Head of Britain's GCHQ Wants Tech Firms To Co-operate With Spy Agencies Over Encryption

The head of Britain's spy agency- the GCHQ has called for greater co-operation between spies and tech companies in dealing with challenges posed by encryption.

Cyberespionage: Enemy Spies 'Befriend', Recruit And Steal Intel From Targets Through LinkedIn - British MI5

The British intelligence agency - MI5 warns that ‘hostile intelligence services’ are clandestinely targeting Government employees and valuable contacts through the popular social networking site - LinkedIn.

United Kingdom Spy Oversight Court (IPT) Rules That GCHQ Acted Unlawfully Once Again

The U.K.’s Investigatory Powers Tribunal (IPT), the judicial oversight body which handles complaints relating to domestic intelligence agencies, has ruled that GCHQ acted unlawfully in the handling of intercepted communications data in another case brought by civil liberties groups, including Liberty, Privacy International and Amnesty International.

The IPT judged that GCHQ acted unlawfully and breached its own internal policies on interception, examination and retention of emails from two human rights organizations — the Egypt­ian Ini­tia­tive for Per­sonal Rights (EIPR) and the Legal Resources Centre (LRC) in South Africa — thereby breaching their human rights.

The court ruled only that “error” and “technical” failures led to the spy agency to break its internal interception policies.

In the case of the EIPR, the tribunal writes:

… the time limit for retention permitted under the internal policies of GCHQ, the
intercepting agency, was overlooked in regard to the product of that interception,
such that it was retained for materially longer than permitted under those policies.
We are satisfied however that the product was not accessed after the expiry of the
relevant retention time limit, and the breach can thus be characterised as technical

In its ruling pertaining to the LRC it writes that “the procedure laid down by GCHQ’s internal policies for selection of the communications for examination was in error not followed in this case”.

These internal policies are not detailed — with the IPT reiterating its “general duty” to avoid disclosing information that might be “contrary to the public interest or prejudicial to national security … or the continued discharge of the functions of any of the intelligence services”. Which of course has the convenient by-product of making it impossible to judge their judgement.

As regards the legality of intercepting emails from human rights groups, the IPT deems the communications in question were “lawfully and proportionately intercepted and accessed” — citing section 8(4) of RIPA.

However the recent independent review of U.K. surveillance legislation, conducted by David Anderson, condemned the Regulation of Investigatory Powers Act as an incomprehensible patchwork — calling for new oversight legislation to be drafted “from scratch”. The U.K. government has also said it intends to “modernise” surveillance legislation in a forthcoming Investigatory Powers Bill.

“A comprehensive and comprehensible new law should be drafted from scratch, replacing the multitude of current powers and providing for clear limits and safeguards on any intrusive power that it may be necessary for public authorities to use,” wrote Anderson in his review.

The shape of RIPA’s replacement remains to be seen. In the meanwhile the extent of law breaches by U.K. domestic intelligence agencies operating under a problematic patchwork of legislation and, prior to Snowden’s whistleblowing, without parliamentary scrutiny in a climate of near perfect secrecy, is still being determined.

Commenting on the latest IPT ruling in a statement, James Welch, Legal Director for Liberty, said: “Last year it was revealed that GCHQ were eavesdropping on sacrosanct lawyer-client conversations. Now we learn they’ve been spying on human rights groups. What kind of signal are British authorities sending to despotic regimes and those who risk their lives to challenge them all over the world? Who is being casual with human life now?”

It’s the second time the IPT has ruled against GCHQ in a matter of months. Back in February the court judged that data-sharing activities between the NSA and GCHQ had breached European Human Rights law, again after a challenge by civil rights groups.

Despite that ruling the IPT deemed data-sharing activities to have been put on a legal footing since December 2014 — owing to their disclosure (post-Snowden), and the subsequent yielding of details about data-sharing policies and how legal compliance is achieved (not that those details have been made public, of course).

