British spies are authorized to spy on British citizens' Internet communications transiting through servers outside the U.K., a civil rights group has discovered.
Privacy International uncovered the information as part of a lawsuit it filed against the U.K. government over its alleged involvement in mass surveillance programs. It filed the suit with the U.K.'s Investigatory Powers Tribunal, a court that can investigate complaints about any alleged conduct by or on behalf of the intelligence services.
On Tuesday the group published a witness statement from Charles Farr, director general of the Office for Security and Counter Terrorism at the U.K.'s Home Office, who is among the government officials and other witnesses who have made depositions in the case. His statement was published ahead of a hearing by the tribunal scheduled to take place between July 14 and 18.
Farr, one of the U.K.'s most senior security officials, said British spies have the right to intercept Internet communications even if they are from British citizens because the services often use Web servers located outside the U.K. Many messages "such as a Google search, a search of YouTube for a video, a 'tweet' on Twitter, or the posting of a message on Facebook," could be qualified as external by the intelligence services, he said.
Under British laws, the country's intelligence services require a special warrant to monitor communications of British residents located within the U.K., which can only be granted if there is reason to suspect the person is involved in unlawful activity. However, only a general warrant is required for external communications, sent or received outside of the U.K., the Isle of Man, or the Channel Islands, collectively known as the British Islands.
"A Google search by an individual located in the U.K. may well involve a communication from the searcher's computer to a Google web server, which is received outside the British Islands; and a communication from Google to the searcher's computer, which is sent outside the British Islands. In such a case, the search would correspondingly involve two 'external communications'," Farr said.
In the case of Twitter and Facebook the recipient of the communication is the platform itself since the message is not meant for a particular person but broadcast to a group, Farr said. "Thus a user located in the British Islands posting a message on Facebook will communicate with a Facebook web server, located in a Facebook data center. If the Facebook data center is outside the British Islands, then the message will be an 'external communication'," he said.
The matter is somewhat different for emails. An email sent from London to someone in Birmingham would qualify as an internal communication, Farr said. However, when the sender uses a webmail service such as Gmail or Yahoo, the email could be routed through servers outside of the U.K.
If this is the case, the message would still qualify as an internal one. However, it could still be intercepted since there is no way of filtering out the internal conversations from the external ones beforehand, Farr said. Such a selection would have to happen after the emails are intercepted.
Privacy International said the government is conducting mass surveillance by intercepting and scanning through communications in order to work out whether they are internal or external.
"Classifying communications as 'external' allows the Government to search through, read, listen to and look at each of them," the campaign group said. "They consider that such interception 'has less importance' than whether a person actually reads the communication, which is where the Government believes 'the substantive interference with privacy arises,'" the group said, adding that even when privacy violations happen, the government doesn't see it as an "active intrusion" because the analyst reading or listening to an individual's communication will inevitably forget about it anyway.
The group and its fellow plaintiffs called for an end to this "wholesale violation" of Britons' right to privacy.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.