A British tribunal admitted on Wednesday that the U.K. government had spied on Amnesty International and illegally retained some of its communications. Sherif Elsayed-Ali, deputy director of global issues for Amnesty International in London, responds:
Just after 4 p.m. yesterday, Amnesty International received an email from the Investigatory Powers Tribunal (IPT), which hears cases related to U.K. intelligence agencies. The message was brief: There had been a mistake in the tribunal’s judgment 10 days earlier in a case brought by 10 human rights organizations against the U.K.’s mass surveillance programs. Contrary to the finding in the original ruling, our communications at Amnesty International had, in fact, been under illegal surveillance by GCHQ, the U.K.’s signals intelligence agency.
Incredibly, the initial judgment had named the wrong organization — the Egyptian Initiative for Personal Rights — and it took 10 days to correct the mix-up. The news brought an unexpected and bizarre sense of relief: We strongly suspected that we were being spied on by GCHQ, but having it confirmed in court meant we weren’t just being paranoid.
Of course, GCHQ and likely its U.S. counterpart, the NSA, spy on a range of organizations besides Amnesty. The same IPT judgment revealed GCHQ’s unlawful surveillance of the South African Legal Resources Centre. Leaks by NSA whistleblower Edward Snowden showed that GCHQ and the NSA have spied on Doctors of the World and UNICEF. And the fact that the IPT did not find in favor of the eight other organizations bringing the case does not necessarily mean their communications were left untouched — perhaps they were intercepted, but the tribunal considered it had been done legally.
This whole process brings to light the problem with the so-called “oversight” of U.K. surveillance programs. In the U.K., a government minister, not a judge, issues surveillance warrants; from the very start the executive branch of government authorizes its own spying.
As the only judicial body with authority to examine the practices of U.K. intelligence agencies, the IPT conducts nearly all of its deliberations in private. And it simply accepted the government’s position of refusing to publicly confirm or deny any specific surveillance practices or programs. As claimants against the British government, the 10 organizations, including Amnesty, did not see the secret policies governing surveillance practices, save for a tiny snippet.
The only reason we even found out that our communications had been intercepted, accessed and stored, was because GCHQ had stored these communications for longer than its internal guidelines allowed.
The IPT issues only two kinds of findings. It can find in favor of a claimant, like it did with Amnesty, where it considered that our communications were unlawfully intercepted. However, we do not know when this happened, what it was about, how many times it happened, what has been done with the information intercepted, whether it has been shared with other governments, and whether it is still happening. We’re still in the dark.
The other finding the IPT can make, which it did for eight of the 10 organizations, is “no determination of illegality.” So, either these organizations’ communications were not intercepted at all, or they were intercepted, but in a manner the tribunal deems lawful.
This brings us to the urgent need for reform of U.K. surveillance legislation. Last month, David Anderson, the U.K. government’s independent reviewer of terrorism legislation, slammed the Regulation of Investigatory Powers Act — the main law underpinning surveillance powers. In Anderson’s estimation, the law has been “obscure since its inception, [and] has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates.” He’s called for a new law that is “comprehensible,” and judicial authorization of interception warrants.
The government response so far has not been encouraging: Prime Minister David Cameron apparently wants to keep the power to issue warrants within his cabinet. It seems that even one of the most basic principles of the rule of law, judicial warrants, is too much for the British government to accept.
Our concerns about mass surveillance are not limited to human rights organizations. Mass surveillance is invasive and a dangerous overreach of government power into our private lives and freedom of expression. In specific circumstances it can also put lives at risk, be used to discredit people or interfere with investigations into human rights violations by governments.
We have good reason to believe that the British government is interested in our work. Over the past few years we have investigated possible war crimes by U.K. and U.S. forces in Iraq, Western government involvement in the CIA’s extraordinary rendition program, and the callous killing of civilians by U.S. drone strikes in Pakistan. It was recently revealed that GCHQ may have provided assistance for U.S. drone attacks.
The obfuscation, secrecy and determination to avoid any meaningful oversight is worthy of a tin-pot dictatorship. It is time for serious public scrutiny of the behavior of the British government. We need to know what surveillance programs the government is operating, what spying they consider to be fair game, and why.
We urgently need legislative reform to avoid future excesses by the government and its intelligence agencies.
But there must also be accountability for past actions: How did the government of a country that’s a self-professed champion of human rights and democracy allow its spooks to run a huge mass surveillance program, and with almost no meaningful oversight? How did it allow spying on medical charities, children’s charities and human rights organizations?
The U.K. government must establish an independent inquiry, and quickly.
Photo of Sherif Elsayed-Ali by Bilal Hussein/AP
The post Amnesty International Responds to U.K. Government Surveillance appeared first on The Intercept.
By SEBASTIAN RANGE, July 2, 2015 -
In Spain, the “Law for the Protection of Citizens” came into force on July 1; contrary to its name, however, it considerably restricts basic civil rights such as the right to freedom of assembly and freedom of expression.
It reminds many Spaniards of the days of the Franco dictatorship, and the reform act, commonly referred to as the gag or muzzle law, is correspondingly controversial. The governing conservative Partido Popular (People's Party) pushed the law through in March with its majority in parliament.
Critics see it above all as an attempt by the People's Party to silence the protest movement that has for years, against the government's antisocial slash-and-burn policies
Second in a series. Part 1 here.
The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.
In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.
This global Internet surveillance network is powered by a somewhat clunky piece of software running on clusters of Linux servers. Analysts access XKEYSCORE’s web interface to search its wealth of private information, similar to how ordinary people can search Google for public information.
Based on documents provided by NSA whistleblower Edward Snowden, The Intercept is shedding light on the inner workings of XKEYSCORE, one of the most extensive programs of mass surveillance in human history.
How XKEYSCORE works under the hood
It is tempting to assume that expensive, proprietary operating systems and software must power XKEYSCORE, but it actually relies on an entirely open source stack. In fact, according to an analysis of an XKEYSCORE manual for new systems administrators from the end of 2012, the system may have design deficiencies that could leave it vulnerable to attack by an intelligence agency insider.
XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.
John Adams, former security lead and senior operations engineer for Twitter, says that one of the most interesting things about XKEYSCORE’s architecture is “that they were able to achieve so much success with such a poorly designed system. Data ingest, day-to-day operations, and searching is all poorly designed. There are many open source offerings that would function far better than this design with very little work. Their operations team must be extremely unhappy.”
Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.
As of 2009, XKEYSCORE servers were located at more than 100 field sites all over the world. Each field site consists of a cluster of servers; the exact number differs depending on how much information is being collected at that site. Sites with relatively low traffic can get by with fewer servers, but sites that spy on larger amounts of traffic require more servers to filter and parse it all. XKEYSCORE has been engineered to scale in both processing power and storage by adding more servers to a cluster. According to a 2009 document, some field sites receive over 20 terabytes of data per day. This is the equivalent of 5.7 million songs, or over 13 thousand full-length films.
When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.
There might be security issues with the XKEYSCORE system itself as well. As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can get through one layer, they may still be thwarted by other layers. XKEYSCORE appears to do a bad job of this.
When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.
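The attribution gap described above can be narrowed on any system where a shared account is reached over SSH with per-person keys, because the SSH daemon records which key opened each session. The following is an added example, not code from the article or from the XKEYSCORE documents; it assumes OpenSSH-style "Accepted" log lines, and the log lines, host name, key fingerprints and owner registry are all constructed.

```python
import re
from collections import namedtuple

# OpenSSH logs the key fingerprint only for publickey logins; a password
# login to a shared account carries nothing that identifies the person.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: \S+ (?P<fp>SHA256:\S+))?"
)

Login = namedtuple("Login", "user method ip person")

SHARED_ACCOUNTS = {"oper"}  # the shared account name given in the article

# Constructed registry: which administrator was issued which key.
KEY_OWNERS = {
    "SHA256:CONSTRUCTEDkeyAAAA": "admin_a",
    "SHA256:CONSTRUCTEDkeyBBBB": "admin_b",
}

# Constructed sample log lines.
SAMPLE_LOG = """\
Jul  2 09:00:01 host1 sshd[2101]: Accepted publickey for oper from 192.0.2.10 port 50514 ssh2: RSA SHA256:CONSTRUCTEDkeyAAAA
Jul  2 09:05:12 host1 sshd[2140]: Accepted password for oper from 192.0.2.11 port 50600 ssh2
Jul  2 09:07:44 host1 sshd[2155]: Accepted publickey for oper from 192.0.2.12 port 50711 ssh2: ED25519 SHA256:CONSTRUCTEDkeyBBBB
Jul  2 09:09:03 host1 sshd[2160]: Accepted publickey for alice from 192.0.2.13 port 50800 ssh2: RSA SHA256:CONSTRUCTEDkeyCCCC
Jul  2 09:12:30 host1 sshd[2171]: Accepted publickey for oper from 192.0.2.14 port 50912 ssh2: RSA SHA256:CONSTRUCTEDkeyZZZZ
Jul  2 09:13:00 host1 sshd[2180]: Failed password for oper from 192.0.2.15 port 51000 ssh2
"""


def attribute_logins(log_text, shared=SHARED_ACCOUNTS, owners=KEY_OWNERS):
    """Return one Login per successful session on a shared account."""
    results = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m or m["user"] not in shared:
            continue  # failed logins and personal accounts are out of scope
        # person stays None for password logins and unregistered keys
        person = owners.get(m["fp"]) if m["fp"] else None
        results.append(Login(m["user"], m["method"], m["ip"], person))
    return results


def unattributable(logins):
    """Sessions on a shared account that cannot be tied to one person."""
    return [entry for entry in logins if entry.person is None]


if __name__ == "__main__":
    for entry in attribute_logins(SAMPLE_LOG):
        print(entry.person or "UNATTRIBUTED", entry.method, entry.ip)
```

Attribution of this kind covers only who opened the session; what was done inside it still requires per-user accounts or command-level auditing.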
There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.
AppIDs, fingerprints and microplugins
Collecting massive amounts of raw data is not very useful unless it is collated and organized in a way that can be searched. To deal with this problem, XKEYSCORE extracts and tags metadata and content from the raw data so that analysts can easily search it.
This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.”
One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.
PGP-encrypted messages are detected with the “encryption/pgp/message” fingerprint, and messages encrypted with Mojahedeen Secrets 2 (a type of encryption popular among supporters of al Qaeda) are detected with the “encryption/mojaheden2” fingerprint.
When new traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern. A slideshow presentation from 2010 says that XKEYSCORE contains almost 10,000 appIDs and fingerprints.
AppIDs are used to identify the protocol of traffic being intercepted, while fingerprints detect a specific type of content. Each intercepted stream of traffic gets assigned up to one appID and any number of fingerprints. You can think of appIDs as categories and fingerprints as tags.
If multiple appIDs match a single stream of traffic, the appID with the lowest “level” is selected (appIDs with lower levels are more specific than appIDs with higher levels). For example, when XKEYSCORE is assessing a file attachment from Yahoo mail, all of the appIDs in the following slide will apply, however only “mail/webmail/yahoo/attachment” will be associated with this stream of traffic.
To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).
Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.
Here’s an example of a microplugin fingerprint for “botnet/conficker_p2p_udp_data,” which is tricky botnet traffic that can’t be identified without complicated logic. A botnet is a collection of hacked computers, sometimes millions of them, that are controlled from a single point.
Here’s another microplugin that uses C++ to inspect intercepted Facebook chat messages and pull out details like the associated email address and body of the chat message.
One document from 2009 describes in detail four generations of appIDs and fingerprints, which begin with only the ability to scan intercepted traffic for keywords, and end with the ability to write complex microplugins that can be deployed to field sites around the world in hours.
If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.
Illustration for The Intercept by Blue Delliquanti
Documents published with this article:
- Advanced HTTP Activity Analysis
- Analyzing Mobile Cellular DNI in XKS
- ASFD Readme
- CADENCE Readme
- Category Throttling
- CNE Analysis in XKS
- Comms Readme
- DEEPDIVE Readme
- Email Address vs User Activity
- Free File Uploaders
- Finding and Querying Document Metadata
- Full Log vs HTTP
- Guide to Using Contexts in XKS Fingerprints
- HTTP Activity in XKS
- HTTP Activity vs User Activity
- Intro to Context Sensitive Scanning With XKS Fingerprints
- Intro to XKS AppIDs and Fingerprints
- OSINT Fusion Project
- Phone Number Extractor
- RWC Updater Readme
- Selection Forwarding Readme
- Stats Config Readme
- Tracking Targets on Online Social Networks
- TRAFFICTHIEF Readme
- Unofficial XKS User Guide
- User Agents
- Using XKS to Enable TAO
- UTT Config Readme
- VOIP in XKS
- VOIP Readme
- Web Forum Exploitation Using XKS
- Writing XKS Fingerprints
- XKS Application IDs
- XKS Application IDs Brief
- XKS as a SIGDEV Tool
- XKS, Cipher Detection, and You!
- XKS for Counter CNE
- XKS Intro
- XKS Logos Embedded in Docs
- XKS Search Forms
- XKS System Administration
- XKS Targets Visiting Specific Websites
- XKS Tech Extractor 2009
- XKS Tech Extractor 2010
- XKS Workflows 2009
- XKS Workflows 2011
- UN Secretary General XKS
It has long been known that it is not only the states of the Islamic world that supply human resources for the Islamic State (IS), but other countries as well. In recent times, the former Soviet republics have become the main suppliers of potential IS terrorists. As is known, the non-governmental organizations (NGOs) that are under U.S. control are very active there.
The screening of the documentary “Dobrovol'ci Bozhoi Choti” (Volunteers of God's Army), which is currently touring the world under the English title “The Ukrainians” and was to be shown on July 10, 2015 in the Bürgersaal of Berlin's Rathaus Charlottenburg, has been canceled. For the time being, then, at least Berliners are spared the patriotic propaganda of the volunteers of the unit “Dobrvol'cheskij Ukrainskij Korpus” (DUK), the military arm of the right-wing party and movement Pravij Sektor (Right Sector). It is to be feared, however, that an alternative venue for the screening will be sought.