The IPT has previously also ruled that mass surveillance is compatible with human rights principles — although civil rights groups are challenging that position at the European level, in the Court of Human Rights in Strasbourg.

The U.K. government has generally taken a far more hawkish stance on surveillance than European institutions, post-Snowden. Earlier this year Europe’s top rights body, the Parliamentary Assembly of the Council of Europe, adopted a resolution against mass surveillance, characterizing it as a threat to democracy and human rights. And last year the European Court of Justice struck down blanket data retention powers as disproportionate.

The U.K. government responded to the ECJ ruling by fast tracking emergency surveillance legislation. A new Conservative majority government is also now pushing to legislate to expand data capture investigatory powers, even as the NSA’s domestic surveillance capabilities are being curtailed over the pond in the U.S.

The latest IPT judgement confirms GCHQ intercepted the communications of human rights groups — something that U.S. intelligence agencies have also done, according to NSA whistleblower Edward Snowden, who provided details last year in his testimony to the Council of Europe during their enquiry into mass surveillance.

Also last year Snowden spoke out against the ‘anything goes’ privacy intrusions of GCHQ — characterizing U.K. intelligence agencies as having “really no limits on their capabilities”. And when a domestic spy agency is found to have broken its own laws by its own oversight court in multiple instances it seems pretty clear that better limits are needed.

Culled from:
Tech Crunch

How The Dark Web Morphed Into A Virtual Battlefield For Terrorists, Spy Agencies

It's a technological arms race, pure and simple. That's how Jamie Bartlett, author of The Dark Net, sums up the constantly evolving battle in cyberspace between terrorists and the intelligence agencies trying to discover their hidden communications.

U.K. Intelligence Watchdog Defends Nation’s Bulk Data Spying As Necessary

LONDON — A British intelligence watchdog defended U.K. security agencies’ bulk online data collection on Thursday but called for a new law to clarify the agencies’ “intrusive powers” to help improve public trust.

U.K Spy Court Declares Information Sharing Between NSA And GCHQ Illegal

The UK's Investigatory Powers Tribunal (IPT) has ruled that the information sharing between the NSA and GCHQ was unlawful up until December 2014.

The Great SIM Heist: How Spy Agencies Stole Encryption Keys Protecting Privacy of Cellphones

SIM Cards

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

British Security Services Capable Of Bypassing Encryption, Draft Code Reveals

Britain’s security services have acknowledged they have the worldwide capability to bypass the growing use of encryption by internet companies by attacking the computers themselves.

Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise

The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.

Operation Auroragold: How The NSA Hacks Cellphone Networks Worldwide

In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military’s Africa Command needed help to hack into Libya’s cellphone networks and monitor text messages.

Anti-Terrorism Algorithms: How Your Name, Internet Activity Could Make You A Terror Suspect

Anti-terrorism algorithms - Photograph: David Gunn/Getty Images

Does the stuff you post on the internet make you look like a terrorist? Is the rhythm of your typing sending the wrong signals? The government wants sites such as Google and Facebook to scan their users more closely. But if everything we do online is monitored by machines, how well does the system work?

Should our future robot overlords decide to write a history of how they overcame their human masters, late 2014 will be a key date in the timeline. Last week, an official report from the parliamentary intelligence and security committee handed over responsibility for the UK’s fight against terrorism, or at least part of it, to Facebook’s algorithms – the automated scripts that (among other things) look at your posts and your networks to suggest content you will like, people you might know and things you might buy.

Assessing the intelligence failures that led to the murder of Fusilier Lee Rigby at the hands of two fanatics, the committee absolved MI5 of responsibility, in part because the agency was tracking more than 2,000 possible terrorists at the time – far more than mere humans could be expected to follow. Instead, they placed a share of the blame on Facebook – which busily tracks its one billion users on a regular basis – for not passing on warnings picked up by algorithms the company uses to remove obscene and extreme content from its site. David Cameron agreed, and promised new laws, so it’s possible that soon Google, Facebook and co won’t just be scanning your messages to sell you stuff – they will be checking you are not plotting the downfall of western civilisation too.

