THE Guardian and Washington Post have revealed details of something that privacy experts have been worrying about for some time. The National Security Agency (NSA), the US signals intelligence organisation, can grab any data in the control of US corporations, regardless of Safe Harbour or other agreements. The new suggestion is that this happens on a massive scale, and has a name: Prism.
According to Glen Greenwald and Ewen MacAskill, “the Prism program allows the NSA […] to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders. With this programme, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.”
It is a complicated topic, and that description – if accurate – could cover all sorts of arrangements. We can’t really know what Prism does, or what combination of personnel, hardware and software might be involved. The leaked documents are partial, and plausibly contradicted by consistently-worded denials from the big internet firms. But we have recently had a glimpse of something that sounds very similar – of which more later.
It is a scandal for Americans that such wholesale trawling inevitably picks up citizens’ data alongside that of foreigners. There’s little issue with the NSA snooping on us, however. It seems Prism is authorised, in secret, under the Foreign Intelligence Surveillance Act (FISA), while surveillance of citizens inside the US has a more restrictive set of rules. This is one reason for the circumspection of internet companies’ denials: they cannot legally say if they have received such a warrant at all. Admirably, Google publishes annually a detailed breakdown of data requests from foreign governments, domestic courts and law enforcement. FISA warrants, however, are neither mentioned nor counted in that report.
If any of this black data has been shared with our own government, we won’t find out the details. Intelligence sharing rules are strict, and control of disclosure remains with the originator. Whether or not such information has been passed to UK or other governments, British businesses that rely on cloud services from the Silicon Valley giants (Amazon, Apple, Google, Microsoft and more) may be alarmed at the thought that their confidential files are in the hands of the US government, if only it wants them.
But while Prism and allied programmes are worrying, similar ideas seem to be working closer to home. Central to the Communications Data Bill – the “snoopers charter” dropped by the government after opposition from Nick Clegg, but which may now be revived – is the idea that communications service providers (CSPs) of all kinds (telecoms, internet or even postal carriers) would be required to expose their data to a “Request Filter”.
According to Parliament’s Joint Committee on the bill, this is “…a power to establish filtering arrangements to facilitate the acquisition of communications data. The Request Filter would be used for complex communications data inquiries that cover several CSPs [...] Rather than a public authority having to submit separate requests to several CSPs, it would submit one request through the Request Filter which would then interrogate the multiple CSP databases and automatically analyse the returns, providing investigators with only the relevant data.”
What’s the difference between that and the description of Prism? Two things. First, it wouldn’t slurp up stored files, but look only at how you communicated, what sort of thing you did, when, from where, and with whom. (Exposing all your activities, interests, contacts and movements.) Second, it would by no means be limited to foreigners or to national security.
For what the Communications Data Bill would do – though technical details are again murky – is centralise, automate, and extend to a wider range of data, existing UK law. The Regulation of Investigatory Powers Act 2000 provides for a fabulous range of public authorities to request communications data: intelligence agencies, government departments, police, HMRC, Ofcom, and so on. Between them, they already make well over 500,000 data requests a year. A Request Filter would make that process faster and more powerful, and less subject to challenge by the CSP.
At the turn of the century, US admiral John Poindexter suggested that the aim of government should be “Total Information Awareness”. GCHQ doesn’t have to look to America for the realisation of that dream. It will find its own way. If we let it.
Guy Herbert is general secretary of NO2ID.