of that fact to obfuscate as these have, I think those imaginary witness statements would have received a much more critical reception. I am concerned that our courtrooms and our newsrooms may not be equipped to cut through some of this confusion and dubious statements may be allowed to stand without receiving proper scrutiny. It is not difficult to see how parties could take advantage of this, if they wished to do so.
Disclaimer
While I know what TrueCrypt is, I am by no means a technical expert. My intention in this piece is to show how ambiguous the UK Government’s statements are, rather than put together a definitive account of what happened – I’m not sure that’s even possible on the evidence available.
The Q&As that follow below are an outlet for some of the fun speculative stuff I couldn’t justify putting in this post.
If there’s something you think I’ve got wrong in this piece, I’d be very interested to hear about it. Please email me or leave a comment below.
Q&A
Have Greenwald, Miranda and Poitras been guilty of “very poor judgement in their security arrangements”?
Travelling with a password written on a piece of paper isn’t great. Transiting through Heathrow may have been inadvisable. But if – as seems very possible – nothing of significance has been compromised, you have to say that, on the face of it, not really.
Given that the Cabinet Office expressed its worries to the Guardian in terms of their ability to protect information from cyber attack, I think it’s relatively clear why the Government would like to cast doubt on others’ security practices if possible.
Is the 20GB encrypted file on the external hard drive a dummy volume intended to be surrendered without cost?
The thought has crossed my mind: it would certainly make it easier to explain why David Miranda was found in possession of an encryption key in a UK transit area. I am not sure it is possible to say for sure on the evidence of the statements presented, but I think this falls within the range of possibilities.
Is it possible that one of the 75 files the police have is an index to the rest?
It is possible – and, if that were the case, it would make the “58,000 documents” figure much more credible – but I think on the balance of probabilities it is unlikely.
Were GCHQ just plucking a number out of the air with that “58,000 documents” thing?
Not entirely. One possibility is that they’ve plucked a number out of the Guardian.
On 2 August, the Guardian printed a fascinating feature article that is based partly on GCHQ’s internal “GCWiki”, making reference to this and many other GCHQ documents. That, and the discussions we know the Cabinet Office have had with the Guardian, may have formed the starting point for GCHQ’s worst-case estimate.
Are you sure? They must know what Snowden has!
If the NSA doesn’t know what Snowden has, there’s no reason why GCHQ should.
Oh come on. If we’ve learned anything from the Snowden files it’s that GCHQ and the NSA have other ways of acquiring this kind of information.
Of course. Whether surveillance information is admissible in court is another matter, though, and one we should probably leave to David Miranda’s capable legal team.
Have the media been negligent in reporting the “58,000 documents” figure as fact?
Undoubtedly.
Update (2/9)
This post proved to be quite a popular one, with 7250 page views yesterday alone. It also provoked quite a bit of discussion – I’d like to thank all of those whose contributions prompted me to make the following additions to my Q&A section.
Do you think Miranda was using a hidden volume?
It’s certainly a possibility and the first (pre-publication) draft of this post did in fact make that suggestion. Why did I leave it out? Because while the facts in Goode and Robbins’ statements do not exclude the possibility of a hidden volume, they also do not exclude a number of other possibilities. There’s nothing in the statements analysed to rule out the possibility that, for instance, police found a 20GB .tc file and a 40GB .tc file on that external hard drive but can only open the former.
Of course, this is yet another example of how the two witness statements are not adequately precise.
Why do you rule out the possibility that one of the files police have been able to access is an index to the rest?
I don’t rule it out, I say that – on the balance of probabilities – it is unlikely. Some of the reasons why I continue to think this are covered in this storify. Other very relevant points have been made in the comments section below.
Which media sources have used the 58,000 documents claim?
That’s an easy question to answer. A very cursory examination of articles published on this subject will reveal sources which take the “58,000 documents” claims as fact without even mentioning that they originated from a government witness statement (one, two, three, four). The number of sources which note the origins of the claim without subjecting it to any critical assessment is even higher. Critical scrutiny of the Government claims has in fact been strikingly absent, until now.
Has anyone else cast doubt on the Government’s story?
They have – although, as far as I am aware, mine is the only account which goes through the Government witness statements in detail. Links which I could have included in my original post include this piece from Alan Rusbridger and Friday’s statement from David Miranda’s legal team.
Nice job. Easy to follow. I think your reading and suggestions make sense. This sort of detailed examination of the language used by authorities is def appreciated.
