Address: 62 Britton Street, London, EC1M 5UY, United Kingdom
Phone: +44 (0) 20 3422 4321
Website: www.privacyinternational.org

Emily Thornberry MP
Shadow Foreign Secretary
Sent by email

Dear Emily Thornberry

We are writing to express our continued concern with the UK’s international intelligence sharing agreements and to again call for key information and documentation regarding arrangements to be made publicly accessible.

The 2015 National Security Strategy and Strategic Defence and Security Review states that:

“The UK’s security and prosperity is also underpinned by our cooperation with Australia, Canada, New Zealand and the US through the Five Eyes intelligence sharing partnership; the Five Eyes Law Enforcement Group on reducing the international threat and impact of organised crime; and the Consular Colloque which allows us to support each other in protecting our respective nationals overseas. We will strengthen our cooperation in these areas.”

While the Government has referenced an “intelligence sharing partnership”, details about the extent of the arrangements, specific activities, safeguards, and oversight mechanisms are currently not publicly available. The original UKUSA agreement - drafted shortly after World War II - allows UK and US agencies to share, by default, any raw intelligence and intelligence collection equipment (see Attachment 1 [Eyes Wide Open]). Further, it has been reported that the current arrangements also allow US intelligence agencies to collect intelligence and operate from within the UK, reportedly including in support of special operations involving lethal force (see Attachment 2 [Intercept Report]).

During proceedings at the Investigatory Powers Tribunal (IPT) in May 2014, the Government alluded to secret internal guidance governing intelligence sharing, but has consistently refused to make them publicly accessible or subject to parliamentary scrutiny.
The Government presented them to the IPT in a closed hearing, following which it disclosed a “note” containing no heading and just a few paragraphs of text, which appear to summarise some of the arrangements [1]. It remains unclear, however, whether the note is an actual policy, part of a policy, a summary of a policy or a summary of submissions made by the Government in the closed hearing. Further, it is also unclear whether the note sets out an approach that the Government considers binding or is simply a description of desirable practices. Finally, it is unclear who drafted or adopted the note (and under what legal authority) or who has the power to amend it. The date on which the arrangements came into force is unknown. It is equally unknown if the arrangements have ever been altered or amended. The note also only governs UK receipt of intelligence gathered by the US, but not when and how the UK shares information in the opposite direction.

Privacy International is a registered charity (No. 1147471)

We are writing today to request that full details regarding these arrangements be now provided. It is essential that safeguards over such intelligence sharing agreements, and the degree to which foreign intelligence agencies have access to UK intelligence, be made publicly available.

We are also writing to request that the Government make publicly accessible documents related to subsequent instruments or other documents constituting agreements regarding the exchange of intelligence between the UK government and the United States, New Zealand, Australia and Canada.

We have become increasingly alarmed by the scale of surveillance that the internet has enabled, and have continuously sought to ensure appropriate and publicly accessible safeguards over government surveillance activities.
In this pursuit, please find attached a report published in 2015 detailing some of our concerns (Attachment 4 [Two years after Snowden: Protecting human rights in an age of mass surveillance]).

We look forward to receiving a response as soon as possible, and stand by ready to assist in any way possible.

Yours sincerely

[1] Quoted in the Liberty & Others v GCHQ & Others [2014] UKIPTrib 13_77-H, at paras 47-48 (see Attachment 3 [http://www.ipt-uk.com/docs/IPT_13_168-173_H.pdf]).

Annex 1

Eyes Wide Open

Executive Summary

The recent revelations, made possible by NSA-whistleblower Edward Snowden, of the reach and scope of global surveillance practices have prompted a fundamental reexamination of the role of intelligence services in conducting coordinated cross-border surveillance. The Five Eyes alliance of States – comprised of the United States National Security Agency (NSA), the United Kingdom’s Government Communications Headquarters (GCHQ), Canada’s Communications Security Establishment Canada (CSEC), the Australian Signals Directorate (ASD), and New Zealand’s Government Communications Security Bureau (GCSB) – is the continuation of an intelligence partnership formed in the aftermath of the Second World War. Today, the Five Eyes has infiltrated every aspect of modern global communications systems.

