A top UK spy reckons British intelligence can legally snoop on Brits' Facebook posts and tweets because they’re classed as “external communications” – though he wouldn't confirm outright that his g-men had done so.
Charles Farr, director general of the Office for Security and Counter Terrorism, said that the UK government runs a legal programme of mass surveillance on Facebook, Twitter, Google, YouTube and other site users because everything people said or posted on these sites were external comms based on platforms in the US.
That makes the sites fair game for snooping by the intelligence services under the Regulation of Investigatory Powers Act (RIPA), he said. That law says that internal communications can only be intercepted under a warrant for a specific person or address when there is some suspicion of illegal activities. But external comms can be picked up any time, even when there are no grounds for a warrant.
In practice, Farr said, that means that an email sent by a Google user to a Hotmail user both located in the UK is an internal communication, even though it may have passed through a server in another country. However, searching Google, tweeting, posting things on Facebook and other internet activities that end up stored on any server outside Blighty are classed as "external".
“Within the British Islands, the government has sufficient control and considerable resources to investigate individuals and organisations and it is feasible to adopt an interception regime that requires either a particular person, or a set of premises, to be identified before interception can take place,” Farr said in defence of the policy.
“Outside the British Islands, the government does not have the same ability to identify either relevant individuals or premises… the government is in many cases not aware of the precise location and online identities of members of Al-Qaeda around the world or of cyber criminals, Taleban insurgents, proliferators of weapons of mass destruction or precursor chemicals or of other similar individuals or organisations whose activities pose a threat to national security, the prevention and detection of serious crime or the economic well-being of the United Kingdom.”
The former MI6 man also said that electronic messages over the internet could go by a nearly infinite number of routes, so the only practical thing for the government to do was to slurp as much online info as possible. If the intelligence services happened to hoover up some internal communications accidentally, they could just not look at them without a warrant.
“The only practical way in which the government can ensure that it is able to obtain at least a fraction of the type of communication in which it is interested is to provide for the interception of a large volume of communications and the subsequent selection of a small fraction of those communications for examination by the application of relevant sectors,” he said.
Farr released the policy statement in response to a legal challenge from bodies including Privacy International, Amnesty and the American Civil Liberties Union, following the revelations from US whistleblower Edward Snowden about America’s PRISM surveillance programme and the alleged Brit equivalent Tempora.
The privacy campaigners argue the British government should reveal the full extent of Tempora, since the media has already made public documents about it. But Farr said that the alleged Tempora documents were no different to any other presumed leak, so he was sticking to the government’s policy of neither confirming nor denying them.
“I am not aware of any exceptional circumstances which would justify a departure from the neither confirm nor deny principle in relation to the alleged Tempora interception operation,” he said, adding that all he would say was that if it did exist, it would be legal.
But the campaigners said that by lumping platforms like Facebook, Twitter and YouTube into external comms, the government was denying UK citizens their rights.
“British residents are being deprived of the essential safeguards that would otherwise be applied to their communications - simply because they are using services that are based outside the UK,” Privacy International said in a statement.
It added that the some of the suggestions from Farr about why people shouldn’t be worried were laughable.
Farr said that folks shouldn’t be bothered about whether their communications were slurped up by spooks, only if they were then read or listened to or watched. He also said that even when analysts did happen to violate people’s privacy by accessing their internal communications in error, people shouldn’t worry because they’d probably forget what they saw anyway.
“Such an approach suggests that GCHQ believes it is entitled to indiscriminately intercept all communications in and out of the British Isles,” Privacy International said.
You can see Farr’s full statement hosted on the Privacy International website here (PDF). ®