GCHQ, the Government Communication Headquarters, is the UK Intelligence organisation responsible for Signals and Communications Intelligence (SIGINT). GCHQ has been running communications monitoring programmes for over a decade.
Whilst GCHQ use a mixture of tradecraft, the organisation is generally successful in intercepting and collecting mass data. The scope of such monitoring is enormous; GCHQ was able to capture around 50 billion online ‘events’ per day by 2012 [source].
In addition, GCHQ and the NSA have successfully decrypted encrypted data, allowing for further analysis of the collected communications that users may believe to be completely private [source]. Such monitoring programmes aim to identify key individuals or communications that may harm domestic and international security.
Moreover, GCHQ frequently collaborates with international intelligence organisations, in particular the NSA. Much of this activity is sanctioned under the Five Eyes Agreement or the USUSA Agreement [source]. Under this agreement, the ‘Five Eyes’ – the UK, US, Australia, Canada, and New Zealand – can share all collected SIGINT data and methodologies.
How Do We Know?
The stories of mass communication monitoring came to light due to a whistleblower, Edward Snowden. Snowden worked for the NSA but released documents to media outlets in 2013. These documents outlined the methods and scope of such monitoring programmes [source]. Since this time, there has been much public debate surrounding the methods used by National Intelligence organisations to achieve their aims.
Timeline of GCHQ Monitoring Programmes
KARMA POLICE
- Beginning as early as 2007
- GCHQ collects mainly metadata through interception of communications via data cables travelling internationally through Cornwall
- The data collected includes records of sites visited, usernames and passwords, and the use of tracking cookies to find other accounts held by the user
- Looked at data from many major websites, such as Facebook, Amazon, YouTube, and major news organisations
- Data is stored in a repository called the ‘black hole’, which GCHQ and NSA analysts can access
- KARMA POLICE led to several variant programmes which ran concurrently, such as ‘Social Anthropoid’, ‘Memory Hole’, and ‘Infinite Monkeys’. There is significantly less publicly-available information about these programmes
PRISM Programme
- As early as 2010 – A US-led monitoring programme
- An NSA programme which allows the NSA to collect mass data on internet communications, and GCHQ to access this data
- Whilst this remains uncorroborated, PRISM is believed to be done through knowing collaboration with internet companies, such as Google, Facebook, Microsoft, Apple, Yahoo!, and Skype [source]
- Data suggests that in 2012, GCHQ produced over 197 intelligence reports from PRISM data alone
- This is believed to be done through the legal obligation of internet companies to disclose any private communications that match court-approved key terms pertaining to national security
Tempora Programme
- Late 2011 to June 2013 – A mass communication monitoring programme
- The NSA and GCHQ place interceptors within fibre optic cables both domestically and internationally.
- Data is sifted for relevancy through a mixture of automatic filtering and human analysis by around 300 dedicated GCHQ staff [source]
- Data collected can be stored for 3 days, and metadata stored for up to 30 days
- Analysts at GCHQ can access data and metadata stored within GCHQ Servers and create intelligence reports based on information gathered
- The data is also available to the NSA
MUSCULAR Programme
- December 2012 to January 2013 – A communication interception programme aimed at Google and Yahoo! Servers, run by both the NSA and GCHQ
- From undisclosed interception points, GCHQ and NSA intercept communications via fibre optic cables and copy it to their servers
Implications
The ethical and legal implications of such GCHQ monitoring programmes vary.
In 2014, the Investigatory Powers Tribunal ruled that both the PRISM and Tempora programmes were under the 2000 Regulation of Investigatory Powers Act (RIPA) law [source]. Under such regulation, the Foreign Secretary can issue a certificate allowing for broad interception if deemed necessary for national security.
In 2016, to restore public approval of national Intelligence agencies introduced the Investigatory Powers Act. This act aims to hold organisations more accountable for the data they collect and force GCHQ and other agencies to gain judicial approval prior to communication monitoring [source].
However, since 2013 there have been several legal challenges against GCHQ’s conduct by human rights groups and privacy activists. Subsequently, in May 2021, the European Court of Human Rights ruled that GCHQ is guilty of violating data privacy laws through its mass monitoring programmes [source]. This is likely to change the nature of operations for GCHQ going forward [source].
Summary
GCHQ Monitoring Programmes are widespread and collect an unprecedented amount of data. Although this raises debates regarding the privacy of individual users, analysis of such activity suggests that the raw volume of data collected means GCHQ is highly unlikely to look at individual users’ logs without prior reason [source].
Similarly, such whistleblowing activities alert suspects to monitoring, meaning that malicious actors are more likely to go off the grid. In the words of anonymous GCHQ employees:
“What Snowden did was very bad. Targets we were interested in, we lost track of completely”.
Therefore, the debate on the legality and ethics of GCHQ monitoring programmes is highly likely to continue indefinitely.