Updated: Government policy reveals UK snooping on Facebook, Google users

A once-secret government policy has been published and provides eye-opening detail on the UK's legal reasoning behind spying on residents using Facebook, Google and other web services.

GCHQ 'harvesting Yahoo webcam sex images'
GCHQ 'harvesting Yahoo webcam sex images'

This policy was released publicly today after a legal challenge from Privacy International, Liberty, Amnesty International, the American Civil Liberties Union, Pakistani organisation Bytes for All and five other national civil liberties organisations.

In a statement as part of the 50-page document, Charles Farr, director general of the Office for Security and Counter Terrorism, documents how mass government surveillance can be carried out on Facebook, Google, Yahoo and other web services as these are all defined as ‘external communications' using web-based ‘platforms' based in the United States.

This means that government agencies can collect and examine web searches from Google, communications from Facebook and other social networking sites, and conversations from webmail services such as Hotmail and Yahoo. At the time of writing, there were said to be 31 million Facebook users and 15 million Twitter users in the UK, with one in 20 web visits in the country going via Google.

The definition ‘external communications' is the key to the collection of this data. Under section 8 (paragraph 1) of The Regulation of Investigatory Powers Act (RIPA) 2000, which regulates surveillance of public bodies, ‘internal' communications can only be intercepted under warrant if the agencies suspect a specific individual is carrying out unlawful activity, but the rules are much less stringent for ‘external communications'.

These are still subject to law enforcement obtaining a ‘general warrant' to section 8 (paragraph 4) of RIPA but having done so, details can be collected even when there are no grounds to suspect any wrongdoing.

“The only restriction on what they do with communications that they classify as “external” is that they cannot search through such communications using keywords or terms that mention a specific British person or residence,” reads Privacy International's assessment.

The announcement is significant because it marks the first time the British government has commented publicly on the legality underpinning TEMPORA, the mass interception programme run by the GCHQ to collect data by tapping fibre optic cables.

“Intelligence agencies cannot be considered accountable to Parliament and to the public they serve when their actions are obfuscated through secret interpretations of Byzantine laws,” said Privacy International director Eric King in a statement.

“Moreover, the suggestion that violations of the right to privacy are meaningless if the violator subsequently forgets about it; it not only offends the fundamental, inalienable nature of human rights, but patronises the British people, who will not accept such a meagre excuse for the loss of their civil liberties”.

James Welch, legal director of Liberty, added: “The security services consider that they're entitled to read, listen and analyse all our communications on Facebook, Google and other US-based platforms. If there was any remaining doubt that our snooping laws need a radical overhaul there can be no longer. The Agencies now operate in a legal and ethical vacuum; why the deafening silence from our elected representatives?”

Shamik Dutta, a solicitor at Bhatt Murphy – which represents Privacy International – later told SCMagazineUK.com: “What we're hoping is that the Investigatory Powers Tribunal (IPT) will determine that the current legislative framework doesn't offer adequate protection to UK residents,” he said, adding that RIPA is ‘unworkable' in a digital age where messages fly between different countries.

Dutta went onto say it will argue that GCHQ's activities are unlawful not only based on RIPA and the Human Rights Act but also historical British common laws designed to protect privacy rights.

“There certainly needs to be a change in the domestic regime,” said Dutta, who suggested that the groups would consider appealing to the European Court if the IPT claim is unsuccessful.

Bruce Schneier, cryptography expert and now CTO at Co3 Systems, added in an email with SC UK: "It's no surprise. Many countries use the justification of their citizens data crossing their borders are legal justification to spy on them.  

"But while this might have made sense decades ago, when the only reason you would send data outside your borders is to communicate with a foreigner.  But in today's global internet, when so much of our data moves between countries as a matter of course, it's an excuse for mass surveillance."

Bob Tarzey, analyst and director at Quocirca, took a different view however, emailing SC UK: "Governments will always reserve the right to investigate the activities of citizens and do-gooders will always berate them for doing so. Business as usual."

This legal challenge has been brought forward by the anti-surveillance bodies following Edward Snowden's leaks on the activities of NSA and GCHQ and Farr is the government's star witness in the case, which will be heard by the Investigatory Powers Tribunal between 14 and 18 July 2014.

Facebook, Google, Microsoft and Yahoo did not respond immediately to our requests for comment.

Update: While Facebook declined the opportunity to respond, Google has come back to us with the following statement:

"We cannot say this more clearly -- government does not have access to Google servers--not directly, or via a back door, or a so-called drop box," said a spokesperson. "Nor have we received blanket orders of the kind being discussed in the media. It is quite wrong to insinuate otherwise. We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don't follow the correct process. And we have taken the lead in being as transparent as possible about government requests for user information."

"Google cares deeply about the security of our users' data. We disclose user data to governments in accordance with the law, and we review all such requests carefully. Google has not joined any programme that would create a ‘back door' for government to access private user data.”