Industrial espionage by TLA's

Peter Fairbrother zenadsl6186 at zen.co.uk
Wed Jan 29 16:43:41 GMT 2014 

On 29/01/14 12:37, Brian L Johnson wrote:
> On Wed, 29 Jan 2014 12:28:58 -0000, Peter Fairbrother
> <zenadsl6186 at zen.co.uk> wrote:
>
>> On 28/01/14 22:36, Brian L Johnson wrote:
>>>
>>> Tom Watson recently posted this on Twitter:
>>>
>>> tom_watson @tom_watson 2h
>>>
>>> "Huge swath of GCHQ surveillance is illegal, says top lawyer":
>>> http://www.theguardian.com/uk-news/2014/jan/28/gchq-mass-surveillance-spying-law-lawyer
>>>
>>> … I'd appreciate your help in sharing this story.
>>>
>>
>> Got a link for the opinion please?
>>
>> Jemima Stratford is quoted as saying Ripa does not allow mass
>> interception of contents of communications between two people in the
>> UK, even if messages are routed via a transatlantic cable. I agree
>> with her conclusion, but I'd like to see her reasoning.
>
> http://www.tom-watson.co.uk/wp-content/uploads/2014/01/APPG-Final.pdf

Thanks Brian.

I find the opinion a bit lacking - here I'll only comment on paragraphs 
1 to 26 as I haven't read it all, and I don't know much about EU law 
anyway, just a bit about RIPA.


Jemima Stratford QC goes through the law, some comments by Lord Bassam, 
and the statutory CoP and concludes, in para 26:

"In summary therefore, RIPA only entitles the UK security services to 
intercept bulk contents data where at least one party to the 
communication is located outside the British Isles.



I have some doubts about quite what this means. The relevant wording in 
RIPA is "" external communication” means a communication sent or 
received outside the British Islands".

In other definitions in RIPA, eg in the definition of interception in 
subsection 2(2), the wording "intended recipient" is frequently used - 
here the wording is different, and is such that if the communication is 
actually received outside the UK, whether by the intended recipient or 
by another, the communication is external.

As an example, suppose Alice in the UK sends Bob in the UK an email to 
Bob's Hotmail address. To deny that the email is actually received by a 
Hotmail server in the US email is fairly specious.

For synchronous communications like telephone calls the situation is 
somewhat less obvious, but eg if the call goes via satellite it is at 
some point received by the satellite - if it wasn't the satellite would 
not be able to forward it.




Miss Stratford continues:
"Thus the activities described in scenario (a) are unlawful as contrary 
to RIPA."

Scenario a is: "The Government Communications Headquarters (‘GCHQ’) have 
intercepted bulk electronic data sent between two persons located in the 
UK, but transmitted along fibre-optic cables which run between the UK 
and the United States. The electronic data arise from internet, email 
and telephone use"

This is a little wooly. If the word "bulk" is excluded then it makes 
sense, otherwise not. I thinks she means GCHQ intercepted bulk data on 
the cable, which included messages sent between two persons located in 
the UK.



Again I have doubts about what Miss Stratford means. The the description 
of the communications which can be intercepted in a RIPA ss.8(4) 
certificated warrant cannot include internal communications - but under 
  ss.5(6) a warrant also allows "(a) all such conduct (including the 
interception of communications not identified by the warrant) as it is 
necessary to undertake in order to do what is expressly authorised or 
required by the warrant".





As a matter of practicality, suppose GCQH are intercepting some or all 
communications on a cable under a certificated ss8(4) warrant to 
intercept external communications of some type. They will obviously need 
to look at the actual traffic on the cable in order to to this.

Let's consider Alice's email to Bob at hotmail.com. Even if messages meant 
for persons in the UK are not to be intercepted, how are GCHQ to know 
whether Bob is in the UK? Or Alice for that matter?

The traffic data attached to the email won't tell them - Bob could be 
anywhere. He could be in the UK when the message was sent, and outside 
the UK when he picked it up from the US Hotmail web server.


In fact if GCHQ do not already know who Bob is, he could be anybody, as 
well as anywhere. He could be Bob in Dagenham, or Roberto in Spain, or 
Ali Robber Baron in Afghanistan. There is simply no way for GCHQ to tell 
from the traffic data whether the email is meant for a person in the UK 
or not.


Next, consider an email where a standard hop goes outside the UK but 
both the sender and the intended recipient's initial and final mail 
servers are in the UK. GCHQ will be able to tell this from the routing 
information, in many but not all cases - it is trivial to forge "from" 
addresses on emails, and this is often done for legitimate privacy purposes,

GCHQ may sometimes be able to tell that the persons are in the UK, but 
in most cases they will not be able to with any degree of surety - in 
general the intended recipient of an email can collect it from anywhere 
in the world.


As far as synchronous communications are concerned, the situation is not 
much better. For fixed line telephony it is fairly easy to tell where 
the sender and intended recipient are - sometimes. At other times it 
can't be done, for instance the use of cheap phone cards where the 
caller calls a UK number in order to call a foreign number.

[Sorry, I got called away - an example for hard to identify origin and 
destination country for internet traffic should go in here]

The initial point is, GCHQ has a warrant to intercept traffic on some 
cable, and it is genuinely very hard, and often impossible, for them to 
tell whether the traffic they are intercepting is external or not.



As the warrant allows them to do " all such conduct (including the 
interception of communications not identified by the warrant) as it is 
necessary to undertake in order to do what is expressly authorised or 
required by the warrant" they are legally allowed to intercept (and 
analyse) internal traffic as well as external traffic.

In part they can do this to determine whether it is internal or external 
traffic, but also as they cannot determine (or cannot be certain) 
whether traffic is external or not, they most likely just run all the 
traffic through their analyses. They will claim it is too much work to 
sort it, and unreasonable to ask them to.


So then they will have, in practice, intercepted and analysed the 
internal traffic on the cable quite lawfully under RIPA. All of the 
internal traffic on the cable.



I don't quite know what they do after the analysis if the traffic is 
later shown to be internal. However I don't think they chuck it away - I 
think it could legally be used as intelligence (but not as evidence, as 
evidence from interceptions is excluded from the Courts), but I am not a 
lawyer.


While I am in no way certain that I am correct in what I say above 
(actually I disagree with much of it), these lines of thought do deserve 
to be followed.

And I am of the opinion that in practice and as a general measure, GCHQ 
do intercept and analyse all the traffic which enters or leaves the UK 
on the cables they monitor.

-- Peter Fairbrother

More information about the ukcrypto mailing list