The world has changed dramatically since the 1940s; then, private documents were stored in filing cabinets under lock and key, and months could pass without one having the need or luxury of making an international phone call. Now, private documents are stored in unknown data centers around the world, international communications are conducted daily, and our lives are lived – ideas exchanged, financial transactions conducted, intimate moments shared – online.

The drastic changes to how we use technology to communicate have not gone unnoticed by the Five Eyes alliance.
A leaked NSA strategy document, shared amongst Five Eyes partners, exposes the clear interest that intelligence agencies have in collecting and analyzing signals intelligence (SIGINT) in the digital age: “Digital information created since 2006 grew tenfold, reaching 1.8 exabytes in 2011, a trend projected to continue; ubiquitous computing is fundamentally changing how people interact as individuals become untethered from information sources and their communications tools; and the traces individuals leave when they interact with the global network will define the capacity to locate, characterize and understand entities.”[1]

[1] NSA SIGINT Strategy, 23 February 2012, available at: http://www.nytimes.com/interactive/2013/11/23/us/politics/23nsa-sigint-strategydocument.html?ref=politics&gwh=5E154810A5FB56B3E9AF98DF667AE3C8

Contrary to the complaints of the NSA and other Five Eyes agencies that they are ‘going dark’ and losing the visibility they once had, the Five Eyes intelligence agencies are in fact the most powerful they’ve ever been. Operating in the shadows and misleading the public, the agencies boast in secret how they “have adapted in innovative and creative ways that have led some to describe the current day as ‘the golden age of SIGINT’.”

The agencies are playing a dirty game; not content with following the already permissive legal processes under which they operate, they’ve found ways to infiltrate all aspects of modern communications networks. Forcing companies to hand over their customers’ data under secret orders, and secretly tapping fibre optic cables between the same companies’ data centers anyway. Accessing sensitive financial data through SWIFT, the world’s financial messaging system, spending years negotiating an international agreement to regulate access to the data through a democratic and accountable process, and then hacking the networks to get direct access.
Threatening politicians with trumped up threats of impending cyber-war while operating intrusion operations that weaken the security of networks globally; sabotaging encryption standards and standards bodies thereby undermining the ability of internet users to secure information.

Each of these actions has been justified in secret, on the basis of secret interpretations of international law and classified agreements. By remaining in the shadows, our intelligence agencies – and the governments who control them – have removed our ability to challenge their actions and their impact upon our human rights. We cannot hold our governments accountable when their actions are obfuscated through secret deals and covert legal frameworks. Secret law has never been law, and we cannot allow our intelligence agencies to justify their activities on the basis of it.

We must move towards an understanding of global surveillance practices as fundamentally opposed to the rule of law and to the well-established international human right to privacy. In doing so, we must break down legal frameworks that obscure the activities of the intelligence agencies or that preference the citizens or residents of Five Eyes countries over the global internet population. These governments have carefully constructed legal frameworks that provide differing levels of protections for internal versus external communications, or those relating to nationals versus non-nationals, in an attempt to circumvent national constitutional or human rights protections governing interferences with the right to privacy of communications.

This notion must be rejected. The Five Eyes agencies are seeking not only to defeat the spirit and purpose of international human rights instruments; they are in direct violation of their obligations under such instruments. Human rights obligations apply to all individuals subject to a State’s jurisdiction.
The obligation to respect privacy extends to the privacy of all communications, so that the physical location of the individual may be in a different jurisdiction to that where the interference with the right occurs.

This paper calls for a renewed understanding of the obligations of Five Eyes States with respect to the right to privacy, and demands that the laws and regulations that enable intelligence gathering and sharing under the Five Eyes alliance be brought into the light. It begins, in Chapter One, by shining a light on the history and structure of the alliance, and draws on information disclosed by whistleblowers and investigative journalists to paint a picture of the alliance as it operates today. In Chapter Two, we argue that the laws and regulations around which Five Eyes are constructed are insufficiently clear and accessible to ensure they are in compliance with the rule of law. In Chapter Three, we turn to the obligations of Five Eyes States under international human rights law and argue for an “interference-based jurisdiction” whereby Five Eyes States owe a general duty not to interfere with communications that pass through their territorial borders. Through such a conceptualization, we argue, mass surveillance is cognisable within a human rights framework in a way that provides rights and remedies to affected individuals.

