
Evil US web giants shield terrorists? Evil spies in net freedom crush plot?

Calm Down and Carry On

By John Lettice, 28 Nov 2014

Analysis Evil US Internet companies are shielding terrorists plotting our destruction! Woo! Evil Tory bastards are using the Woolwich Report as an excuse for a further crackdown on the Internet, Muslims and ultra-left Guardian columnists.* Woo!

Or, perhaps, neither of the above? All the shouting is based on the parliamentary Intelligence and Security Committee's report, looking into the matter of whether the British intelligence agencies could have prevented the murder of Fusilier Rigby by Muslim extremists in Woolwich last year.

The Woolwich report (available here) certainly uses language likely to displease US Internet companies: but quite a bit of what it says is true, and the entire report presents a much more nuanced picture than the grandstanding of some politicians and the ranting of some newspapers might suggest.

Did anyone actually read this?

Here's part of the statement issued by the Committee authors on the report's publication:

We have examined whether the [British intelligence] Agencies could have discovered this intelligence before the attack, had they had cause to do so: it is highly unlikely. What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.

Our Report considers the wider relationship between law enforcement authorities and Communications Service Providers. None of the major US companies we approached proactively monitor and review suspicious content on their systems, largely relying on users to notify them of offensive or suspicious content. We also found that none of them regard themselves as compelled to comply with UK warrants obtained under the Regulation of Investigatory Powers Act 2000.

Therefore, even if MI5 had sought information - under a warrant - before the attack, the company might not have responded. They appear to accept no responsibility for the services they provide. This is of very serious concern: the capability of the Agencies to access the communications of their targets is essential to their ability to detect and prevent terrorist threats in the UK.

That might have been more tactfully put, but it is not entirely nonsense. The company in question is not named in the report, but is generally understood to be Facebook. For brevity we'll refer to it as that. In December 2012 one of the killers, Michael Adebowale, was involved in an online exchange where he expressed "in the most graphic terms" his intention to murder a soldier. Had the security services been aware of this at the time his status as a low level SoI (Subject of Interest) would have been escalated dramatically and there would have been "a significant possibility that MI5 would have been able to prevent the attack."

Which seems perfectly reasonable. It is however unreasonable to conclude that US web companies, or CSPs (Communications Service Providers, as the report styles them) are totally OK about terrorists crawling all over their systems plotting jihad. Quite the reverse - they undoubtedly do host various and varied stews of villainy, but that's not entirely good for business (or relations with governments). Terrorist content is one of the reasons they kill accounts (at least four of Adebowale's accounts were disabled by the company for terrorist-related reasons) and hey, if you can randomly zap pictures of women breastfeeding then you can also zap stuff that at least sounds like it might be a tad more dangerous.

But it appears you can't always zap the right ones all of the time. The particular exchange in question seems not to have been reported or to have tripped any automated triggers, and Facebook only found it after the event. Adebowale had a total of 11 accounts, seven of them disabled by Facebook and one by himself, but it's not clear if Facebook knew about his multiple accounts prior to the attack.

Not spotting the "kill a soldier" exchange was undoubtedly a fail on Facebook's part, but it was a shit-happens kind of fail, the sort that Facebook is undoubtedly going to be looking at to see if its systems could be improved. As we say, this sort of stuff is bad for business, and it's absolutely in the interests of the US CSPs to get some kind of lid on it.

Does that mean they should "proactively monitor and review suspicious content on their systems"?

Well, the proactively bit is a big ask and I'm not sure that's what the ISC is really asking. Accurately and effectively crunching vast numbers of posts before they go live simply is not possible. Using automated systems to flag suspicious posts is kind of possible, but setting this up so you don't drown in false positives is tricky, and what you then do with the information after you catch a post like Adebowale's is not as straightforward as your honest Daily Mail leader writer might think.

The Regulation of Investigatory Powers Act

None of the major US companies regards itself as compelled to comply with UK RIPA warrants. And a jolly good thing this is too, you might think. But this isn't a case of them taking any kind of moral stand, and it isn't a case that they take a cavalier attitude to local law. It's because they can't comply with RIPA warrants.

