Police Oracle announced that Commissioner of the City of London Police Adrian Leppard has announced his retirement. Will this come in to effect before the Investigatory Powers Bill is scrutinised by Parliament in the autumn ?

City of London Police are supposed to be the UK National Policing lead for preventing economic crimes. They run two controversial private industry funded national units Police Intellectual Property Crime Unit (PIPCU) dealing with "intellectual property" and counterfeit goods and the
Dedicated Cheque and Plastic Crime Unit (DCPCU)

It is therefore very peculiar that Commissioner Adrian Leppard should put his name to this New York Times Op Ed article, attacking Apple and Google mobile phone handset encryption. How many billions of pounds of UK economic secrets are protected by such
encryption on mobile phones belonging to City of London financial industry workers ?

Commissioner Leppard should be collecting hard evidence of the numbers and types of of mobile phones his officers have actually seized as evidence and the numbers reported lost or stolen, with and without strong encryption enabled (N.B. only recent versions of Android can do this and the feature is not switched on by default)
so that he can inform the Investigatory Powers Bill scrutiny with some facts rather than cherry picked handwaving examples, which is the usual inadequate or deliberately deceitful Home Office and Police

Don't hold your breath though, as Commissioner Leppard is seemingly ignorant of some of the basics of today's internet protocols
UK Police: Enforcement won't work against a piracy

When Phone Encryption Blocks Justice

By CYRUS R. VANCE Jr., FRANÇOIS MOLINS, ADRIAN LEPPARD and JAVIER ZARAGOZAAUG. 11, 2015

Cyrus Vance Jr. , clearly the main author of this article, is the son of the Washington political insider Cyrus Vance who is associated with several US Foreign Policy disasters such as the end of the Vietnam war and the Iran hostage crisis.

Like previous New York public prosecutors (these are political appointments), he may well be trying to stir up political support for a future political career, like Rudy Guiliani

In June, a father of six was shot dead on a Monday afternoon in Evanston, Ill., a suburb 10 miles north of Chicago. The Evanston police believe that the victim, Ray C. Owens, had also been robbed. There were no witnesses to his killing, and no surveillance footage either.

With a killer on the loose and few leads at their disposal, investigators in Cook County, which includes Evanston, were encouraged when they found two smartphones alongside the body of the deceased: an iPhone 6 running on Apple's iOS 8 operating system, and a Samsung Galaxy S6 Edge running on Google's Android operating system. Both devices were passcode protected.

An Illinois state judge issued a warrant ordering Apple and Google to unlock the phones and share with authorities any data therein that could potentially solve the murder. Apple and Google replied, in essence, that they could not -- because they did not know the user's passcode.

The homicide remains unsolved. The killer remains at large.

Until very recently, this situation would not have occurred.

Last September, Apple and Google, whose operating systems are used in 96 percent of smartphones worldwide, announced that they had re-engineered their software with "full-disk" encryption, and could no longer unlock their own products as a result.

According to Apple's website: "On devices running iOS 8.0 ... Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user's passcode, which Apple does not possess."

A Google spokeswoman said, "Keys are not stored off of the device, so they cannot be shared with law enforcement."

Now, on behalf of crime victims the world over, we are asking whether this encryption is truly worth the cost.

Not only is this strong encryption worth the cost, there should, in fact be much more of it, switched on by default.

Between October and June, 74 iPhones running the iOS 8 operating system could not be accessed by investigators for the Manhattan district attorney's office -- despite judicial warrants to search the devices. The investigations that were disrupted include the attempted murder of three individuals, the repeated sexual abuse of a child, a continuing sex trafficking ring and numerous assaults and robberies.

Criminal defendants have caught on. Recently, a suspect in a Manhattan felony, speaking on a recorded jailhouse call, noted that "Apple and Google came out with these softwares" that the police cannot easily unlock.

Apple, Google and other proponents of full-disk encryption have offered several rationales for this new encryption technology. They have portrayed the new policy as a response to the concerns raised by Edward J. Snowden about data collection by the National Security Agency. They say full-disk encryption makes devices generally more secure from cybercrime. And they assert that, if the companies had master encryption keys, then repressive governments could exploit the keys.

These reasons should not be accepted at face value. The new Apple encryption would not have prevented the N.S.A.'s mass collection of phone-call data or the interception of telecommunications, as revealed by Mr. Snowden. There is no evidence that it would address institutional data breaches or the use of malware. And we are not talking about violating civil liberties -- we are talking about the ability to unlock phones pursuant to lawful, transparent judicial orders.

The NSA is not the only threat to privacy and security, how would Vance & his co-signatories protect our privacy and financial information from criminals and terrorists and hostile foreign intelligence agencies who may steal or access such secrets held on mobile phone handsets ?

In the United States, Britain, France, Spain and other democratic societies, the legal system gives local law enforcement agencies access to places where criminals hide evidence, including their homes, car trunks, storage facilities, computers and digital networks.

Carved into the bedrock of each of these laws is a balance between the privacy rights of individuals and the public safety rights of their communities. For our investigators to conduct searches in any of our jurisdictions, a local judge or commissioner must decide whether good cause exists. None of our agencies engage in bulk data collection or other secretive practices. We engage in targeted requests for information, authorized after an impartial, judicial determination of good cause, in which both proportionality and necessity are tested.

Nonsense. There is is no independent judicial warrant involved in most UK mobile phone handset searches or seizures - these are self authorised by the UK police themsleves.

It is this workable balance that proscribes the operations of local law enforcement in our cities, and guides our residents in developing their expectations of privacy. But in the absence of laws that keep pace with technology, we have enabled two Silicon Valley technology companies to upset that balance fundamentally.

The Evanston case is just one example. In France, smartphone data was vital to the swift investigation of the Charlie Hebdo terrorist attacks in January, and the deadly attack on a gas facility at Saint-Quentin-Fallavier, near Lyon, in June. And on a daily basis, our agencies rely on evidence lawfully retrieved from smartphones to fight sex crimes, child abuse, cybercrime, robberies or homicides.

Note the weasel words "smartphone data" - this is not SmartPhone handset encrypted data held on the internal or external microSD card or in the local address book or locally saved SMS message which is what the rest of this article is talking about.

Over the air SmartPhone metadata may have been used in the hunt for the Charlie Hebdo murderers (who brazenly called TV news stations whilst on the run), but there are no reports of any mobile phone handset encryption being used at all.

The murderers had been under full telephone monitoring and intercept for months previously, with nothing to alert the authorities.

It turns out the wives of the murderers had been in contact with each other hundreds of times, but the murderers themselves had stuck to face to face meetings.

Full-disk encryption significantly limits our capacity to investigate these crimes and severely undermines our efficiency in the fight against terrorism. Why should we permit criminal activity to thrive in a medium unavailable to law enforcement? To investigate these cases without smartphone data is to proceed with one hand tied behind our backs.

Nonsense. None of the Mobile Phone network generated calling pattern or physical location metadata is affected by "full disk encryption" - none of it is actually stored on the SmartPhone handset anyway. This is all accessible to law enforcement with a judicial warrant, or, in the UK, without one at all.

The new encryption policies of Apple and Google have made it harder to protect people from crime. We support the privacy rights of individuals. But in the absence of cooperation from Apple and Google, regulators and lawmakers in our nations must now find an appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes. The safety of our communities depends on it.

Cyrus R. Vance Jr. is the Manhattan district attorney. François Molins is the Paris chief prosecutor. Adrian Leppard is the commissioner of the City of London Police. Javier Zaragoza is the chief prosecutor of the High Court of Spain.

Last week the US Government admitted to a second massive security failure within a year at the Office of Personnel Management, which holds human resources details on all 4 million or so current and former Federal Government employees.

These systems appear to have been hacked for over a year and most if not all of the data has been exfiltrated, allegedly to China (not a firm attribution, given how easy it is to leave fake clues in malware).

usopm_4_june_2015.png

As the OPM announcement of 4th June 2015 makes clear, this puts millions of people at risk of financial fraud via so called "identity theft".

However, things are much, much worse than mere "identity theft". It is now reported that the copied data includes the completed SF86 Questionnaire for National Security Positions forms (127 pages 7.4Mb .pdf also mirrored here in case you are blocked from accessing a US government website) and perhaps the results of Background Information interviews and checks for the highest levels of security clearances, not just for ordinary Federal bureaucrats, but also for Intelligence Agency personnel.

It should be obvious how a Foreign Intelligence agency could be assisted in finding potential sources / agents / traitors to suborn, through bribery or blackmail or appeals to ideology or religion, who have listed their financial, marital, medical or other personal details and problems on such forms.

It should be obvious how a Foreign Counter Intelligence Agency could use the information revealed in this form on relatives and contacts living abroad, as well as the Passport or ID Card numbers of the applicants for security clearance and those of their families.

Given the closeness of the Intelligence Agencies of the United Kingdom and the United States of America, it is not unreasonable to ask:

1) When was the UK government informed of the OPM security breach ? The admission came only last week, but the breach appears to have been discovered in April and the security breaches seem to have been active for over a year.

2) How many UK nationals holding US security clearances are affected ?

3) What is the UK government doing to protect them ?

4) Given the similar nature of United Kingdom security vetting systems i.e. an allegedly secure Web Portal, a long and complicated Security Vetting form submitted online (possibly insecurely due to the reliance on an Adobe plug-in which only worked in insecure versions of Microsoft Internet Explorer - only changed recently) and a back end Oracle database, what evidence rather than mere assertions, is there that UK systems like the Defence Business Services National Security Vetting Portal has not been attacked and similarly compromised ?

nsv.mod.png

5) Who, if anyone, has audited the UK systems in the light of the OPM disaster and when will their report be published ?

N.B. This should be a task that the Intelligence and Security Committee should have been working on, but they stopped working 2 months before the General Election and a new Committee has still not yet been appointed.

6) Given the push for cost savings and a possible rationalisation of the disparate GCHQ, Security Service MI5 and Secret Intelligence Service SIS/MI6 security vetting systems onto a common platform, as recommended by the Intelligence and Security Committee Annual Report 2011 pages 79 - 80, is it safe to do so ?

7) Why isn't the Government pro-actively reassuring the public about these National Security worries by ordering independent security penetration tests of these systems right now, and publishing the outcomes (but obviously not any detailed vulnerabilities found) instead of their lazy and corrupt policy of Neither Confirm Nor Deny ?

8) Why aren't professional journalists and Parliamentarians holding the Government to account by asking such questions instead of Spy Blog ?

This Royal Navy whistleblower is absent without leave, but claims he will give himself up to the police soon.

William_McNeilly_Passport_and_Royal_Navy_ID.png

My name is William McNeilly. I am an Engineering Technician
Submariner for the UK's Trident II D5 Strategic Weapons System.
I sent this report on the 05/05/15 to every major newspaper,
freelance journalists, and whistleblower I could find.
It is now the 12/05/15. Ive had one email reply

so he published it on scribd as a .pdf

http://www.scribd.com/doc/265119365/The-Sec-ret-Nuc-lea-r-Th-re-At

Creator : Microsoft® Word 2013
Modify Date : 2015:05:14 20:04:06+01:00
Author : William Mcneilly
Create Date : 2015:05:12 20:10:06+01:00

Clearly he was not thinking clearly or else nobody gave him any sensible whistleblowing advice:

Why did William McNeilly expect a reply from any UK newspapers etc. only 2 days before the General Election of the 7th of May ?

The Sunday Herald seems to be the first media outlet to publish the whistleblower allegations, early on Sunday 17th May2015:

Trident whistleblower says nuclear subs are insecure, unsafe and 'a disaster waiting to happen'

N.B. The story was mentioned on their Twitter feed on Saturday night

https://twitter.com/newsundayherald/status/599677536113729536
9:47 PM - 16 May 2015

WikiLeaks have jumped on the bandwagon by publishing their "exclusive" version of what he probably sent them on 5th May, some 20 hours after The Herald

https://www.wikileaks.org/trident-safety/

https://twitter.com/wikileaks/status/600046188851757056/photo/1
10:12 PM - 17 May 2015

and 10 hours after the Scottish National Party (which opposes Trident) had issued a press release.

"Safety blunders & security lapses" at Faslane
Sun, 17/05/2015 - 11:55

He has also updated his Facebook page, and published images of his UK passport and his Royal Navy ID Card.

This whistleblower has eschewed anonymity, but seems to be trying to keep his physical location secret for now.

The security and safety allegations need to investigated immediately by the Ministry of Defence, not just by the Navy on its own and a Minister needs to make a statement to Parliament and the public

McNeilly claims to have infiltrated the Trident program on purpose, to gather information on it, by working hard and passing the engineering courses with distinction.

I knew I had to get assigned to a boat and go on patrol as soon as possible in order to gather this information. Fast Track to a Leading Engineer was the answer. If I got fast tracked I would be on the first available boat after training. I worked hard day and night, and at the end of the 10 week course I had the achieved the highest test result on average out of a 20plus people on the SMQ course. At the end of SMQ dry training No-one received fast track. However the achievement went onto my JPA record. There was just one course left, one last shot.. The

Trident Training Facility (TTF). At the end the course I was told I had more SWS (Strategic Weapons System) knowledge than most of the supervisors onboard. It was a nice compliment but I doubt it. I was awarded Fast Track to Leading Engineering Technician and received an award for best student.

Just weeks after passing out of training I had a draft for HMS Victorious. My work mates started calling me a terrorist robot because I remembered everything and I have a Northern Ireland accent. This reputation would have undoubtedly made it difficult for me to gather information. I needed to create distance between them, and create a new persona; I aimed for mixture of dumbness and eagerness to learn for simple curios reasons. Within days of being on patrol I was no longer the terrorist robot, soaking up all the information for terrorist reasons. Playing dumb came easy for me, I've been doing it and been it most of life. It makes people open up and explain a lot more. If someone assumes you know something they might leave that part out of the conversation, meaning you've just lost information which might have been valuable. It also helps with getting out of certain situations. I watched a lot of Columbo when I was a kid.


Apart from the safety hazards he himself apparently witnessed, he seems to have collected reports and ancedotes from his ship mates about HMS Victorious on which he was posted, but also on the lucky / unlucky HMS Vanguard.


He warns about the lax checking of military ID cards, the lack of adherence to top secret security procedures and the lack of enforcement of the bans on prohibited items such as mobile phones with cameras, BlueTooth devices (in the Trident missile room) and e-cigarettes.

Clearly no effective crackdown on mobile phones (with cameras) has happened on Trident nuclear missile submarines since the 2012 spy case invovling Edward Devenney, a depressed, drunken HMS Vigilant Petty Officer, who like McNeilly, is also from also from Northern Ireland.

RN Trident submariner wannabe spy jailed for 8 years - used mobile phone to contact Russian Embassy, but caught in MI5 sting

Devenney stupidly phoned the Russian embassy offering to sell secrets, which he was able to photograph and smuggle onshore with his mobile phone. Thankfully the "Russians" he thought he was talking to were MI5 agents, although there are still unanswered questions why he was not spotted as a security risk - passed over for promation, depressed, drinking heavily.

