Of mice, the NSA, GCHQ and data protection

There are some things we NEED to know about...


Comment Suppose you see a mouse in your house: is it likely to be the only mouse in your house? The relevance of the question will become apparent when we dig deeper into those infamous “black boxes” allegedly used by the USA’s National Security Agency1, the latest GCHQ mass interception fandango, and the responsibilities of the UK Information Commissioner.

With respect to the “black boxes”, I am surprised that no one has linked the latest machinations with the SWIFT (Society for Worldwide Interbank Financial Telecommunication)2 debacle back in 2006. In summary, a clearing house “data processor” in the US was required to provide “black box” access to USA national security authorities.

The banks in the UK, for instance - which are also data controllers - were kept totally in the dark about the scale of this backdoor access.

When the scandal broke, the Working Party of Data Protection Commissioners issued a strongly worded criticism2, which said that the “data processor” had assumed the mantle of “data controller”. UK banks were deemed to be disclosing personal data to another data controller and breaching the data protection rules, left right and centre.

It is not surprising, therefore, that the processing was eventually shifted to a data processor in Switzerland (a country deemed to have an adequate level of protection, unlike the US).

Given the current furore over “national security” and the bugging/tapping into the European Commission’s institutions, it is interesting to note the possible role of any national security agency. Are you really assuming that the US bugged others but the Russians or Chinese did not try? And are the Europeans so innocent that they did not know this might happen?

So could the British bug these European institutions under current UK law? I don’t know, obviously, but you make your own mind up. The Intelligence Services Act 1994 defines the functions of the Intelligence Service to be exercisable only:

“(a) in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or
(b) in the interests of the economic well-being of the United Kingdom; or
(c) in support of the prevention or detection of serious crime”.

Note the last two conditions and ask yourself a few questions. Is it in the “interests of the economic well-being of the United Kingdom” or in support of “the prevention or detection of serious crime” to:

  • know what is happening to monetary policy in the Euro zone?
  • know UKIP’s policy towards how it would withdraw from the European Union?
  • identify serial child abusers who use child porn and chat sites?
  • identify political extremists who threaten violence in their email traffic?
  • know what Google’s policy is towards its future global internet services?

And that is why I think that Edward Snowden is only confirming actions which, if one thinks about it, are to be expected. The only issue is not whether such surveillance occurs, but rather the authorisation and supervision of such surveillance as being a “necessary interference” in the context of Article 8 of the Human Rights Act (a subject that I have discussed before).

In this regard, the real problems are:

  1. The Courts already defer to the Home/Foreign Secretary on national security issues.
  2. The Courts are unlikely to challenge Article 8 interference and second guess national security issues because Article 8 is a qualified right.
  3. Both main Parties are considering fettering judicial discretion in national security cases.
  4. Scrutiny by Parliament of national security issues is currently limited.
  5. There are too many Commissioners in the national security protection business.
  6. The current complaints system concerning national security does not appear to be credible.
  7. There is uncertainty in the borders between policing and national security.

Notice also that all the data protection authorities huffed and puffed over SWIFT. There is a deafening silence when personal data are captured by similar black boxes, assuming they are attached to the servers of Facebook, Google, Microsoft etc (which these companies deny).

If GCHQ has intercepted vast amounts of personal data, there should be a certificate under Section 28 of the DPA (as well as authorisation under RIPA). If one does not exist, then the ICO can exercise his powers until that Certificate is produced. For instance, in the case SSHD v The Information Tribunal3, one department told the ICO that:

As you are aware, section 28 of the Data Protection Act limits the extent to which we are able to assist you in this case. We will obtain a Ministerial Certificate signed by the Home Secretary should we be required to do so, but would first like to provide you with as much information as we possibly can given the limits imposed on us by the Act.

So in other words, the ICO and in fact all of Europe’s Data Protection Commissioners should not remain so silent (all there appears to be is a one-page letter4 from the Working Party; see references). They can ask certain questions - and should do so to the limit of their powers. After all, the allegations relate to disproportionate interception of personal data and to processing that is not necessary for the statutory functions of certain bodies.

Note also that if SWIFT gets a black box, if Google, Microsoft, AOL, Skype etc are linked to other alleged “black boxes”, and GCHQ intercepts by some “black box” all internet traffic leaving the UK, what will happen with all those cloud-based services which involve US companies and internet communications which leave the UK?

Should all such cloud-using data controllers, having seen references to “black boxes” elsewhere, assume that no black boxes are attached to their cloud communications? Or, when you see a mouse in the house, do you assume that there is only one mouse?


1 Slide show re the NSA interceptions

2 Article 29 Working Party report (PDF) on SWIFT

3 SSHD v The Information Tribunal, Neutral Citation Number: [2006] EWHC 2958 (Admin).

4 One-page letter from WP29 (PDF)

Relevant reference documents

Evidence: Human Rights Legislation and Government Policy towards national security – 2006. - Evidence to the Joint Committee on Human Rights; explores data protection in the context of Parliamentary scrutiny, human rights, terrorism and national security.

Nine principles for assessing whether privacy is protected in a surveillance society (Part 1) (Part 2) – 2008. - The article sets out nine principles that address the problems identified in the UK’s inadequate regime and proposes specific Principles to improve the data protection/human rights regime. (Part 1 explains why the data protection and human rights regime in the UK is deficient.)

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