The Woolwich report quotes the Home Office as saying "complying with RIPA would leave US companies in breach of US legislation (including the Wiretap Act in relation to lawful interception)". US companies can and do comply with requests from Britain's NTAC (National Technical Assistance Centre, a body largely staffed by GCHQ) if under the US Electronic Communications Privacy Act (ECPA) the company believes in good faith "that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay".

But that clearly only works if the UK spooks are aware of that immediate danger of death, and in this case they weren't. Say Facebook had spotted the message - would it have been reported? Not necessarily, because it's clearly going to be rather difficult to distinguish between random nutjobs making daft threats and actual homicidal maniacs who really are going to kill somebody in a few months' time.

But say it was spotted, say it was reported. Probably, the FBI would be the first stop, and then the threat might have made its way across the Atlantic via various channels until it was in the hands of MI5 and GCHQ. One might speculate that this would take a while, and that there would be plenty of opportunity for someone along the chain to write "no further action" on the message.

Note also that it's reasonable for US CSPs to be nervous about proactively passing information on their users to foreign law enforcement agencies. Say they'd found this post, say they'd been absolutely certain that this was a British (or at least non-US) citizen talking about a crime he proposed to commit in the UK, then they probably wouldn't be laying themselves open to trouble with the US authorities if they tipped off the British spooks. But if they weren't sure about these things? Neither the US CSPs nor the security agencies will want to do anything that would put them in breach of US law - they've quite enough trouble in that department already.

That's clearly not ideal, but it's about the best you're going to get at the moment. In the absence of an obvious and immediate threat to life, the Brit spooks' best bet is the US-UK Mutual Legal Assistance Treaty. An MLAT request for assistance in an investigation is made via the US authorities, and it gives the US company in question authority to share information with the UK. From the point of view of the US CSPs MLAT is probably the tidiest and safest way to comply with a UK request: but as the report points out, the average time taken to turn one of these requests around is 286 days. The ISC still thinks MLAT is useful in criminal prosecutions where there is evidence of wrongdoing, but "where the aim is to determine the threat posed by individuals and there is as yet insufficient evidence for criminal prosecution," it's of no use whatsoever.

Now compare and contrast with how RIPA operates in the UK. If the security services want an individual's communications data, they apply for a RIPA warrant via the Home Office. This requires a justification that it is both necessary and proportionate, and the various investigations into Adebowale and his co-conspirator Michael Adebolajo mainly failed to meet that threshold. They were Subjects of Interest, but the security services largely failed to find sufficient evidence to warrant more intensive surveillance.

Unless they've concocted an amazingly widespread and complex cover story, the report does seem to suggest that here we have largely honest coppers and internal-security spooks being correct and proportionate about the people they bug (which, reading around the report's redactions, we take to be what "intrusive surveillance" means). There's a possible argument that more intrusive surveillance of either man might have made a difference, but there was no legal justification for it, and given that the intrusive surveillance already carried out on one of them hadn't come up with much, the spooks would probably have moved on to likelier targets even under a laxer supervisory regime.

Granted you've got your legal justification in the UK, however, you can then serve a UK telecoms company or ISP for billing records and sundry metadata. This can be very useful, as is clear from the report. MI5 for example failed to obtain billing data for Adebowale's landline (this is one of several small, possibly non game-changing mistakes the report highlights). If it had done so, it would have found a call to a Yemeni number belonging to someone believed to be in contact with Al Qaeda in the Arabian Peninsula. A mobile phone left in the car after the attack also showed Adebowale had been in touch with a "wide range of extremists", including an AQAP suspect, but by then it was too late.

Of the landline error, the report says:

Had MI5 found this telephone contact (from the billing data), it would probably have led them to seek further communications data, which would have revealed previous contact or attempted contact with this number on five other dates since 26 September 2012. It might also have led them to seek traces with other partners who might have been able to provide further information on the communications with SoI ECHO [the AQAP suspect], including discussions about potential extremist activity.

So although retained communications data was no game-changer in the investigations into Adebowale and Adebolajo, we can see how it might have been, and surely has been in other cases. That however does not mean that the retention of everybody's data is either necessary or proportionate.

