TOP SECRET STRAP2 UK EYES ONLY

From:
Date: 13 June 2008
GCHQ Reference: A/9014/9105/55
Sian MacLeod
Mariot Leslie
Foreign Secretary

ISA-94: APPLICATION FOR RENEWAL OF WARRANT GPW/1160 IN RESPECT OF
ACTIVITIES WHICH INVOLVE THE MODIFICATION OF COMMERCIAL SOFTWARE
ISSUE
1.

GCHQ seek a renewal of warrant GPW/1160 issued under section 5 of the

Intelligence Services Act 1994 in respect of interference with computer software in breach
of copyright and licensing agreements.
TIMING
2.

Warrant GPW/1160 is due to expire on 7 July 2008. Signature is requested by 4

July. If renewed, the warrant will next expire on 7 January 2009.
PREFERRED OPTION
3.

That the Secretary of State issue the warrant. If the Secretary of State agrees, he

should sign and date the warrant instrument (GPW/R/167, immediately below this
submission and flagged “Reference Here”).
BACKGROUND
4.

GCHQ’s success as an intelligence agency is founded on technical knowledge and

creativity. In particular this may involve modifying commercially available software to
enable interception, decryption and other related tasks, or “reverse engineering” software
(this means to convert it from machine readable code into the original format, which is
1
THIS INFORMATION IS EXEMPT FROM DISCLOSURE UNDER THE FREEDOM OF INFORMATION ACT 2000 AND MAY BE
SUBJECT TO EXEMPTION UNDER OTHER UK INFORMATION LEGISLATION. REFER DISCLOSURE REQUESTS TO GCHQ ON
EXT
OR EMAIL
@GCHQ

TOP SECRET STRAP2 UK EYES ONLY

 TOP SECRET STRAP2 UK EYES ONLY
then comprehensible to a person). These actions, and others necessary to understand
how the software works, may represent an infringement of copyright. The interference
may also be contrary to, or inconsistent with, the provisions of any licensing agreement
between GCHQ and the owners of the rights in the software.
5.

Where this work is being carried out in support of a specific intercept operation or a

specific computer network exploitation (CNE) operation, the preparatory work can often be
taken to be included in the legal authorisation that applies to that operation. The
provisions of RIPA and ISA apply in most cases to all such enabling activities. This will be
the case for any software destined for operations covered by RIPA warrants and by
operations carried out under the ISA section 7 authorisation held by GCHQ for CNE
activities where the effect is overseas. Unless specifically authorised, however, it will not
be the case for specific operations carried out under ISA section 5 warrants, or in those
instances where the activity is being carried out not as preparatory to a specific operation
but as part of GCHQ’s continuing efforts to maintain its technical knowledge base and
develop future exploitation opportunities.
6.

In some other cases similar work is being carried out by CESG as part of

Information Assurance (IA) vulnerabilities research. A variety of software products may be
“reverse engineered” in order to identify and understand potential security vulnerabilities.
Authorisation will not normally be sought from the supplier or copyright owner.
7.

There is a risk that in the unlikely event of a challenge by the copyright owner or

licensor, the Courts would, in the absence of a legal authorisation, hold that such activity
was unlawful and amounted to a copyright infringement or breach of contract. The
purpose of this warrant is to provide authorisation for all continuing activities which involve
interference with copyright or licensed software, but which cannot be said to fall within any
other specific authorisation held by GCHQ and which are done without the permission of
the owner.
8.

Under the terms of this warrant, the majority of products examined since last

renewal have been in support of CNE operations, while a number were investigated in
support of CESG’s IA work and to enable police operations. In each case it was necessary
2
THIS INFORMATION IS EXEMPT FROM DISCLOSURE UNDER THE FREEDOM OF INFORMATION ACT 2000 AND MAY BE
SUBJECT TO EXEMPTION UNDER OTHER UK INFORMATION LEGISLATION. REFER DISCLOSURE REQUESTS TO GCHQ ON
EXT
OR EMAIL
@GCHQ

TOP SECRET STRAP2 UK EYES ONLY

 TOP SECRET STRAP2 UK EYES ONLY
to use this warrant as the product licence explicitly forbade reverse engineering.
CNE
9.

The products that were studied for CNE purposes included vBulletin web forum

software, widely used to run terrorist web forums. Software reverse engineering (SRE)
has enabled recovery of user credentials from web traffic and database content, research
into vulnerabilities that can provide access into such forums, and investigation of
opportunities for modifying a forum in order to mount attacks against target users. Similar
inroads into Invision Power Board, another web forum product, have also been possible.
Vulnerabilities in terrorist forum hosts using host management software CPanel have
likewise been identified through SRE, while vulnerabilities identified in the PostfixAdmin
software used by a targeted Internet Service Provider have allowed modification of an ISP
site and a subsequent attempt at implant delivery.
10.

GCHQ’s CNE operations against in-country communications switches (routers)

have also benefited from SRE. Capability against Cisco routers developed by this means
has allowed a CNE presence on the Pakistan Internet Exchange which affords access to
almost any user of the internet inside Pakistan. Our presence on routers likewise allows
us to re-route selected traffic across international links towards GCHQ’s passive collection
systems.
11.