Between the NSA’s automatic systems, social media tracking and more, everything you do is being overseen by the machines – but what might make you look suspect? Here are just a few examples.

Say the wrong thing

We already know that saying something stupid on social media can bring unwanted attention from the law. In 2010, a trainee accountant called Paul Chambers tweeted: “Crap! Robin Hood airport is closed. You’ve got a week and a bit to get your shit together otherwise I’m blowing the airport sky high!!” Those 134 characters, seen by an airport worker, led to arrest by anti-terror police, a conviction and three appeals, and cost Chambers two jobs before a crowdfunded legal campaign got the conviction quashed.

With the capability – and maybe soon the legal requirement – for algorithms to scan every social media post for problematic phrases, the potential for trouble increases exponentially. One way a machine might assess your content is through lists of keywords: a message containing one or two of these might not trigger an alert, but too many, too close together, and you are in trouble. Take a message such as: “Hey man, sorry to be a martyr, but can you get round to shipping me that fertiliser? I really do need it urgently. Thanks, you’re the bomb! See you Friday, Insha’Allah.”

An algorithm designed to flag content that might be inappropriate – triggering perhaps automated deletion, or account suspension – would have a much lower threshold than one sending a report to an intelligence officer suggesting she spend the rest of her day (or week) tracking an individual. How should the tool be tuned? Too tight and it will miss all but the most obvious suspicious messages. Too lax and the human operators will be drowning in cases.

In practice, algorithms designed to police content are set far more loosely than those to catch terrorists: keywords for intelligence agencies are more likely to be focused: names of particular individuals, or phrases picked up from other suspects.

Algorithms can get far cleverer than simply using keywords. One way is to pick up subtle ways in which messages from known terror suspects vary from the main population, and scan for those – or even to try to identify people by the rhythm of their typing. Both are used to a degree now, but will spread as they become better understood.

However sophisticated these systems are, they always produce false positives, so if you are unlucky enough to type oddly, or to say the wrong thing, you might end up in a dragnet.

Data strategist Duncan Ross set out what would happen if someone could create an algorithm that correctly identified a terrorist from their communications 99.9% of the time – far, far more accurate than any real algorithm – with the assumption that there were 100 terrorists in the UK.

The algorithm would correctly identify the 100 terrorists. But it would also misidentify 0.01% of the UK’s non-terrorists as terrorists: that’s a further 60,000 people, leaving the authorities with a still-huge problem on their hands. Given that Facebook is not merely dealing with the UK’s 60 million population, but rather a billion users sending 1.4bn messages, that’s an Everest-sized haystack for security services to trawl.

GCHQ, in Cheltenham, Gloucestershire. The British government, like the US, has data on millions of ordinary people. Photograph: EPA

Share the wrong link

It’s pretty hard for machines right now to know exactly what we mean when we talk, so it is much easier for them to look for some kind of absolutely reliable flag that content is suspect. One easy solution is to use databases of websites known to be connected to extremists, or child abuse imagery, or similar. If you share such a link, then it is a pretty reliable sign that something is awry. If you do it more than once, even more likely that you are a terrorist. Or a sympathiser. Or a researcher. Or a journalist. Or an employee of a security agency …

If the database is accurate, this system works (sort of). The problems come if they are crowdsourced. Many major sites, such as YouTube, work in part through user-led abuse systems: if a user flags content as inappropriate, they are asked why. If enough people (or a few super-users) flag content for the same reasons, it triggers either suspension of the content (or user), or review by a human moderator. What happens when the pranksters of 4chan decide, en masse, to flag your favourite parenting website? Other systems rely on databases supplied by NGOs or private companies, which are generally good, but far from infallible.

Anyone who has got an “adult content warning” browsing the internet on their mobile – where first world war memorials, drug advice sites, and even Ada Lovelace Day have fallen foul of O2 filters, for example – might be a little alarmed.