McNeilly alleges;

This contains references to CB8890: The instructions for the safety and security of the Trident II D5 strategic weapon system. I'm sure all the Strategic Weapon System (SWS) personnel are scratching their heads and wondering how I'm writing this on my personnel laptop and referencing a book, which is contained within a safe in the Missile Control Centre (MCC). The MCC is the compartment used to control the launch of the nuclear missiles. It can only be accessed by people on the access list, and no personnel electronics are allowed. I was on the access list but how could I have gotten a copy of every single chapter on to my phone? A hidden camera? No. Smuggled the book out then filmed it? No. What I did was walk into a room were no recording devices are allowed. I sat down; took my Samsung Galaxy SII (white) out of my pocket, and recorded the entire book word for word. I held the phone still, about a foot in front of my face and anyone who looked at the screen or used common sense, would've seen I was recording. There were other SWS personnel in the room; in the video you can see a SWS JR about 3 feet in front of me talking to another SWS JR sitting right beside me. You probably think that's impossible but I've got the evidence to prove it. The complete lack of concern for security worries me. The fact is it would've been even easier for me to cause a nuclear catastrophe than to gather that information, and gathering that information was actually quite simple, due to the amount of ignorance.

McNeilly also notes a couple of crew mates who seem to be aggressive and unstable, so perhaps the psychological monitoring of Trident nuclear missile submarine crews has not improved since the Devenney case either.

McNeilly's own mental state is, of course, being questioned by the anonymous Royal Navy press briefings, but they do seem to confirm that he is a genuine Trident submariner, who has not yet revealed anything which damages national security.
e.g. BBC:

Navy probes leaked Trident safety claims

As one would expect, the Royal Navy is trying to downplay any security or safety issues with the Trident nuclear missile system, but, given the involvement of SNP politics, it is doubtful if they will be believed, unless there is a fully transparent independent inquiry.

Hopefully the Government will not try to prosecute this whistleblower.

When you write to your MP, sometimes they do sometimes elicit a response from Government Ministers (or at least their civil servants).

If only Spy Blog had the necessary skills and tools to hand, to use fingerprints and DNA analysis, to examine more closely what looks like an original letter from Theresa May, the Home Secretary, which has been forwarded to us:

Text:

Home Secretary

Home Office
2 Marsham Street, London SW1P 4DF
www.gov.ukhomeoffice

Rt Hon Dr Vince Cable MP
2A Lion Road
Twickenham
TW1 4JQ

RECEIVED 3 March 2015
26 FEB 2015

CTS Reference: M1775/15

Thank you for your letter of 30 January on behalf of your constituent,

[name & address redacted]

who wrote to you to express concerns about the Counter Terrorism and Security Act 2015 (CTSA).

It is the first duty of Government to protect the public. Our law enforcement and intelligence agencies must have access to the tools they need, subject to robust safeguards, to keep us safe from terrorists and organised criminals. Communications data -- the who, where, when and how of a communication, but not its content -- is a vital tool in the investigation of crime and safeguarding the public. It has been used in 95 per cent of serious and organised crime investigations handled by the Crown Prosecution Service and every major Security Service counterterrrism investigation over the last decade.

Note the weasel words " It has been used in 95 per cent... "

Grabbing Communications Data seems to be the Standard Operating Procedure for the Police etc., regardless of whether it is actually relevant to the case and regardless of the supposed tests of Necessity and Proportionality under RIPA.

Given that there are a quarter of a million Communications Data requests a year, why can't the Home Office give hundreds of examples of where this has provided the investigative breakthrough in identifying a criminal or in providing the critical evidence which convicts him ?

Instead they regularly trot out a tiny handful of serious cases which have grabbed the attention of the tabloid media, which, mostly, do not actually support their case for Communications Data Retention at all:

DRIP why can't Home Office cite any cases which support 12 months of Data Retention ? HO "freedom moles" ?

Communications technology and communication services are changing fast. More communications are now taking place on the internet. Internet Protocol (IP) address resolution is the process of uniquely identifying who used an IP address at a given point in time.

This is not technically correct.

Human beings do not have IP addresses, only computer or telecommunications devices do.

More than one individual can use such equipment, so an IP address cannot be guaranteed to identify a specific individual at any point in time.

There is also a big difference between Private and Public Internet Protocol Addresses, which this paragraph glosses over. Millions of people have home or office Routers with an IP Gateway Address of 192.168.0.1 or 192.168.1.1 or 192.168.0.254 or 192.168.1.254.

Communications service providers (CSPs) do not always keep the data necessary to do this. This means that it is not always possible for law enforcement and the intelligence agencies to find out who is engaging in illegal activity on the internet. That is why we brought forward proposals for IP address resolution in CTSA.

Where available, the police, and other public authorities with communications data access powers under the Regulation of Investigatory Powers Act 2000, use this data during investigations to identify suspects, victims or vulnerable people, where it is necessary and proportionate to do so. For example, IP address resolution could be used to identify who has accessed a server containing illegal child abuse images or who is plotting a terrorist attack.

CTSA received Royal Assent on 12 February. The Act has amended the Data Retention and Investigatory Powers Act 2014 (DRIPA) to include a provision, enabling the Government to require CSPs to retain the necessary information to enable the identification of which user of an IP address is responsible for sending a specific communication.

Your constituent has raised concerns about the range of companies that might be impacted by this provision. The provision only relates to domestic communications service providers that have been served a retention notice under the Data Retention Regulations 2014.

That may be the intention of the Home Office, but that is not what this badly drafted Act says. If the Home Office meant Communication Service Providers, why not use that term on the face of the Data Retention and Investigatory Powers Act 2014 instead of "telecommunications operator" ? Why does Counter Terrorism and Security Act 2015 part 3 introduce two new legally undefined terms "internet access service" and "internet communications service" ?

Notices are served on CSPs on a selective basis, where the Secretary of State considers the obligation to be necessary and proportionate, and these notices are kept under review. It is also the Governments policy to provide for full cost recovery of the additional costs that fall to communications service providers in connection with the retention, storage and provision of communications data. This ensures that the business interests of communications service providers are not adversely impacted by their obligations.

This distortion of the commercial market through state subsidies by the eminently unqualified Home Office, should be the subject of a European Union level investigation.

Previously, the Home Office has refused Freedom of Information Act requests to name the favoured companies being paid these Data Retention subsidies,

ICO Decision Notice FS50259480 - Names of Communications Service Providers forced into Mandatory Data Retention scheme by the Home Office

Since DRIPA repealed the old Data Retention Regulations, perhaps the Home Office will now lift the administrative secrecy, which has no statutory provision under any of the Acts, unlike, e.g. Interception warrants or Cryptographic Key disclosure notices

In relation to your constituents specific concerns in relation to the ongoing reviews into investigatory powers, DRIPA required the Independent Reviewer of Terrorism Legislation, David Anderson , to undertake a review into the operation and regulation of investigatory powers and report by 1 May 2015.

DRIPA, as amended by CTSA, contains a sunset provision to repeal it on 31 December 2016. The legal framework concerning the retention of communications data will therefore be reviewed again by Parliament before then. This will take place in the full context of the findings of David Anderson , as well as the other ongoing reviews, such as the Intelligence and Security Committees current review into the balance between privacy and national security.

Further, the IP resolution provisions in CTSA had previously been subject to public consultation and parliamentary scrutiny by the Joint Committee on the Draft Communications Data Bill in 2012. Your constituent might be interested to note that the Joint Committee stated in their report: 'We accept that if CSPs could be required to generate and retain information that would allow IP addresses to be matched to subscribers this would be of significant value to law enforcement. We do not think that IP address resolution raises particular privacy concerns.'

It is misleading of the Home Office to claim that the Joint Committee somehow scrutinised the same or even similar IP Address Resolution wording to that in Counter Terrorism and Security Act, when the Draft Communications Data Bill contained no such wording at all.

The Draft Communications Data Bill Joint Committee - First Report section on IP Address resolution and Web Logs:

73. As outlined in paragraph 65, Home Office officials eventually told us in public evidence that they would like clause 1 to enable them to access two specific types of data: subscriber data relating to IP addresses and web logs.

Regarding your constituents concerns about definitions in CTSA, both internet access service and internet communications service are defined in the Explanatory Notes to the Counter Terrorism and Security Bill, which are available at www.parliament.uk. An internet access service is a service that provides access to the internet and can include a home broadband connection, mobile internet or publicly available WiFi. An internet communications service is a communications service which takes place on the internet and can include internet telephony, internet email and instant messaging services.

If you read any Explanatory Notes for the CTSB or any other Bill, they all rightly contain warnings like:

They do not form part of the Bill and have not been endorsed by Parliament.

Therefore this paragraph does not refute the point being made that there are no proper legal definitions of "internet access service" or "internet communications service" in CTSA, DRIPA, RIPA or in any other legislation.

It is important to recognise that, although the IP address resolution provisions in CTSA are a step in the right direction, the other capability gaps that we sought to address in the Draft Communications Data Bill will remain. These continue to have a damaging impact on the capabilities of our law enforcement and intelligence agencies. It is therefore vital that we return to this issue in the next Parliament to ensure that our law enforcement and intelligence agencies maintain the capabilities they need to protect the public and keep us safe.

The Rt Hon Theresa May MP

Will the Home Office be able to present any quantifiable evidence of the scale of this alleged "capability gap" after the General Election ? They failed to do so back in 2012.

Who is scrutinising the activities of the United Kingdom's Intelligence Agencies ?

Not, it appears, Parliament's Intelligence and Security Committee according to this Press Release issued on Tuesday 24th February 2015:

INTELLIGENCE AND SECURITY COMMITTEE OF PARLIAMENT

PRESS RELEASE

At a meeting of the Intelligence and Security Committee of Parliament earlier today, the Rt.
Hon. Sir Malcolm Rifkind MP informed the Committee that he had decided to step down from the role of Chairman with effect from the end of the meeting, and Would be making a public statement to that effect.

The Committee accepted the Chairman's decision.

Regardless of whether it right for Members of Parliament to supplement their £67,000 a year plus expenses incomes, as Sir Malcolm Rifkind claimed the Intelligence and Security Committee and especially its public face, the Chairman, needs to be seen to be impartial and independent, both from the Government and from private sector lobbying influence.

N.B. it is still a bit unclear whether the passing of the Justice and Security Act 2013, making the ISC a statutory "Committee of Parliament", entitles the Chairman of the ISC to claim an extra £14,876 a year which Chairmen of Select Committees are paid.

He also needs to be competent and to be aware that he personally is a target of hostile and perhaps even of "friendly" government and private sector intelligence agencies.

The fact that Sir Malcolm fell for a journalistic sting involving an apparently Chinese communications company, really did bring his Operational Security judgement into question. He met representatives of an apparently Chinese company, within what should have been his secure office environment, without having done any background security checks first and without having them scanned to see if they were carrying surveillance electronics (which they were).

It is irrelevant that he thought that he was not discussing anything secret with these potential Chinese employers, he should have known that all intelligence agency recruitment plays start off with something innocuous. He and / or his office staff would have been more vulnerable to targeted email or phone malware attacks, coming from a "trusted" source i.e. his potential or actual Chinese employer. Even arranging for future meetings could betray the timing and perhaps the location of supposedly secret meetings with intelligence agency staff.


At the meeting, the Committee completed its major Inquiry into Privacy and Security, and its Report will now be sent to the Prime Minister.

Given that that concludes the substantive work of the Committee in this Parliament, and that the Committee has no further formal meetings scheduled before the prorogation of Parliament, the Committee decided that there was therefore no need for it to elect a new Chairman for the remaining few weeks.

All further matters which arise during the life of this Parliament will be dealt with by the
Committee as a whole.

NOTES TO EDITORS:

1. The ISC was established in 1994 under the Intelligence Services Act, and was reformed under the Justice and Security Act 2013. This legislation made the ISC a statutory committee of Parliament and strengthened its powers.

The Committee now has greater access to information, including primary material held within the Agencies. Its remit has also been expanded to include oversight of intelligence and security operations, and oversight of all intelligence and security activities of Government.

2. The ISC is a cross-party committee of nine parliamentarians from the Commons and the Lords. The Committee's membership is as follows:

The Rt. Hon. Lord Butler KG GCB CVO
The Rt. Hon. Hazel Blears MP
The Rt. Hon. George Howarth MP
The Most Hon.the Marquess of Lothian QC PC
The Rt. Hon.Sir Malcolm Rifkind MP
The Rt. Hon. Sir Menzies Campbell CH CBE QC, MP
Dr Julian Lewis MP
Mr Mark Field MP
Ms Fiona Mactaggart MP

Why is Sir Malcolm Rifkind still a Member of the Intelligence and Security Committee ?

The security risks and the impression of "cash for access" sleaze from the lobbying for a "Chinese" company sting, should have been enough for an "ordinary" Member to "step down".

Why has the ISC not bothered to elect even a temporary Chairman ?

Were they hoping not to have to answer questions from the media or the public, by pretending that convention that only the Chairman speaks for the ISC in public still applies ?

The reason for the convention i.e. possible public confusion, is clearly not working. There have been press quotations from both Sir Malcolm Rifkind (why doesn't he maintain a dignified silence until he is exonerated for everything except stupidity or vanity, by the Parliamentary Commissioner for Standards and by the Conservative party inquiry ?) and from Sir Menzies Campbell on the "Jihadi John" radicalisation and MI5 story.

3. The completion of the Committee's Inquiry into Privacy and Security marks the end of a major piece of work which began in July 2013.

The ISC has since taken evidence from a wide range of witnesses, from Ministers to academics and campaign groups, including in public sessions held in October 2014.

In line with its procedures, the completed report is now being sent to the Prime Minister and a version will be published before the end of March.

It is extraordinary that Malcolm Rifkind was so stupid or greedy to appear to be peddling influence / lobbying contacts for cash from a Chinese communications company (thankfully a journalistic fake.)

It is intolerable that there now appears that there will be no scrutiny whatsoever of the intelligence agencies by this Committee, for at least the next 2 months, until after the General Election.

Have ISIS, AL Quaeda and Putin all decided to go on holiday ? Of course not and hopefully neither have our intelligence agencies, so neither should the ISC.

There is a massive amount of scrutiny work which they simply have not done in the past, some of which they could certainly be working on before the General Election in May.

One feature of the ISC Reports under the Chairmanship of Malcolm Rifkind, compared with those under his predecessors, has been a lot less public reporting on the various dodgy building and information infrastructure projects upon which large sums of public money have been spent and in some cases, wasted.

At the very least the ISC could spend the next few weeks getting status reports on all the ongoing and planned building and IT and recruitment and training projects.

If they had been reviewing the monthly project management reports, which the intelligence agencies surely must compile internally, then perhaps they would actually have known about hugely controversial and dangerous schemes like GCHQ's TEMPORA, which took them by surprise when it was revealed as a result of the media revelations of Edward Snowden.

For the ISC not to have bothered to schedule any meetings on these ongoing oversight issues for the next 2 months, is a dereliction of their public duty.


I am spending too much time on @spyblog Twitter and not enough on this blog.

