Extraordinary Popular Delusions

"Men… think in herds … they only recover their senses slowly, and one by one."

Tag: surveillance

Liberty and Others v GCHQ

The legal challenges made by Liberty, Privacy International, Amnesty International, the ACLU and others in the wake of Edward Snowden’s revelations had their first hearing in the Investigatory Powers Tribunal today. The IPT is the tribunal set up under the Regulation of Investigatory Powers Act (RIPA).  It does not usually meet in public, so the announcement below is a bit of a souvenir.

[Image: 20140214-133046.jpg]

This is the first of two groups of challenges against GCHQ’s interception and information sharing practices. The other is an appeal direct to the ECtHR (Big Brother Watch v United Kingdom), which the Strasbourg court has decided to fast track.

Today’s hearing was a directions hearing, which means that none of the substantive claims were argued, but questions as to approach were tackled and dates were set. The full hearing has been scheduled for 14-18 July this year – which is rather earlier than the ECtHR will hear their case, even though they’ve decided to fast track. The July hearing will be open to the public, although it sounds like there may also be sections of argument that are closed (more on that below).

dramatis personae

There are three separate groups of claimants: Amnesty International (represented by Kirsty Brimelow of Doughty Street Chambers), Privacy International and Bytes for All (Ben Jaffey of Blackstone Chambers) and Liberty and the ACLU (Matthew Ryder of Matrix Chambers). As far as I am aware, the only groups to have made their initial documentation public are Privacy International and Bytes for All. Privacy International’s claim deals with two main issues: the extent to which information sharing is regulated under RIPA (let’s broadly call that issue PRISM) and the legality of mass surveillance (that’s Tempora).

The first issue dealt with was Amnesty joining the proceedings. Today’s hearing isn’t quite the first time Snowden’s revelations have been brought before the IPT (even in public). On 30 January, Abdel Hakim Belhaj and Fatima Boudchar were granted a limited injunction against the use of any legally privileged information that may have been acquired by surveillance (the court did not rule on whether any surveillance had in fact happened). The violation of legal privilege in breach of article 6 of the ECHR appears to be part of Amnesty’s argument in this case too, so there was some discussion as to what should be discussed purely in relation to the Belhaj case and what should be included in July’s hearing.

“This tribunal is unique in being able to proceed on assumed facts”

The bulk of the morning hearing saw attempts to reach agreement on the hypothetical premises on which the argument could proceed. Part of the difficulty here is that the UK government is still adopting a strict ‘neither confirm nor deny’ policy when it comes to Tempora – to the extent of not even being willing to confirm or deny how the word is pronounced.  It became evident over the course of the morning that the government would have preferred to restrict the court to an assessment of whether the RIPA framework itself was in accordance with ECHR rather than adjudicating whether particular alleged actions would be legal under RIPA itself or the Human Rights Act.

That approach was decisively rejected (“surely if you’re not allowed to do it at all, we can say so?”) so we will be hearing arguments about whether Tempora activity would be lawful – although the points at issue will be presented as “claimants allegations” rather than “agreed premises”.

In the absence of authoritative advice to the contrary, by the way, Mr Justice Burton decided that the IPT would go with the ‘Latin’ rather than ‘Japanese’ pronunciation of tempora. That means an emphasis on the first, rather than the second syllable.

Metadata and communications data

An interesting question that came up was whether communications data and metadata are synonymous – as it transpired, this was brought up by Matthew Ryder as a result of David Omand asserting that there was a difference (listen back to the LSE debate to hear for yourself). It seems that the government has responded to the effect that there is no meaningful difference between the two terms.

Afternoon

The afternoon session confirmed dates for the main hearing in July and then returned to the main theme of the morning, this time in detailed discussion about how the main issues of the case should be framed. Should the government be able to limit discussion to an assessment of the compatibility of its legal framework with the ECHR or should the question be whether the alleged practices themselves are compatible with the law? Is it possible the alleged practices might not be wholly authorised by RIPA, making the first option too narrow?

The argument on these issues was quite dense: at one point, it appeared as though the government was saying that, if the alleged activities took place, they could only have been authorised by RIPA, but that was not conceded formally. The final formulation is still to be confirmed, but it looks like it will represent a bit of a compromise for both sides.

Neither confirm nor deny

As mentioned earlier, the UK government will still neither confirm nor deny that the Tempora programme exists, despite the amount of information now in the public domain. (PRISM is a bit of a different matter, because its existence has already been acknowledged on the other side of the Atlantic). On the basis of some of Ben Jaffey’s submissions today, it looks like this stance will be challenged in July, particularly if – as seems likely – the government moves to hold a closed session after the open one.