While the existence of the Five Eyes has been kept secret from the public and parliaments, dogged investigative reporting from Duncan Campbell, Nicky Hager, and James Bamford has gone some way to uncovering the extent of the arrangement. Now, thanks to Edward Snowden, the public are able to understand more about the spying that is being done in their name than ever before.

Trust must be restored, and our intelligence agencies must be brought under the rule of law. Transparency around and accountability for these secret agreements is a crucial first step.
Privacy International is grateful to Ben Jaffey, Caspar Bowden, Dan Squires, Duncan Campbell, Eric Metcalfe, Ian Brown, James Bamford, Mark Scott, Marko Milanovic, Mathias Vermeulen, Nicky Hager and Shamik Dutta for their insight, feedback, discussions, investigation and support. We are grateful to all of the whistleblowers whose responsible disclosures in the public interest have brought transparency to the gross violations of human rights being conducted by the intelligence agencies in our name.

Given the current rapid nature of information disclosures regarding the intelligence agencies, this paper will be regularly updated to reflect the most accurate understanding we have of the nature of the Five Eyes arrangement. Any errors or omissions are solely attributable to the authors.

Version 1.0 – 26 November 2013

Chapter 1 – Understanding the Five Eyes

The birth of the Five Eyes alliance

Beginning in 1946, an alliance of five countries (the US, the UK, Australia, Canada and New Zealand) developed a series of bilateral agreements over more than a decade that became known as the UKUSA (pronounced yew-kew-zah) agreement, establishing the Five Eyes alliance for the purpose of sharing intelligence, but primarily signals intelligence (hereafter “SIGINT”). While the existence of the agreement has been noted in history books and references are often made to it as part of reporting on the intelligence agencies, there is little knowledge or understanding outside the services themselves of exactly what the arrangement comprises.

Even within the governments of the respective countries, which the intelligence agencies are meant to serve, there has historically been little appreciation for the extent of the arrangement. The arrangement is so secretive the Australian Prime Minister reportedly wasn’t informed of its existence until 1973[2].
Former Prime Minister of New Zealand, David Lange, once remarked that “it was not until I read this book [Nicky Hager’s “Secret Power”, which detailed GCSB’s history] that I had any idea that we had been committed to an international integrated electronic network.” He continued: “it is an outrage that I and other ministers were told so little, and this raises the question of to whom those concerned saw themselves ultimately answerable.”[3]

There has been no debate around the legitimacy or purpose of the Five Eyes alliance in part due to the lack of publicly available information about it. In 2010, the US and UK declassified numerous documents, including memoranda and draft texts, relating to the creation of the UKUSA agreement. However, generally the Five Eyes States and their intelligence services have been far too slow in declassifying information that no longer needs to be secret, resulting in no mention on any government website of the arrangement until recently.

The intelligence agencies involved in the alliance are the United States National Security Agency (NSA), the United Kingdom’s Government Communications Headquarters (GCHQ), Canada’s Communications Security Establishment Canada (CSEC), the Australian Signals Directorate (ASD), and New Zealand’s Government Communications Security Bureau (GCSB).

[2] Canada’s role in secret intelligence alliance Five Eyes, CTV News, 8 October 2013, available at: http://knlive.ctvnews.ca/mobile/the-knlive-hub/canada-s-role-in-secret-intelligence-alliance-five-eyes1.1489170
[3] Secret Power, Nicky Hager, 1996, page 8, available at: http://www.nickyhager.info/Secret_Power.pdf

The extent of the original arrangement is broad and includes the (1) collection of traffic; (2) acquisition of communications documents and equipment;
(3) traffic analysis; (4) cryptanalysis; (5) decryption and translation; and (6) acquisition of information regarding communications organizations, procedures, practices and equipment. A draft of the original UKUSA agreement, declassified in 2010, explains that the exchange of the above-listed information “will be unrestricted on all work undertaken except when specifically excluded from the agreement at the request of either party to limit such exceptions to the absolute minimum and to exercise no restrictions other than those reported and mutually agreed upon.”

