European Parliament starts investigation into surveillance
The first hearing of the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs Committee) Inquiry into the electronic surveillance of EU citizens was held last Thursday, 5 September. The session is the first of twelve which are scheduled to take place before the end of 2013, with two further hearings to be held this month on 12 and 24 September. Claude Moraes has been appointed as Rapporteur. The Committee will vote on a resolution on December with a plenary vote following in January.
Thursday’s meeting was divided into two sessions, the first focusing on the reporting of surveillance programmes and how those programmes might change the way journalists and media organisations go about their work. The second session, the “Follow-up of the Temporary Committee on the ECHELON Interception System” covered very related ground, giving a historical perspective to Edward Snowden’s disclosures. Investigative journalist Duncan Campbell’s description of Swedish complicity with the NSA – “a big surprise… GCHQ’s biggest partner outside the English speaking countries… is Sweden” – has already been reported in the local press.
Full video of the hearing is available courtesy of Henrik Alexandersson.
Glenn Greenwald was scheduled to participate in the hearing from Brazil, but did not for logistical reasons. The full list of speakers were as follows:
Jacques Follorou, Le Monde (video, transcript)
Jacob Appelbaum, Tor Project (video, transcript below)
Alan Rusbridger, The Guardian (video, transcript)
Gerhard Schmid, ex-MEP (video)
Carlos Coelho MEP (video)
Duncan Campbell (video, see update for transcript)
I’m still working my way through the presentations and may well have more to add in future updates. For now, it’s worth noting that Jacob Appelbaum’s presentation gave some indications of future stories to come from the Snowden files. He certainly seemed to indicate that further information on the scope of the NSA’s tactical interception (ie. overt hacking) operations was on its way:
where they are targeting specific types of software, where they are targeting specific kinds of people and where they are specifically doing it for people who are not terrorists.
(…)
I’ve become familiar with a programme that has not been revealed in public where they instruct agents of the NSA to be able to go to an urban area to penetrate people’s house networks, their home wireless networks.
I’m reproducing the statement in full below – not least because it’s one of the clearest explanations you’ll find of what PRISM and TEMPORA are and how they relate to other programmes.
Jacob Appelbaum, (video)
Thanks for having me. It’s quite an honour to be here. It’s my first time at the European Parliament.
I wanted to take the broad view of someone who has some experience with this. I’ve spent the last decade working in the censorship resistance field. I work on the Tor Project, which is an anonymity network that people can use so as to not be surveilled and to bypass censorship. It’s actually funded by the US State Department, the Swedish International Development Agency and it’s a free software project.
However I’m here more in my capacity as an independent journalist, an investigative journalist, but someone who has also been subject to extreme scrutiny under these types of surveillance programmes.
I definitely want to talk about the NSA and I will, but I wanted to have a broader view. Part of what we’ve learned from Snowden and his whistleblowing in the public interest is that the NSA has an all-encompassing spy programme. But what is not really well described in public yet is how it is the case that the FBI and the Central Intelligence Agency of the United States also have similar access programmes.
When people talk about these PRISM-like programmes, or PRISM itself, what that name actually means is a programme where people in corporations or perhaps non-profits of any kind or organisations, are complicit in helping the government, [partly] because they are forced under the FISA Amendments Act – FAA 702. In this case Google or Yahoo or Skype or Microsoft have either systems inside their networks or attached to their networks where they are willingly and knowingly assisting secret interception. That would be the PRISM programme.
Or there are more significant business-record like legal instruments that don’t really have a name. The FBI has a thing called a National Security Letter, which I believe I am actually a subject of. These are generally deemed to be unconstitutional in the United States and judges have ruled that. It appears that each branch, each agency has something like a National Security Letter. In the case of business records, it seems to be significantly worse than a National Security Letter – so it’s not just metadata, it’s actual business records: any record a business creates, or that you create with a business.
So if we consider PRISM and we consider that they have hardware inside these networks or attached to those networks, that means it’s really everything unless there is significant pushback from within these companies. This we could call PRISM, but it’s more than one programme. PRISM is one programme, but there are many that are like this.