With Twitter, you can do very little with 140 characters (some of Spy Blog's blog post titles are that long !) but when a media article contains so many errors, one wonders if this is because of ignorance or if it is deliberate disinformation.

via @CasparBowden:

The supposedly right of centre magazine The Spectator has a tiny print readership (under 50,000 a week) compared to many blogs, but it has a venerable history and so is an influential part of the UK commentariat.

This article by @RobinSimcox Robin Simcox from the oddly named, for a controversial British think tank, Henry Jackson Society, is annoyingly wrong:

What are we willing to do to make our intelligence agencies' job easier ?
Robin Simcox 19 February 2015 16:45

Ottawa. Sydney. Paris. Copenhagen. Four major Western cities attacked in five months by Islamist terrorists and all committed by perpetrators with lengthy histories of criminal activity.

When the next terrorist attack occurs, there will be those that demand to know why intelligence agencies failed to watch the perpetrators closely enough (as was the case with the murder of Drummer Lee Rigby).

So what ? The securocrats and the Intelligence and Security Committee always either ignore these critics , or absolve the agencies of any blame retrospectively regardless.

There has never been any discplinary action against, or prosecution of, inept securocats.

However, should we not also ask what we, as a society, are willing to do to make our intelligence agencies' job easier?

There are several things which would make the job of our intelligence agencies easier:

  • Stop demanding that they protect us all, 100% of the time - they do not have magical abilities. They need and cannot be trusted with, 100% surveillance powers
  • Stop pretending that mass surveillance trawling of millions of innocent people's data, rather than narrowly focussed targeted investigations, somehow detects, let alone prevents, real terrorist attacks or serious crimes.
  • Stop wasting intelligence agency resources on trying to stop "lone wolves". Let the police rapid response teams deal with mad dog / lone wolf small scale terrorist attacks, but without creating huge collateral economic damage, by disrupting a whole city because of a single gunman, trapped in a siege, as happened in Sydney.
  • Put some real money and resources in to prisons to counter the radicalisation which turns petty criminal losers into suicidal murderers.
  • Stop converting mentally unstable religious extremists into actual terrorists by inept attempts to recruit them as informers on their family members, friends and associates.
  • Stop pretending that Terrorism Act 2000 s.58 Collection of information prosecutions for "thought crimes" under the are somehow effectively "disrupting" wannabe terrorists, who have no access to money or weapons
  • Simplify and repeal the horrendously complicated Terrorism and RIPA / DRIPA legislation
  • Repeal all thee terrorism and national security criminal offence legislation which pretends to have a global scope. When the Serious Crime Bill "national security of any country" amendments to the Computer Misuse Act become law, the Police and Intelligence Services will be forced to waste resources to investigate Distributed denial of Service attacks by Americans against North Korea or by Russians against Ukraine, with no hope of a prosecution.
  • Stop wasting resources on people planning to go to Syria or Afghanistan etc. to fight and die, or to be wounded or raped or robbed - concentrate on the survivors, if they ever come back to the UK.
  • Stop sharing Top Secret STRAP1 and STRAP2 documents with hundreds of thousands of United States people holding generic security clearances. Prosecute the UK securocrats under the Official Secrets Act 1989 s8 Safeguarding of information, who allowed such information to fall into the hands of whistleblower Edward Snowden and who know how many current or future Geoffrey Prime style Russian or Chinese etc. spies.

Consider the current debate surrounding communications data (the who, when, where, and how of a communication, but not the what - i.e. the content). Access to communications data is not so different to other long-standing forms of state interception. Imagine communications data being the equivalent to the interception of an envelope showing an address and a postmark containing a date and geographic location. The content data would be the actual letter inside the envelope.

No !

This paragraph espouses the sort of simplistic Home Office spin about Communications Data when they introduced the Regulation of Investigatory Power Act 2000 15 years ago i.e. before

  • The massive rise in the use of Mobile Phones etc. and Cell Site Location Data
  • USA based social media websites like FaceBook and Twitter even existed

In many cases, Communications Data is more "useful" and therefore more intrusive than the content of communications (which can entirely mundane, or obscured by jargon or pre-arranged codewords or rare foreign language dialects), especially that involving real time Location Tracking or when the "friendship tree" of a mobile phone or email account is traced automatically.

According to Home Secretary Teresa May, communications data 'played a significant role in every Security Service counter-terrorism operation over the last decade' and was 'used as evidence in 95 per cent of all serious organised crime cases handled by the Crown Prosecution Service'. It is also vital in preventing child abuse and exploitation; identifying and locating suicide risks; identifying rapists, kidnappers or threatening callers; and murder investigations. A Secretary of State signed warrant is required in order to access the data

This is a major factual error.

Any Secretary of State, usually the Home Secretary or the Foriegn Secretary (but also by their Officials) or only deal with Regulation of Investigatory Powers Act 2000 IPA Part 1 Interception warrants and Intelligence Services Act 1994 s5 overseas "licence to kill" warrants .

There are no Communications Data Warrants
.
Access to Communications Data is self authorised by the Police and Intelligence Agencies, and by the hundreds of other public bodies. Unlike other countries there is no independent judicial warrant system, only a medium ranking officials e.g. a Police Superindent or, even an Inspector (one rank above Sergeant) authorises access to Communications Data demands. Supposedly there is a "Chinese wall" between an investigatory team and their collegue who authorises the demand, but clearly this is open to abuse and to institutional groupthink.

and oversight is provided by independent commissioners (the extent to which this is oversight is sufficient is one of the subjects I explore in a soon-to-be-released Henry Jackson Society report on the impact that the Snowden disclosures have had on UK and US security).

The RIPA Commisioners are former Judges, without any power except to write Annual Reports, which are, with one execption (the latest report by the Interception of Communications Commissioner) , never made fully public. They are heavily restrained by the legislation and by a lack of resources and do not see their role to deal directly with the public at all.

The Interception of Communications Commissioner @iocco_oversight only looks at up to 10% of Communications Data requests / demands, but only as an audit after the fact.

The Intelligence Services Commisioner does not, so far as anyone can tell, do even this amount of scrutiny.

Just because grabbing Communications Data is part of the Standard Operating Procedure for Police investigations these days (as common as brewing cups of tea), does not mean that it actually contributes very much, in most cases.

The Home Office cannot, or does not dare to, provide any statistics for the number of serious crime or terrorism cases where Communications Data actually:

  1. Provided the initial investigative breakthrough in a case
  2. Was the crucial evidence leading to a conviction

With over 250,000 Communications Data requests a year, one would have expected there to be hundreds if not thousands of such examples ready to hand. Instead they cite a few headline grabbing cases, which, upon closer examination, did not actually rely on Communications Data, especially 12 months Retained Communications Data, at all.

c.f. DRIP why can't Home Office cite any cases which support 12 months of Data Retention ? HO "freedom moles" ?

To maximise its usefulness, communications data needs to be collected in bulk,

Nonsense ! To maximise its usefulness, Communications Data needs to be carefully targeted.

yet our intelligence agencies' access to it is declining. There are specific reasons for this. Previously, telephone communications and internet traffic traditionally took place via a fixed landline. Communications data - who was called, for what duration and the geographic location - was needed for billing reasons. Yet increasing amounts of people pay a fixed price monthly direct debit to their provider, making this data increasingly irrelevant to communication service providers (CSPs). As a result, CSPs have less need to generate - let alone retain - communications data. Furthermore, communications now increasingly take place via mobile networks and broadband. This has been accompanied by a growth in alternative communications methods: video messaging, instant messaging, Skype and social network platforms.

The government tried to address these challenges with the Communications Data bill in 2012

and was subsequently accused of trying to draw up a 'Snooper's Charter', not least by the Deputy Prime Minister Nick Clegg. The Parliamentary Joint Committee on the Draft Communications Data Bill concluded that the Bill paid 'insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data'.

c.f. Report and evidence for the Draft Communications Data Bill

The Intelligence and Security Committee also encouraged more work to be done.

Even the securocrat biased Intelligence and Security Committee report, with a more limited, self imposed remit, was critical of this Draft Communications Data Bill.

Access to communications data by the intelligence and security Agencies (.pdf)

The bill was shelved and the issue temporarily kicked back into the long grass.

Yet the urgent need to fix the issues that gave rise to the first Communications Data bill meant that inevitably the issue has been raised again, most recently by the Prime Minister and Home Secretary. The 'Snooper's Charter' accusations have already resurfaced. We saw another glimpse into how this is going to play out in the media when David Cameron recently said that both communications and content data must be viewable if there is a signed warrant from the Home Secretary. Rather than this argument being taken on its merits, he was immediately accused of wanting to ban all encryption technology.

That is not what David Cameron said. Even the Daily Telegraph reported that:

General Election 2015: David Cameron to give more snooping powers to spies

Mr Cameron said any new law would be in force from next year.

He said: "If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other.

"That is the key principle: do we allow terrorists safer spaces for them to talk to each other. I say no we don't - and we should legislate accordingly. And if I am in Government that is what you will get."

That can only be interpreted as an attack on end to end estrong encryption. Such a stupidpolicy would destroy the UK's internet economy and make us vulnerable to the Four Horsemen of the Infoclypse.

An Interception warrant for content already allows for the associated Communications Data to be demanded, without any extra authorisation. This has been so since the Regulation of Invesigatory Powers Act 2000 came into force.


We demand privacy, the right to decide what data we share and security.

We are not stupid enough to believe that we can have 100% "security", so there is no practical moral or legal case for 100% surveillance, especially of the vast majority of innocent people.

Yet if the government attempts to plug gaps in the law that makes it easier to track or prosecute terrorists, cries of 'police state' erupt. Politicians are often accused of hypocrisy; but on these issues the hypocrisy mainly lies with the rest of us.

Gathering more data on innocent people does not help to prevent terrorism.

The murderers of Drummer Lee Rigby were described as "extremely security aware". One of the Charlie Hebdo murderers had already been convicted on the basis of phone intercept evidence, so was completely aware of it, and subsequent French phone intercepts heard nothing incriminating for years.

My upcoming report makes the clear case that all this needs to change. The debate regarding liberty/security/privacy has become - in part down to Edward Snowden - hopelessly skewed.

There has been some debate in Germany and in USA, but there has not been any significant debate in the United Kingdom.

All we get is the cynical mockery of "everything we do is legal, trust us".

While all citizens should be concerned about freedom and privacy, agencies like GCHQ are allies in this, not enemies. They protect the nation from a host of hostile state and non-state actors and, in fact, have been doing so for decades. Constantly denigrating those that help keep us safe is no way to build a more liberal or more secure nation.

Perhaps that used to be the case during the old Cold War, but now in the internet and mobile phone areas, by attacking the very infrastrucure of electronic communications, for mass surveillance data trawling, rather than narrowly targeted investigations, these agencies are actually perceived as more of a security threat to their own private citizens and companies, than foreign intelligence agencies from Russia or China, or organised criminals like drug cartels, or terrorist groups like Al Quaeda or ISIS.

Until there is a lot more transparency and really effective oversight of UK intelligence agencies, they will not be given the benefit of the doubt, no matter how ethical or effective they claim to be in secret.

Robin Simcox is a Research Fellow at The Henry Jackson Society. His report will be published in March.

Hopefully there will be fewer mistakes and misconceptions in this report, than in this annoying article

The Daily Mail and the Mail on Sunday are very popular tabloid newspapers seem to influence the policies of British politicians. Now and then their stories and campaigns are spot on, often with more investigative detail than the increasingly shallow, dumbed down television news. Their online presence reaches far more people than that of supposedly "serious" newspapers like The Guardian, The Daily Telegraph, The Times and Financial Times combined

However The Daily Mail / Mail on Sunday editors appear not to bother to fact check the output of some of their Opinion Commentators who tend to spout utter nonsense, often as an unsourced "throwaway" aside to the main thrust of their opinion articles.

Is this because of the financial pressures of a modern newsroom or are the editors in awe of the "celebrity" journalists and commentators they employ ? The end result looks like collaboration in the odious Whitehall habit of political and bureaucratic media spin and anonymous briefing, or of external lobbying interests with their own hidden agenda.

The quotation by Humbert Wolfe always springs to mind when reading any British newspapers:

You cannot hope to bribe or twist, thank God! the British journalist. But, seeing what the man will do unbribed, there's no occasion to.

Spy Blog has been annoyed enough to be roused from blogging lethargy (too much @spyblog Twitter, not enough blogging) to comment on a couple of Mail on Sunday opinion pieces.

The first is from just before Christmas by Peter Hitchens in The Mail on Sunday. Spy Blog can agree with and disagree with Hitchens' various polemics, but this particular article deserves criticism:

Twitter:

Spy Blog ‏@spyblog Dec 21
10:44 AM - 21 Dec 2014
How best to counter Peter Hitchens @ClarkeMicah false @RT_com style #Putin appeasement propaganda in MoS ? http://www.dailymail.co.uk/debate/article-2882208/PETER-HITCHENS-Forget-evil-Putin-bloodthirsty-warmongers.html

Peter Hitchens ‏@ClarkeMicah Dec 21
@spyblog @RT_com you could try engaging with my argument.

Spy Blog ‏@spyblog Dec 21
Too many errors & omissions in MoS article to rebutt via twitter - perhaps a blog post, but I don't expect to change your mind @ClarkeMicah

Peter Hitchens ‏@ClarkeMicah Dec 21
@spyblog One would do. Otherwise one might be tempted to think you're a blowhard. My blog is open to reasoned argument.

The opinion article in the Mail on Sunday:

PETER HITCHENS: Forget 'evil' Putin - we are the bloodthirsty warmongers
By Peter Hitchens for The Mail on Sunday
Published: 00:23, 21 December 2014 | Updated: 10:33, 21 December 2014

[...]

This is all the most utter garbage. Since 1989, Moscow, the supposed aggressor, has - without fighting or losing a war - peacefully ceded control over roughly 180 million people, and roughly 700,000 square miles of valuable territory.

The EU (and its military wing, Nato) have in the same period gained control over more than 120 million of those people, and almost 400,000 of those square miles.

"the supposed aggressor, has - without fighting or losing a war"

Reads like as RT.com pro Putin propaganda:

List of NATO member countries

East Germany was merged with West Germany into Germany in 1990.

At present, NATO has 28 members. In 1949, there were 12 founding members of the Alliance: Belgium, Canada, Denmark, France, Iceland, Italy, Luxembourg, the Netherlands, Norway, Portugal, the United Kingdom and the United States. The other member countries are: Greece and Turkey (1952), Germany (1955), Spain (1982), the Czech Republic, Hungary and Poland (1999), Bulgaria, Estonia, Latvia, Lithuania, Romania, Slovakia, Slovenia (2004), and Albania and Croatia (2009).