A horrendously roundabout and meandering article that repeats itself many times. At the end I get the impression someone who doesn’t know much about tech and legal documents is writing a lot of words about lawyers who don’t know much about tech. When it comes down to it, yes the legal documents are inexact and ambiguous, but why not when the lawyers involved have no clue what they are discussing (as noted by the use of “True Crypt”). Look at many other legal docs that talk about hi-tech and you will see the same ambiguity.
The authorities appear to be serving snake oil.
As you noted, the language used is confusing. I sense that it is deliberately so.
Given what we know of Poitras and her history of being detained at airports, it is highly unlikely that any sensitive data would be exposed in the manner that is implied.
A reasonable explanation of the pieces of paper is that the instructions, the password and the one encrypted file referred to are simply a tutorial.
This perfectly innocent situation is then misrepresented.
The misrepresentation would be intended to raise a scare that classified information is in the possession of unauthorised people who have demonstrated very lax security.
“I have here a piece of paper.” That suggests some rather casual note, which is nothing at all like the way the phrase was used in 1938. We can be sure that this one doesn’t have Herr Hitler’s signature, but it could be something other than something small and hidden.
I can imagine it being an A4 sheet from an office inkjet, with a brief outline of the TrueCrypt system, a password, and list of assorted files, video clips, scripts, and the like, to let Greenwald know how the latest documentary is going.
If that piece of paper is in Miranda’s pocket, that protects the information from casual luggage theft.
It’s a different level of protection.
Video clips? Oh pish-tush!
You see, if you took the 58,000 NSA documents related to the UK (these being the ones that the UK know about – as opposed to …) and then sort of encrypt them, you would end up with the order of megabytes encrypted on one of Miranda’s devices.
It is therefore certain (or possibly ‘almost certain’) that Miranda was
1) carrying a list of names and addresses of UK agents and assets in deep cover in enemy territory
2) Had no more protection of this than a Post-It note stuck on a drive with the password written in big red letters
I think that the documents have to be UK secrets in order to qualify as espionage, so they *must* be UK docs.
We should also mention agents whose lives and whose families would be endangered. This makes the matter really, really serious.
Unfortunately, we can’t specify even the general nature of any files deciphered. Even to mention that one related in some way to GCHQ operations would endanger national security. To mention that one related to a recipe would make us look silly.
That’s about the size of it, yep. All claims should be assessed critically, I get confused when some suggest that claims made by government are somehow exempt from that principle.
Just in case anybody thinks I give any credence to “58,000 files” being counted on Miranda’s devices..
the (non-)calculation of Mb was just mischief on my part.
I would guess that the number is simply something taken out of the air in order to give an impression that they actually have something damning.
“58,000” is so much more convincing than “lots”.
“58,000” – might be good number with which to pimp ‘indiscriminate’.
If there were actually 58,000 files that can be counted by the spooks, but not decrypted, what would that mean?
58,000 separate passwords? 🙂
58,001 counting the encrypted file for which the password was written on a piece of paper.
Come along now!
Thanks for your analysis. Yes, with people who make a profession of being “economical with the truth” it’s very important to look very carefully at what they didn’t say.
I think we can assume that after their meetings with Snowden in Hong Kong, Poitras and Greenwald each took complete copies of the documents back to Berlin and Rio respectively. So the obvious questions would be a) why Miranda would need to take a further copy from Berlin to Rio now that the story is partially out and they and their associates are under close examination and are well aware of the possibility of being stopped at borders and b) why he’d just happen to be carrying UK documents through Heathrow.
If Miranda had an encrypted partition which is just the size to hold a certain portion of the documents (e.g., those from UK sources) then it’s just as likely to be because he created it by following instructions Poitras, or even Snowden, originally wrote for that data rather than because it necessarily actually held the data.
I wonder why, though, you think the index idea is unlikely. It seems quite plausible to me that Poitras or somebody working with her had created an index (be handy to have with 58’000 documents, I’d think) and that Greenwald would also find it useful so it would be something worth transferring from Berlin to Rio.
Heya,
Thanks for this – you raise some very pertinent points.
I didn’t want to go into depth about the index issue in this piece because – well, for one thing it was long enough already but also because I wanted to separate out my speculation from all the textual analysis stuff. It looks like it’s probably worth my while writing a separate post on the index theory, though, so I’ll probably do that this week.
Naomi
But why would an index be left in an outer layer of encryption? Why wouldn’t it be in the remaining encrypted volume?
If a 40GB volume held 58,000 documents they would average 750MB each. Seems unlikely, so it’s doubtful that they were simply estimating.
