{"id":60172,"date":"2015-06-29T12:00:42","date_gmt":"2015-06-29T11:00:42","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=60172"},"modified":"2017-01-24T18:15:51","modified_gmt":"2017-01-24T18:15:51","slug":"spies-hacked-computers-thanks-to-sweeping-secret-warrants-aggressively-stretching-u-k-law","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/06\/spies-hacked-computers-thanks-to-sweeping-secret-warrants-aggressively-stretching-u-k-law\/","title":{"rendered":"Spies Hacked Computers Thanks to Sweeping Secret Warrants, Aggressively Stretching U.K. Law"},"content":{"rendered":"

22 Jun 2015 – <\/em>British spies have received government permission to intensively study software programs for ways to infiltrate and take control of computers. The GCHQ spy agency was vulnerable to legal action for the hacking efforts, known as \u201creverse engineering,\u201d since such activity could have violated copyright law.\u00a0But GCHQ sought and obtained a legally questionable warrant from the Foreign Secretary in an attempt to immunize itself from legal liability.<\/p>\n

\"Photo:<\/a>

Getty Images<\/p><\/div>\n

GCHQ\u2019s reverse engineering targeted a wide range of popular software products for compromise, including online bulletin board systems, commercial encryption software and anti-virus programs. Reverse engineering \u201cis essential in order to be able to exploit such software and prevent detection of our activities,\u201d the electronic spy agency said in a warrant renewal application.<\/p>\n

But GCHQ\u2019s hacking and evasion goals appear to have led it onto dubious legal ground and, at times, into outright non-compliance with its own procedures for staying within the bounds of the law. A top-secret document states that a GCHQ team lapsed in following the agency\u2019s authorization protocol for some continuous period of time. Meanwhile, GCHQ obtained a warrant for reverse engineering under a section of British intelligence law that does not explicitly authorize \u2014 and had apparently never been used to authorize \u2014 the sort of copyright infringement GCHQ believed was necessary to conduct such activity.<\/p>\n

The spy agency instead relied on the Intelligence Services Commissioner to let it use a law pertaining only to property and \u201cwireless telegraphy,\u201d a law that had never been applied to intellectual property, according to GCHQ\u2019s own warrant renewal application<\/a>. Eric King, deputy director of U.K. surveillance watchdog Privacy International said, after being shown documents related to the warrant, \u201cThe secret reinterpretation of powers, in entirely novel ways, that have not been tested in adversarial court processes, is everything that is wrong with how GCHQ is using their legal powers.\u201d<\/p>\n

GCHQ may have also circumvented a restriction on using the type of warrant it obtained for domestic purposes; the agency said in one memo that it has used reverse engineering to support \u201cpolice operations\u201d and the domestic policing-focused National Technical Assistance Centre.<\/p>\n

The agency also described\u00a0efforts to cozy\u00a0up to dozens of\u00a0government\u00a0staffers it believed could help obtain further warrants.<\/p>\n

The agency\u2019s slippery legal maneuvers to enable computer hacking call into question U.K. government assurances about mass surveillance. To assuage public concern over such activity, the government frequently says spies are subject to rigorous oversight, including an obligation to obtain warrants. As it turns out, such authorizations have, at times, been vague and routine, as demonstrated by top-secret memos prepared by GCHQ in connection with the reverse engineering warrant.<\/p>\n

The controversial path GCHQ took to authorize reverse engineering also seems likely to lend momentum to an ongoing push to reform the way surveillance warrants are issued in the U.K. Earlier this month, the U.K.\u2019s independent reviewer of terrorism legislation, David Anderson, issued a report<\/a> recommending that \u201call warrants should be judicially authorised\u201d and describing the current regulatory system as \u201cundemocratic, unnecessary and \u2014 in the long run \u2014 intolerable.\u201d<\/p>\n

This story is based on 22 documents from NSA whistleblower Edward Snowden, linked below. None have been published before. One was briefly described in a January story<\/a> in The\u00a0Guardian<\/em>.<\/p>\n