There’s another word which has been used for companies that don’t fit exactly to that mould and that word is upstream. UPSTREAM is more of a description of how they’re doing it technologically. It suggests that there is a little less complicity with the companies they’ve targeted, but it also suggests that if they can’t reach inside of an organisation, they monitor any communication with that organisation. That is they monitor upstream of those entities.
The TEMPORA system, which is the full take collection system operating in the United Kingdom by GCHQ, it’s full take in that it takes in the full internet running in and out of the United Kingdom. Any packet, any piece of data coming into the United Kingdom, goes into TEMPORA where it is stored for three full days. That’s every single thing, it’s not just metadata.
That kind of thing combined with PRISM is a surveillance apparatus the like the world has never seen before. When Duncan Campbell revealed ECHELON to the world, it was pretty terrifying, it was an impactful thing for me. But when he revealed ECHELON to the world, I never imagined it could get so much worse.
ECHELON by comparison is the kids’ stuff that hackers create these days. The systems Snowden has revealed through Glenn Greenwald and Laura Poitras are so advanced. They work through a three stage approach. The first is complicity with so-called legal instruments, the second is through surveillance and spying (UPSTREAM) and the third is what has recently been talked about as the GENIE programme, which was revealed in the Washington Post.
GENIE is just one of many of programmes developed for tactical exploitation. That is to say, they want to know what you are doing. They can’t monitor you upstream and they can’t go to Google to get your information, so they break into your computer system. According to the Washington Post there are tens of thousands of systems that have been compromised by the NSA in an active way, just under the GENIE Programme.
There are other programmes that I am familiar with that haven’t yet been revealed in public, that will be revealed in good time, where they are targeting specific types of software, where they are targeting specific kinds of people and where they are specifically doing it for people who are not terrorists.
In fact in some of the things that are clearly noted in these documents, it is clear that the terrorists are the exception. If they have 30 cases, one might be a terrorist. This is something that’s very concerning because with a full take collection, you necessarily have something that has every single person surveilled. Naturally one or two of them may be terrorists – accused, suspected, not convicted, certainly not indicted. These people have not formally been charged, but they have been painted in this way – so in fact, for the most part, people who are targeted in this way and surveilled in this way – none of them are really terrorists.
It’s very boring just to talk about technology and, in fact, since almost no-one understands the technology, it’s a waste of time. Instead we can talk about the things that people do understand. With the ‘Five Eyes’ programme, that is the Defence Signals Directorate of Australia, CSE of Canada, GCSB from New Zealand, GCHQ of the United Kingdom and NSA from the United States, they have formed a partnership such that – despite the American Revolution against the British – GCHQ can query the United States’ databases of American citizens, where they have similar full take collection systems. How that’s legal is completely beyond me. How that is democratic, how it upholds my country… to me it’s quite a dumbfounding thing and I’m sure the British feel the same way when the NSA queries their system. I would be quite upset about this as well.
Those are what is called first tier partners. GCHQ and NSA first tier partners, the others are second tier partners. BND is a third tier partner. My understanding is that it’s not unlike bittorrent file piracy sites in that you have a quota to fill, so if you’re a third tier partner you have to produce some information in order to query some data out. I’m not totally clear on how this works but it is an interesting distinction between the different tiers.
This ultimately comes together to be used in egregious ways. There exist signals emission databases and fingerprint databases where you have a particular signature for your voice a selector or series of selector-like objects for your email address, your phone number, things like that. Every time you pick up a new device and enter one of these selector like objects, that device becomes linked to you by this database.
What this means is that there is an emergent pattern-based identity system of the entire planet and every person that is on the planet. This data is fed into geographic tracking systems. The NSA and the CIA have a system where they track people and the slogan is “We track ’em, you whack ’em.” This was published in the Washington Post.
The evidence is that the surveillance data is tied directly into flying robots that kill people, regardless of process. The surveillance has a huge impact on people in a very literal sense, with rockets.
