Investigation Shows GCHQ Using US Companies, NSA To Route Around Domestic Surveillance Restrictions

Late last year, UK Parliament members held an "emergency debate" over the GCHQ's surveillance programs after learning that [gasp] their data and communications could be legally hoovered up as if they were mere commoners. Of course, were there any actual oversight of GCHQ's activities, this shock would have been blunted by years of foreknowledge. But the GCHQ, like other intelligence agencies, preferred to keep its overseers in the dark about its access to the NSA's PRISM firehose.

The mortified Parliament members claimed the GCHQ's decision to include them in its data haul violated a long-held "gentlemen's agreement" between the two entities -- one that had no legitimate legal basis. Supposedly, this "agreement" forbade GCHQ from targeting Parliament members for surveillance. (Any incidental collection was considered unavoidable.) A panel review found GCHQ's targeting of Parliament members to be completely legal, if a bit on the rude side.

Duncan Campbell and Bill Goodwin of Computer Weekly have performed their own examination of MP's communications, finding that both GCHQ and the NSA have access to intercepted emails sent to and from Parliament members, including communications with their constituents.

GCHQ wouldn't normally have access to these emails as it is not supposed to be collecting information about purely domestic communications. But thanks to the software Parliament uses and the location of data centers used to route the emails, it can comply with its surveillance restrictions while still collecting email data/communications sent from UK email addresses to other UK email addresses.

Part of the process involves Microsoft's willing assistance in past domestic spying efforts, which preceded both Snowden's document dumps and its current, more combative stance.

The controversial decision by Parliament to replace its internal email and desktop office software with Microsoft's Office 365 service in 2014, means that parliamentary data and documents constantly pass in and out of the UK to Microsoft's datacentres in Dublin and the Netherlands, across the backbone of the internet.

Computer Weekly performed forensic analysis of emails it had received from MPs, using header info to trace its path across the internet. It found that nearly two-thirds of "domestic" emails actually left the country on their way to local email addresses, allowing GCHQ -- through its "Tempora" program -- to intercept data and communications using its NSA-provided PRISM hookup.

Microsoft's above-and-beyond assistance makes its widely-used Office products a valuable contributor to the agencies' data haul.

The NSA's Prism system offers access to all parliamentary documents and email through Microsoft Office 365 software, as a result of secret directives given to Microsoft under controversial US 2008 surveillance laws. The directives were implemented at the same time as Microsoft was selling its cloud system, Office 365, to the Houses of Parliament.

Post-Snowden, Microsoft is far more reluctant to continue acting as Little Brother. As Computer Weekly points out, leaked documents have led to the company's hasty erection of two UK data centers in order to protect its UK users from GCHQ's exploitation of normal communication routing techniques to bypass restrictions on domestic surveillance.

Microsoft isn't the only US company assisting the UK intelligence agency in its harvesting of domestic data/communications.

Computer Weekly's investigation also confirmed that MPs' incoming and outgoing emails are automatically scanned through a network run by MessageLabs, a subsidiary of another US corporation, Symantec, which has been contracted by Parliament to provide services including spam filtering and malware detection.

MessageLabs provides GCHQ with direct access to parliamentary emails, through a secret cyber security network called Haruspex, according to GCHQ's "Cyber Defence Operations" legal policy instructions disclosed by Edward Snowden. The scanning system has been in operation for at least a decade.

MessageLabs scans for keywords to prevent the circulation of spam and malware. But it also can be configured to flag other terms and return those results to intelligence agencies.

Once again, officials are not amused their positions do not exclude them from GCHQ surveillance.

Labour deputy leader Tom Watson MP told Computer Weekly: "This will shock many of my parliamentary colleagues and provides a further illustration of why it is right for the government to give additional protections in law to MPs, lawyers and journalists. Theresa May has the opportunity to do this during the passage of the IP Bill in Parliament."

There's a nice nod to a few other citizens not in elected positions contained in that statement, but there needs to be a solid, unified push from UK legislators during the debate over the Investigatory Powers Bill if this domestic surveillance loophole is going to be closed. As Computer Weekly notes, amendments have been made to the bill which prevent law enforcement agencies from accessing MPs' communications data, but that concession would not apply to GCHQ.