Indeed, in addition to facilitating collaboration, the agreement suggests that all intercepted material would be shared between Five Eyes States by default. The text stipulates that “all raw traffic shall continue to be exchanged except in cases where one or the other party agrees to forgo its copy.”

The working arrangement that was reached in 1953 by UKUSA parties explained that “while Commonwealth countries other than the UK are not party to the UKUSA COMINT agreement, they will not be regarded as Third Parties.”[4] Instead “Canada, Australia and New Zealand will be regarded as UKUSA-collaborating Commonwealth countries,” also known as Second Parties.

One retired senior NATO intelligence officer has suggested “there is no formal over-arching international agreement that governs all Five Eyes intelligence relationships.”[5] It is not known how accurate that statement is, or how the agreement has been modified in subsequent years as the text of the Five Eyes agreement in its current form has never been made public.
Today, GCHQ simply states it has “partnerships with a range of allies […] [o]ur collaboration with the USA, known as UKUSA, delivers enormous benefits to both nations.”[6] The NSA makes no direct reference to the UKUSA arrangement or the Five Eyes States by name, except by way of historical references to partnerships with “the British and the Dominions of Canada, Australia, and New Zealand” in the declassification section of their website.[7]

[4] Appendix J, Principles of UKUSA collaboration with commonwealth countries other than the UK. Page 39, available at: http://www.nationalarchives.gov.uk/ukusa/
[5] Canada and the Five Eyes Intelligence Community, James Cox, Strategic Studies Working Group Papers, December 2012, page 4, accessible at: http://www.cdfai.org/PDF/Canada%20and%20the%20Five%20Eyes%20Intelligence%20Community.pdf
[6] International Partners, GCHQ website, available at: http://www.gchq.gov.uk/how_we_work/partnerships/Pages/International-partners.aspx
[7] UKUSA Agreement Release 1940-1956, NSA website, available at: http://www.nsa.gov/public_info/declass/ukusa.shtml

The original agreement mandated secrecy, stating “it will be contrary to this agreement to reveal its existence to any third party unless otherwise agreed” resulting in modern day references to the existence of the agreement by the intelligence agencies remaining limited.
The existence of the agreement was not acknowledged publicly until March 1999, when the Australian government confirmed that the Defence Signals Directorate (now Australian Signals Directorate) "does co-operate with counterpart signals intelligence organisations overseas under the UKUSA relationship."[8] Canada’s CSEC[9] states it maintains intelligence relationships with NSA, GCHQ, ASD and GCSB, but only New Zealand’s GCSB[10] and ASD[11] mention the UKUSA agreement by name.[12]

This obfuscation continues, with only cursory mentions made across a wide range of public policy documents to the existence of an intelligence sharing partnership. For example, the UK Counter-Terrorist Strategy CONTEST referred to the existence of the Five Eyes agreement only in passing when stating the UK will “continue to develop our most significant bilateral intelligence relationship with the US, and the ‘Five Eyes’ cooperation with the US, Australia, Canada and New Zealand.”[13]

We have been unable to locate any major public strategic policy document that describes Australia’s, Canada’s, New Zealand’s or the United States’ involvement in the Five Eyes in any detail.