Even if you ignore the facts that:

  1. the EU's "military wing" is not NATO (in what way does Brussels control the US or Canadian military ?) but a bureaucatic hodge podge under the Common Security and Defence Policy and the Synchronised Armed Forces Europe etc.
  2. NATO does not control any of the ex-Soviet occupied countries in anything approaching the way that the Communist dictatorships did

The numbers claimed by Peter Hitchens' article do not add up:

Since 1989 the new members of NATO were (square miles and population figures via Wikipedia):

CountryArea Sq MilesPopulation
1990
East Germany  41,82816,111,000/td>
1999
Czech Republic  30,45010,513,209
Hungary  35,9199,877,365
Poland  120,696.4138,483,957
2004
Estonia  17,4131,315,819
Latvia  24,9387,364,570
Lithuania  25,2121,990,300
Romania  92,04319,942,642
Slovakia  18,9325,415,949
Slovenia  7,8272,061,085
2009
Albania  11,1003,020,209
Croatia  21,8514,284,889
Total290,769103,031,394

Even if you pretend that the former Yugoslavian countries of Slovenia, Croatia and Albania were somehow "under the control" of Russia and that they were "peacefully ceded" to the European Union and NATO (ignoring the Yugoslav civil wars against Serbia) since 1989, the numbers quoted in Peter Hitchens' article are just wrong.

Total Square Miles = 290,769 (article claims 400,000) Total Population= 103,031,394 (article claims 120 million)

Hitchens' claim that since 1989 Russia was not "fighting or losing a war" conveniently also ignores:

Until a year ago, Ukraine remained non-aligned between the two great European powers. But the EU wanted its land, its 48 million people (such a reservoir of cheap labour!) its Black Sea coast, its coal and its whhttp://en.wikipedia.org/wiki/Useful_idioteat.
Why can't these resources be sold and bought freely on the international markets ? There is no way that that any EU country wants a flood of underpaid Ukrainians in their own labour markets

So first, it spent £300 million (some of it yours) on anti-Russian 'civil society' groups in Ukraine.

Then EU and Nato politicians broke all the rules of diplomacy and descended on Kiev to take sides with demonstrators who demanded that Ukraine align itself with the EU.

Where does the figure of £300 million come from exactly ?

Note the Russian mindset spelling of the capital of Ukraine Kiev rather than the official Kyiv (even the UK Foreign Office spells it this way e.g. British Embassy in Kyiv Ukraine on Twitter . At least Peter Hitchens does not call it "the Ukraine", implying a province that is not an independent country. c.f. Ukraine, Not the Ukraine: The Significance of Three Little Letters

Even if accurate, £300 million only buys you a couple of oligarch palaces in London. Anybody who has looked at how administration overhead heavy such "civil society" groups are, will know that perhaps only a tenth of that money would ever find its way to the people on the ground in Ukraine.

To pretend that the money spent by Non Governmental Organisations is entirely funding foreign intelligence agency activities, is pure Putinism. The Putin regime has clamped down on such foreign funding within Russia, perhaps because it assumes that such activity must be the sort of front organisations that the Soviets used to fund in the Wes,t when Hitchens was a Trotskyite.

It is typical RT style propaganda by omission not to mention the massive Russian interference in the the "free elections" in Ukraine and then the supposed referendum in the Crimea

The fact that almost the entire Ukrainian Security Service (SBU) apparatus was infiltrated by Russian synpathisers, who then defected to Russia, is a lot more significant than any alleged Western NGO money or influence.

Ukraine's top intelligence agency deeply infiltrated by Russian spies

Hitchens seems to dismiss Putin as being merely a corrupt politcal leader, but in his eagerness to often correctly, criticise the failings of the British political elites, he has written an article full of distortions and omission and so gives the impression of being as much of a "useful idiot" for Putin's Russia, as his former sociiast "fellow travellers" were when influenced by Soviet Russia.

RIPA / DRIPA review evidence to @terrorwatchdog

|

 

 

 

 

Evidence for Investigatory Powers Review

Via email to: independent.reviewer@brickcourt.co.uk

 

Contents

"Evidence for Investigatory Powers Review". 1

This Review needs access to all the RIPA Commissioners' Annual Report Confidential Annexes. 3

Technology used for snooping has changed since 2000.. 3

DRIP Act - flawed Regulations could actually reduce amount of useful Mobile Phone Location Data which can be legally retained.. 4

Stingray IMSI catcher interception is not covered by RIPA.. 5

Confusion and buck passing between the RIPA Commissioners' Offices. 6

SS7 Mobile Phone Location.. 7

SMS silent pings. 8

Global Positioning Satellite data. 9

Accelerometer data. 9

SmartPhone tracking without involving Communications Service Providers. 10

Biometric tracking. 11

Google Glass and Augmented Reality heads up displays, FR & ANPR.. 11

Different types of Communications Data, especially Location Data, should be restricted to different Public Bodies  12

Why are there no Criminal Penalties for abuse of Communications Data ?. 13

IoCC inspection of Prisons has no statutory basis under RIPA or DRIPA.. 13

Why are the RIPA Commissioners still not designated as Public Bodies in Schedule 1 of the Freedom of information Act 2000 ?. 13

Amended RIPA should repeal non-RIPA statutory powers. 14

RIPA Part III access to Cryptographic Keys. 15

Financial Regulators and Cryptographic keys. 15

Tipping Off Secrecy and Warrant Canaries. 16

 

 

 

This Review must be given access to all of the Regulation of Investigatory Powers Commissioners' Annual Reports, including their Confidential Annexes, if it is to have any public credibility.

 

 

GCHQ Tempora - mass surveillance tapping of undersea fibre optic communications cables 

- "full take" 3 days

- MetaData  / Communications Data 30 days

 

Mobile Phones have become SmartPhones i.e. also powerful hand held computers connected to the internet and other non-telephony related radio networks like WiFi, BlueTooth, NFC and (listen only) GPS. They can also include physical sensors such as accelerometers and fingerprint readers, which may generate personal data.

 

 

 

 

 

 

 

 

You may have read the Spy Blog post with this title.

 

http://spyblog.org.uk/ssl/spyblog/2014/07/19/drip-act---flawed-regulations-actually-reduce-amount-of-useful-mobile-phone-loca.html

 

In the stupid, rush to pass the Data Retention and Investigatory Powers Act, without proper scrutiny, the Home Office and Parliament appear to have legally crippled the Retention of Mobile Phone Location Data, by only including the Start Cell ID and not any Intermediate or End Cell IDs  in in the "strict" Schedule of Relevant Communications:

 

Mobile Phone Call Detail Records / Charging Detail Records both the Cell ID at the Start of a communication and the Cell ID at the End of the mobile phone communication.

Some systems actually record the Start and End Cell IDs of both the Recipient of a voice call or SMS text message and that of the Sender if they are also using a mobile phone.

We think therefore, that these new Regulations make it illegal for Mobile Phone Network Operators to hand over the "Cell ID at the End of a communication", or any of the potentially dozens of Intermediate Cell ID locations which a mobile phone on the move is likely to generate between the Start and the End of the communication.

If Spy Blog worked for the Police or the Intelligence Agencies, we would be furious with the Home Office for such legislative bungling, which actually reduces the useful Communications Location data from Mobile Phones, which they have access to at present.

It is also unclear if this error applies to not only 12 month old Retained Communications Data (which the Home Office have never been able to cite a single criminal case where this led to the investigative breakthrough in identifying the criminals c.f. the previous Spy Blog article) but to any demand for Communications Location Data. even narrowly targeted, very recent or real time Location Data demands.

Perhaps the Home Office sophists will try to claim that this is all still somehow covered by the broader 2009 Regulations definitions, but these are repealed by the 2014 Regulations and the new more restricted Schedule in the Provisional Regulations (if passed) must be what "Parliament intended".

 

 

 

https://en.wikipedia.org/wiki/IMSI-catcher

 

N.B. If these "fake mobile phone base stations" are used for "man-in-the-middle" interception attacks, they can and do interfere not just with telephony Voice calls, but also with Data e.g.

 

·        SMS text messages

 

·        Internet IP connectivity which is possible even with "old" tech GSM phones and is certainly so with 3G or 4G SmartPhones or data dongles

 

i.e. their "legal" use falls foul of the amendments brought in to the Computer Misuse Act 1990 by the Serious Crime Act 2006 which criminalise Denial of Service attacks, even "reckless" ones

 

Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

http://www.legislation.gov.uk/ukpga/1990/18/section/3

 

3A.Making, supplying or obtaining articles for use in offence under section 1 or 3

http://www.legislation.gov.uk/ukpga/1990/18/section/3A

 

These devices also seem to be radio devices operating without a licence on heavily regulated parts of the radio spectrum reserved for the Mobile Phone Network monopolies i.e. their use is an offence under the Wireless Telegraphy Act 2006

 

The Metropolitan Police have so far refused FOIA requests on the topic of IMSI catchers using the "Neither Confirm Nor Deny" trick

 

https://www.whatdotheyknow.com/request/105696/response/277159/attach/html/3/Redacted%20c090377%20230420120248%20001.pdf.pdf.tif.pdf.html

 

 

The refusal by the Police to answer any questions about IMSI catchers gives rise to the suspicion that they are being operated illegally, without a proper Licence in contravention of the

 

Wireless Telegraphy Act 2006

http://www.legislation.gov.uk/ukpga/2006/36/contents

 

 

 

Incredibly the Interception of Communications Commissioner's office claims that IMSI catchers (which can only work by actively intercepting the communications between a Mobile Phone network Base Station and a mobile phone handset) is somehow the responsibility of the

Office of the Chief Surveillance Commissioner

 

c.f. the twitter thread:

 

https://twitter.com/josephfcox/status/499870790507331585

 

especially

 

Spy Blog@spyblog Aug 14

@josephfcox @rj_gallagher the @metpoliceuk could be breaking #RIPA & #CMA (DoS) Where is @iocco_oversight inspection of IMSI catchers ?

 

Jo Cavan@JoCavan Aug 19

@spyblog @josephfcox @rj_gallagher such equipment (if used) would not be authorised under P1 RIPA - so not IOCCO role to oversee

 

@spyblog @JoCavan @rj_gallagher @iocco_oversight Jo told me it was the office of surveillance commissioners under RIPA 2

 

 

The use and authorisation of such powerful interception and denial of service technologies, which are not operated by the Communications Service Providers but by the Police and others themselves directly, needs to be brought within a revised RIPA.

 

In the very few, narrowly defined circumstances where these IMSI Catchers need to be used operationally (e.g. in a real time, tactical hunt for suspected Mobile Phone activated explosive devices), then a revised RIPA needs to amend the Computer Misuse Act and the Wireless Telegraphy Act accordingly and there needs to be:

 

1.   Proper, proportionate authorisation, for the Police, intelligence agencies and the UK Military

2.   A ban on Foreign (allied) Military or (friendly ?) Intelligence Agency or Police IMSI catcher snooping in the UK unless under the control and responsibility of named UK officials.

3.   A Statutory Code of Practice

4.   Auditing of every use of IMSI Catchers by a RIPA Commissioner, ideally before they are used, but with the provision for immediate notification after their emergency tactical deployment and use.

5.   Reporting on any collateral damage effects e.g. disruption of 999 Emergency Service telephony or the Mobile Phone Internet service of people not being specifically targeted

6.   Financial compensation for such disruption

 

N.B. flying IMSI Catchers in aircraft or drones in secret, like the Metropolitan Police Service appear to do, is not proportionate, even for terrorism investigations.

 

 

The SS7 worldwide telecommunications standards allow mobile phone locations to be tracked in secret, from anywhere in the world, with a little cooperation from telecommunications companies.

 

http://motherboard.vice.com/en_uk/read/inside-ss7-the-insecure-global-cell-network-thats-used-to-track-phones

 

http://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf

 

There are also commercial companies which offer this service.

 

The RIPA Interception of Communications Commissioners' public Reports do not mention this at all, so the public and Parliament do not know to what extent the Police and Intelligence Agencies and other Public Bodies try to get around or evade the supposed Single Point of Contact (SPoC) system and automated gateways for handling official requests for Communications Data.

 

 

 

The Police in Germany and the Netherlands use the technique of sending "silent SMS pings" to locate target mobile phones, hundreds of thousands of times a year.

 

http://en.wikipedia.org/wiki/Short_Message_Service#Silent_SMS

 

https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FZoll-BKA-und-Verfassungsschutz-verschickten-2010-ueber-440-000-stille-SMS-1394593.html&edit-text=

 

 

It is inconceivable that the UK Police and Intelligence agencies do not do the same.

 

This is not the same as the RIPA Communications Data record requests for Retained Call Detail Records which are partially audited by the Interception of Communications Commissioner.

 

The public must assume that this practice is used to evade and circumvent the very narrow RIPA audit criteria used by the Interception of Communications Commissioner, who has never reported on these practices in public.

 

 

 

Technology has moved on since 2000 and there are now millions of Global Positioning Satellite devices in the hands of ordinary consumers, be they dedicated GPS devices for hikers or sportsmen, or in car navigation systems or are built in to various models of SmartPhone etc.

 

There does not seem to be any laws or regulations which cover the use or abuse of GPS devices or data.

 

Vehicle attached GPS bugs are used by the Police and by Private Investigators and by jealous ex-spouses, stalkers and other criminals to track their targets or victims.

 

There is no clarity from the Chief Surveillance Commissioners' public Annual Reports as to how often such devices are used, or if their use is audited at all.

 

There are no criminal penalties for the abuse of GPS tracking data, which there should be.

 

 

SmartPhone Apps can make use of the Accelerometers built in to many models of handset , used primarily to flip the display between portrait and landscape, depending how you orientate the phone.

 

However they are also used by the health conscious in the form of running or cycling Apps often linked to online maps and to GPS.

 

The potential for intrusion and tracking of innocent people is illustrated by the aggregated data from one of these Apps which was published in the aftermath of the recent earthquake near San Francisco, which showed thousands of subscribers being woken up early in the morning.

 

http://www.wired.com/2014/08/fitness-trackers-show-how-many-people-woke-up-during-the-bay-area-quake/

 

 

The Police or other investigators must not be allowed to exploit such data without a framework of regulation, which RIPA currently does not provide.

 

 

·        WiFi MAC addresses tracking

·        WiFi Access Point automatic connection attempts

·        BlueTooth MAC address tracking

·        NFC tracking

·        IMSI tracking via Software Defined Radios

 

These radio based technologies are built in to many models of SmartPhone and they can all be time, date, location tracked and mapped.

 

e.g. The City of London had to ban the enterprising scheme by Renew London which tracked and mapped (without their explicit prior permission) the MAC addresses and movements of SmartPhone users passing by  200 or so WiFi enabled rubbish / recycling bins

 

http://www.bbc.co.uk/news/technology-23665490

 

http://qz.com/112873/this-recycling-bin-is-following-you/

 

 

The tracking of SmartPhone handsets using these technologies should not be a "legal grey area", it should be clearly defined by an amended RIPA

 

 

 

Fingerprints are used on some models of Mobile Phones and Laptop Computers as an extra locking mechanism.

 

Where such biometrics are used they may sometimes be checked against a central data base via data communications protocols. e.g. the Police's own Project Lantern roadside fingerprint scanners

 

RIPA & DRIPA must be amended to make it very clear that access to any non-telephonic Communications built in to SmartPhone hardware or downloadable software Apps, should not be treated as Communications Data but as Intercept.

 

 

Google Glass demonstrates the power of internet connected wearable computers with built in camera , microphone and other sensor technology.

 

The public rightly objects to the sneaky use of such Body Worn Video for personal privacy and for commercial copyright reasons.