Know the wrong people

Everyone knows that hanging out with the wrong crowd can get you in trouble. Online, the crowd you hang out with can get pretty big – and the intelligence agencies are willing to trawl quite a long way through it.

We know, post-Snowden, that the NSA will check up to “three hops” from a target of interest: one hop’s your friends, two hops is friends of friends, and three hops drags in their friends too. Given that, thanks to Kevin Bacon, we know six hops is enough to get to pretty much anyone on the planet, three hops is quite a lot of people. If the NSA decided I was a target of interest, for example, that could drag in 410 Facebook friends, 66,994 friends of friends, and 10.9 million of their pals. Sorry, guys.

Obviously no agency on the planet would manually review 66,994 of anyone’s contacts (let alone nearly 11 million), but if a few of those second- or third-degree contacts happened to also be in the networks of other people of interest to the NSA, then their odds of being scrutinised rockets.

The potential of these huge, spiderlike networks-of-networks is an exciting one for the agencies. They don’t always live up to the hype, though. According to Foreign Policy magazine, General Keith Alexander, the former head of the NSA, was an enthusiastic advocate for bulk surveillance programmes. In his bid to convince colleagues of their worth, he could be seen giving briefings in the Information Dominance Center, pointing to complex diagrams showing who knew who – including some places being called by dozens of people in the network. Maybe the data had found the kingpin?

“Some of my colleagues and I were sceptical,” a former analyst told the magazine. “Later, we had a chance to review the information. It turns out that all [that] those guys were connected to were pizza shops.”

Have the wrong name

With all the talk of “smart analytics” and “big data”, it is easy to forget that a lot of automatic systems will unthinkingly dive on anything that looks like a target. If you are unlucky enough to have the same name as a major terror suspect, your emails, messages and more will almost certainly have ended up in at least one intelligence agency database.

Things get even worse with no-fly lists: because of clerical errors, false flags on names or similar, for the first few years after 9/11, some unfortunates were detained on dozens of occasions flying around the US, and even imprisoned. These included Stanford academic (and US citizen) Rahinah Ibrahim, who uses a wheelchair. She had been flagged when someone hit the wrong checkbox on an online form, as she learned only years later through a court challenge. Only after several court battles was the system tidied up, and some people still need to fly with letters – to show to humans – stating that they are absolutely, definitely, not a terrorist, no matter what the computer says.

The National Security Agency’s HQ in Fort Meade, Maryland. Photograph: Greg E Mathieson/Rex Features

Act the wrong way

It is possible that, mindful of companies tracking you for ads, governments tracking you to keep you safe, and schoolfriends tracking you down to show baby pictures, you have decided to try to use the internet a bit more privately.

One way might have been to install software such as Tor, which, when used properly, anonymises your internet browsing. The US navy helped develop the software, which receives public money to this day for its role in protecting activists in dictatorships around the world. At the same time, though, British and US spies decry the hiding place it offers to terrorists, serious criminals and others. According to the Snowden files, GCHQ and the NSA constantly attempted to break and track the network, created special measures to save traffic of Tor users, and even constructed some malware tools that would target any Tor users who happened upon a site hosting the virus. The sophisticated attack used problems in browser software to allow almost total access to any compromised computer.

Do nothing at all

In the online era, there is every possibility that you could fall into surveillance without ever posting, acting or associating suspiciously. With so much traffic flowing across the internet, it is sometimes easier for intelligence agencies to collect everything they see rather than targeting particular people – so sometimes even merely using the most innocuous or esoteric web services can get your pictures into agency databases. It is unlikely to lead to your impending arrest, and could well never be read by an actual human – but it would be there all the same.

One example is a GCHQ system codenamed OPTIC NERVE that was designed to capture images from every Yahoo webcam chat picked up by GCHQ’s bulk-intercept system. The capability was created, Snowden documents suggested, because some GCHQ targets used the webcam software – and so the agency picked up everything it could. Our poor spies quickly discovered that lots of people – up to 11% of users – rely on such webcam services to exchange “adult” moments, and staff had to be issued with advice on how to avoid seeing such smut. Such are the hazards of snooping: you set out to find terrorists, and end up building (probably) the world’s largest porn collection.

