from the I-mean,-they'll-still-use-both... dept
UK spies are changing their minds. Rapidly. Sure, bulk data collection is cool. But you know what’s really cool? Mass interference with electronic devices.
At the time the Investigatory Powers Bill was passing through Parliament – it was signed into law in 2016 – EI [Electronic Interference] hadn’t been used, but it was already seen an alternative to bulk interception.
However, it was expected to be authorised through targeted or targeted thematic warrants; as then-independent reviewer of terrorism David Anderson wrote at the time, “bulk EI is likely to be only sparingly used”.
During the passage of the Investigatory Powers legislation, he said, the government anticipated bulk EI warrants would be “the exception”, and “be limited to overseas ‘discovery’ based EI operations”.
But with encryption increasingly commonplace, the spies want the exception to edge towards becoming the rule.
“Used sparingly” is now “used by default.” Why? The good old baddie, encryption. A letter [PDF] written by security minister Ben Wallace says encryption is making bulk data collections less useful.
Following a review of current operational and technical realities, GCHQ have revisited the previous position and determined that it will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.
The lawfulness depends on the “double lock” process. The government alone can’t give GCHQ permission to engage in bulk EI. There’s a judge involved now, making this more of a warrant process than a subpoena process, to make a somewhat clumsy analogy. According to this report, bulk EI is still waiting in the wings. If true, it’s a good thing because the double-lock process didn’t actually go into effect until the end of November.
What bulk EI is remains somewhat of a mystery. But some of what’s described in a 2016 report [PDF] containing several hypotheticals sounds like a lot of large-scale intrusion, ranging from Stingray-esque device location to tactics that have been left up to the imagination thus far.
This sounds a bit like the FBI’s child porn hunting Network Investigative Technique: serving up malware to collect information on devices and their users.
Intelligence from sources including bulk interception identified a location in Syria used by extremists. However the widespread use of anonymisation and encryption prevented GCHQ from identifying specific individuals and their communications through bulk interception. GCHQ then used EI under an ISA authorisation (under the Bill this would be done using a targeted thematic EI warrant) to identify the users of devices in this location.
This may be a theoretical Stingray deployment:
A group of terrorists are at a training camp in a remote location overseas. The security and intelligence agencies have successfully deployed targeted EI against the devices the group are using and know that they are planning an attack on Western tourists in a major town in the same country, but not when the attack is planned for. One day, all of the existing devices suddenly stop being used. This is probably an indication that the group has acquired new devices and gone to the town to prepare for the attack. It is not known what devices the terrorists are now using. The security and intelligence agencies would use bulk EI techniques to acquire data from devices located in the town in order to try to identify the new devices that are being used by the group.
Whatever bulk electronic interference ends up being when it’s actually deployed, GCHQ is sure of one thing: the less it knows about its targets, the more justified it is using it in bulk.
As the cell members can only be identified following considerable target discovery effort, a bulk EI warrant is suitable.
Whatever civil liberties concerns this program raises will probably be dismissed quickly. GCHQ’s hypotheticals involve terrorism suspects overseas and child porn site operators — the least sympathetic targets available. Foreigners are fair game for bulk anything and no one wants to side with child exploiters, even if they technically share the same civil liberties/rights.
The exception is the rule. This is how it works for those who promise the most worrying aspects of surveillance programs will be saved for the edge cases. Sooner or later, the edge cases are just cases, and no one is interested in walking anything back.