Widely used commercial software is targeted<\/strong><\/p>\n

One document describing the warrant, a 2008 warrant renewal application, identifies numerous commercially available products in which GCHQ identified vulnerabilities through reverse engineering. These include widely used encryption software such as Exlade\u2019s CrypticDisk and Acer\u2019s eDataSecurity. Exlade\u2019s products are used by \u201cthousands of companies and government agencies,\u201d including tech giants IBM, Intel, GE, HP and Seagate, according to the company\u2019s website. Also successfully targeted were popular web forum services vBulletin and Invision Power Board. VBulletin says its users include Sony Pictures, NASA, Electronic Arts and Zynga. Invision Power Services, the maker of Invision Power Board, said<\/a> around the time of the warrant renewal application that its users included Yahoo, AMD and Sony. GCHQ also targeted CPanel, software used by large hosting companies like GoDaddy for configuring servers, and PostfixAdmin, used to manage Postfix, popular<\/a> email server software.<\/p>\n

Invision Power Services said in a written statement that it monitors its software and external sources closely for information on vulnerabilities and issues fixes quickly. \u201cThere are currently no open vulnerabilities in our software of which we are aware,\u201d it added. vBulletin and Acer did not provide comment by press time. The maker of CPanel did not respond to a request for comment.<\/p>\n

Particularly important to GCHQ was the ability to hack anti-virus programs, an offensive operation that would typically come after using reverse engineering to discover vulnerabilities. Interfering with such programs would allow the opportunity to breach a computer\u2019s defenses in order to exploit the computer without detection. GCHQ cited as a particular target Kaspersky Labs, a prominent Moscow-based maker of anti-virus software that claims more than 270,000 corporate clients. (For details on the targeting of Kaspersky, see this accompanying piece<\/a> by Andrew Fishman and Morgan Marquis-Boire.)<\/p>\n

\u201cPersonal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ\u2019s CNE [computer network exploitation] capability and SRE [software reverse engineering] is essential in order to be able to exploit such software and to prevent detection of our activities,\u201d the 2008 document says.<\/p>\n

Also targeted by the agency\u2019s warrants are hardware products such as large computer network routers, critical pieces of infrastructure. Hacking Cisco routers \u201chas been good business for us and our 5-eyes<\/a> partners for some\u00a0time now,\u201d boasts a 2012 NSA document<\/a> previously published by The Intercept. <\/em><\/p>\n

The warrant memo describes GCHQ\u2019s \u201ccapability against Cisco routers,\u201d specifically that \u201cGCHQ\u2019s [hacking] operations against in-country communications switches (routers) have also benefited from SRE.\u201d That has enabled the agency not only to access \u201calmost any user of the internet\u201d inside the entire country of Pakistan \u2014 but also \u201cto re-route selective traffic across international links toward GCHQ\u2019s passive collection systems.\u201d The Guardian <\/em>previously described<\/a>, but did not publish, this memo.<\/p>\n

Cisco did not comment specifically on the warrant document, saying in a written statement only that its products are securely developed and tested, that the company has a \u201crobust\u201d process for handling vulnerabilities, and that \u201cCisco does not work with any government, including the U.K. Government, to weaken or compromise our products.\u201d<\/p>\n

Stretching the law<\/strong><\/p>\n

To support its efforts to probe and compromise software systems, GCHQ appears to have aggressively stretched Britain\u2019s Intelligence Services Act, failed to comply with its own guidelines based on that law for a continuous period, and even intentionally cozied up to staff in the Foreign and Commonwealth Office, or FCO, to get warrants approved. The apparent success of these efforts highlights the illusory nature of surveillance oversight, despite repeated government statements that the U.K. spy machine is tightly controlled.<\/p>\n

GCHQ needed warrants, according the documents, to protect itself from potential claims of\u00a0copyright infringement or of breaching a licensing agreement. The practice of reverse engineering is frequently barred in the terms and conditions attached to the copying and use of particular software by the makers of that software.<\/p>\n