Another place the agencies saw some of their targets was in the world of online gaming. Noticing suspects playing online role-playing games, or messing with Angry Birds, the agencies responded to cover those areas of the internet too. GCHQ documents show the agency analysed how to read and collect information sent back and forth from that and other online games, including how to extract and store text in bulk from some game chatrooms. Other GCHQ analysts managed to wangle the geek’s dream assignment of becoming human agents in online games, including Second Life and World of Warcraft.

One way to avoid such unwanted attention might be to stick with console shoot-’em-ups: play this sort of game on Xbox Online, and you are more likely to see a GCHQ hiring advert than fall foul of surveillance. If you can’t beat ’em, why not join ’em?

Source:

The Guardian, UK

UK Prime Minister - David Cameron Wants Google, Facebook an WhatsApp To Monitor Terrorist Threats

The report into the death of Lee Rigby makes it clear that the British security services wants to force companies like Google, Facebook and Whatsapp to co-operate with investigations, but lack the legal tools to enforce requests.

WhatsApp Starts Encrypting Messages

WhatsApp has turned on an encryption system to protect messages sent with the Android version of its app.

To Fight Terrorism, Follow The Money – And Stop It _ David Blunkett

We must be proactive in investigating and penalising all those who are funding terrorist organisations.

Beware Of Free Wi-Fi In Public Places; 'DarkHotel' Hackers Are On The Loose

A popular saying goes thus: 'nothing is absolutely free in life, not even in Freetown'. Individuals and corporate organizations are been warned about ongoing hack attacks that target hi-tech entrepreneurs and other corporate executives in their hotel rooms.

UK Government 'Routinely' Spies OnLawyers

Legal policies which allow the UK intelligence agencies MI5, MI6 and GCHQ to access confidential privileged communications between lawyers and clients were disclosed in court today.

Britain's Spy Chief Accuses United States Tech Firms Of Aiding Terrorism

GCHQ Director - Robert Hannigan

Technology giants such as Facebook and Twitter have become "the command and control networks of choice" for terrorists and criminals but are "in denial" about the scale of the problem, the new head of GCHQ has said.

ISPs Take Legal Action Against British Spy Agency - GCHQ for 'Attacking International Infrastructure'

A coalition of international internet service providers (ISPs) and European hackers have filed a legal complaint against GCHQ for their “attacking and exploitation of network infrastructure”.

The complaint, lodged with the Investigatory Powers Tribunal, claims that the British spy agency’s actions are “not only illegal, but are destructive [and] undermine the goodwill the organisations rely on.”
The complaint has been filed by Riseup (US), GreenNet (UK), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (Korea), May First/People Link (US), the Chaos Computer Club (Europe’s largest association of hackers) and Privacy International.

Citing a number of articles from Der Spiegel and the Intercept, the companies accuse GCHQ of a number of damaging activites, including:
Targeting employees of Belgian telecommunications company Belgacom with malware through a highly developed attack named “Quantum Insert”
Using a number of “man on the side” attacks in collaboration with GCHQ to covertly inject data into existing connections to infect users
Creating an automated system named Turbine to control “millions of implants” by groups instead of as individuals Targeting three German internet exchange points with the NSA to spy on “all internet traffic coming through the nodes, and identify ‘important’ customers”
While the claimants were not named as direct targets in the Snowden leaks, they claim that “given the interconnectedness of the internet, the surveillance being carried out by GCHQ and NSA detailed in the articles could be carried out against any internet and communications providers."

Eric King, deputy director of Privacy International, said: "These widespread attacks on providers and collectives undermine the trust we all place on the internet and greatly endangers the world's most powerful tool for democracy and free expression."
Privacy International has previously filed two other cases against GCHQ, with the most recent forcing the government to issue a 48-page statement defending its mass surveillance practices.

The Independent