 

The technology also has the potential for Facial Recognition and Automatic Number Plate Recognition, but RIPA is incapable of dealing with such multi-use technology , especially if the systems are pointed at crowds of people

- is a Direct or Intrusive Surveillance authorisation needed ?

 

The RIPA Surveillance Commissioners themselves have raised, in more than one Annual Report, the question of whether Directed Surveillance authorisations are required for CCTV traffic cameras and those fitted with Automatic Number Plate Recognition software

 

RIPA needs to be amended to provide clarity, backed up by legal penalties for misuse, which the powerless (non-RIPA) Surveillance Camera Commissioner does not provide.

 

https://www.gov.uk/government/organisations/surveillance-camera-commissioner

 

 

 

Mobile Phone Location Data is immensely privacy intrusive, it is exactly the technology used by the Home Office in electronic tagging of offenders on bail etc.

 

Some Public Bodies such as Fire and Rescue Services should be allowed to have instant, real time access to Mobile Phone Location Data to locate genuine 999 emergency callers and to try to filter out or alert themselves to fake 999 calls. Fire engine crews all too often come under physical attack, either from bored "ASBOids" or by criminals especially during riots.

 

However Fire & Rescue Services should not be allowed to have access to the back history of locations which can be revealed by Mobile Phone Location Data, as used by electronic tags etc.

 

RIPA is currently all or nothing in this regard: either a Public Body has full access to every kind of Communications Data, including Location Data and Friendship Trees or it is restricted to just Subscriber Details or to no access at all.

 

 

 

Communications Data is at least as intrusive / useful as Intercept and sometimes even more so, especially against real criminal or terrorist or spy targets who use pre-arranged verbal codes or rare foreign dialects.

 

The 2 years in prison criminal penalty for illegal Intercept should also apply to abuse of Communications Data. There must be no automatic exemption from this for Police or Intelligence Agency or Military or other Central or Local Government or other Public Body officials.

 

 

 

The Interception of Communications Commissioner spends considerable time and resources inspecting various Prisons, and so he should.

 

However there is no statutory basis whatsoever for him to do so under RIPA or DRIPA, it is just mission creep which started when Gordon Brown was Prime Minister.

 

IoCC inspections of Prisons and Detention Centres should also, by law, report on the numbers of illegal Mobile Phones seized in each Prison and on and on the effectiveness of any visitor and staff body scanners and on any phone jamming systems installed. They should also report on any collateral damage to the surrounding areas, especially regarding emergency 999 calls, which such jamming or shielding may cause. 

 

 

It is no wonder that there is little or no public confidence in the transparency of the secretive RIPA Commissioners i.e.

 

Intelligence Services Commissioner

Interception of Communications Commissioner

Chief Surveillance Commissioner

Surveillance Commissioners

 

when they are exempt from the Freedom of Information Act,  in spite of meeting not just one, but both of the Conditions for listing in Schedule 1 of the FOIA.

 

http://www.legislation.gov.uk/ukpga/2000/36/section/4

 

There are massive exemptions under FOIA which would allow them to protect any sources and methods which need to remain confidential, but there are plenty of non-sensitive FOIA requests about e.g. their own budget and staff resources etc. and number of complaints dealt with etc. which the public should be allowed to request under FOIA.

 

 

The Freedom of Information Act should also apply to the secretive Investigatory Powers Tribunal

 

 

 

Other Government Departments have continued to use or abuse their own Statutory Powers when conducting Investigations.

 

The most notorious example is the Department for Work and Pensions, which uses the

 

Social Security Fraud Act 2001 (passed after RIPA)

http://www.legislation.gov.uk/ukpga/2001/11/contents

 

to gather Communications Data, mostly Subscriber Details, without going through the Single Point of Contact (SpoC) system set up for the Police and other consumers of Communications Data.

 

They seem to do this out of sheer bureaucratic empire building and to avoid having to pay the small handling fee which the CSPs charge.

 

It is vital that DWP and others are forced to use RIPA and the hopefully new, better Regulation and Audit scheme which your Review will precipitate.

 

Amended RIPA should forbid DWP from using the Social Security Fraud Act 2001 and force it to use RIPA instead, as they refuse to do this voluntarily.

 

 

 

 

 

 

Before they were abolished, the Financial Services Authority head was supposed to be "consulted" if a lowly Police Constable threatened the "economic wellbeing of the United Kingdom" (i.e. a threat to National Security) by disproportionately issuing a RIPA section 49 Notice for the secret cryptographic key(s) of say an Internet Bank 's secure web server.

 

These have thousands or millions of customers whose details would be affected, leading to loss of business confidence, a possible run on the bank and perhaps large scale financial fraud.

 

This cannot be proportionate, even for a potential mass murder plot terrorism investigation.

 

The current replacement Financial Regulators, the Financial Conduct Authority and the Prudential Regulation Authority should be formally given a role and a veto in such RIPA Part III section 49 Notices aimed at regulated financial institutions.

 

Astonishingly, the RIPA Commissioners' Reports, where they do deal with

 

RIPA Part III Investigation of electronic data protected by encryption etc.

http://www.legislation.gov.uk/ukpga/2000/23/part/III

 

 

never seem to be able to compile up to date figures for the (rare) use of this power, there is always some delay or the Prosecution or the Court system does not pass on the details in time etc.

 

This is not the way to instil public trust in the RIPA system.

 

All the RIPA Commissioners should publish running totals monthly of their statistics, on their public websites, which they can then revise if necessary, just like the Financial Regulators do.

 

 

Your Review should take expert evidence about the RIPA section 49 secrecy powers and the section 54 Tipping Off offences

 

http://www.legislation.gov.uk/ukpga/2000/23/section/54

 

and the implications of the extension of territoriality brought in by the rushed "emergency"  DRIPA legislation, which do not seem to me to be limited to just RIPA Part 1, but also apply to RIPA Part III Encryption keys.

 

Foreign companies, especially those in the USA , may operate a Warrant Canary

 

http://en.wikipedia.org/wiki/Warrant_canary

 

RIPA / DRIPA needs to provide legal clarity as to the legality of this in the UK or else we will suffer economic damage.

 

    

The Computer Misuse Act 1990 was controversially and ineptly amended by the police and Justice Act 2006 to try to curb Denial of Service attacks and a new "Making, supplying or obtaining articles" offence. The territorial scope of this Act was broadened to include the whole world, regardless of whether you are a British citizen or not and the penalties were increased so that they were serious enough for Extradition to the UK to apply.

Spy Blog used to think that the House of Lords did a better job of scrutinising the detail of Bills, especially in regard to technical details, than the House of Commons, but now there are doubts, judging by the Serious Crime Bill.

Perhaps it is because this typical Home Office "Christmas tree" Bill covering lots of topics was, for no good reason, introduced in the Lords rather than the Commons, that the standard of detailed scrutiny regarding the Computer Misuse Act amendments seems to be as poor as if it the Commons had had first crack at cocking things up.

The Computer Misuse Act is a vital in safeguarding "the economic wellbeing of the UK", but like the Regulation of Investigatory Powers Act is showing its age due to fast moving technological change. We deserve a full new Act, with proper public consultation and detailed pre-legislative scrutiny, not just a few stupid amendments sneaked in as part of a wider Bill, without any public consultation at all..

The Serious Crime Bill is making major changes to the Computer Misuse Act to combat "cyber attacks", without any public consultation or any actual evidence of need.

It also risks legally crippling the activities of GCHQ and SIS / MI6 and their computer software and hardware suppliers with the stupid criminalisation (with a penalty of up to imprisonment for life and or an unlimited fine) of "serious damage to the national security ofany country" - even enemy countries !

"Cyber attacks" are not just directed at the UK, they could originate from the UK against the "economy" or "national security" of other enemy countries

The Home Office pretends in its Serious Crime Bill computer misuse policy documents especially the CMA Aggravated Offence Impact Assessment document that:

"Although to date no cyber attacks have had an impact of this nature, a longer maximum sentence should be available should such an attack occur in future"

"There is no evidence that cyber criminals will necessarily be deterred by a longer sentence, but there may be deterrence benefits and/or benefits in public confidence."

No ! There will be a further reduction in public confidence in the Home Office and the Government in general as a result of s
stupid legislation

"A full public consultation will not be taken due to the tight time frame if the 4th session"

Only Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National crime Agency
were consulted as "stakeholders".

Note that no NGOs, Regulators, RIPA Commissioners, Information Commissioner industry, or the general public were consulted at all.

Note that there is no published Privacy Impact Assessment, something which they probably also never bothered with.

The Serious Ccrime Bill was introduced in June and after the Summer Recess, the House of Lords is set complete the Report stage next week. However they "considered" the Computer Misuse Act amending clauses on 14th October 2014
and passed 3 Amendments, none of which addressed the important bits.

14 Oct 2014 : Column 142

Clause 40: Unauthorised acts causing, or creating risk of, serious damage

Amendment 17

Moved by Baroness Williams of Trafford

17: Clause 40, page 30, line 40, leave out "country" and insert "place"

[...]
we have given further consideration to the position of installations such oil rigs, ships and so on that are located outside the territorial waters of any country. Although I acknowledge that this scenario is extremely unlikely, it is not clear that the offence as currently drafted would capture an attack that caused serious damage to the human welfare of those living and working on such an installation, or to the surrounding environment.

To provide greater clarity on this point, therefore, Amendment 17 replaces the reference to damage to human welfare in any country with a reference to damage to human welfare in any place. Amendment 18 similarly replaces the reference to damage to the environment in any country with a reference to damage to the environment of any place.

Once these changes are made, there is no longer any need to extend the meaning of "country" to include its territorial seas. References to damage to the economy or national security of any country will remain, as either the economy or national security of a country has been damaged or it has not. In these cases, it is not necessary to include territorial seas within the definition of a country, so Amendment 19 removes this reference.
[...]

Amendment 17 agreed.

Amendments 18 and 19

Moved by Baroness Williams of Trafford

18: Clause 40, page 31, line 1, leave out "in any country" and insert "of any place"

19: Clause 40, page 31, leave out line 23

Amendments 18 and 19 agreed.

So the Lords have broadened the territorial scope of the probably unenforceable new "b) damage to the environment of any place" offence to cover offshore oil rigs and pipelines outside of any country's national territorial waters.

At this point their Lordships collective minds seem to have wandered as they should also have looked at the very next two lines of the Bill

(c) damage to the economy of any country; or (d) damage to the national security of any country.

Why did they not think to apply exactly the same argument for changing "any country" to "any place" in respect of international telecommunications cables, physical or "cyber" damage to which would clearly " damage to the economy of any country" and which are even more than oil pipelines likely to be further out to sea than being merely adjacent to to national coastlines or territorial waters ?

As it stands, this criterion is far to broad and is likely to be unenforceable internationally or only selectively enforced, bringing the whole law into disrepute.

Even worse is the next line

(d) damage to the national security of any country.

Imprisonment for life and / or an unlimited fine for serious damage to the national security of any country ? Even Russia, China, Iran, Syria, Cuba etc. ?

Did nobody (including GCHQ) notice that this makes much of what GCHQ and SIS/MI6 do, or could do, illegal if it involves computers at all (which is very likely) ?

It will certainly make the

Intelligence Agencies' staff are not Constables (i.e. Police Officers) or Enforcement Officers (i.e. Court appointed Bailiffs, or even Civilian Enforcement Officers i.e. Traffic Wardens) so none of the Computer Misuse Act section 10 Saving for certain law enforcement powers applies, regardless of the Serious Crime Bill amendment to this section to include any Act in England, Wales, Scotland and Northern Ireland.

If the worldwide scope of these stupid Computer Misuse Act amendments is not removed before the Bill is enacted then Spy Blog predicts:

  • Whitehall control freaks will try to use the "national security" offences of the amended Computer Misuse Act against journalists and whistleblowers, instead of the Official Secrets Act. Even if nobody is ever actually prosecuted, it will have a chilling effect on UK investigative journalism and reporting of e.g. Manning, Assange or Snowden sourced stories all of which involve potential direct Computer Misuse Act offences or the "Making, supplying or obtaining articles for use" offence, or conspiracy to commit any of these.

  • Foreign Countries will issue Mutual Legal Assistance Treaty requests or, in Europe, simply issue a European Arrest Warrant for the extradition of GCHQ or SIS/MI6 staff who may be implicated in breaches of the "national security of any country.

  • Activists and non-governmental pressure groups will make formal complaints to the British Police, regarding the activities of UK companies who supply GCHQ and SIS/MI6 or the Ministry of Defence etc. with software of hardware which could be used to help "damage the national security of any country". N.B. there does not have to be any actual use of such articles, only a belief that they are" likely to be used to commit, or to assist in the commission of, an offence" which will now also apply to the new "economy" or "national security" "of any country" offences.

N.B. unlike the Official Secrets Act etc. the Computer Misuse act has no involvement of the Attorney General who might stop "national security" prosecutions from grinding their way through the Police & Crown Prosecution Service & Extradition proceedings.

GCHQ Sir Iain Lobban's valedictory speech

|

A few comments, in context, on:

Sir Iain Lobban's valedictory speech - as delivered
Full transcript of the speech given by Sir Iain Lobban, Director GCHQ, at the Cabinet War Rooms on 21 Oct 2014.

Weirdly, the GCHQ website no longer seems to support the use of https:// SSL / TLS encryption at all, unlike Security Service MI5 and Secret Intelligence Service SIS / MI6

In the middle of the summer, when I resolved to give this talk, the following events were taking place around the world:

  • A commercial airliner flying at over thirty thousand feet over eastern Ukraine was shot down with a sophisticated surface-to-air missile system, with the loss of 298 lives, 80 of them children
  • Fierce fighting on the ground continued after Russia's annexation of Crimea
  • ISIL advances in Syria and Iraq continued, treating local populations with devastating savagery, and the video of the beheading of the first western hostage spread across the internet
  • the American, Canadian and British embassies suspended operations in Tripoli due to armed clashes between Libyan militias in the country
  • the National Crime Agency carried out further arrests of predators involved in child exploitation

  • thirty-five adults and children, one of whom died, were discovered in a lorry, illegally trafficked from Afghanistan
  • £100 million pounds-worth of cocaine was seized off the coast of Ireland
  • Nearly 200 cyber incidents against the UK's networks of national significance were detected and responded to.


As my teams pivoted to tackle such intelligence and security requirements, and I marvelled yet again at their dedication and tenacity, I decided I wanted to use the occasion of my departure from this post to reflect publically on the profession to which I've devoted the past 31 years: to explain why people like me are motivated to do what we do. After all, it's sometimes called the second oldest profession in the world, and like the oldest, you tend not to talk about it as a career choice. But that's exactly what I want to do now. That career choice is one of the best decisions I've ever made, and I want to tell you why.

I also want to think aloud about the place of intelligence in national life, which makes this exactly the right place for this final public speech. Has there ever been a politician who was so comprehensively focused on intelligence, and on the policy and processes underpinning the production of intelligence, as Winston Churchill?

I joined GCHQ in what felt like the dark days of the Cold War. The majority of my early postings in the department were focused on the Warsaw Pact: a massive challenge. And as I leave, once more we look towards and beyond the Urals. Perhaps I needn't have bothered... Certainly the bookends of my career illustrate how the world continues to be a dangerous and unpredictable place.