\u201cIn 2008, there was no real authority on this issue in the EU or the U.K.,\u201d says Indra Bhattacharya, a U.K. solicitor with the firm Jones Day who\u00a0specializes in intellectual property law.\u00a0A 2012 EU court ruling<\/a> and a related 2013 U.K. court ruling<\/a> allow greater latitude toward specific reverse engineering practices as long as there is no copying of code, he explains, but case law is \u201cvery fact-specific\u201d and \u201cdeals mostly with commercial situations,\u201d making it difficult to determine how it might apply to a government agency and\u00a0whether it would obviate the need for GCHQ\u2019s warrant.<\/p>\n

But at the time of the warrant renewal application, GCHQ was clear on its legal position. \u201cReverse engineering of commercial products needs to be warranted in order to be lawful,\u201d one agency memo<\/a> states. \u201cThere is a risk that in the unlikely event of a challenge by the copyright owner or licensor, the courts would, in the absence of a legal authorisation, hold that such activity was unlawful.\u201d Even if warrants shielded GCHQ from domestic law, the agency believed the warrant would not protect it under international law, noting that such warrant-based immunity would be \u201climited,\u201d given that \u201cit only covers us under U.K. law.\u201d<\/p>\n

GCHQ obtained its warrant under section 5\u00a0of the 1994 Intelligence Services Act, which covers interference with property and \u201cwireless telegraphy\u201d by the Security Service (MI5), Secret Intelligence Service (MI6) and GCHQ. Section 5\u00a0of the ISA does not <\/em>mention interference in intellectual property, which the intelligence agency believed was necessary to reverse engineer software, but a top-secret memo states that the intelligence services commissioner approved such use in 2005.<\/p>\n

This stretching of the law was dubious, says King, of Privacy International.<\/p>\n

\u201cIt is not the Commissioner\u2019s function to provide the authoritative interpretation of any law,\u201d King says.<\/p>\n

GCHQ did not need to go to an independent court or focus the scope of the warrant on a specific target to obtain the reverse engineering authorization. The warrant, like many\u00a0surveillance warrants in the U.K., was granted by a cabinet minister, a practice harshly criticized in a just-issued report<\/a> by the U.K.\u2019s \u201cterrorism\u00a0watchdog.\u201d<\/p>\n

The warrant renewal request for reverse engineering published today was addressed to the official that oversees GCHQ, the foreign secretary, then David Miliband, as well as two other FCO officials. The warrant is subject to renewal twice a year.<\/p>\n

Cozying up to the Foreign and Commonwealth Office<\/strong><\/p>\n

While it was trying to hack software, GCHQ actually had efforts targeting FCO as well. Documents reveal the spy agency made a concerted effort to build personal relationships<\/a> with key FCO staff with the goal of getting GCHQ warrants approved. One GCHQ document marked \u201cRestricted\u201d stated, under the heading \u201cFCO,\u201d that \u201ctop five objectives in 08-09\u201d included moves to provide a \u201cgreater level of routine contact between GCHQ and FCO seniors, and map members of FCO SLF [Senior Leadership Forum] to their SI\/IA [Signals Intelligence\/Information Assurance] interests.\u201d Another objective was to \u201censure that GCHQ and FCO warrantry and submission procedures are fit for purpose given increasing complexity and need for pace in our work.\u201d<\/p>\n

Then followed a list of dozens of named FCO staff members and a corresponding list of \u201cmajor issues and targets for 09-10\u201d for each, with goals like \u201cwin confidence by following his diary and briefing at key times,\u201d \u201cbuild strong relationship with successor,\u201d \u201cPositive about intelligence, build relationship,\u201d \u201cColin is new \u2014 Build relationship,\u201d and \u201cGenerally supportive of submissions but could be more so.\u201d<\/p>\n

https:\/\/www.documentcloud.org\/documents\/2107835-fco-relationships-amp-goals-08-09-gchq.html<\/p>\n