#GSOC: strange things are afoot in Ireland

GSOC is the Garda Ombudsman Commission, the independent authority charged with overseeing the Irish police force. The current furore centres around whether its activities have been subject to surveillance. This was the subject of a lengthy statement by the Irish Minister of Justice Alan Shatter yesterday (11 February), the content of which indicates that monitoring has probably occurred, despite the Minister’s assurances otherwise.

What is this about?

In late 2012, two garda whistleblowers  accused senior colleagues of quashing penalty points as a favour to friends. The whistleblowers went to members of the Irish Parliament with their concerns and an internal enquiry was launched. In the manner of many internal enquiries, the police probe did not find anyone culpable, but did recommend that procedures be tightened up. It is clear that significant concerns remained and further investigation has been carried out under the auspices of the Public Accounts Committee.

While I do not follow Irish politics closely, I think it is fair to say that this whole affair has been highly controversial and it is perceived that the reputation of the gardai has been damaged.

On 27 January this year, the Irish Justice Minister Alan Shatter finally referred the allegations to the police ombudsman, GSOC.

On 9 February, the Irish Sunday Times published an article by John Mooney alleging that GSOC was the subject of surveillance by a “government level” entity and that GSOC has been obliged to order a full security audit in September 2013. Unfortunately, a paywall prevents me from telling you much more about that article.

On 11 February, these allegations were the subject of a very long statement from the Minister of Justice. The GSOC chairman Simon O’Brien has said today that he believes his office was subjected to “some sort of surveillance.”

What is of concern in the statement?

The Minister of Justice’s statement describes some of the findings of the GSOC security audit.

“I am advised by GSOC that the sweep identified what they refer to as two technical anomalies which raised a concern of a surveillance threat to GSOC. I should emphasise that my understanding is that what was at issue were potential threats or vulnerabilities, not evidence that surveillance had, in fact, taken place. A subsequent sweep identified a third potential issue. There was no suggestion that there was any risk of unauthorised access to the GSOC databases and the documentation on them.

“The first identified issue arose from a wi-fi device, the property of GSOC acquired in 2007/2008 located in its Boardroom, which was found to have connected to an external wi-fi network. Access to this device was protected by a password, and in the absence of this password any connection should not have been possible. In any event, GSOC does not operate a wi-fi network, and had never therefore activated this device (and does not even know what the password is), but the fact of the connection was a concern. How this occurred is unknown and there is no suggestion by GSOC that it resulted in any information being accessed. I am also advised that the wi-fi device was unable to communicate with any of GSOC’s databases or electronic systems and that the boardroom is not generally used for meetings.

“The second potential issue related to the conference call telephone in the Chairman’s office which was subject to a number of tests. One of the tests involved sending an audio signal down the telephone line. Immediately after this transmission, the conference phone line rang. GSOC conducted a number of checks to establish the source of this telephone call, but was unable to do so. Further checks revealed no additional anomalies or matters of concern. There is no evidence of which I am aware from my meeting with the Chairman of GSOC of any phone call made or received being compromised.

“The third issue related to the security firm reporting the detection of an unexpected UK 3G network in the area in the locality of the GSOC offices which suggested that UK phones registered to that network making calls would be vulnerable to interception. Importantly, I am advised that neither the Chairman nor any other member of GSOC or its employees use UK-registered mobile phones, so that the presence of any such device in the locality would not seem to have posed a threat to the integrity of GSOC’s communications systems. There appears to be no evidence that what was detected had any direct relevance to GSOC.

“As I understand it those three issues represent the totality of the concerns which arose.

Much online comment has been generated around the third issue raised in the statement, which sounds very much like the fake phone towers (IMSI catchers) used to record phone details and intercept phone calls. This technology is not solely the preserve of “government level” actors. In fact, IMSI catchers are used by many police forces, including those in the UK, and the equipment is commercially available. There is precedent for IMSI catchers to be used without care being taken to configure them properly to the country they are being operated in.

It is probably worth noting that – while misconfigured IMSI catchers may be more visible to those they target – it isn’t true to say that they cannot be used to intercept phone details when they are so misconfigured. It is also unclear why Mr Shatter’s assurances as to the integrity of “databases” should have bearing on the possible interception of communications or metadata. For these two reasons at least, I share the concerns being expressed about this statement. At the very least, further investigation is clearly warranted to ascertain the origin and ownership of the equipment broadcasting that “unexpected UK 3G network.”

Updates

1.

GSOC Chair Simon O’Brien has been answering questions from the Oireachtas Petitions and Public Service Oversight Committee on this subject today. Proceedings are being liveblogged here – much of the questioning appears to focus on how the Sunday Times had word of the story, which evidently took much of the Irish government by surprise (although it seems that Alan Shatter did have advance notice of the GSOC security audit).