But there's a longer timespan in which we should situate the work that GCHQ does today.

UK Signals Intelligence celebrates its centenary this year. There was no Sigint organisation in this country on 4 August 1914, but in November 1914 the First Sea Lord, Winston Churchill, issued a Charter. That Charter prescribed the operating model for Room 40, the section in the Admiralty which had started producing intelligence from intercepted and decrypted messages, would operate. Churchill oversaw the birth of British Sigint, and was instrumental in the creation in 1919 of GCHQ, under its former name of GC&CS.

In another dark time, a sparkling generation radiated their genius from dingy huts at Bletchley to defend a beleaguered nation against the Nazi onslaught:

  • They sent the intelligence to leaders right here in these War Rooms
  • Just as today, GCHQ continues to supply our National Security Council with the intelligence necessary to make the right strategic decisions.

It was here that Churchill applied the lessons he had learned during the First World War about keeping the use and the protection of Sigint in balance: intelligence is of no use if you can't use it, but it will quickly disappear if those using it do not protect its source.

In his Charter for Room 40, Churchill proposed that his Sigint staff should study intercepts, past and present, and compare them with what actually happened in order to penetrate the German mind. This process of traffic analysis was further developed at Bletchley Park, where analysts built a picture of hostile activity by analysing communications for patterns, connections and abnormalities.

  • Today, we continue to look for the patterns, connections and abnormalities that indicate of illuminate hostile capability and intent.

Bletchley Park saved the lives of numerous seamen and the shipping, materiel, and other supplies criss-crossing the Atlantic and the Arctic, all the while stalked by enemy submarines, providing intercepts on which evasive action could be taken. They kept those vital supply routes open.

  • Today, we continue to use intelligence to safeguard the electronic networks on which our trade, our finance, our way of life, now depend.

By June 1944, Sigint could tell General Eisenhower about the German Order of Battle in Normandy, about German perceptions on where the Second Front would be opened, on German intentions to respond to it, and on the success of his deception plan.

  • I am not going to tell you the details of the way we support the UK military today, but let me assure you that our aim is to ensure that every British or allied Commander has the same complete Information Superiority that Eisenhower had. The stakes of our mission today engage life and death as compellingly now as they did then. We are fiercely proud of the work we do to support troops in the front line, foiling attacks on British and allied forces deployed anywhere in the world.

But today's ask is in some ways broader than that of Bletchley Park:

  • With our partners at Mi5 and SIS we apply all our skills to keep our streets safe from terrorists
  • We work to stop the spread of destructive weapons across the world
  • We strain sinews to locate hostages imprisoned in dark and dangerous places, tragically not always with success
  • With the National Crime Agency we battle serious and organised crime
  • We counter internet fraudsters and their malware to save the taxpayer hundreds of millions of pounds.

We counter internet fraudsters and their malware to save the taxpayer hundreds of millions of pounds

GCHQ appear to be spectacularly unsuccessful in this regard, given the estimates of billions of pounds of attempted internet fraud each year.

Perhaps this is because the same "phishing" and malware techniques used by fraudsters seem to be used by GCHQ themselves, according to the Snowden revelations.

How many malware authors and distributors have been prosecuted and convicted in the UK ? Almost none. How many were caught by GCHQ ? Zero.

How many foreign cyber attackers have been extradited to the UK ? Zero

And we also battle to save something upon which nobody can place a value: we strive to protect our children from terrible abuse.

Wars, terrorism, fraud, child sexual exploitation - nothing new in that, you might think. Until you recall that we're witnessing the biggest migration in human history. In the six years since I took up this post, almost one and half billion people have joined the enormous exodus to the internet. That's a doubling of the people accessing information and communicating online. There are over six and a half billion mobile subscribers in the world, nearly two billion active social network users.

We all know that the beautiful dream of the internet as a totally ungoverned space was just that - a beautiful dream. Like all utopian visions, it was flawed because it failed to account for the persistence of the worst aspects of human nature. Alongside the amazing benefits - the comprehensive information, education, health, the communities of interest, the commercial opportunities and efficiencies - there are the plotters, the proliferators and the paedophiles. From what we know of ungoverned spaces in the real world, do we really believe that the world would be a better place if the internet becomes an ungoverned space where anybody can act freely with impunity?

the other impractical utopian vision is the myth that the state can or should provide absolute security.

Those who would do us harm don't want to be found. They choose certain routers or applications to hide in the darkest places of the internet. We have to enter that labyrinth to find them. We work to crack their defences. We have to understand what adversaries seek to do to us, and dedicate ourselves to preventing them from realising their plans. And the vast majority of those criminal threats to the UK are posed by groups or individuals based overseas. So we need strong intelligence and cyber capabilities to identify them and, where international law enforcement doesn't work, to disrupt them directly. This combination is increasingly essential.

where international law enforcement doesn't work, to disrupt them directly

"Disruption" is particularly evil concept, as it does not seem to require any actual evidence or proportionality or regard for collateral damage to the innocent or an appreciation of the economic damage to the UK.


But how to find them in the first place? We used to map the frequencies of the Warsaw Pact's naval, ground, and air forces, just as our predecessors at Bletchley Park tracked the frequencies used by U boats and panzer divisions. But now most of the time there's no tell-tale frequency to intercept, and our adversaries use a diverse range of complex comms methods. Unfortunately, there's no 'badguy.com' for us to log onto and to find terrorists or serious criminals: instead we have to search for them in the vast morass of the internet.

N.B. of course there is already a is a badguy.com domain name and website registered, but hopefully GCHQ are not targeting it "just in case".

Again, I reach back to the First World War. The reason that there was no Sigint on 4 August 1914 was that the members of the Royal Navy's signal staff who had, from time to time, looked at foreign use of radio, had looked at random messages and had found little or nothing of interest. When they saw a message saying "Proceed to Grid 1596 by 0830 hours" it was dismissed as of no interest. It was only the collection and examination of many such messages that led to an understanding that such items were like tiny fragments of a mosaic: Sigint's job is to reveal the big picture. In the first few weeks of the war, those in Room 40 began to look at what today we would call the network,
focussing on the bigger patter of message traffic which produced intelligence about German intentions.

Today, of all the communications out there globally - the emails, the texts, the images - only a small percentage are within reach of our sensors.

  • Of that, we only intercept a small percentage
  • Of that, we store a miniscule percentage for a limited period of time
  • Of that, only a small percentage is ever viewed or listened to, as permitted by our legal framework, and self-evidently, constrained by resource.

TEMPORA snooping on fibre optic communications cables - "full take" cached for 3 days, "metadata" stored for 30 days, as revealed by Edward Snowden, appears to contradict these claims.

We access the internet at scale so as to dissect it with surgical precision. Practically, it is now impossible to operate successfully in any other way. You can't pick and choose the components of a global interception system that you like (catching terrorists and paedophiles), and those you don't (incidental collection of data at scale): it's one integrated system.
That process has other benefits beyond obtaining the intelligence needed by our nation and its allies. By understanding the technicalities of obtaining intelligence, we can help government, businesses and citizens to protect their systems and their data. And by understanding trends in both the technology itself and how it's used, we can help to build the kind of skilled workforce that our country will need in order to flourish in the future.

It is the duty of the state to protect its citizens and to develop a system of capabilities to ensure that its protection is as complete as it can be: the question becomes how we use that system in a way that is consistent with the law, and with values you and I are determined to uphold.

It's a process of intelligence-gathering laid down by law, pored over by parliament, inspected by independent commissioners and under the supervision of a Tribunal. And we wouldn't have it any other way. We've even implemented certain internal safeguards beyond what is required. We've done so because we want to belong to a society that can have confidence in its intelligence services. And so, even when we hear fellow citizens saying things like: "I don't mind being watched because I've nothing to hide" or "I don't mind because it's the price of security," that's depressing for us. The people who work at GCHQ would sooner walk out the door than be involved in anything remotely resembling 'mass surveillance'.

"mass surveillance" does not mean total blanket surveillance i.e. billions or trillions of events a day. It is still "mass surveillance" if only hundreds or thousands of people are caught up in it directly or indirectly.

I want to make it absolutely clear that the core of my organisation's mission is the protection of liberty, not the erosion of it. And that presenting our activities as some sort of binary option - security or privacy - is to represent a false choice: we are committed to doing our utmost to deliver security at the same time as protecting privacy to the greatest extent possible.

GCHQ's compliance regime, like those of our sister Agencies, is supported by a strong culture and ethos of personal accountability. My staff undertake mandatory policy and legalities training before they can access operational data. And we underpin all this internally with a series of processes to uphold not just the letter, but the spirit, of the relevant laws and policies. We respect privacy and take utterly seriously our obligations under Article 8 of the European Convention on Human Rights. We actively seek to minimise intrusion into everyday lives, working in accordance with the principles of necessity and proportionality. By definition, the acquisition, aggregation, usage, sharing and retention of information involve varying degrees of interference with, or intrusion into, the privacy rights of individuals. So those activities can only be undertaken if judged to be necessary in the interests of our statutory purposes - national security, economic wellbeing, or the prevention and detection of serious crime - and proportionate in what we seek to achieve.

This is perhaps the most interesting part of the speech, which seems to contradict the repeated questioning of the witnesses giving oral evidence in public to the Intelligence and Security committee last week about "balance" and "is privacy engaged at the point of collection ?" :

  • And so, even when we hear fellow citizens saying things like: "I don't mind being watched because I've nothing to hide" or "I don't mind because it's the price of security," that's depressing for us.
  • And that presenting our activities as some sort of binary option - security or privacy - is to represent a false choice: we are committed to doing our utmost to deliver security at the same time as protecting privacy to the greatest extent possible.
  • By definition, the acquisition, aggregation, usage, sharing and retention of information involve varying degrees of interference with, or intrusion into, the privacy rights of individuals

Why did the ISC waste so much time on these topics, when even Sir Iain agrees with the human rights activists and lawyers and academics on these points ?

Those principles of necessity and proportionality are fundamental to the functions and ethos of the Agencies, and are critical components of the legal framework within which the Agencies strictly operate. They are applied within every investigation, and are subject to multiple layers of scrutiny and controls.



From the Snowden revelations, it seems that none of this applies to NSA or other 5 Eyes partners (Australia, Canada and New Zealand) when they target UK citizens in the UK or overseas, or their internet or telecommunications traffic routed in transit overseas. They then share the raw data or the processed analyses with GCHQ and other UK intelligence agencies, in secret, with little or no effective UK oversight.

On top of that, GCHQ has an Ethical Framework, setting out our approach to ethical decision-making, applying objectivity and professionalism to those principles.

So why doesn't GCHQ publish this "Ethical Framework" so that the public can be reassured ? Surely this does not contain any "sources and methods" details ?

It's not for me to act as a cheerleader for the system of oversight and scrutiny that apply to GCHQ and my sister intelligence and security Agencies. But I will say that it is the most coherent and well-developed system of which I am aware in relation to such agencies around the world, with its triple lock of:

  • Authorisations by a Secretary of State
  • Informed, rigorous scrutiny by the Intelligence Services Commissioner and by the Interception of Communications Commissioner - and I commend Sir Anthony May's 87-page open report from April this year to the interested reader
  • Review by the parliamentary Intelligence and Security Committee, as strengthened by the recent Justice and Security Act.

2013 Annual Report of the Interception of Communications Commissioner (.pdf)

And that triple lock is supplemented by the Investigatory Powers Tribunal which can hear, and indeed is hearing, legal challenges against our activities, with access to secret material.

This "triple lock" is worse than useless for investigating real or imagined abuses of the system against individuals or groups - it is all too secret and relies on public trust in government bureaucracies which simply does not exist.

And some things do need to remain secret. Let me reflect on the relationship between the intelligence profession and the journalism profession. That relationship may be complex, but let me be clear: we may get frustrated when our efforts are undone, our enemies advantaged, and our integrity questioned, but we're not frustrated by the free press itself. We do what we do precisely to safeguard the kind of society that has a free press.

Why can't GCHQ and the other intelligence agencies have official spokesmen, just like in the USA, to correct the misreporting in the press ?

"Neither confirm nor deny" is a counter-productive policy which literally insults the intelligence of the public, fuels conspiracy theories and destroys public trust, not just of GCHQ but of the UK government in general.

I wonder if it's worth musing upon the shared motivations between our professions. I don't just mean the mutual concern with sources and methods. I mean something more fundamental: at the height of their professions, intelligence officers and journalists both care deeply about knowledge; we are scrupulous about the integrity of the analysis that our reporting depends upon; we both seek the truth; and to get it, we both have to shine a light into dark and often dangerous places, places where we aren't exactly welcome. The difference is what happens to the truth we find. For journalists, the public interest is served by publicity itself; for us, the public interest is served by some things remaining secret.

Over my three decade career I've spent about half of it in roles where it's been necessary to consider whether, and if so how, to use Sigint, to employ it outside the ring of secrecy, to 'disclose' it. The trick is to release the facts so action can be taken if necessary, but to avoid risk to the sources and methods involved. These are, for the most part, very finely balanced judgements made by deep professionals with an instinctive feel for what needs to be released so it can be used, at the same time as applying structured tests so as not to throw away the fragile 'edge' of knowledge secured by intelligence penetration. Back to Churchill again! It's crucial that the targets whose communications we seek to exploit for the purposes of our national security do not know what we can and can't do.

Presumably Sir Iain is talking about the Police and (secret) Courts and the censored RIPA Commisioners' and Intelligence and Security Committee reports when he talks about disclosing Sigint "outside the ring of secrecy" because GCHQ has never bothered to give any useful information to the public, even at a general policy level, without exposing any tactical details.

Secret does not have to equal sinister. The idea that it does is perhaps inspired by the portrayal of uncontrolled intelligence operations in popular films and TV programmes. The reality is more mundane, but contrary to what you might expect, it's also more inspiring. GCHQ staff are drawn from the British population. Yes, we have people with diverse skills and talents, and geniuses from our past, like Alan Turing, remind us that neuro-diverse conditions can frequently unlock exceptional contributions. But basically they are normal, decent human beings - people who spend their lives outside work shopping at Sainsbury's or the Co-op, watching EastEnders and Spooks, listening to Radio 4 and TalkSport, drinking in pubs, wine bars and Cotswold tea rooms, and worrying about their kids, the weather, the football, cricket, and rugby, and what to have for tea. They give their time to charitable causes and help children in local schools.

N.B. No mention of Geoffrey Prime the KGB Communist spy, who was not detected by GCHQ counter-intelligence, but by the local Police ,who arrested him for paedophile sex attacks on local children in the Cheltenham area.

"Prime constructed a system of 2,287 index cards bearing details of individual girls; each card contained information on their parents routines and detailed when they were alone at home"

Imagine what such a cunning spy and paedophile could do with GCHQ insider access to the internet, regardless of any laws or internal policies.

It is the potential unauthorised abuse of powerful state surveillance systems by corrupt or fanatical privileged insiders which is the worry and which is not alleviated by "neither confirm, nor deny" or "it's all legal with oversight" platitudes.