Also, as you point out, there is no way that any of the parties involved would transport any sort of data this way. They would send it via safe drop boxes or some such before they would fly around the world with it in hand.
Let’s not forget that Greenwald told Miranda he was sending him a laptop from Hong Kong. He never sent it, but a few days later Miranda’s laptop was stolen from their home. They are *quite* aware of the security risks here…
Re: 750MB average file size
One of the cool things about TrueCrypt is that the volume size doesn’t tell you anything about how much data is in the volume, so you could put 1MB of data in a 40GB volume and an observer would have no idea whether the 40GB was full or completely empty. That’s one of the reasons the 58,000 number has to have come from somewhere else (assuming they haven’t actually cracked open the volume somehow) – there’s just no way to estimate the content of the volume without correctly decrypting it first.
An even cooler thing about TrueCrypt is that in a 40GB volume you could store 1MB of data, then also store a DIFFERENT 10MB which would be recovered with a different password, with no way of an observer finding out that the additional 10MB even exists. Not that I think it’s relevant in this case, but it’s really neat technology.
“If a 40GB volume held 58,000 documents they would average 750MB each.”
No, 750 KB.
around 700K average per document (if full).
As a spitball sanity check on your figures:
750MB is almost 1Gig… so we would be in the ballpark of 40 documents at that size in 40Gig…
So 750Meg/doc is quite far out…
Obviously I have maths problems LOL – yes, 750kb – so just ignore my 2nd paragraph…
To get a basic understanding of TrueCrypt for the normal computer user, I advise you watch TWIT TV’s How To video: http://twit.tv/show/know-how/43
Not giving your passwords to government authorities is a crime in the UK.
As Miranda wasn’t arrested, one should assume he has revealed the encryption keys to the UK government. “Plausible deniability” or “hidden volumes” wouldn’t be of help here, as they knew what they were looking for, and they would have been stupid to not arrest him if Miranda didn’t give them access to documents.
One could say Miranda didn’t know the encryption keys at all, but in this case the UK government could have arrested him as a “precaution”.
And about this article’s analysis, why should the quoted people want to tell (or even know) the truth?
Just because someone “knows what they are looking for” doesn’t mean it is on your encrypted drive. You can’t be serious.
The way Truecrypt works, the whole drive, even the “empty” space can (should) be encrypted. So you CAN give a “dummy” key that decrypts part of the drive, leaving the “empty” “unused” portion still encrypted.
Here is the tricky part. You CAN NOT prove that the “empty” or “unused” portion may or may not contain additional data encrypted with a different key. Pseudorandom bits created by encrypting “empty” space look just like pseudorandom bits created by encrypting Gov’t secrets.
YOU ABSOLUTELY CAN give a password that only decrypts part of the drive, and PLAUSIBLY claim that it is the ONLY password.
This is how the Plausible Deniability “feature” works in Truecrypt.
P.S. Julian Assange was into this stuff for good reason.
https://en.wikipedia.org/wiki/Rubberhose_(file_system)
https://en.wikipedia.org/wiki/Deniable_encryption
http://embeddedsw.net/doc/physical_coercion.txt
I know how TrueCrypt works. TrueCrypt only supports one hidden volume, and so the questioners could pretty much assume Miranda (or whoever encrypted the drive) made use of it.
I’m pretty sure government authorities in the UK wouldn’t care if you can prove if there’s a hidden volume or not, they’d just assume it.
Note that you could also claim that the partition in question isn’t an encrypted partition at all, but that you overwrote that partition with random data because you were bored. Still no one would believe you that.
And if you didn’t use full system encryption, TrueCrypt should have left enough traces in the OS so there should be even hints on the data contained, e.g. file names.
Greenwald tweeted that Miranda did not have the keys to give, but gave up his personal passwords under the threat of arrest, FWIW.