This is almost all passive. The third part of what I talked about, tactical exploitation, is not passive. I want to dismiss the myth of the passive NSA, that it’s just some mathematicians with cute pocket protectors just doing math and breaking codes and they’re the heroes in these world war movies. There are some people like that in the NSA and there are some really incredible people who work there who are good people. Many of them have left to blow the whistle like Bill Binney and Thomas Drake and Ed Snowden.
In actuality though, these people are doing active operations. I’ve become familiar with a programme that has not been revealed in public where they instruct agents of the NSA to be able to go to an urban area to penetrate people’s house networks, their home wireless networks.
This kind of technique is like the modern black bag job. To go and break into someone’s house is the kind of thing you’d see in a Cold War movie and they have training slides showing how to do exactly that electronically when they can’t get in another way.
These kinds of programmes are extremely terrifying because they are not democratic by their very nature. They are secret, they are without oversight… what oversight does exist is almost meaningless because those doing the oversight have so much trust and so little education. This is the key thing. Most of the people in the US Congress I have become familiar with have other people print their email for them. They don’t really understand how the electronic world works. None of them can tell you what TCP/IP is, very few of them understand what wiretapping is in actuality.
What we’re seeing here is that the architecture of these systems is left vulnerable on purpose. So there exist encrypted fax machines: we know the European Parliament was intercepted from a Crypto AG encrypted fax machine. They did what we call a tempest attack in that they looked for electronic emissions from the encrypted device and from that they were able to recover the pre-encrypted fax data, which is to say they didn’t break the encryption, they went around the encryption.
There are some architectural changes that change the type of attack. It changes the economic scale and it changes the ability to carry out the attack in some cases.
In this case when we have so-called lawful interception programmes, what we need to recognise is that the NSA is not bound by European laws and they don’t care what your laws say. So when you say it would be proportionate and balanced to wiretap people for the purposes of terrorism, you are also tacitly endorsing the NSA to wiretap everyone in your country without any judicial process or any proportionality whatsoever.
This is what happened in Greece with the Athens affair, almost certainly – we don’t know it was the NSA, but it was an actor with sufficient capabilities. They were able to wiretap the Prime Minister as well as Members of Parliament. It also moves the risk from a world that was military to one where someone operates a computer and they’re your last line of defence between your Prime Minister being wiretapped or not.
In the case of the Vodafone incident in Greece, the person in charge of that telephone switch was found hanged to death in his apartment. And the reason is he wasn’t trained to do these things or defend an entire nation in that way. So it changes the balance of power in a very serious fashion.
With that said, there exists a series of sensors around the entire planet. Visualise a globe – now visualise electronic emissions from this globe. The NSA’s job is to capture all of it, including what goes into space – and they do. Where there are interesting communications satellites, there exist communications satellites behind those satellites. What do you suppose those satellites do? Interesting things to look into.
But if we look at the internet and we look at telephone systems, when the NSA is unable to get access to a system through complicity or some kind of data sharing programme, they re-purpose things that are already there. When we look at things like XKeyScore we see coverage in areas where we would expect the state concerned would not give that data willingly. So how do they have that? The answer is that they have a plant or a rootkit to these systems and they extract that data.
When they do searches, they are able to do real-time searches with that selector or selector-type objects to pull that whole globe of electronic signals and feed it back into massive data repositories. In Bluffdale, Utah there’s a facility which is meant to store more than a hundred years of data.
So if we think about these systems as a whole, we have a planetary surveillance system that is not accountable to the people, that is used for extra judicial assassination in addition to other things. One of the only hopes we have is to use encryption to change the way and change the value of such interception. We can’t stop people from spying but we can lower the value of that spying.
Update (8/9)
The transcript of Duncan Campbell’s presentation follows below.
Duncan Campbell
I think it is hugely ironic that it is precisely 12 years to the day, the 5th September 2001, that 44 recommendations in the report prepared by Gerhard Schmid and adopted unanimously by the Parliament were passed. It is indeed the tragedy and the lasting legacy of the vile attacks on Washington and New York that the terrorists managed to do so much damage to our civil liberties and our concerns for our own civil rights by their actions.
