
How to run an administrative denial of service attack on a spy agency

By Simon Davies

There are very few informed people left in Britain who don’t worry that there’s something rotten about the national communications spy agency, the Government Communications Headquarters (GCHQ). Some would say only a fool or a blind patriot would believe that the organisation is in any healthy state.

GCHQ – a richly resourced SIGINT (signals intelligence) organisation with 6,000 staff – is the NSA’s principal partner, and in many cases operates directly under US instructions. This includes a right to spy on Americans and to hand over that data without the encumbrance of legal safeguards on either side of the Atlantic.

Concerned US persons should have been far more exercised about this situation, but of even greater significance is the reality that the US can instruct GCHQ how to spy on UK and EU citizens. Such arrangements are of course shrouded in secrecy. Unlike the NSA, however, GCHQ never saw the need to even pay lip service to the concept of accountability.

The dysfunction in GCHQ comes down to two aspects. First, the agency is conducting interception at a level that sometimes even surpasses the NSA. Earlier this year it was revealed that it had spied over several years on the webcams of millions of innocent Yahoo! users and stored those images – including images of a sexual nature. The agency has also engaged in numerous deep interception and subversion exercises.

But of perhaps even greater concern is the almost blanket legal immunity given to GCHQ, which includes everything from a wholesale exemption to collect child porn images (s.46 of the Sexual Offences Act), to the conducting of mass surveillance in the name of “research” (the justification given for the webcam exercise).

Mesmerised perhaps by both the James Bond movies and the Oxbridge nepotism that infects Whitehall, the UK has been historically lame in terms of instituting safeguards over its spy agencies. Even as recently as November 7th, during a rare public inquiry by the UK Parliament’s Intelligence and Security Committee, peppered with patriotism and intrigue, GCHQ Director Sir Iain Lobban was allowed to peddle the same party line that had been trotted out to Parliament by agencies for more than twenty years.

“We do not spend our time listening to the telephone calls or reading the e-mails of the majority, of the vast majority. That would not be proportionate, it would not be legal. We do not do it.”

Not one member of the oversight committee responded meaningfully to Lobban’s obvious skirting of issues such as mass metadata surveillance and backdoor access to private companies. It was as if the key issues identified in the US were not relevant to Britain.

This deception cannot end well. Obfuscation and denial by British spy chiefs has become a disgrace to public trust. The official position on mass surveillance by these agencies has been an orchestrated lie for more than half a century – even more so than in the US. Until as recently as ten years ago British spy chiefs had systematically lied to the public and to Parliament about their involvement with the NSA.

What can concerned victims of surveillance do about this situation? There are few avenues. Indeed there are no processes outside the higher courts that would permit a challenge against the operations of the agency; the only mechanisms available, such as the Interception of Communications Commissioner, deal solely with individual grievances.

The agency is wholly exempt from both the Freedom of Information Act and the Data Protection Act – except in one respect. You can ask the agency if it holds any information about you.

This surprising right exists under the Data Protection Act and is called a “Subject Access Request” (SAR). It means you can send the agency a request for any information it has on you and the agency is then required by law to conduct a “case by case” assessment to determine whether to give you that information. Of course on most occasions the agency will use the “neither confirm nor deny” excuse, but the mere fact of an SAR creates administrative headaches for the agency. This situation offers a range of tantalising opportunities to concerned people.

SAR is a right that extends to all EU residents, and more people should strongly consider exercising it. In the early days of CCTV, when the surveillance industry was exploiting the community’s fear of crime to reap its sales, privacy advocates conducted mass SARs against local government agencies that were indiscriminately using the technology. When hundreds of demands for visual images of applicants were issued simultaneously, the local authorities went into meltdown. The exercise had the effect of sensitising government officials to the issue of privacy and proportionality.

This was, at one end of the spectrum, an entirely legitimate enactment of legal rights. At the other end it was an administrative denial of service action (ADSA). At a personal level, most rights advocates rather preferred the latter expression. 10,000 ADSAs sent to an organisation like GCHQ involve a collective 210 working days to execute but require at least fifteen man-years to process (calculated at three hours per request).

The time has arrived to do the same to GCHQ and other agencies. This will not impede their interception capability, but if conducted in sufficient volume will paralyse sections of their administrative arms. The message will permeate.

It should not escape the notice of anyone that GCHQ makes no mention on its site of this right.

This is a template SAR form relating to GCHQ (though it can be adapted across the EU simply by adding the appropriate address and name). The exercise will take you ten minutes. Ironically, you should include some form of identity, such as a photocopy of a driver’s licence or passport, together with your address and phone details. Of course if you forget to do this you’ll impose more workload on the agency, and it will drag out the process.

And please do send any positive responses to us via here and let us know if you’d be happy for the Privacy Surgeon to reproduce their response (minus your personal details).