We actually know a little more than that. From my last post on the subject (https://auerfeld.wordpress.com/2013/08/28/buried-in-the-comments-greenwald-miranda-clegg-and-an-indefinite-number-of-documents/):
I wonder if they have an idea of what should be there based on wiretaps of Glenn and other forms of intel. Maybe it’s based on what the NSA told them should be there. Surely everyone in regular contact with Greenwald is being heavily surveilled. I’ve never spoken with Glenn or contacted him, I’m just someone who followed him on twitter, and I myself had a very odd experience which might suggest the lengths they’re willing to go to. Perhaps eight weeks before the story broke I had deleted all my tweets (over a thousand), changed my twitter name and other identifying info, removed most of the people I had been following and everyone who followed me, and set my tweets to private. My intent was to just use twitter to follow people I was interested in. Well, the night Snowden was revealed I ended up sending Barton Gellman of the Washington Post a critical tweet- I felt his story unfairly implied Snowden suffered from delusions of grandeur. Probably within a minute of sending that tweet info from my previous twitter incarnation started appearing- tweets that had been deleted not just a couple months earlier but a year or more reappeared, an old avatar reappeared, as well as my old username, people who had followed me, etc- it looked as if everything I had ever done on twitter was there. I probably wouldn’t have thought much of it but the fact it happened right after that tweet made me suspicious. After a few days my twitter account went back to normal. There have been other odd things that might be nothing, still it wouldn’t surprise me if they’ve looked closely at the people who have the most minimal of contact with Glenn. You heard the story about Glenn’s laptop being stolen?
I believe it was David Miranda’s laptop that was stolen, from the home he shares with Glenn in Brazil.
Wow.
Taking this blog post as inspiration, here is just one possible interpretation of what the government actually meant in its witness statements, adding in what it pointedly didn’t say.
Thanks for that, just trashed my own post to the same effect 😉
I’d particularly like to highlight this:
Why would 58,000 docs be ferried between Poitras and Greenwald, who already have access to them?
Lots of things to infer from Greenwald himself when he retweeted this post. He said “On the lies told by the UK government about passwords and “58,000 documents” ”
So he’s claiming that the 58,000 document number is a lie, and possibly that they aren’t even classified documents. Or something like that. Also the part about passwords. He’s limited in what he can say, but it would seem that he is hinting that there is little to trust in what GCHQ is feeding to the public.
My guess is that GCHQ were expecting 58k documents and the whole incident was a bluff by Greenwald to make GCHQ tip their hand. I’m hoping for lolcats. Please let it be lolcats.
By the way, I started paying attention to this the other day when The Independent ran a story implying that they had a leak from Snowden but which on careful reading didn’t say that at all (this one).
The casual reading was “See here for Snowden’s irresponsible revelation of the secret UK intelligence base in the Middle-East” but in fact the story was “We’ve been told that Snowden has unreleased documents which would reveal this secret base. Not told by Snowden, just told. By someone. Someone who knows.”
I’d be interested if anyone knows of any followup or fallout from that story. I don’t know the British media very well and I was surprised to see such a biased and misleading piece on the front page of a mainstream newspaper.
It’s made me very interested in the precise statements appearing in the press – they seem to add up to a campaign of select details being leaked by the UK authorities to imply that Snowden et al are irresponsibly revealing state secrets to damage the nation.
Snowden flat-out denied ever giving anything to the Independent. Details here http://news.firedoglake.com/2013/08/23/snowden-denies-talking-to-independent-for-middle-east-intelligence-station-story/
I know nothing of the sourcing for the Independent other than to note that Duncan Campbell (https://en.wikipedia.org/wiki/Duncan_Campbell_%28journalist%29), one of the journalists on the byline, has an amazing track record of challenging the GCHQ secrecy – to the extent of having his doors kicked in by special branch, making the security state look silly in celebrated trials etc. He’s an interesting guy.
One thing I would say, though, is that there are explanations for how the Independent came by that material other than that the UK Government gave it to them.
Imagine this scenario: a journalist at the Guardian (motivated perhaps by outrage at the official pressure being applied, or for another reason altogether – who knows) has a word with a friend at the Independent. Maybe he wasn’t really supposed to do that but the Independent wants to run the story. The Guardian doesn’t feel able to comment – maybe it would compromise their relationship with Snowden, but the UK Government, when asked for comment, is only too happy to take that opportunity to spin the story as they wish.
Now, I don’t know if that’s a more or less likely scenario than the one Glenn proposed, but I think either fits the limited facts we have.
The stuff about the Independent story “threatening national secrecy” is obvious nonsense though. As Craig Murray pointed out on Friday (http://www.craigmurray.org.uk/archives/2013/08/the-troodos-conundrum/), the fact the UK has a large SIGINT base in Cyprus to monitor Middle Eastern comms is really not much of a secret. It’s been the case for about 50 years if not longer.
The Cyprus base might not be ‘much of a secret’, but if it’s Classified, then it’s actually a secret.
In the US,
The Collateral Murder video is still a secret.
All the NSA leaks are secret.
http://www.techdirt.com/articles/20130614/23254623483/congressional-staffers-told-to-pretend-nsa-leak-docs-dont-exist-so-how-are-they-supposed-to-respond.shtml
Shhhhhhhssssss!