The years before 9/11 saw confirmations even before what we learned from Edward Snowden. The decades since has seen the admission of the UK-USA Agreement between the United Kingdom’s GCHQ and the United States’ National Security Agency and the three other English-speaking partners. We can go on to some wider agreements that have been revealed or are about to be revealed.
Even in the year we were reporting it was discovered that the United Kingdom had built an interception facility in the northwest of England to tag all of the communications – again, the totality, not just the metadata but the voice and other communications – they’ve been building a tower, you see them building a tower there, to collect the radiowaves behind opaque panels and below that eight floors of high capacity processing equipment.
In some ways the ECHELON system was easier to track down and prove because it created highly visible artefacts, things that you could see: satellite tracking stations and towers like this, compared to the situation now. This is the GCHQ Bude Station which is now Remote Processing Station One for the collection of all the internet communications that they can get for three days.
Originally the satellite dishes were fairly obvious, pointed up at the satellites as part of the ECHELON system, but you also see in the upper top corner buildings that were added for the Project TEMPORA that Snowden has revealed and we have heard so much about.
In the mid noughties there were also revelations that told us something of what was to come from the United States. An American technician provided plans and documents and pictures showing how optical fibres were being spliced into the American internet exchanges in the American West coast.
Many of us then started looking for secret rooms, secret rooms that might be being used at exchanges throughout the world, trying to document it. But it was not in fact until 2008 that one journalist at The Register in Britain discovered what is now called the Mastering the Internet project, a very strong and powerful name, that is found now to have been spawned into Project Tempora with numerous other stations now being linked in.
The ECHELON system itself is not only still in being, but it has got bigger and it has changed its name . There’s the name – it’s just called FORNSAT now. That is from one of Edward Snowden’s slides, published in Brazil just over a month ago and it’s a map of all the ECHELON stations around the world. It’s possibly a year or two out of date because it shows one in Germany that we believe now has closed, but it reveals there are new stations in India, in Thailand, in Kenya, in Brazil – all part of the same collection system and run by the United Kingdom with the United States and its allies.
There is also a station in Oman covering the Middle East. So that’s how the systems in this single part of the communications network has gone up, but it’s only a tiny part and now we know how tiny the information coming through ECHELON was compared to the technical development when this Parliament met and reached its conclusion in that fateful year of 2001.
There’s an example now confirmed: it’s come off Snowden’s map but you will find the very same station in Japan, a station on the back cover of the Interception Capabilities 2000 report. This is the ECHELON report that I did for the Committee that Mr Schmid then looked into, validated and leading to the conclusions.
More stations in the United States. But what is perhaps most interesting to understand is the collection of the different inputs that we now see being integrated together into a total internet usage analysis system that basically spans the planet. This is the system that’s already been mentioned by Jake Appelbaum and briefly alluded to by others called XKeyScore or Cross Key Score. It produces a familiar kind of data for those who work in the forensics of computers, as I now do as I had a kind of second career after working on ECHELON here. But it covers everything – not just one computer, but everyone’s computer.
The inputs to this system are threefold. As you can see from the bottom (page 4), they’re in obscure code. One of them of course is FORNSAT, which you’ve just seen is the new name for ECHELON and the satellites that collect commercial communications. The second one, on the right hand side is SSO or Special Source Operations. This is the standard name the services now use for access to commercial cables, optical fibre cables and sometimes internet or telephone switches, by reason of secret or coerced agreements with telecommunications companies.
And the third input – and this is quite an interesting revolution – is down there as F6, which is just a division of the National Security Agency. But it’s a division also known as the Special Collection Service and that service runs interception centres in United States embassies and diplomatic premises around the globe, some 75 or 80 sites according to different documents.
The critical input for this system, though, is to get access to the optical fibre cables, the submarine cables that carry out most of the world’s business and commerce. Everything goes that way now. ECHELON, covering satellites, is now the minor player. As we know from the Snowden revelations, the United Kingdom has taken a particularly strong role in simply scooping up all of the internet, or attempting to do so.