[8] The state of the art in communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targetting and selection, including speech recognition, October 1999, page 1, available at: http://www.duncancampbell.org/menu/surveillance/echelon/IC2000_Report%20.pdf
[9] CSEC's International Partnerships, CSEC website, available at: http://www.cse-cst.gc.ca/homeaccueil/about-apropos/peers-homologues-eng.html
[10] UKUSA Allies, GCSB website, available at: http://www.gcsb.govt.nz/about-us/UKUSA.html
[11] UKUSA Allies, ASD website, available at: http://www.asd.gov.au/partners/allies.htm
[12] The New Zealand Prime Minister, John Key, has specifically referred to “Five Eyes” on several occasions; at his 29 October 2013 press conference, for example, in answer to the question, “Do you think the GCSB was aware of the extent of spying from the NSA on foreign leaders?” he replied: “Well I don’t know all of the information they exchanged, the discussions they had with their counterparts. They are part of Five Eyes so they had discussions which are at a much more granular level than I have….”, audio available at: http://www.scoop.co.nz/stories/HL1310/S00224/pms-press-conference-audio-meridianspying-and-fonterra.htm. Similarly, at his 25 October press conference, with reference to Edward Snowden, he stated “He has a massive amount of data, we're part of Five Eyes, it's highly likely he's got information related to New Zealand”, video available at http://www.3news.co.nz/Snowden-highly-likely-tohave-spy-info/tabid/1607/articleID/322789/Default.aspx#ixzz2lgdCec1I.
[13] Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review, HM Government, 2010, page 46, available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/62482/strategic-defencesecurity-review.pdf

The extent of Five Eyes collaboration

The close relationship between the five States is evidenced by documents recently released by Edward Snowden. Almost all of the documents include the classification “TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL” or “TOP SECRET//COMINT//REL TO USA, FVEY.” These classification markings indicate the material is top-secret communications intelligence (aka SIGINT) material that can be released to the US, Australia, Canada, United Kingdom and New Zealand. The purpose of the REL TO is to identify classified information that a party has predetermined to be releasable (or has already been released) through established foreign disclosure procedures and channels, to a foreign country or international organisation.[14] Notably, while other alliances and coalitions exist, such as the North Atlantic Treaty Organisation (e.g. TS//REL TO USA, NATO), European Counter-Terrorism Forces (e.g. TS//REL TO USA, ECTF) or Chemical Weapons Convention States (e.g. TS//REL TO USA, CWCS), none of the documents that have thus far been made public refer to any of these arrangements, suggesting the Five Eyes alliance is the preeminent SIGINT collection alliance.

The arrangement in this way was not just to create a set of principles of collaboration, or the facilitation of information sharing, but to enable the dividing of tasks between SIGINT agencies. The agreement explains that “[a]llocation of major tasks, conferring a one-sided responsibility, is undesirable and impracticable as a main principle; however, in order that the widest possible cover of foreign cypher communications be achieved the COMINT agencies of the two parties shall exchange proposals for the elimination of duplication. In addition, collaboration between those agencies will take the form of suggestion and mutual arrangement as to the undertaking of new tasks and changes in status of old tasks.”[15]

The continuation of this sharing of tasks between agencies has been acknowledged with former Defense Secretary Caspar Weinberger observing that the "United States has neither the opportunity nor the resources to unilaterally collect all the intelligence information we require.
We compensate with a variety of intelligence sharing arrangements with other nations in the world."[16] The Canadian SIGINT agency CSEC explains how it “relies on its closest foreign intelligence allies, the US, UK, Australia and New Zealand to share the collection burden and the resulting intelligence yield.”[17] Other former intelligence analysts have confirmed[18] there is “task-sharing” between the Five Eyes groups.

[14] Security Classification Markings—Authorization for Release To (RELTO) and Dissemination Control/Declassification Markings, USTRANSCOM Foreign Disclosure Office, available at: http://www.transcom.mil/publications/showPublication.cfm?docID=04A4D891-1EC9-F26D0715CB3E5AF1309B
[15] Appendix E, Co-ordination of, and exchange of information on, cryptanalysis and associated techniques. page 34, available at: http://www.nationalarchives.gov.uk/ukusa/PDF page 34
[16] Declaration of the Secretary of Defence Caspar W Weinberger in USA v Jonathan Pollard, 1986. Available at: http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB407/docs/EBB-PollardDoc6.pdf
[17] Safeguarding Canada's security through information superiority, CSEC website, available at: http://www.cse-cst.gc.ca/home-accueil/media/information-eng.html
[18] Britain’s GCHQ ‘the brains,’ America’s NSA ‘the money’ behind spy alliance, Japan Times, 18th November, 2013, accessible at: http://www.japantimes.co.jp/news/2013/11/18/world/britains-gchq-thebrains-americas-nsa-the-money-behind-spy-alliance/#.UozmbMvTnqB
The level of co-operation under the UKUSA agreement is so complete that "the national product is often indistinguishable."[19] This has resulted in former intelligence officials explaining that the close-knit cooperation that exists under the UKUSA agreement means “that SIGINT customers in both capitals seldom know which country generated either the access or the product itself.”[20] Another former British spy has said that “[c]ooperation between the two countries, particularly, in SIGINT, is so close that it becomes very difficult to know who is doing what [...] it’s just organizational mess.”[21]