Personal security products such as the Russian anti-virus software Kaspersky

continue to pose a challenge to GCHQ’s CNE capability and SRE is essential in order to
be able to exploit such software and to prevent detection of our activities. Examination of
Kaspersky and other such products continues.
12.

SRE work also supports long term CNE research, which needs to be done to

strengthen GCHQ’s technical knowledge base and to sustain and improve its future Sigint
capability, in particular to be able to respond effectively to changing target practices. In
addition, the SRE courses run at GCHQ not only aim to train the students in SRE
techniques but also offer an opportunity for them to examine new products or those that
are of interest but have yet to be reverse engineered.
3
THIS INFORMATION IS EXEMPT FROM DISCLOSURE UNDER THE FREEDOM OF INFORMATION ACT 2000 AND MAY BE
SUBJECT TO EXEMPTION UNDER OTHER UK INFORMATION LEGISLATION. REFER DISCLOSURE REQUESTS TO GCHQ ON
EXT
OR EMAIL
@GCHQ

TOP SECRET STRAP2 UK EYES ONLY

 TOP SECRET STRAP2 UK EYES ONLY
Information assurance
13.

During the period under review CESG analysed a number of products that are or

may be used by a wide range of government departments and officials. Examination of
Microsoft’s Mobile Data Manager, a management system for mobile devices such as
PDAs, has assisted with evaluation of this product for government use, while SRE of a
product in use by GCHQ for electronic data records management has contributed to the
development of protection against electronic attack.
14. CESG have also analysed examples of malware, the malicious software such as
viruses or worms with which computers are deliberately infected in order to cause
harm. Malware is unconventional by design and its effect on a system can vary greatly
depending on environmental factors or the attackers’ intent. It is therefore important
that we understand in great detail how a computer’s operating system is affected and
SRE of monitoring tools FileMon and RegMon, for example, has afforded significant
insights into how malware can bypass these logging tools. Equally, malware is often
delivered by targeting vulnerabilities in applications such as Microsoft Office or Adobe
Acrobat, and the role of SRE in identifying such vulnerabilities is critical to
understanding and counteracting the risks posed to government departments.
GCHQ assistance to law enforcement and intelligence agencies
15. GCHQ’s unit providing specialist technical support to the law enforcement and
intelligence agencies, the National Technical Assistance Centre (NTAC), has used
this warrant to reverse engineer Acer eDataSecurity, allowing for the decryption of
material relating to a high profile police case, and CrypticDisk, allowing for the
decryption of material relating to a child abuse investigation.

Software reverse

engineering against commercial encryption products continues to play a crucial role in
developing new capability for NTAC forensics.
RISK ASSESSMENT
16. The risk of any interference such as that described in paragraph 4 becoming
apparent to the owner of copyright or licensing rights is negligible.
4
THIS INFORMATION IS EXEMPT FROM DISCLOSURE UNDER THE FREEDOM OF INFORMATION ACT 2000 AND MAY BE
SUBJECT TO EXEMPTION UNDER OTHER UK INFORMATION LEGISLATION. REFER DISCLOSURE REQUESTS TO GCHQ ON
EXT
OR EMAIL
@GCHQ

TOP SECRET STRAP2 UK EYES ONLY

 TOP SECRET STRAPZ UK EYES ONLY

LEGAL ISSUES

When this warrant was eriginally submitted te the then Secretary ef State, there
was believed te be ne precedent fer the use ef a warrant under sectien 5 ef the
Intelligence Services Act ?[994 in relatien te intellectual preperty as embedied in
cepyright er licensing agreements. Hewever, the Intelligence Services Cemmissiener
was censulted in 2005 en the applicability ef a warrant in these circumstances and he

was centent that sectien 5 ceuld be used te remeve such liability.

13. I censider it necessary that the actiens specified in the warrant be taken te assist
SSHQ in carrying eut its functiens under sectien 3 ef the Intelligence Services
Act 1994, which in this instance are exercisable in the interests ef natienal security
and the ecenemic well-being ef the United Kingdem. I further censider that the taking
et the actien is prepertienate te what the actiens seek te achieve and that what the
actiens seek te achieve ceuld net reasenably be achieved by ether means.
lnferrnatien ebtained as a result ef the actiens will be subject te the arrangements in

ferce under sectien 4 et the Act.

19. GSHD legal advisers have checked the text ef the attached instrument and are
centent that it cenferms in all respects with the Act. I have persenally checked the
attached instrument and certify that it centerrns in all respects te the details given in

the submissien.

[Please phene 92 {Brent} fer precedural queries}

5
THIS IS EXEMPT FRGM UNDER THE AGT Ell-Ell} AND MAT BE
SUBJECT TU EXEMPTION UNDER GR LEGISLAT ER DISELDSURE REQUESTS TD GCHCI DH
EIT DR EMAIL HO

TOP SECRET STRAPZ UK EYES ON LY