The news is that they haven’t yet got everybody to take part in this operation. As of about 2010 only 18 or so of the major submarine cables coming into the United Kingdom were being spliced into the interception system. Some commercial companies may have held out and may not have been compromised as yet. But the system that has been adopted at the remote processing centre is to connect from the cable termination points – you can see there where Bude is in the southwest of England. So either with the consent of the companies the cables are intercepted with an additional optical cable, which is taken to the processing centres of Bude or Cheltenham. Or, without the consent or knowledge, secret taps are inserted in the companies which aren’t playing ball, which aren’t playing the game and, to use the language of the industry, are back-holed into the interception centres.
And there’s a surprise for this Parliament and this Union because a new organisation has joined the Five Eyes in providing major interception arrangements and is deemed, according to the documents, to be the biggest collaborating partner of GCHQ outside the English speaking countries. And it’s Sweden, where the Försvarets radioanstalt has had satellite interception facilities for many years, also passed new internet laws to allow access to the submarine cables.
That is one of FRA’s satellite interception stations at a place called [?] near Göteborg. The importance to the UK-USA Five Eyes organisation of a Swedish participant of course is that they have access to cables that nobody else can get. So the global surveillance system, if not curtailed is spreading through the EU with the participation of my country, the United Kingdom, but with the very active collaborative participation of a second member state, Sweden.
The arrangements for cooperation seem to be extremely varied and that is a point that perhaps might be noted by national representatives. So the secret codenames are used within the system to hide the participants in the United States and the United Kingdom. And when a cable is tapped, or internet or telephony switch is made the subject of interception, it is usually given its own ultra-secret codename and designated as a SIGINT activity, much like bases that you can actually see.
The XKeyScore slide is an eye-opener because it relates to a complete, planet-wide internet surveillance system wherein, as it has been suggested by other speakers, you simply sit at your analyst’s console, plug in the selectors – this is now the technical term, replacing what we used to know as the dictionary at the time of the ECHELON work. And that is able to bring up all the traffic on the thing that is being harvested for analysis.
This is another collection centre extending the global reach in the Red Sea area. And again, there’s another ECHELON centre allied to it to which the capacity has been added.
The in-city type of collection, the F6 or Special Collection Service, is done from most commonly United States embassy premises. And its done rather similarly to that tower that was discovered in 1999 in the north of England, with opaque panels mounted high up concealing the radio interception equipment behind it.
The presence of towers like this within the United States embassy premises in Geneva have always been very obvious when passing by and if you look closely you can see just how a rather odd structure with opaque panels is stuck at the top of the premises. I’ve heard it suggested – I don’t know if it’s correct – that Edward Snowden was actually employed in this interception facility a few years earlier.
Similar facilities are observable at Nicosia in Cyprus and, just for the sake of balance, the same is also true of the Russian Federation embassy. Everybody’s at it, everywhere. The United States embassy in Brussels, which we can almost see – at least from this podium – looks innocuous enough from its frontage. But take a look from above and you can see superstructure that has been added. One could almost be looking at it now and it could be listening to us.
So you have in all of that a huge integrated capacity feeding into the collection systems and the analysis. It’s put together so that where we thought we just had one major system when we looked at this in 1999-2001, there were now five overlapping systems that collect simultaneously. Collecting on the intercepted cables upstream, collecting from satellites if it goes by that, collecting from what’s called deep packet inspection inside exchanges, using what in plain language terms we call hacking or tactical access to compromised computers and networks, also known as computer network exploitation or CNE.
And at the end of this story of many ways of getting at our data and our companies’ data and our governments’ data is PRISM, the system that is forced onto United States internet service providers to create databases to be accessed by law enforcement agencies.
For those who have had the time or the interest to look in depth at the diagrams that have been provided and published say in the Washington Post as part of Snowden’s revelations, would see that PRISM isn’t even run by the NSA but is an FBI collection effort to which the NSA, along with CIA, FBI and others are merely customers or clients.
Not everything that we might want to know or suspect is out there seems to be in Mr Snowden’s papers. Or if it is, it’s not out yet. Little or nothing has been published about whether satellites are impactful on our civil and commercial communications now, although it’s well established that signals intelligence satellites operating at geostationary orbit have a very very close look at what can happening on the earth’s surface and can fill in gaps that can’t be collected in other ways.