The division of SIGINT collection responsibilities

Investigative journalist Duncan Campbell explains that historically “[u]nder the UKUSA agreement, the five main English-speaking countries took responsibility for overseeing surveillance in different parts of the globe. Britain's zone included Africa and Europe, east to the Ural Mountains of the former USSR; Canada covered northern latitudes and polar regions; Australia covered Oceania. The agreement prescribed common procedures, targets, equipment and methods that the SIGINT agencies would use.”[22]

More recently an ex-senior NATO intelligence officer elaborated on this point, saying “[e]ach Five Eyes partner collects information over a specific area of the globe […] but their collection and analysis activities are orchestrated to the point that they essentially act as one. Precise assignments are not publicly known, but research indicates that Australia monitors South and East Asia emissions. New Zealand covers the South Pacific and Southeast Asia.
The UK devotes attention to Europe and Western Russia, while the US monitors the Caribbean, China, Russia, the Middle East and Africa.”[23]

[19] Robert Aldrich (2006) paper 'Transatlantic Intelligence and security co-operation', available at: http://www2.warwick.ac.uk/fac/soc/pais/people/aldrich/publications/inta80_4_08_aldrich.pdf
[20] S. Lander, 'International intelligence cooperation: an inside perspective', in Cambridge Review of International Affairs, 2007, vol. 17, n°3, p.487.
[21] Britain’s GCHQ ‘the brains,’ America’s NSA ‘the money’ behind spy alliance, Japan Times, 18th November, 2013, accessible at: http://www.japantimes.co.jp/news/2013/11/18/world/britains-gchq-thebrains-americas-nsa-the-money-behind-spy-alliance/#.UozmbMvTnqB
[22] Inside Echelon, Duncan Campbell, 2000, available at: http://www.heise.de/tp/artikel/6/6929/1.html
[23] Canada and the Five Eyes Intelligence Community, James Cox, Strategic Studies Working Group Papers, December 2012, page 6, accessible at: http://www.cdfai.org/PDF/Canada%20and%20the%20Five%20Eyes%20Intelligence%20Community.pdf

Jointly run operations centres

In addition to fluidly sharing collected SIGINT, it is understood that many intelligence facilities run by the respective Five Eyes countries are jointly operated, even jointly staffed, by members of the intelligence agencies of Five Eyes countries. Each facility collects SIGINT, which can then be shared with the other Five Eyes States.

An earlier incarnation of ASD, the Defence Signals Branch in Melbourne,[24] was described in the original 1956 UKUSA agreement as “not purely a national centre. It is and will continue to be a joint U.K – Australian – New Zealand organization manned by an integrated staff.
It is a civilian organization under the Australian Department of Defence and undertakes COMINT tasks as agreed between the COMINT governing authorities of Australia and New Zealand on the one hand and the London Signal Intelligence Board on the other. On technical matters control is exercised by GCHQ on behalf of the London Signal Intelligence Board.”

