By Eric King and Carly Nyst
We have learnt a lot in the last year about the dirty games GCHQ and NSA are playing to infiltrate the networks, tools and technologies we all use to communicate. This includes forcing companies to handover their customers' data under secret orders, and secretly tapping fibre optic cables between the same companies' data centers.
Not content with that, we know now GCHQ are targeting companies systems administrators, exploiting the routers and switches in their networks to spy on us all, corrupting the internet and turning it against us into something it was never meant to be: a panopticon.
The companies and organizations that provide and maintain the internet we love are under attack from GCHQ. Today [2 July 2014], they are fighting back.
Seven internet and communications service providers, including companies, social justice organizations and hacking collectives, Riseup (US), GreenNet (UK), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (Korea), May First/People Link (US), and the Chaos Computer Club (Germany) are standing with Privacy International to bring a legal case against GCHQ that demands an end to the unlawful attacking and exploiting of internet and communications service providers.
The case, filed in the Investigatory Powers Tribunal today, comes on the heels of two other cases filed by Privacy International in the aftermath of the Snowden revelations - the first against the mass surveillance programmes TEMPORA, PRISM and UPSTREAM, and the second against the deployment by GCHQ of computer intrusion capabilities and spyware.
The attacks by GCHQ not only damage the groups, their employees, members and users, and their networks. These are attacks on the internet itself.
Time to take a stand
Intelligence agencies are attacking internet and communications service providers to get access to and exploit their routers, switches, and servers in order to spy on and control the communications handled or passed through their networks. In the process, they are not only getting unrestrained and unlawful access to potentially millions of individuals' private communications and data, they are harming the layers of security and decentralised control that has enabled the internet to flourish.
Activists and academics across the world as a result have expressed outrage at the destructive activities of British and American intelligence services, imploring GCHQ and the NSA not to “break the internet” and to guarantee “a secure web for all”. Some companies responsible for maintaining these have been frustrated and spoken up against the increased spying of intelligence agencies (see Vodafone, Cisco, FB, Google, etc.). But action is needed, not just words.
The seven providers assert that GCHQ attacks on internet service and network providers are not only illegal, they are destructive, undermining the goodwill the companies and groups rely on, and the trust in security and privacy that makes the internet such a crucial tool of communication and empowerment. Each of these organisations are committed to the privacy, freedom of expression and security of their users, and a free and open internet. Together, they are demanding an end to GCHQ exploitation of internet services, the targeting of their systems administrators and protections for their customers and users whose rights may have been infringed.
Global in scope
Many of the surveillance practices revealed by Edward Snowden are premised on weakening, even breaking, the infrastructure of the internet. These include compromising encryption standards through the NSA's BULLRUN programme, tampering with routers, and exploiting “leaky” phone applications.
GCHQ and the NSA have also developed devastating capabilities that enable them to infect potentially millions of individuals' laptops and mobile phones with malware as a means to spying on users through their own devices.
The most concerning of such activities is arguably the targeting, attacking and exploitation of the companies that maintain core communications infrastructure, and their employees. Der Spiegel was the first to reveal these illicit activities by GCHQ, reporting on the intelligence agency's attack on Belgacom, the Belgian telecommunications company, and noting:
According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.
Subsequent disclosures, published by The Intercept on 12 March 2014, provide further information about the range of network exploitation and intrusion capabilities available to GCHQ. A joint presentation by GCHQ and NSA, entitled “Quantum Theory”, depicts the process by which GCHQ exploited network infrastructure for targeted infection of users' devices.
The presentation clarifies that, rather than deploying Man in the Middle attacks, GCHQ and NSA employ a “Man on the Side” technique, which covertly injects data into existing data streams in order to create connections that will enable the targeted infection of users. The technique utilises an automated system – codenamed TURBINE. This system “allow[s] the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually,” according to documents released by The Intercept on 12 March 2014.
Further articles published by Der Spiegel revealed that other companies - including three German internet exchange points - were targeted by GCHQ.
The operation, carried out at listening stations operated jointly by GCHQ with the NSA in Bude, in Britain's Cornwall region, is largely directed at Internet exchange points used by the ground station to feed the communications of their large customers into the broadband Internet. In addition to spying on the Internet traffic passing through these nodes, the GCHQ workers state they are also seeking to identify important customers of the German teleport providers, their technology suppliers as well as future technical trends in their business sector.”
Legal redress for illegal activities
Based off this information on the widespread scale of the attacks, the network providers' claims in this case are based on the following:
- By interfering with network assets and computers belonging to the internet and communications service providers, GCHQ has contravened the UK Computer Misuse Act and Article 1 of the First Additional Protocol (A1AP) of the European Convention of Human Rights (ECHR), which guarantees the individual’s peaceful enjoyment of their possessions;
- Conducting surveillance of the network providers’ employees is in contravention of Article 8 ECHR (the right to privacy) and Article 10 ECHR (freedom of expression);
- Surveillance of the network providers’ customers that is made possible by exploitation of their internet infrastructure, is in contravention of Arts. 8 and 10 ECHR; and
- By diluting the internet and communications service providers’ goodwill and relationship with their customers, members and users, GCHQ has contravened A1AP ECHR.
- The attacks are not just simply on the networks and companies named in the slide, but on anyone who uses the internet and any business that provides services for it.
Riseup, Greennet, Greenhost, Mango, Jinbonet, May First/People Link and Chaos Computer Club uniquely understand that GCHQ's activities cripple the internet, and that these attacks undermine the trust and our ability to communicate on the most powerful tool for democracy and free expression.
It must end, and today, some of those who bring the internet to you, are striking back.