It is also clear that the US government has claimed somewhat strangely that they haven’t lost all their secrets because what they call ECI or extremely compartmented intelligence has not been lost – or so they say.
What has happened in the twelve years is that the risks and damage have been hugely exacerbated by the growth of massive collection and storage systems. Some of the ways that are clearly powerful to use and analyse and therefore bring the impact on civil society of these data have not been well understood by people and actors outside the intelligence community.
It is perfectly clear now that network analysis using the metadata of who calls who and degrees of separation of people has become a map into the existence, the socialisation and connection of the whole of humanity. Effects, frankly, unknown. It is breathtaking, the audacity of the GCHQ Mastering The Internet project: to seek authority for, justification for and simply to collect everything and to store it, basically once selected, forever.
The scale of computer hacking, deliberate intervention into networks and computers has long since been suspected but is new as to its scale.
So the problems that then confront us on a fundamental level are also alluded to. The United States Constitution and its Bill of Rights – a fantastic document and especially the Fourth Amendment – has been carefully interpreted since the time of the Church Committee to say that human rights belong only to citizens of the United States. The whole power of the apparatus we’ve been talking about is untrammelled when it comes directed towards us, as European citizens. No constraints, no limits.
Marvellous, quite effective, quite serious constraints seem to have failed in respect of those who are American citizens who are sensible enough to communicate only in the United States.
United States NGOs along with the government organisations have been slow to recognise the importance of universal human rights. We’re all signed up to it, most countries are to the Charter of Human Rights, the Declaration… the United States was invited by your committee to consider signing the Additional Protocol to the Charter on Civil and Political Rights and did not do so.
We are also seeing and have heard here how information in France, there are attempts in the United Kingdom and the United States, from these pervasive surveillance systems is being laundered into the law enforcement process. Now, for all its faults law enforcement is a system of open checks and balances that tries to get it right in accordance with established norms. Its infiltration by information selectively fed from secret pervasive surveillance systems must be a major threat to the integrity of justice and the proper functioning of the criminal law.
The most stunning aspect of this to my mind is when you look back. ECHELON began in 1968 in fact. It was brought out of the closet in 1988 by myself, then put back in the closet until the [European] Parliament showed an interest ten to twelve years later. But at that time computers were utterly primitive, they had valves. They ran a system called the dictionary, which was quite prominent in our studies ten years ago but is now as utterly irrelevant as looking up a manual dictionary would be to conducting a search on Google, which we all do all of the time.
The most stunning thing of all is that the justification for the automatic collection of everything without prior suspicion or prior cause is being justified by the work being done by automated or robotic processes. A new concept seems to have come in through the march of technology, that somehow or other it is safe to assign the surveillance and selection of information about our private lives to robots programmed by humans working with the much laxer controls that are imposed on metadata communications data in place of human agents. That is new, an ideological and I think sociological thing that many of us are trying to grapple with in the months ahead, both here and in the United Kingdom.
My final remark about checks and balances would be this, because we’re not going to persuade them I suspect to undo all of these optical fibre taps. And there will be those cases in an imperfect society where it has helped deal with terrorism as well as acknowledgement that it undermines civil liberties. But if one thing has been demonstrated in the last three months it is that checks and balances and bringing the public to knowledge of what is going on is the most important thing that can be done for democratic societies. The best thing that Europe could do, in my suggestion, would be to give sanctuary to Edward Snowden, the whistleblower who has given us so much knowledge, insight and understanding.
Update II (9/9)
Those wishing to investigate Sweden’s role further should also take a look at this piece from Rick Falkvinge, which traces the country’s increasing collaboration with the United States since 2007. The State Department cables released by WikiLeaks have more on this, although I do not have the exact references to hand right now.
Update III (9/9)
Some MEPs have called for the suspension of the Terrorist Finance Tracking Programme following the revelation that the European banking data that is shared under the agreement is being obtained at source through NSA surveillance programmes.
Extraordinary Popular Delusions 