This jointly run operation has continued, with the Australian Joint Defence Facility at Pine Gap being staffed by both Australian and US intelligence officers. The facility collects intelligence that is jointly used and analysed.[25] In fact, only half of the staff are Australian,[26] with US intelligence operatives from NSA and other agencies likely accounting for the rest. An American official runs the base itself, with the posting being considered “a step towards promotion into the most senior ranks of the US intelligence community”, with an Australian acting as deputy.[27]

With such an overwhelming US presence, it is likely that the majority of the cost of running the base is paid for by the US; the Australian Defence Department says Australia’s contribution to Pine Gap in 2011-12 was a mere AUS$14 million.[28] The systems run at the base are tied into the largest Five Eyes intelligence structure with “personnel sitting in air-conditioned offices in central Australia [being] directly linked, on a minute-by-minute basis, to US and allied military operations in Afghanistan and indeed anywhere else across the eastern hemisphere.”[29] As a result it has been reported that “[t]he practical reality is that Pine Gap's capabilities are now deeply and inextricably entwined with US military operations, down to the tactical level, across half the world.”[30]

The New Zealand GCSB was similarly entwined with the NSA: the GCSB’s Director of
Policy and Plans from 1984-1987, for example, was an NSA employee.[31]

[24] See: “The Defence Signals Bureau was established in 1947, as part of the Department of Defence, with responsibility for maintaining a national sigint capability in peacetime. In 1977, DSD assumed its current name” available at: http://www.dpmc.gov.au/publications/intelligence_inquiry/chapter7/4_dsd.htm
[25] Pine Gap drives US drone kills, The Age, 21st July 2013, available at: http://www.smh.com.au/national/pine-gap-drives-us-drone-kills-20130720-2qbsa.html
[26] Australian outback station at forefront of US spying arsenal, The Sydney Morning Herald, 26th July 2013, available at: http://www.smh.com.au/it-pro/security-it/australian-outback-station-at-forefront-of-us-spyingarsenal-20130726-hv10h.html
[27] Australian outback station at forefront of US spying arsenal, The Sydney Morning Herald, 26th July 2013, available at: http://www.smh.com.au/it-pro/security-it/australian-outback-station-at-forefront-of-us-spyingarsenal-20130726-hv10h.html
[28] Pine Gap drives US drone kills, The Age, 21st July 2013, available at: http://www.smh.com.au/national/pine-gap-drives-us-drone-kills-20130720-2qbsa.html
[29] Pine Gap drives US drone kills, The Age, 21st July 2013, available at: http://www.smh.com.au/national/pine-gap-drives-us-drone-kills-20130720-2qbsa.html
[30] Australian outback station at forefront of US spying arsenal, The Sydney Morning Herald, 26th July 2013, available at: http://www.smh.com.au/it-pro/security-it/australian-outback-station-at-forefront-of-us-spyingarsenal-20130726-hv10h.html

In addition to bases in Australia and New Zealand, Britain’s history of Empire left GCHQ with a widespread network of SIGINT outposts. Intelligence stations in Bermuda, Cyprus, Gibraltar, Singapore and Hong Kong have all played critical collection roles over the past 60 years.

One of the largest listening posts outside the US is based in northern England, yet has been under US ownership since the 1950s.
In 1996 the base was renamed RAF Menwith Hill and it was reported that for the first time the Union Jack was raised alongside the Stars and Stripes. David Bowe, MEP for Cleveland and Richmond, said this was “designed to mislead” and that "[m]y information is that the RAF representation on the base amounts to one token squadron leader. The name change was presumably decided to make the whole site look more benign and acceptable."32 The base was the subject of a six billion pound investment over the last 20 years, with the majority of that likely to be US funds.33

Other bases, such as GCHQ’s operation in the South West of England at Bude, are also jointly staffed. The Guardian reported34 that in addition to jointly developing the TEMPORA program, 300 analysts from GCHQ and 250 from the NSA were located at Bude and directly assigned to examine material collected under the programme.

In his seminal report Interception Capabilities 2000, Duncan Campbell named a number of foreign or jointly run NSA bases. He wrote “[t]he US Air Force installed 500 metre wide arrays known as FLR-9 at sites including Chicksands, England, San Vito dei Normanni in Italy, Karamursel in Turkey, the Philippines, and at Misawa, Japan. Codenamed "Iron Horse", the first FLR-9 stations came into operation in 1964. The US Navy established similar bases in the US and at Rota, Spain, Bremerhaven, Germany, Edzell, Scotland, Guam, and later in Puerto Rico, targeted on Cuba.”35