2.

Embarrassingly, the Irish Taoiseach Enda Kenny has had to ride back on comments which blamed GSOC for not reporting their suspicions of surveillance rather than tackling the subject of the surveillance itself.

3.

Tonight’s episode of Late Debate on RTE provides an excellent account of Simon O’Brien’s evidence and the likely next steps.

In brief, by mid-2013, GSOC had expressed dissatisfaction with the garda’s compliance with their procedures on more than one occasion. In June, concerns about “some public discourse appearing to be unexpectedly well informed” led to a security audit company being contracted. Two security sweeps were carried out: one from 23-27 September and another on 19-20 October; it was on the second of these that the (likely) IMSI catcher was detected.

On 8 October, GSOC launched an investigation into potential garda misconduct based on the results of the security sweeps.

As Mark Kelly of the Irish Council for Civil Liberties points out in the programme, in his statement, Minister of Justice Alan Shatter gave assurances on the existence of unauthorised surveillance:

It is important to say at the outset that the Garda Síochána Ombudsman Commission has informed me that, after an investigation, they concluded that no definitive evidence of unauthorised technical or electronic surveillance of their offices was found.

Whether surveillance of GSOC could have taken place on an authorised basis is an open question, one that appears on the front page of today’s Irish Examiner.

It looks like the Minister of Justice Alan Shatter will be called back to testify to the committee, which is also requesting an unredacted copy of the GSOC report resulting from the security audit. It also sounds very much like the Irish Sunday Times may be publishing more on this on Sunday.

4.

(17 Feb)

Richie Tynan has written a really good summary of the technical issues for Privacy International and the Irish Examiner has an account of the political reception and media reaction.

This week’s Irish Sunday Times has revealed that it was indeed a suspicion of surveillance by the garda which provided the impetus for GSOC to order a security audit. As the Sunday Times is behind a paywall, it’s also worth listening to John Mooney’s comments on RTE’s This Week:

This particular event has its roots in a collusion enquiry that GSOC ran between members of an elite garda unit in Dublin and a drugs trafficker called Kieran Boylan. That inquiry, which was a public interest inquiry, concluded late last year and had reached very damning findings about the activities of guards running black operations off the books outside of normal legislation.

That file was sent to the DPP with recommendations to charge a certain officer and Kieran Boylan. The DPP would not proceed with charges because in the national interest it would reveal too much about covert police operations. At that point…

What proof do you have that was the reason for the DPP not proceeding?

I know what I know. I’m aware that at that point GSOC made it very clear they were furnishing a special report to Alan Shatter and then they were going to release a report into the public domain raising their concerns about what had happened. At that point, and we published this on the front page of the Sunday Times today, there was a threat made by a senior garda officer to have analysts employed to find out how the Sunday Times in particular was obtaining information about what was going on.

5.

(19 Feb)

A recent article in the Irish Independent provided additional details about the security audit’s findings and questioned the legitimacy of some of them. This in turn has prompted the company that performed the security audit, Verrimus, to make a statement (leading, in its turn, to a hamfisted and unacknowledged edit in the original report). Richie Tynan has a great post on this for Privacy International.

Fourth European Parliament hearing on surveillance: special whistleblower edition

Monday’s fourth #EPInquiry hearing was relatively well-reported, largely because Edward Snowden supplied a statement, delivered to the inquiry by the Government Accountability Project’s Jesselyn Radack.

Audio of the full hearing is available here, thanks to Henrik Alexandersson, who has also posted the audio of the previous three hearings.

The speakers were Marc Rotenberg (EPIC), Catherine Crump (ACLU), Thomas Drake (NSA whistleblower), J. Kirk Wiebe (NSA whistleblower), Annie Machon (MI5 whistleblower), Jesselyn Radack (Government Accountability Project) and John Devitt (Transparency International). Video of the following presentations has been made available by the Government Accountability Project:

Jesselyn Radack

Thomas Drake

J. Kirk Wiebe

The next hearing is tomorrow, Thursday 3rd October and one of the subjects up for discussion will be GCHQ’s aggressive actions against the Belgian national telecoms company, Belgacom – whose clients include the European Parliament. Unfortunately, GCHQ’s director has declined the opportunity to justify himself in front of the Committee.

Missed my posts on the first three #EPInquiry hearings? Find them here (one, two, three).

Update (3/9)

Full video of the hearing is now available:

A few #EPInquiry-related updates

Next #EPInquiry hearing tomorrow

In my last few posts, I’ve been tracking the European Parliament Inquiry into surveillance in and by EU member states (first hearing, second hearing).