Outside work, we are the people that the inhabitants of Cheltenham, Gloucester and the surrounding area regard as friends, neighbours and customers. We don't suddenly lose our souls the moment we swipe into the Doughnut. My staff are ordinary people doing an extraordinary job.

...Ordinary people, but their extraordinary job can demand extraordinary sacrifices.

Sometimes those sacrifices are economic. My staff choose public service even where they possess astonishing skills prized by the market.

Sometimes those sacrifices are social. Intelligence professionals can't share the details of their work with family and friends. Imagine having no chance to share the good days and download the difficult days. And the same goes for the gratitude of the wider population: it's a rewarding form of public service, but more often than not, the thanks are received behind closed doors.

Their enemies don't stop, so neither can they - the analyst who misses their Christmas dinner to rush in for an urgent task; the teams mounting a 24/7 operation to find a fellow citizen taken hostage overseas. They miss sleep and family commitments over days, weeks and sometimes months, working against the clock, trying to save someone they've never met. They scour far-flung networks for clues and identifiers, feeling the thrill of a breakthrough and, sometimes, despair if they are unsuccessful and people are harmed. One of my saddest duties is to talk to teams devastated by such an outcome.

And the psychological sacrifices can be severe. Like the police or the military, British "spies" have to deal with the worst of human behaviour. Have no doubt that dealing with that is emotionally arduous. They have to look at some highly disturbing images of grotesque things being done to children, at graphic videos of beheadings. They examine such things carefully for clues to the perpetrators. You can imagine the potential effect of looking at such images day-in and day-out, and so we have mechanisms to support people in these roles. I can assure you viewing of such material at GCHQ is not taken lightly. We do it because our job is to protect your loved ones.

So I believe - passionately - that intelligence and security work in the United Kingdom is a noble profession. It helps good decision-taking. It can prevent wars and disrupt the proliferation of weapons of mass destruction. It does prevent terrorist attacks. It pursues criminals who threaten the most vulnerable. A monument in the National Memorial Arboretum honours those who have dedicated their careers to the pursuit of Signals Intelligence.

And, as I complete my own journey from Iron Curtain to Final Curtain, and give way to a distinguished successor waiting in the wings, I cherish my choice of career. My colleagues and I joined the intelligence services to protect others from those who would do them harm. That has always been the passion of our profession. It was our passion when we resisted the Wehrmacht, the Kriegsmarine and the Luftwaffe; it was our passion during the Cold War when we wrestled the Soviet machine; and it's our passion today.

Back to Winston Churchill: he was responsible for two momentous decisions which transformed GCHQ, and which mark it to this day.

  • He personally approved the proposal to share every single one of Bletchley Park's secrets with the United States, a decision which led to what is the most enduring intelligence partnership in history.
  • And he personally answered the urgent appeal made to him by Turing, Alexander, Welchman and Milner-Barry for more resources: "Action this day: Make sure they have all they want on extreme priority and report to me that this has been done". This decision transformed GCHQ: it became the organisation it is today, enabled by technology to produce intelligence at scale and at pace.

And even earlier than that, when he became Chancellor of the Exchequer in 1924, he demanded access to Sigint reporting, writing to the Prime Minister, Stanley Baldwin: "In the years I have been in office since Room 40 began in the autumn of 1914, I have read every one of these flimsies and I attach more importance to them as a means of forming a true judgement of public policy in these spheres than to any other source of knowledge at the disposal of the State". He shared our passion, and our predecessors recognised it and responded to it.

When I joined GCHQ, there were still veterans of Bletchley Park working in Cheltenham. They had worked alongside those who had started Sigint in 1914, learning not just how to do their jobs, but learning too why they did their work the way they did, and how GCHQ had grown and adapted as new sources became available, or productive sources were turned off. I learned from them, and eventually, as the Director of GCHQ, have had the responsibility of ensuring that the thread of continuity that links us to our past continues to extend into the future.

I won't pretend that I've enjoyed every minute of the media attention, but the only thing worse than being in the eye of the storm would have been to be anywhere else. Had that been so, I'd be unable to bear witness now to my fellow professionals, ordinary men and women whose integrity has been insulted time and again, and whose response to such provocation has not been a noisy retort but a quiet resolve - a resolve to continue doing extraordinary things for others. I will miss them, the friends who made the same career choice: their skill, their sacrifice, their silence.

I said this to the parliamentary committee in a closed evidence session, and I'll say it again now:

  • My staff are the embodiment of British values, not a threat to them.

Most current GCHQ staff are probably not a threat to British values, but the automated infrastructure of snooping is a huge threat to us all, including such privileged insiders themselves.

  • What if an extremist government takes power ?
  • What if a weak government fails to prevent the ponderous bureaucracy from sleep walking us into a repressive surveillance state on autopilot, as officials and politicians try to deflect blame and protect their budgets and empires, by seeking to "leave no stone unturned" in their surveillance activities ?

What will Sir Iain Lobban do next ? Will he enjoy a quiet retirement or will he magically appear as a Director or Consultant in the "revolving door" world of Defence / Intelligence / Lobbyist companies ?

How different, if at all, will his successor Robert Hannigan as Director of GCHQ ?

About this blog

This United Kingdom based blog attempts to draw public attention to, and comments on, some of the current trends in ever cheaper and more widespread surveillance technology being deployed to satisfy the rapacious demand by state and corporate bureaucracies and criminals for your private details, and the technological ignorance of our politicians and civil servants who frame our legal systems.

The hope is that you the readers, will help to insist that strong safeguards for the privacy of the individual are implemented, especially in these times of increased alert over possible terrorist or criminal activity. If the systems which should help to protect us can be easily abused to supress our freedoms, then the terrorists will have won.

We know that there are decent, honest, trustworthy individual politicians, civil servants, law enforcement, intelligence agency personnel and broadcast, print and internet journalists etc., who often feel powerless or trapped in the system. They need the assistance of external, detailed, informed, public scrutiny to help them to resist deliberate or unthinking policies, which erode our freedoms and liberties.

Email & PGP Contact

Please feel free to email your views about this blog, or news about the issues it tries to comment on.

blog@spy[dot]org[dot]uk

Our PGP public encryption key is available for those correspondents who wish to send us news or information in confidence, and also for those of you who value your privacy, even if you have got nothing to hide.

We wiil use this verifiable public key (the ID is available on several keyservers, twitter etc.) to establish initial contact with whistleblowers and other confidential sources, but will then try to establish other secure, anonymous communications channels, as appropriate.

Current PGP Key ID: 0xE08E882B13FC89C which will expire on 30th September 2015.

pgp-now.gif
You can download a free copy of the PGP encryption software from www.pgpi.org
(available for most of the common computer operating systems, and also in various Open Source versions like GPG)

We look forward to the day when UK Government Legislation, Press Releases and Emails etc. are Digitally Signed so that we can be assured that they are not fakes. Trusting that the digitally signed content makes any sense, is another matter entirely.

Hints and Tips for Whistleblowers and Political Dissidents

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

Links

Watching Them, Watching Us

London 2600

Our UK Freedom of Information Act request tracking blog

WikiLeak.org - ethical and technical discussion about the WikiLeaks.org project for anonymous mass leaking of documents etc.

Privacy and Security

Privacy International
United Kingdom Privacy Profile (2011)

Cryptome - censored or leaked government documents etc.

Identity Project report by the London School of Economics
Surveillance & Society the fully peer-reviewed transdisciplinary online surveillance studies journal

Statewatch - monitoring the state and civil liberties in the European Union

The Policy Laundering Project - attempts by Governments to pretend their repressive surveillance systems, have to be introduced to comply with international agreements, which they themselves have pushed for in the first place

International Campaign Against Mass Surveillance

ARCH Action Rights for Children in Education - worried about the planned Children's Bill Database, Connexions Card, fingerprinting of children, CCTV spy cameras in schools etc.

Foundation for Information Policy Research
UK Crypto - UK Cryptography Policy Discussion Group email list

Technical Advisory Board on internet and telecomms interception under RIPA

European Digital Rights

Open Rights Group - a UK version of the Electronic Frontier Foundation, a clearinghouse to raise digital rights and civil liberties issues with the media and to influence Governments.

Digital Rights Ireland - legal case against mandatory EU Comms Data Retention etc.

Blindside - "What’s going to go wrong in our e-enabled world? " blog and wiki and Quarterly Report will supposedly be read by the Cabinet Office Central Sponsor for Information Assurance. Whether the rest of the Government bureaucracy and the Politicians actually listen to the CSIA, is another matter.

Biometrics in schools - 'A concerned parent who doesn't want her children to live in "1984" type society.'

Human Rights

Liberty Human Rights campaigners

British Institute of Human Rights
Amnesty International
Justice

Prevent Genocide International

asboconcern - campaign for reform of Anti-Social Behavior Orders

Front Line Defenders - Irish charity - Defenders of Human Rights Defenders

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

Reporters without Borders internet section - news of internet related censorship and repression of journalists, bloggers and dissidents etc.

Judicial Links

British and Irish Legal Information Institute - publishes the full text of major case Judgments

Her Majesty's Courts Service - publishes forthcoming High Court etc. cases (but only in the next few days !)

House of Lords - The Law Lords are currently the supreme court in the UK - will be moved to the new Supreme Court in October 2009.

Information Tribunal - deals with appeals under FOIA, DPA both for and against the Information Commissioner

Investigatory Powers Tribunal - deals with complaints about interception and snooping under RIPA - has almost never ruled in favour of a complainant.

Parliamentary Opposition

The incompetent yet authoritarian Labour party have not apologised for their time in Government. They are still not providing any proper Opposition to the current Conservative - Liberal Democrat coalition government, on any freedom or civil liberties or privacy or surveillance issues.

UK Government

Home Office - "Not fit for purpose. It is inadequate in terms of its scope, it is inadequate in terms of its information technology, leadership, management systems and processes" - Home Secretary John Reid. 23rd May 2006. Not quite the fount of all evil legislation in the UK, but close.

No. 10 Downing Street Prime Minister's Official Spindoctors

Public Bills before Parliament

United Kingdom Parliament
Home Affairs Committee of the House of Commons.

House of Commons "Question Book"

UK Statute Law Database - is the official revised edition of the primary legislation of the United Kingdom made available online, but it is not yet up to date.

FaxYourMP - identify and then fax your Member of Parliament
WriteToThem - identify and then contact your Local Councillors, members of devolved assemblies, Member of Parliament, Members of the European Parliament etc.
They Work For You - House of Commons Hansard made more accessible ? UK Members of the European Parliament

Read The Bills Act - USA proposal to force politicians to actually read the legislation that they are voting for, something which is badly needed in the UK Parliament.

Bichard Inquiry delving into criminal records and "soft intelligence" policies highlighted by the Soham murders. (taken offline by the Home Office)

ACPO - Association of Chief Police Officers - England, Wales and Northern Ireland
ACPOS Association of Chief Police Officers in Scotland

Online Media

Boing Boing

Need To Know [now defunct]

The Register

NewsNow Encryption and Security aggregate news feed
KableNet - UK Government IT project news
PublicTechnology.net - UK eGovernment and public sector IT news
eGov Monitor

Ideal Government - debate about UK eGovernment

NIR and ID cards

Stand - email and fax campaign on ID Cards etc. [Now defunct]. The people who supported stand.org.uk have gone on to set up other online tools like WriteToThem.com. The Government's contemptuous dismissal of over 5,000 individual responses via the stand.org website to the Home Office public consultation on Entitlement Cards is one of the factors which later led directly to the formation of the the NO2ID Campaign who have been marshalling cross party opposition to Labour's dreadful National Identity Register compulsory centralised national biometric database and ID Card plans, at the expense of simpler, cheaper, less repressive, more effective, nore secure and more privacy friendly alternative identity schemes.

NO2ID - opposition to the Home Office's Compulsory Biometric ID Card
NO2ID bulletin board discussion forum

Home Office Identity Cards website
No compulsory national Identity Cards (ID Cards) BBC iCan campaign site
UK ID Cards blog
NO2ID press clippings blog
CASNIC - Campaign to STOP the National Identity Card.
Defy-ID active meetings and protests in Glasgow
www.idcards-uk.info - New Alliance's ID Cards page
irefuse.org - total rejection of any UK ID Card

International Civil Aviation Organisation - Machine Readable Travel Documents standards for Biometric Passports etc.
Anti National ID Japan - controversial and insecure Jukinet National ID registry in Japan
UK Biometrics Working Group run by CESG/GCHQ experts etc. the UK Government on Biometrics issues feasability
Citizen Information Project feasability study population register plans by the Treasury and Office of National Statistics

CommentOnThis.com - comments and links to each paragraph of the Home Office's "Strategic Action Plan for the National Identity Scheme".

De-Materialised ID - "The voluntary alternative to material ID cards, A Proposal by David Moss of Business Consultancy Services Ltd (BCSL)" - well researched analysis of the current Home Office scheme, and a potentially viable alternative.

Surveillance Infrastructures

National Roads Telecommunications Services project - infrastruture for various mass surveillance systems, CCTV, ANPR, PMMR imaging etc.

CameraWatch - independent UK CCTV industry lobby group - like us, they also want more regulation of CCTV surveillance systems.

Every Step You Take a documentary about CCTV surveillance in the Uk by Austrian film maker Nino Leitner.

Transport for London an attempt at a technological panopticon - London Congestion Charge, London Low-Emission Zone, Automatic Number Plate Recognition cameras, tens of thousands of CCTV cameras on buses, thousands of CCTV cameras on London Underground, realtime road traffic CCTV, Iyster smart cards - all handed over to the Metropolitan Police for "national security" purposes, in real time, in bulk, without any public accountibility, for secret data mining, exempt from even the usual weak protections of the Data Protection Act 1998.

RFID Links

RFID tag privacy concerns - our own original article updated with photos

NoTags - campaign against individual item RFID tags
Position Statement on the Use of RFID on Consumer Products has been endorsed by a large number of privacy and human rights organisations.
RFID Privacy Happenings at MIT
Surpriv: RFID Surveillance and Privacy
RFID Scanner blog
RFID Gazette
The Sorting Door Project

RFIDBuzz.com blog - where we sometimes crosspost RFID articles

Genetic Links

DNA Profiles - analysis by Paul Nutteing
GeneWatch UK monitors genetic privacy and other issues
Postnote February 2006 Number 258 - National DNA Database (.pdf) - Parliamentary Office of Science and Technology

The National DNA Database Annual Report 2004/5 (.pdf) - published by the NDNAD Board and ACPO.

Eeclaim Your DNA from Britain's National DNA Database - model letters and advice on how to have your DNA samples and profiles removed from the National DNA Database,in spite of all of the nureacratic obstacles which try to prevent this, even if you are innocent.

Miscellanous Links

Michael Field - Pacific Island news - no longer a paradise
freetotravel.org - John Gilmore versus USA internal flight passports and passenger profiling etc.

The BUPA Seven - whistleblowers badly let down by the system.

Tax Credit Overpayment - the near suicidal despair inflicted on poor, vulnerable people by the then Chancellor Gordon Brown's disasterous Inland Revenue IT system.

