10 Jun 2013

Prism and online spying: who is watching you?

So the government’s watching you. Or is it? In the United States, the National Security Agency has apparently been tracking people using data gathered from online companies such as Facebook and Google through its “Prism” programme.

Now there are reports that the UK government has also used information gathered in that way. But what does that mean for you and me?

Did the UK government’s listening post GCHQ breach the rules in accepting information from the US National Security Agency (NSA)?

The Regulation of Investigatory Powers Act says that if law enforcement or intelligence services want the actual content of UK communications, they must get a warrant signed by a secretary of state. If they just want the so-called “meta-data” (who emailed whom, where and when, for example), they need a senior police officer’s permission.

In his interview with Radio 4 this morning, the chairman of the Intelligence & Security Committee Malcolm Rifkind MP seemed to say that, even if GCHQ did not solicit fresh information from the NSA, and only accepted information already gathered by the US, that would still put them in breach of UK intercept laws.

What’s the legal framework for the NSA having gathered this info?

The Protection of America Act (PAA) allows the US government to monitor communications traffic in and out of the US, so long as at least one party to the communications is a non-US citizen.

The government needs a court order to do this, but that court order can be very wide – in fact it can cover an entire programme. So for example if the NSA is working on jihadis in Yemen, the court order could allow it to ask firms like Google, Facebook and Yahoo to hand over large amounts of data about that subject. As long as the communications company is convinced non-US citizens are involved, it’s likely to comply with the request under the PAA.

How can the US tech companies, like Google and Facebook, deny giving the NSA blanket access to their systems?

The responses from the companies generally say they comply only with specific requests, but if those specific requests are very broad it could be equivalent to granting large-scale access.

How much do we have to worry about?

Interestingly, when talking to the general public about this, the response is fairly consistent: most people are unnerved and uneasy about the US government having direct access to the communications they conduct through the likes of Google, Facebook, Apple and Yahoo. But when asked whether they’re concerned about their own, specific data, the response is usually: “No, I’ve done nothing wrong.”

Billions of people worldwide have struck a deal with the online communications companies: they have handed over their most personal data, in exchange for the convenience of accessing and sharing it easily. They have now been confronted with the costs of that deal: ceding control of your data means that the government in whose jurisdiction the companies are based can exert control over it too.

What’s interesting is the number of people who still feel the deal is worth maintaining.

Does the surveillance help prevent wrongdoing?

Anyone committing crime for whom technology is critical will have been alive to the danger of interception for some time. The idea that tech-savvy criminals were relying on Gmail, Facebook and Skype is unlikely in the extreme. Instead they will use encrypted internet connections and so-called “bullet-proof hosting” – computer servers based in territories far beyond the reach of the US government.

Yet the NSA claims the Prism programme has generated massive amounts of useful intelligence data – so clearly there are enough suspects using these services to make it worthwhile.

So what does “signing up to PRISM” mean?

It seems it’s basically installing software to make it easier for law enforcement/intelligence services to access information. By agreeing to take part in the NSA’s programme, the major US tech companies have simply saved themselves the headache of having to trawl their servers to come up with the data requested by the US government.

Instead, the NSA can securely log in, find what it wants, and extract it in an easy-to-use format. The big question is: who’s supplying the software? (It could be made by the NSA itself, but given the scale of the work and the number of IT systems it would have to be compatible with, it seems more likely to have been contracted out.)

Of course, all of this would have to be done under US law. But the Foreign Intelligence Surveillance Act allows the president to sign off surveillance without a court order. And even if a court order is sought, it seems very few of them are turned down.

Follow @geoffwhite247 on Twitter.