Oversight issues<\/strong><\/p>\n

For all its efforts to win aggressive warrants clearing its reverse engineering as legal, GCHQ may well have failed to stay even with the broad boundaries it was given. When Snowden first came forward, he said part of his motivation was that there was so little monitoring of the searches NSA analysts could conduct, ensuring that abuse would often go undetected. GCHQ documents indicate there are similar problems of oversight at the British agency.<\/p>\n

One agency memo about the reverse engineering warrants notes that, for a length of time that can\u2019t be ascertained from the document, internal authorization procedures were not adhered to by the Intrusion Detection\u00a0team. When the error was discovered, the actions were simply retroactively approved.<\/p>\n

\"gchq<\/a><\/p>\n

Previously published news accounts<\/a> have shown that the intelligence services commissioner works only part-time, and as of last year, had a staff of one.\u00a0It was the ISC who approved the stretching of the Intelligence Services Act section 5 for use in GCHQ\u2019s software reverse engineering warrant. The ISC is also responsible for \u201cindependent external oversight\u201d\u00a0of the intelligence community. The current ISC, Sir Mark Waller, told the House of Commons\u2019 Home Affairs Committee that in 2012 he saw approximately 6 percent of more than 2,800 total warrants, with the percentage rising to roughly 12 percent the following year.<\/p>\n

In a detailed and scathing 2014 report<\/a>, the committee\u00a0challenged the rigor of the ISC\u2019s oversight, citing as evidence Waller\u2019s\u00a0own words:<\/p>\n

\"nsa<\/a><\/p>\n

The committee\u2019s report concluded, in boldface type: \u201cWe do not believe the current system of oversight is effective and we have concerns that the weak nature of that system has an impact upon the credibility of the agencies accountability, and to the credibility of Parliament itself.\u201d<\/p>\n

Did\u00a0GCHQ improperly use the warrant to \u201cenable police operations?\u201d<\/strong><\/p>\n

GCHQ may have improperly used the reverse engineering warrant for certain police-related activities, judging from language in the renewal document.<\/p>\n

The reverse engineering warrant appears to have been used by GCHQ to support domestic law enforcement agencies and also appears to mirror existing authorizations for \u201cactivities where the effect is overseas,\u201d as one GCHQ memo put it.<\/p>\n

The GCHQ warrant renewal application states that a number of the software exploitation efforts conducted \u201cunder the terms of this warrant \u2026 enable police operations.\u201d<\/p>\n

The application also indicates that the warrant was used to subvert software on behalf of the National Technical Assistance Centre, or NTAC. NTAC is much more focused on domestic and law enforcement matters than on GCHQ\u2019s wider intelligence and security mission. The application says that GCHQ, on behalf of NTAC, reverse engineered Acer eDataSecurity encryption and unlocked \u201cmaterial relating to a high profile police case.\u201d It says it similarly thwarted CrypticDisk for NTAC, \u201callowing for the decryption of material relating to a child abuse investigation.\u201d<\/p>\n

The GCHQ memo on the warrant renewal states:<\/p>\n

\"nsa<\/a><\/p>\n

The full extent of how GCHQ has applied the section 5\u00a0warrant authority to \u201cenable police operations\u201d is unknown. But the limitations of ISA are clear: GCHQ and MI6 cannot directly use a section 5 warrant to interfere with \u201cproperty in the British Islands\u201d if their function is \u201cin support of the prevention or detection of serious crime,\u201d which falls under the purview of traditional law enforcement. \u201cGCHQ should not be obtaining section 5 warrants if the purpose of the warrant is to prevent serious crime domestically,\u201d says\u00a0King. The citation of police cases right in the application to justify renewal of the warrant would seem to make it difficult for GCHQ to argue that use by the police is incidental.<\/p>\n

GCHQ refused to comment on the record about any of these matters, instead providing its boilerplate response about how it complies with the law.<\/p>\n

___________________________<\/p>\n

Documents published with this article:<\/em><\/p>\n