Original URL: https://www.theregister.com/2003/03/09/arrest_at_uks_spook_station/

Arrest at UK's spook station after NSA UN bugging claim

More expected, says paper

By John Lettice

Posted in Legal, 9th March 2003 14:05 GMT

An employee at the UK's top secret listening post, GCHQ (Government Communications Headquarters) has been arrested following the Observer newspaper's publication of what it claimed was a leaked 'dirty tricks' email from the US NSA last Sunday. Today's paper reports the arrest by Gloucestershire police of a 28 year old woman, and says that more arrests are expected.

The Observer's initial report has been fairly widely-questioned, of which more anon, but its follow-up stories make it clear that the paper is confident that the email was not faked, and give further information on the source of the leak. It was "passed to this newspaper by British security sources who objected to being asked to aid the American operation. The leak marks a serious breach between the Blair government and elements of the intelligence community opposed to using British security resources to help the US drive towards war."

The UK government has been subject to a string of leaks from the security services, these being intended to counter what they see as misuse of their data, the most recent concerned the claimed Iraq-Al Aqaeda connection. The UK government said it had intelligence data proving such a connection, and these claims were swiftly grabbed at by the US government, which cited this UK intelligence data. Appalled UK intelligence sources, apparently offended by this slur on their professionalism, promptly counter-briefed the press, claiming the data they'd given the government showed precisely the opposite.

Today's Observer has some background on this spin war, but suffice it here to say that it is established that there are objectors within the British security services who are prepared to risk jail for their principles.

If the original email was, as the Observer insists, genuine and leaked from the UK, the leaker would surely have understood that there was a strong likelihood of being caught. The paper's original story said the leak came from a friendly intelligence agency, and these being somewhat thin on the ground at this moment in history, it would not take a rocket scientist to suspect the UK. The paper today says that the email was sent to GCHQ, and then leaked (although note that it does not specify that it was leaked from GCHQ), which narrows the field further, and surely makes it less likely that any leaker could escape identification.

This was one of the objections made to The Register after we reported the story last Monday. Among these objections we have had several demands, based on the presumption that the email was a fake, that we accept that we were 'had.' We propose to deal with these matters at some length now, so should you find the going getting tedious, you have our permission to stop reading.

True or false?
Overall, The Register itself is in no position to say absolutely that the email was genuine. Nor indeed is the Observer. And nor, in all probability, are you. The paper does however say that it spent three weeks verifying the email, and that it stands by the story. The story was written by professional, experienced, journalists and our inclination is to take them at their word pending the arrival of concrete proof that the email was a fake.

Now, about the 'proof' that's been put forward so far. The near-inevitability of identification is perhaps explained if an opposition willing to risk this for principle exists within the British security services. The evidence is in favour of this, and should you need more, there is the example of would-be whistleblower David Shayler to consider. So that's quite possibly explicable.

The objection most have run with, however, was the use of British spellings and the introduction of a couple of mispellings in the email as originally published. This is the main plank used to support several US follow-ups saying the authenticity of the email had been questioned (example).

These reports do not seem to us to have considered why the spelling changes might have been introduced in what is otherwise a pretty detailed and convincing looking document (at least to the layman - see below); why go to all that trouble, then screw it up with an obvious blunder? Not considering this and not asking the Observer for further clarification seems to us a serious lapse of professionalism by certain news outlets, particularly when you consider that the likeliest explanation is something that should spring immediately to the mind of the merest rookie on the newsdesk.

Newspapers everywhere have 'house styles' and style books which dictate spellings, styles and formats (e.g. date formats) that should be used. This causes endless confusion on those occasions when you hand the subs desk a piece of copy whose meaning depends on a deliberate mispelling, or which for any reason depends on its maintenance of, say, American spelling. Try getting something with British spelling published in the New York Times.

So if you've got something that's dependent on non-standard spelling, you're well advised to take steps to shepherd it through the production process making sure no sub editor pounces on it and standardises it. And - something else most journalists should know - quite often you look away for a moment and pow, there it is on the front page with standardised spelling.

We've asked Observer foreign editor Peter Beaumont if our suppositions are correct, but as he appears to be in Iraq we think we can see one reason why he hasn't got back to us. Whatever, the Observer's explanation today says the email was "typed into our computer system and a spell check run against it... [and the date] was also changed from the US style."

Which supports our theories so far. If the text gets into the system, then the likelihood is that the system will 'standardise' (note spelling) it. The retyping explains the spelling, and also explains how a couple of spelling mistakes were introduced. But as yet we do not have a clear explanation of why the retyping took place.

We've asked Peter about this too, and maybe somebody else from the Observer would care to fill us in, but for the moment, we'll put forward a couple of possibilities. Some sensitive documents have a layer of protection at punctuation and spacing level. If a journalist suspects that a sensitive document has been sent to a limited distribution list, then they should as a matter of course retype it, hopefully killing at least some of the individual identifiers, then destroy the original. This kind of security is most frequently used in printed documents, and is clearly not entirely compatibile with email, but nevertheless it's a good precaution to take, just in case the author is employing some form of email equivalent you don't know about.

Even if you're not worried about security of this kind, you certainly ought to be munging the document sufficiently to remove header information, although this can be done without a complete retype. But two other, largely mechanical, possibilities attract us. The presentation of an email so that it looks like an email is tricky for the printed media. You'd inevitably want to illustrate a leaked email story with a graphic of the email, but as printed out emails in this day and age never look like what the art department thinks they ought to, other things get done after you hand them the printout. Often, the illustration will turn out to be something we know barely exists these days, a sort of symbolic graphic representation of an email complete with dot matrix typeface and unripped fanfold. The print version of the Observer used the email as an illustration, by it had clearly typeset it first, and in a burst of realism did not put black holes down the margins.

One other possibility occurs to us. We're not sure what kind of computer system the Observer uses, but we know that its sister paper, the Guardian, at least used to run on an electronic publishing system from hell where sometimes retyping really was the quickest way to get something into the system. ('You've got it on a Mac disk? A what disk?')

Small addition: A reader points out an explanation that is obvious if you're not a journalist seeking the answer in the production process. "If I were to leak or obtain information that I should not have, forwarding it via electronic means is the very last thing I'd do. I'd print the email out, possibly photocopy said printout a couple of time and give that to the journos. Anything to remove my association with it and introduce doubt as to how the material was obtained." Thanks, Russ - you'd make a very good leaker.

Note that we're not saying that any of the above explanations are what happened in this case, simply that the existence of an explanation is both possible and plausible. The document cannot be automatically deemed a fake on the strength of non-American spelling or because it was retyped.

The final objection we've received so far is not one we are in a position to dismiss. Several readers have suggested that some of the terminology used would not have been appropriate in the context, and that the email was therefore produced by someone aware of structures, units and staff within the NSA, but without inside knowledge of how or whether the NSA would prepare and distribute such a communication. They also generally said that of course the NSA got up to this sort of stuff, but that it would put it in a different way, if it were to put it at all. The Observer today suggests the email went out via Echelon, and quotes Wayne Madsen of the Electronic Privacy Information Centre (yes, the paper does spell it like that - see?) on the subject. As Madsen is himself ex-NSA, there would at least seem to be room for two opinions on authenticity.

As we said at the outset, we are in no position to state categorically that the email was genuine. There is however as far as we can see no evidence of substance that it is faked. Most of those who judged it as such so swiftly did so, in our view, without justification, on slight and inadequate grounds. We are, as always, prepared to stand corrected, but will await the emergence of more concrete evidence one way or the other. ®

Observer stories:
GCHQ arrest over Observer spying report
The Observer on spelling and retyping