Fassit UK - resources and help for those abused by the Social Services Childrens Care bureaucracy

Former Spies

MI6 v Tomlinson - Richard Tomlinson - still being harassed by his former employer MI6

Martin Ingram, Welcome To The Dark Side - former British Army Intelligence operative in Northern Ireland.

Operation Billiards - Mitrokhin or Oshchenko ? Michael John Smith - seeking to overturn his Official Secrets Act conviction in the GEC case.

The Dirty Secrets of MI5 & MI6 - Tony Holland, Michael John Smith and John Symond - stories and chronologies.

Naked Spygirl - Olivia Frank

Blog Links

e-nsecure.net blog - Comments on IT security and Privacy or the lack thereof.
Rat's Blog -The Reverend Rat writes about London street life and technology
Duncan Drury - wired adventures in Tanzania & London
Dr. K's blog - Hacker, Author, Musician, Philosopher

David Mery - falsely arrested on the London Tube - you could be next.

James Hammerton
White Rose - a thorn in the side of Big Brother
Big Blunkett
Into The Machine - formerly "David Blunkett is an Arse" by Charlie Williams and Scribe
infinite ideas machine - Phil Booth
Louise Ferguson - City of Bits
Chris Lightfoot
Oblomovka - Danny O'Brien

Liberty Central

dropsafe - Alec Muffett
The Identity Corner - Stefan Brands
Kim Cameron - Microsoft's Identity Architect
Schneier on Security - Bruce Schneier
Politics of Privacy Blog - Andreas Busch
solarider blog

Richard Allan - former Liberal Democrat MP for Sheffield Hallam
Boris Johnson Conservative MP for Henley
Craig Murray - former UK Ambassador to Uzbekistan, "outsourced torture" whistleblower

Howard Rheingold - SmartMobs
Global Guerrillas - John Robb
Roland Piquepaille's Technology Trends

Vmyths - debunking computer security hype

Nick Leaton - Random Ramblings
The Periscope - Companion weblog to Euro-correspondent.com journalist network.
The Practical Nomad Blog Edward Hasbrouck on Privacy and Travel
Policeman's Blog
World Weary Detective

Martin Stabe
Longrider
B2fxxx - Ray Corrigan
Matt Sellers
Grits for Breakfast - Scott Henson in Texas
The Green Ribbon - Tom Griffin
Guido Fawkes blog - Parliamentary plots, rumours and conspiracy.
The Last Ditch - Tom Paine
Murky.org
The (e)State of Tim - Tim Hicks
Ilkley Against CCTV
Tim Worstall
Bill's Comment Page - Bill Cameron
The Society of Qualified Archivists
The Streeb-Greebling Diaries - Bob Mottram

Your Right To Know - Heather Brooke - Freedom off Information campaigning journalist

Ministry of Truth _ Unity's V for Vendetta styled blog.

Bloggerheads - Tim Ireland

W. David Stephenson blogs on homeland security et al.
EUrophobia - Nosemonkey

Blogzilla - Ian Brown

BlairWatch - Chronicling the demise of the New Labour Project

dreamfish - Robert Longstaff

Informaticopia - Rod Ward

War-on-Freedom

The Musings of Harry

Chicken Yoghurt - Justin McKeating

The Red Tape Chronicles - Bob Sullivan MSNBC

Campaign Against the Legislative and Regulatory Reform Bill

Stop the Legislative and Regulatory Reform Bill

Rob Wilton's esoterica

panGloss - Innovation, Technology and the Law

Arch Rights - Action on Rights for Children blog

Database Masterclass - frequently asked questions and answers about the several centralised national databases of children in the UK.

Shaphan

Moving On

Steve Moxon blog - former Home Office whistleblower and author.

Al-Muhajabah's Sundries - anglophile blog

Architectures of Control in Design - Dan Lockton

rabenhorst - Kai Billen (mostly in German)

Nearly Perfect Privacy - Tiffany and Morpheus

Iain Dale's Diary - a popular Conservative political blog

Brit Watch - Public Surveillance in the UK - Web - Email - Databases - CCTV - Telephony - RFID - Banking - DNA

BLOGDIAL

MySecured.com - smart mobile phone forensics, information security, computer security and digital forensics by a couple of Australian researchers

Ralph Bendrath

Financial Cryptography - Ian Grigg et al.

UK Liberty - A blog on issues relating to liberty in the UK

Big Brother State - "a small act of resistance" to the "sustained and systematic attack on our personal freedom, privacy and legal system"

HosReport - "Crisis. Conspiraciones. Enigmas. Conflictos. Espionaje." - Carlos Eduardo Hos (in Spanish)

"Give 'em hell Pike!" - Frank Fisher

Corruption-free Anguilla - Good Governance and Corruption in Public Office Issues in the British Overseas Territory of Anguilla in the West Indies - Don Mitchell CBE QC

geeklawyer - intellectual property, civil liberties and the legal system

PJC Journal - I am not a number, I am a free Man - The Prisoner

Charlie's Diary - Charlie Stross

The Caucus House - blog of the Chicago International Model United Nations

Famous for 15 Megapixels

Postman Patel

The 4th Bomb: Tavistock Sq Daniel's 7:7 Revelations - Daniel Obachike

OurKingdom - part of OpenDemocracy - " will discuss Britain’s nations, institutions, constitution, administration, liberties, justice, peoples and media and their principles, identity and character"

Beau Bo D'Or blog by an increasingly famous digital political cartoonist.

Between Both Worlds - "Thoughts & Ideas that Reflect the Concerns of Our Conscious Evolution" - Kingsley Dennis

Bloggerheads: The Alisher Usmanov Affair - the rich Uzbek businessman and his shyster lawyers Schillings really made a huge counterproductive error in trying to censor the blogs of Tim Ireland, of all people.

Matt Wardman political blog analysis

Henry Porter on Liberty - a leading mainstream media commentator and opinion former who is doing more than most to help preserve our freedom and liberty.

HMRC is shite - "dedicated to the taxpayers of Britain, and the employees of the HMRC, who have to endure the monumental shambles that is Her Majesty's Revenue and Customs (HMRC)."

Head of Legal - Carl Gardner a former legal advisor to the Government

The Landed Underclass - Voice of the Banana Republic of Great Britain

Henrik Alexandersson - Swedish blogger threatened with censorship by the Försvarets Radioanstalt (FRA), the Swedish National Defence Radio Establishement, their equivalent of the UK GCHQ or the US NSA.

World's First Fascist Democracy - blog with link to a Google map - "This map is an attempt to take a UK wide, geographical view, of both the public and the personal effect of State sponsored fear and distrust as seen through the twisted technological lens of petty officials and would be bureaucrats nationwide."

Blogoir - Charles Crawford - former UK Ambassodor to Poland etc.

No CCTV - The Campaign against CCTV

Barcode Nation - keeping two eyes on the database state.

Lords of the Blog - group blog by half a dozen or so Peers sitting in the House of Lords.

notes from the ubiquitous surveillance society - blog by Dr. David Murakami Wood, editor of the online academic journal Surveillance and Society

Justin Wylie's political blog

Panopticon blog - by Timothy Pitt-Payne and Anya Proops. Timothy Pitt-Payne is probably the leading legal expert on the UK's Freedom of Information Act law, often appearing on behlaf of the Information Commissioner's Office at the Information Tribunal.

Armed and Dangerous - Sex, software, politics, and firearms. Life’s simple pleasures… - by Open Source Software advocate Eric S. Raymond.

Georgetown Security Law Brief - group blog by the Georgetown Law Center on National Security and the Law , at Georgtown University, Washington D.C, USA.

Big Brother Watch - well connected with the mainstream media, this is a campaign blog by the TaxPayersAlliance, which thankfully does not seem to have spawned Yet Another Campaign Organisation as many Civil Liberties groups had feared.

Spy on Moseley - "Sparkbrook, Springfield, Washwood Heath and Bordesley Green. An MI5 Intelligence-gathering operation to spy on Muslim communities in Birmingham is taking liberties in every sense" - about 150 ANPR CCTV cameras funded by Home Office via the secretive Terrorism and Allied Matters (TAM) section of ACPO.

FitWatch blog - keeps an eye on the activities of some of the controversial Police Forward Intelligence Teams, who supposedly only target "known troublemakers" for photo and video surveillance, at otherwise legal, peaceful protests and demonstrations.

Other Links

Spam Huntress - The Norwegian Spam Huntress - Ann Elisabeth

Fuel Crisis Blog - Petrol over £1 per litre ! Protest !
Mayor of London Blog
London Olympics 2012 - NO !!!!

Cool Britannia

NuLabour

Free Gary McKinnon - UK citizen facing extradition to the USA for "hacking" over 90 US Military computer systems.

Parliament Protest - information and discussion on peaceful resistance to the arbitrary curtailment of freedom of assembly and freedom of speech, in the excessive Serious Organised Crime and Police Act 2005 Designated Area around Parliament Square in London.

Brian Burnell's British / US nuclear weapons history at http://nuclear-weapons.info

Syndicate this site (XML):

Follow Spy Blog on Twitter

For those of you who find it convenient, there is now a Twitter feed to alert you to new Spy Blog postings.

https://twitter.com/SpyBlog

Please bear in mind the many recent, serious security vulnerabilities which have compromised the Twitter infrastructure and many user accounts, and Twitter's inevitable plans to make money out of you somehow, probably by selling your Communications Traffic Data to commercial and government interests.

https://twitter.com/SpyBlog (same window)

Recent Comments

  • wtwu: NetIDMe seems to be in process of being wound up read more
  • wtwu: The House of Lords have approved the Regulations, without a read more
  • wtwu: Data Retention and Investigatory Powers Bill Government Note on the read more
  • wtwu: The former Customs Officer and the others involved in dealing read more
  • wtwu: BBC reports the password was $ur4ht4ub4h8 http://www.bbc.co.uk/news/uk-25745989 When Hussain was read more
  • wtwu: "only" an extra 4 months in prison for failing to read more
  • wtwu: Although not confirmed as part of the Wilson Doctrine per read more
  • wtwu: For now (just before Christmas 2013) it appears that the read more
  • wtwu: As expected, the ISC did not give the intelligence agency read more
  • wtwu: N.B. the Intelligence & Security Committee is now legally consituted read more

Categories

Monthly Archives

August 2015

Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

UK Legislation

The United Kingdom suffers from tens of thousands of pages of complicated criminal laws, and thousands of new, often unenforceable criminal offences, which have been created as a "Pretend to be Seen to Be Doing Something" response to tabloid media hype and hysteria, and political social engineering dogmas. These overbroad, catch-all laws, which remove the scope for any judicial appeals process, have been rubber stamped, often without being read, let alone properly understood, by Members of Parliament.

The text of many of these Acts of Parliament are now online, but it is still too difficult for most people, including the police and criminal justice system, to work out the cumulative effect of all the amendments, even for the most serious offences involving national security or terrorism or serious crime.

Many MPs do not seem to bother to even to actually read the details of the legislation which they vote to inflict on us.

UK Legislation Links

UK Statute Law Database - is the official revised edition of the primary legislation of the United Kingdom made available online, but it is not yet up to date.

UK Commissioners

UK Commissioners some of whom are meant to protect your privacy and investigate abuses by the bureaucrats.

UK Intelligence Agencies

Intelligence and Security Committee - the supposedly independent Parliamentary watchdog which issues an annual, heavily censored Report every year or so. Currently chaired by the Conservative Sir Malcolm Rifkind. Why should either the intelligence agencies or the public trust this committee, when the untrustworthy ex-Labour Minister Hazel Blears is a member ?

Anti-terrorism hotline - links removed in protest at the Climate of Fear propaganda posters

MI5 Security Service
MI5 Security Service - links to encrypted reporting form removed in protest at the Climate of Fear propaganda posters

syf_logo_120.gif Secure Your Ferliliser logo
Secure Your Fertiliser - advice on ammonium nitrate and urea fertiliser security

cpni_logo_150.gif Centre for the Protection of National Infrastructure
Centre for the Protection of National Infrastructure - "CPNI provides expert advice to the critical national infrastructure on physical, personnel and information security, to protect against terrorism and other threats."

SIS MI6 careers_logo_sis.gif
Secret Intelligence Service (MI6) recruitment.

gchq_logo.gif
Government Communications Headquarters GCHQ

logo-nca.gif
National Crime Agency - the replacement for the Serious Organised Crime Agency

da_notice_system_150.gif
Defence Advisory (DA) Notice system - voluntary self censorship by the established UK press and broadcast media regarding defence and intelligence topics via the Defence, Press and Broadcasting Advisory Committee.

Foreign Spies / Intelliegence Agencies in the UK

It is not just the UK government which tries to snoop on British companies, organisations and individuals, the rest of the world is constantly trying to do the same, regardless of the mixed efforts of our own UK Intelligence Agencies who are paid to supposedly protect us from them.

For no good reason, the Foreign and Commonwealth Office only keeps the current version of the London Diplomatic List of accredited Diplomats (including some Foreign Intelligence Agency operatives) online.

Presumably every mainstream media organisation, intelligence agency, serious organised crime or terrorist gang keeps historical copies, so here are some older versions of the London Diplomatic List, for the benefit of web search engine queries, for those people who do not want their visits to appear in the FCO web server logfiles or those whose censored internet feeds block access to UK Government websites.

Campaign Button Links

Watching Them, Watching Us - UK Public CCTV Surveillance Regulation Campaign
UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card
NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.
Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid_150.jpg
FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond
Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Petition to the European Commission and European Parliament against their vague Data Retention plans
Data Retention is No Solution - Petition to the European Commission and European Parliament against their vague Data Retention plans.

Save Parliament: Legislative and Regulatory Reform Bill (and other issues)
Save Parliament - Legislative and Regulatory Reform Bill (and other issues)

Open_Rights_Group.png
Open Rights Group

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network
Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Tor - the onion routing network
Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

irrepressible_banner_03.gif
Amnesty International's irrepressible.info campaign

anoniblog_150.png
BlogSafer - wiki with multilingual guides to anonymous blogging

ngoiab_150.png
NGO in a box - Security Edition privacy and security software tools

homeofficewatch_150.jpg
Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

rsf_logo_150.gif
Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

committee_to_protect_bloggers_150.gif
Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

Icelanders_are_NOT_Terrorists_logo_150.jpg
Icelanders are NOT terrorists ! - despite Gordon Brown and Alistair Darling's use of anti-terrorism legislation to seize the assets of Icelandic banks.

nocctv.gif
No CCTV - The Campaign Against CCTV

phnat-logo-black-on-white_150.jpg

I'm a Photographer Not a Terrorist !

power2010_132.png

Power 2010 cross party, political reform campaign

Cracking_the_Black_Box_black_150.jpg

Cracking the Black Box - "aims to expose technology that is being used in inappropriate ways. We hope to bring together the insights of experts and whistleblowers to shine a light into the dark recesses of systems that are responsible for causing many of the privacy problems faced by millions of people."

surveillance_72.jpg

Open Rights Group - Petition against the renewal of the Interception Modernisation Programme

wblogocrop_150.jpg

WhistleblowersUK.org - Fighting for justice for whistleblowers