The forthcoming BBC Panorama television documentary Omagh - What The Police Were Never Told, scheduled to be broadcast on Monday 15 September on BBC1 at 8.30pm, might be of interest to regular Spy Blog readers.
The Sunday Telegraph article
The words that might have saved Omagh
Could a coded message intercepted by intelligence have prevented the biggest atrocity of the Irish Troubles, in which 29 people died? Despite two trials, and millions of pounds spent, still no one is in prison for the Omagh bombing. In a special investigation, John Ware asks why covert monitoring failed - and why this and other pieces of evidence were not passed on to police hunting the killers
By John Ware
Last Updated: 1:32PM BST 14 Sep 2008
This does ask some hard questions about the inept or deliberate lack of communications between the Government Communications Headquarters (GCHQ), the Security Service MI5, and the Special Branch of the Royal Ulster Constabulary (called the Police Service of Northern Ireland since 2001).
The article, and presumably the documentary, does, however, include some technical nonsense about mobile phone tracking.
The article and documentary appear to publish the details of actual Intercept transcripts and some of the Communications Traffic Data details.
The article also claims that 6.4 million telephone records were trawled through by the Police. What exactly has happened to that data, almost all of which has nothing to do with the investigation? When, if ever, was it destroyed? Or has it already been lost or stolen on an unencrypted hard disk or other portable memory device or media?
Will the former senior Police officers who have been talking to Panorama now be treated like other whistleblowers by this Labour Government, with criminal prosecutions under the Regulation of Investigatory Powers Act 2000 section 19 Offence for unauthorised disclosures, which is currently in force, or the Interception of Communications Act 1985 Schedule 2 Disclosure of messages etc., which was in force in 1998, or failing that, under the Official Secrets Act 1989?
Why did GCHQ not react immediately? It is possible that no one was listening; the conversations could have been recorded automatically. "Live" monitoring was, however, specifically what Special Branch sources say they had asked for and expected. Given the Gardai warning and risk of another incident like the bomb in Banbridge, this qualified as a "Priority One" (threat to life) investigation.
We have no problem with GCHQ being used for such a focussed, "threat to life" investigation.
Perhaps if they and the other police and intelligence agencies spent less time and resources snooping on millions of innocent people, they would be able to staff the real time interception, tracking, analysis and the vital communications with the security forces and emergency services at the sharp end, which this article and documentary appear to show was lacking.
The bomb began its final journey near the Co Monaghan border. Recognising what was happening as a bomb-run was made more difficult for GCHQ's monitors (supposing that they were listening "live") by the fact that the mobiles used by the bombers in the scout car and the bomb car itself were registered to Eircell, a mobile provider then owned by the Irish government. GCHQ needed to crack their coded electronic signatures in order to listen and track the phones.
No, they did not need to "crack" anything to simply track the approximate position of the mobile phone handset, and therefore the approximate position of the moving vehicle.
See the previous Spy Blog article on the Path Intelligence mobile phone location technology, which uses the TMSI and the IMSI, and could use the IMEI: Path Intelligence FootPath(tm) mobile phone tracking - a few more details
Once the Eircell phones were using Cell Phone masts in Northern Ireland, then GCHQ could listen in to any conversation or read any SMS text messages through the UK Mobile Telephone Communications Provider's infrastructure. On a GSM mobile phone network, everything is in the clear apart from the deliberately weak A5 encryption over the airwaves between the GSM Mobile Phone handset and the Mobile Phone Cell base station transmitter(s).
This is most efficiently done with the assistance of the mobile network provider; the signature includes a complex mathematical algorithm in the hardware of the phone. Mobile manufacturers are required to give the algorithm of each new model to the Government, which passes it on to GCHQ.
No, they are not - it is a worldwide telecommunications industry standard.
But it seems highly unlikely that Eircell was party to that arrangement. Irish security sources have made it clear that although they often worked closely with MI5, they had no relationship with GCHQ.
GCHQ is thought to have cracked only the electronic signature for the mobile in the scout car. This mobile had previously crossed into the United Kingdom when it was used to co-ordinate the Banbridge bombing. Having decrypted the mobile, GCHQ could listen to it when it returned to the Irish Republic. But GCHQ is not thought to have had the signature for the mobile in the bomb car.
One would have thought that a mobile phone previously identified, weeks before, as being associated with a bomb attack would have been on the GCHQ and UK Mobile Phone Network watchlists.
What else were GCHQ doing? Back in 1998, there was no emphasis on tracking potential Al Qaeda terrorists.
GCHQ may therefore only have seen one vehicle - the scout car - moving from mast to mast along the southern side of the border. On the morning of August 15, 1998, that car was moving away from the North-South corridor where previous car bombings had been targeted. That fact, and the short coded messages, may explain why it failed to alert anyone at GCHQ.