Tomorrow (Tuesday), the Civil Liberties Committee (LIBE) holds its third hearing, which it trails as follows:

There are five sessions foreseen in the programme focusing on “Allegations of NSA tapping into the SWIFT data used in the TFTP programme”, “Exchange of views with US Administration”, “Feedback of the meeting of the EU-US Transatlantic group of experts on data protection of 19/20 September 2013”, “Exchange of views with US Civil Society (part I)” and “Presentation of the study on the US surveillance programmes and their impact on EU citizens’ privacy”.

The study referred to on US surveillance programmes and their impact on EU citizens’ privacy, prepared by Caspar Bowden, is available here.

The hearing will be broadcast live from 8am UK Time.

More on The Athens Affair

Jacob Appelbaum’s presentation to the first #EPInquiry hearing used an incident in Greece in 2004-5 as a potential example of NSA interference abroad which is not subject to any meaningful limits whatsoever:

the NSA is not bound by European laws and they don’t care what your laws say. So when you say it would be proportionate and balanced to wiretap people for the purposes of terrorism, you are also tacitly endorsing the NSA to wiretap everyone in your country without any judicial process or any proportionality whatsoever.

This is what happened in Greece with the Athens affair, almost certainly – we don’t know it was the NSA, but it was an actor with sufficient capabilities. They were able to wiretap the Prime Minister as well as Members of Parliament. It also moves the risk from a world that was military to one where someone operates a computer and they’re your last line of defence between your Prime Minister being wiretapped or not.

In the case of the Vodafone incident in Greece, the person in charge of that telephone switch was found hanged to death in his apartment. And the reason is he wasn’t trained to do these things or defend an entire nation in that way. So it [NSA impunity] changes the balance of power in a very serious fashion.

Most of the reporting on the Athens Affair in the English-language media appeared in 2007 when the news initially broke. Greekemmy has now updated the story at WikiLeaks-press.org with information on the evidence turned up by a subsequent public inquiry in 2010-11. This inquiry identified the US Embassy in Athens as the agency responsible for the interception. An announcement of a criminal investigation into US embassy employees followed, but this seems to have been quietly dropped.

European Parliament holds second surveillance inquiry hearing

Following on from my last post, I’m just catching up with the second hearing of the European Parliament’s Civil Liberties Committee into surveillance in and by EU countries. This was held on Thursday 12th September and, like the first hearing, was divided into two sessions.

The first, private, session saw MEPs briefed on the results of a meeting between EU and US data protection experts back in July. There were two strands to the EU’s response to PRISM in mid-June; one was the public inquiry arranged by the European Parliament and the other was the ad hoc working group formed by the Council Presidency and Commission doing the reporting in this closed session.

The second session included a briefing from the Chair of the Article 29 Working Party, Jacob Kohnstamm, on the impact of surveillance on privacy and US-EU Data Protection Agreements. Audio of this second session has been released on the EU website  – although it’s not the most user friendly interface I’ve ever encountered.

Documents from the meeting are also available here.  Of these, Kohnstamm’s letter to EU Commissioner Viviane Reding forms the basis of his presentation to the Inquiry and is certainly worth looking at.

It also needs to be clarified if these American intelligence programs are in line with European and international law. This includes the International Covenant on Civil and Political Rights, which lays down the right to privacy in a general way. More importantly, the necessity and proportionality of these programs according to the Council of Europe Convention 108 needs to be further assessed. WP29 therefore considers it is likely that the current practice of apparent large-scale collection and accessing of personal data of non-US persons is not covered by the Council of Europe Cybercrime Convention. This is particularly relevant in light of the on-going discussion within the Council of Europe Cybercrime Convention Committee (T-CY) on the preparations for an additional protocol meant to facilitate trans-border data flows in this field.

Documents relating to the first #EPInquiry hearing have also been released.

The next #EPInquiry hearing is scheduled for 24th September:

There are five sessions foreseen in the programme focusing on “Allegations of NSA tapping into the SWIFT data used in the TFTP programme”, “Exchange of views with US Administration”, “Feedback of the meeting of the EU-US Transatlantic group of experts on data protection of 19/20 September 2013”, “Exchange of views with US Civil Society (part I)” and “Presentation of the study on the US surveillance programmes and their impact on EU citizens’ privacy”.

Update (19/9)

Kohnstamm does not understate the importance of the Snowden revelations (this from the audio clip):

Based on the reports… it is highly likely that the fundamental rights of human beings have indeed been infringed on… The fundamental trust between government and citizens is at stake.

He also makes clear that the surveillance activities of EU member states will also need to be assessed for their compliance with international law and EU standards, which may themselves need to change to offer better protection for individuals’ privacy.