A RIPA warrant can cover different kinds of data - billing data for a mobile phone or landline, or perhaps an IP address. In the first cases you're looking for what a known individual has been up to, while in the latter you're checking out the individual who's been up to it. Once you have that individual and their ISP, you've got a shot at finding out what else they've been up to. Almost inevitably, this is going to lead the British security services to something outside UK jurisdiction. They can start to build a picture if the suspect's activities are mainly within UK jurisdiction, but otherwise they're unsighted. Which is where we came in.

OK then, let's try spookery

MI5 has the capacity to employ what we take to be the more traditional black arts of spycraft in order to get more information about an individual's activities:

Clear? This splendidly redacted section would seem to be telling us that they could monitor his Internet connection and/or bug his premises. But if Adebowale was using a connection they didn't know about and/or weren't tapping, that wouldn't help. And they don't know specifically how he made the post that communicated with FOXTROT, an unnamed extremist. And if MI5 ran into encryption, the report adds, its ability to read the communication would have depended on the availability of analytical resources and other priorities at the time.

GCHQ, then? GCHQ's capabilities are somewhat more international, as is coyly revealed here:

And:

The "technical operations" used to "access communications sent from an SoI's computer or device" that is used "only when targeting the communications of the highest priority SoIs" must be corkers. GCHQ also opens up on how much of the world's Internet traffic it can intercept:

Or not. But even without seeing the percentages we can deduce that GCHQ can only access a fraction of traffic, and that it can only process a fraction of that. And even if they'd caught this particular piece of traffic they would not have known they'd caught it, and would not have processed it.

Which takes us back to the web companies, and to the way they deal with suspected terrorist content. Says the ISC:

Whilst there may be practical difficulties involved, the companies should accept they have a responsibility to notify the relevant authorities when an automatic trigger indicating terrorism is activated and allow the authorities, whether US or UK, to take the next step. We further note that several of the companies attributed the lack of monitoring to the need to protect their users' privacy. However, where there is a possibility that a terrorist atrocity is being planned, that argument should not be allowed to prevail.

The first part of that seems a reasonable basis for discussions between the CSPs and HMG, because - as we said at the outset - the companies have plenty of motivation to tackle this. The ISC is surely being delusional if it thinks that every automatic terrorism trigger should be passed on to the authorities, but something that works better and doesn't overload the CSP or the security services could possibly be worked out.

Passing tips directly to the UK services will however remain tricky, and as Ross Anderson argues here, this is unlikely to change any time soon.

The ISC itself accepts that changes to US legislation are "unlikely in the short term, particularly in the climate created by the NSA leaks." It does believe that there is "merit" in attempting to extend the MLAT process to intelligence investigations but the Home Office demurs, saying treaty changes would need senate ratification, possibly primary legislation, and the process still wouldn't be fast enough. In addition "the intelligence case underpinning the warrant application [would have] to be considered by US authorities", and "the Secretary of State's decision (i.e. the warrant) would be exposed to scrutiny by a US court." Which the Home Office would not like.

The ISC comes up with one other possibility that may be worth pursuing:

We note that the US CSPs have an agreed process for tackling child sexual abuse images: this should be examined to see whether a similar model could be adopted for terrorism cases. In the case of child abuse, there is a mandatory obligation under US law to report such images to the US National Center for Missing and Exploited Children (NCMEC). NCMEC then "makes that information available to non-US law enforcement by providing access to country-specific information in NCMEC's database via a virtual private network".

Otherwise, it's back to talking, and hoping that the US companies aren't sufficiently pissed off by lurid headlines and shouting politicians to abandon cooperation. On the upside the headlines and the speeches in no way reflect what the ISC report actually says, and these companies are big enough and sophisticated enough to know they do need to keep government onside.

So they'll talk, so long as some people shut up really soon now. Whatever emerges certainly won't be the magic bullet of information-sharing that would allow the UK to serve RIPA warrants on US companies, and the FBI to do it the other way around - but then if that were possible, we probably wouldn't like it either, right? ®

*We made that bit up.
