Five Eyes’ quest for security has given us widespread insecurity

News & Analysis
cracked phone screen

Between 15th-19th of September, in the week leading up the first year aniversary of the 13 Necessary and Proportionate Principles, Privacy International and the coalition behind the 13 Principles will be conducting a Week of Action explaining some of the key guiding principles for surveillance law reform. Every day, we'll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law. You can read the complete set of posts at: https://necessaryandproportionate.org/anniversary. Let's send a message to Member States at the United Nations and wherever else folks are tackling surveillance law reform: surveillance law can no longer ignore our human rights. Follow our discussion on twitter with the hashtag: #privacyisaright

You do not have to choose between privacy and security. With robust communications systems, we can have both. Yet intelligence agencies such as GCHQ and the NSA have severely injured both, interfering with our privacy rights while simultaneously jeopardizing our security. Over the past year we have learnt how they try to master the internet by hacking into telecommunications providerssabotaging encryption standards and deploying malware on our devices.

By infiltrating our communications technologies, governments, who have an obligation to respect and strengthen the integrity of these technologies, have instead eroded the possibility of secure systems. Their activities violate the key principle of “Integrity of Communications and Systems” of the “International Principles on the Application of Human Rights to Communications Surveillance”.

The Five Eyes’ quest for security has given us widespread insecurity.

Exploiting our devices

Documents released by whistle-blower Edward Snowden have revealed that GCHQ and the NSA work together to intrude on computers and mobile devices. They have developed diverse methods to covertly install malware on devices for surveillance, including tricking internet users to click on a malicious link or injecting malicious data into the transmissions received while browsing common websites.

GCHQ and the NSA gain total control over the device once the malware is installed. They can use it to surreptitiously record conversations and take pictures with the device’s camera and microphone. They can also capture all data on the device, including keystrokes, internet browsing history and passwords.

Apparently dissatisfied with this extent of intrusion, GCHQ and the NSA developed an automated system named TURBINE, which “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually”.

There is no clear or accessible legal regime governing the hacking by either country, so it is unclear how many devices are infected and if any safeguards are in place to limit this system’s scale.

Breaking the Internet

Going beyond targeting individual computers, GCHQ and the NSA attack and exploit the companies that maintain core communications infrastructure. Der Spiegel revealed that GCHQ deployed attacks against the employees of Belgacom, a Belgium telecommunications company. The employees did not pose any legitimate national security concern. They simply had “good access” to critical parts of Belgium’s telecommunications infrastructure that GCHQ wanted to exploit.

It was later revealed that GCHQ and the NSA targeted three German internet exchange points. In addition to collecting internet traffic passing through these points, GCHQ agents looked to identify “important customers” and “future technical trends in their business sector”.

The destructive practices of GCHQ and the NSA make all network users­ vulnerable–and not just intelligence agency targets­­.

  • By inserting surveillance or lawful interception backdoors in hardware and software through secret collaborations, the potential for a “catastrophic loss of communications confidentiality” is increased significantly.
  • Deliberately weakening an encryption standard makes all encrypted information using that standard vulnerable. Encryption is used everywhere in daily life: in our conversations on Skype, electronic medical records, Google searches and financial statements.
  • Breaching the security of a telecommunications system leaves the infrastructure open to further exploitation. For example, by compromising routers and switches, a third party– like a foreign government or a criminal–can infiltrate, shut down or monitor the network.
  • Third parties can exploit the same security flaws that GCHQ and the NSA use. Since the agencies do not disclose the existence of zero day vulnerabilities, other parties can use them undetected to gain access to the device.

Intelligence agencies are trying to subvert the internet into a tool for surveillance. They have undermined our trust in the privacy of our own communications and in the process, endangered the security of the internet.

Taking Action

These practices are not only destructive, but also contrary to the rule of law. This is why Privacy International is challenging GCHQ’s abuses on multiple fronts.

Privacy International in July filed a case in the Investigatory Powers Tribunal (IPT) that demands an end to the unlawful hacking and exploitation of internet service and communications providers. This comes shortly after two other cases filed by Privacy International: one challenges GCHQ’s indiscriminate collection and storage of personal data through the TEMPORAPRISM and UPSTREAM programs while the second is against GCHQ’s hacking of computers and mobile devices.

While the seven internet service and communications providers in third case were not mentioned in the Snowden disclosures, the malice of GCHQ’s surveillance and the threat it poses to communications networks and customers grants them standing in the IPT.

The providers assert that the GCHQ attacks have undermined the goodwill that they rely on, and the trust in the security and privacy of the internet. Together, they are demanding protections for their customers and employees, and an end to GCHQ’s destructive exploitations of the internet.

The providers’ claims are based on the following:

  • By interfering with network assets and computers belonging to the internet and communications service providers, GCHQ has contravened the UK Computer Misuse Act and Article 1 of the First Additional Protocol (A1AP) of the European Convention of Human Rights (ECHR), which guarantees the individual’s peaceful enjoyment of their possessions;
  • Conducting surveillance of the network providers’ employees is in contravention of Article 8 ECHR (the right to privacy) and Article 10 ECHR (freedom of expression);
  • Surveillance of the network providers’ customers that is made possible by exploitation of their internet infrastructure, is in contravention of Arts. 8 and 10 ECHR; and
  • By diluting the internet and communications service providers’ goodwill and relationship with their customers, members and users, GCHQ has contravened A1AP ECHR.

The effects of these destructive practices must be weighed with their benefits. The GCHQ and NSA have failed to assess the effectiveness of their actions in improving security and have yet to demonstrate any credible benefit.

Less, not more, secure

Faith and trust have been lost in both governments and communication networks, thanks to the behaviour of the Five Eyes.

Modern communications technologies have allowed people around the world to connect to one another on an unprecedented scale. Any actions that undermine the integrity of these networks, or that conduct invasive surveillance on individual devices, does long-lasting harm to our security.

Given the interconnectivity of today’s communications, any attacks on systems administrators, internet service and communications providers, or our phones and laptops are an attack on us all. Democratic and legal principles must not be circumvented in the name of security alone. The public must be included in this important debate that negotiates our rights, freedoms and systems. It is time to challenge the presumed effectiveness– and legality­– of the Five Eyes’ destructive practices and weigh their proportionality.