A mobile phone handset periodically checks signal strength and quality, not just with the Cell Transmitter Mast with the strongest signal with which it has established a time slot reservation, but, since this could change at any time, with all the other Cell Masts within range, even those belonging to rival Mobile Phone Networks or those networks just across the international border. It should therefore have been possible for GCHQ and UK Mobile Phone Operators to watch the movements of these handsets a few kilometres to the south of the Irish border, something which the Irish Mobile Phone Operators and intelligence agencies could also do in the other direction.
Despite several references to exact times and lengths of calls in this article, it is unclear whether the Eircell mobile phones were both continuously switched on before, during and after the bomb attack, or if they were only switched on to send or receive a call or SMS message, which would have made tracking their locations more difficult.
At 1.30pm, phone logs show the scout car crossed the border in Northern Ireland around Aughnacloy. The words "We're crossing the line" were picked up by GCHQ.
As both mobiles crossed the border, they went over to the British-owned network Vodafone, on which GCHQ can monitor and track calls. So instead of just one mobile inching north on the screen of the GCHQ monitors, there would now have been two.
The Eircell Call Information Records would also have the Cell ID location of these phones roaming on the Vodafone network across the border in Northern Ireland.
The detectives were left to work out that the bombers had used mobiles for themselves. For months they trawled through phone records - 6.4 million of them - trying to identify the mobiles used. Eventually, this "cell site" analysis showed 22 suspects' phones active in Omagh and four other bombings linked to it. Although this was evidence that pointed to the fact that the mobiles had been in Omagh when the bomb was planted, prosecutors needed proof of who had been using them to bring murder charges.
Why exactly did they need to snoop on 6.4 million phone records to do this?
What has happened to the vast bulk of that data which has got nothing to do with the Omagh bomb investigation?
When were these excessive phone records destroyed, or are they still being "data mined"?
GCHQ had this in the form of voice recordings. But the detectives were not given them, or even informed that they existed. Off the record, ex-Special Branch sources say they were heavily restricted by GCHQ in what they could disclose to the detectives. When I asked the Police Service of Northern Ireland (PSNI) if this was correct, I was told that no one from the PSNI could discuss "specific questions about intelligence issues because to do so would be a breach of the law and PSNI policy". GCHQ's recordings could not, of course, be used in court: British law rules all such evidence inadmissible. But there was no law to stop the GCHQ material from being shared with the detectives as they laboured month after month to try to identify the mobiles used - some of those mobiles whose numbers, owners and users were known all along to GCHQ, MI5 and presumably Special Branch.
By the time detectives had completed their own laborious analysis, it was June 1999. Nine months had passed since the bombing and the trail was going cold.
The current Regulation of Investigatory Powers Act 2000, and the previous Interception of Communications Act 1985 (which was in force in 1998) and even the Irish Republic's Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, all prevent the use of Intercept material as evidence in a court of law. (see the Spy Blog article on Privy Council Chilcot Review report on Intercept Evidence - more ***)
However, the question of why the Police seem to have had to duplicate some or all of the work already done by GCHQ and MI5 etc. is very valid.
Why this blanket secrecy? That remains the most perplexing question. It has been suggested to me by senior police sources that the intelligence services decided that it was more important to ensure that the details of GCHQ's technology and methodology were kept secret than to risk the possibility that they might be compromised by sharing some of their fruits with detectives investigating the Omagh bomb.
What if there are secret GCHQ physical and / or software taps into the Irish telecommunications network infrastructure?
What if there are British agents or Confidential Human Intelligence sources with privileged access to parts of that Irish telecommunications infrastructure?
Would such intelligence assets be valuable enough for some faceless bureaucrat to decide to allow the Omagh bomb murderers to go unprosecuted?
Your what-ifs are all almost certainly true - and I would have some sympathy with an assessment that they would not be worth compromising for a prosecution, however understandably important the families of the victims of the bombers feel that would be.
@ Ian - if GCHQ and MI6 are not totally incompetent, one would hope that they have at least attempted to gain privileged access to the Irish telecommunications system, at least near the Northern Irish border.
In the past, GCHQ did, of course, snoop on the main Irish international microwave telecommunications link to the UK, via the (now demolished) Capenhurst Phone Tap Tower, sited in a corner of a British Nuclear Fuels factory.
Helping out with the "6.4 million telephone records" sifting by the Police, in the months after the Omagh bomb, should not have compromised any such intelligence assets though, so the petty bureaucratic empire building and rivalry, and blame shifting between intelligence agencies and the Police etc. must have been a factor.