Keep in mind, Jacob Appelbaum also lives in Berlin. Between him and Poitras, I sincerely doubt anyone has access to anything they want protected.
I had no idea Appelbaum was involved! I just read the Der Spiegel interview on Cryptome.
http://cryptome.org/2013/07/snowden-spiegel-13-0707-en.htm
Appelbaum’s involvement seriously makes me doubt the UK got anything sensitive off the drives / media. He does this kinda thing for a living. Appelbaum and Poitras are used to having all their digital media searched / seized at airports. No way they send this guy through a UK airport without a plan.
Mr. Appelbaum is also capable of setting up a secure internet file transfer (I don’t think you’re gonna man-in-the-middle this guy). Ms. Poitras may have felt that a certain amount of outbound internet packets would bring the black helicopters, even if (especially if) gov’t forces could not decrypt it.
I think it was video from her not yet released documentary.
Greenwald already has Snowden’s stuff, so it is very unlikely it was being ferried over.
It is also worth mentioning that, for files like PDFs and powerpoints, there are secure ways to transport those via internet.
With the above two bits of observation, I think it is likely that that what was being ferried was something too large to be sent over the internet. Poitras is making a documentary, so video footage of interviews or similar would be my guess.
This is what I have been thinking. Also how can they possibly know content of files? If what they got was an index it would be very foolish not to encrypt this with the rest.
I see no reason for David Miranda to be transporting NSA docs, the editor of the Guardian already said he was happy to destroy computers because there were copies (plural) in other countries. We should be able to assume this includes Rio & Berlin, which is where the 2 main reporters live.
The benefit they get from these ‘wide sweeping statements’ is to simply make Miranda look as negligent and as criminal as possible.
It would not surprise me one bit if the content was simply journalistic output, which is legal to print and I can’t think of a reason why it is not legal to transport either.
I think this article nails it as indicated by @ggreenwald twitter a/c yesterday
Surely the internet provides many far easier and more secure methods of transferring and sharing documents over booking a flight and carrying an external drive on the plane?
One thing about file(s) carried by a trusted person on a drive is that you know for sure who sent it and where it has been since it left them.
Absent detention and inspection en route, there is very little meta data to be collected by interested parties.
If information is transferred over the Net, observers can have knowledge of the end points, the frequency and the volume of data. It may be possible to work out the process that the communicators are going through.
e.g. A sends a large message to B. B responds after a time with a short message. This pattern repeats, etc.
The same document/collection encrypted in the same way might have a ‘signature’. An observer could determine the parties who had been sent (probably) the same file. etc.
A courier might also have in their head a password, which they know does not relate to any encrypted files that might be in their possession. They might have other information in their head.
Miranda was found to be carrying ‘whatever’ on his way back from Berlin. What might he have been carrying on his way there? It could have been “58,000 documents” or hundreds of gigabytes or maybe nothing.
I suspect that this whole drama was the most successful publicity stunt in publicity. Glenn got a huge amount of publicity from this; way more than from the original NSA stories, and he brought much-needed attention to the issue. The TrueCrypt volume most likely contains copies of the US Constitution or some such nonsense. http://albertsblog.stickypatch.org/2013/08/25/did-glenn-greenwald-pull-a-fast-one-on-nsa-and-gchq.aspx
It’s truly bizarre that you are “moderating” comments on a story like this. Why not leave the censorship to the NSA and GCHQ?
You’ve come at it a long way round, but it is a standard misdirection technique in official statements for two sentences to be placed next to one another that amount to distinct claims from different sources but that the casual reader will take to be connected and one in some way derived from or justified by the other. Reading securocrat and policy announcements with this in mind saves a lot of time. Once you are looking for the join, the lies jump out.
With practice you can even see it second-hand – where the journalist has jumped to a conclusion as intended from disjoint assertions. It’s the way it hangs in air, wholly based on confidence in the authorities’ honesty, I think.
[…] not giving the password to a police officer can be a crime. For anyone interested, the whole thing is quite well analysed and discussed in this extensive article, and obviously also in a short article by Schneier and his […]
In my experience, Occam’s Razor when applied to people and organisations and what they do and say usually turns out to be correct, and that stupidity and ignorance are always far more likely to be present than cunning. Press statements are very often rushed and generally bungled with basic internal miscommunication. It’s just as easy to overestimate the UK police and GCHQ as underestimate them. They are human, they poo, they are not magical super-beings.