31 A fact unknown to the Prime Minister at the time: Hager, Secret Power, p. 21.
32 US spy base `taps UK phones for MI5', The Independent, 22 September 1996, available at: http://www.independent.co.uk/news/uk/home-news/us-spy-base-taps-uk-phones-for-mi5-1364399.html
33 US spy base `taps UK phones for MI5', The Independent, 22 September 1996, available at: http://www.independent.co.uk/news/uk/home-news/us-spy-base-taps-uk-phones-for-mi5-1364399.html
34 An early version of TEMPORA is referred to as the Cheltenham Processing Centre, additionally codenamed TINT, and is described as a "joint GCHQ/NSA research initiative". The Guardian quotes an internal GCHQ report that claims "GCHQ and NSA avoid processing the same data twice and proactively seek to converge technical solutions and processing architectures." It was additionally reported that NSA provided GCHQ with the technology necessary to sift through the material collected. The Guardian reported that 300 analysts from GCHQ and 250 from NSA were directly assigned to examine the collected material, although the number is now no doubt much larger. GCHQ have had staff examining collected material since the project’s incarnation in 2008, with NSA analysts brought to trials in Summer 2011. Full access was provided to NSA by Autumn 2011. An additional 850,000 NSA employees and US private contractors with top secret clearance reportedly also have access to GCHQ databases.
35 Inside Echelon, Duncan Campbell, 2000, available at: http://www.heise.de/tp/artikel/6/6929/1.html

Many of these sites remain active, as an NSA presentation displaying the primary foreign collection operations bases shows.
The presentation36 details both the US sites distributed around the world as well as the 2nd party bases as follows:

Type        Location                        Country        Codename
US site     Yakima                          US             JACKNIFE
US site     Sugar Grove                     US             TIMBERLINE
US site     Sabana Seca                     Puerto Rico    CORALINE
US site     Brasillia                       Brasil         SCS
US site     Harrogate (aka Menwith Hill)    UK             MOONPENNY
US site     Bad Aibling37                   Germany        GARLICK
US site     New Delhi                       India          SCS
US site     Thailand                        Thailand       LEMONWOOD
US site     Misawa38                        Japan          LADYLOVE
2nd Party   Bude                            UK             CARBOY
2nd Party   Oman                            Oman           SNICK
2nd Party   Nairobi                         Kenya          SCAPEL
2nd Party   Geraldton                       Australia      STELLAR
2nd Party   Cyprus                          Cyprus         SOUNDER
2nd Party   New Zealand                     New Zealand    IRONSAN

It is important to note that, just because a base is being operated from within a particular country, this does not forestall Five Eyes parties from collecting intelligence therein on the host country. Ex-NSA staff have confirmed that communications are monitored from “almost every nation in the world, including the nations on whose soil the intercept bases are located.”39

Intelligence collection, analysis and sharing activities

It is believed that much of the intelligence collected under the Five Eyes arrangement can be accessed by any of the Five Eyes partners at any time. Some codenamed programmes that have been revealed to the public over the last decade go some way to illustrating how the Five Eyes alliance collaborates on specific programmes of activity and how some of this information is shared. It should be noted that these are just a selection of programmes that have been made public, and are likely to represent a tiny fraction of the joint collection undertaken by Five Eyes partners. Nevertheless these codenamed programmes reveal just how integrated the Five Eyes SIGINT collection and analysis methods are, and the existence of shared SIGINT tools and technologies themselves.

36 New slides about NSA collection programs, Electrospaces blog, 16th July, 2013, available at: http://electrospaces.blogspot.co.uk/2013/07/new-slides-about-nsa-collection-programs.html
37 Bad Aibling Station, Wikipedia, available at: http://en.wikipedia.org/wiki/Bad_Aibling_Station
38 http://www.misawa.af.mil/ and http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/docs/doc12.pdf
39 Inside Echelon, Duncan Campbell, 2000, available at: http://www.heise.de/tp/artikel/6/6929/1.html

As early as the 1980s, Five Eyes countries used a “global Internet-like communication network to enable remote intelligence customers to task computers at each collection site, and receive the results automatically.”40 This network was known as ECHELON and was revealed to the public in 1988 by Duncan Campbell.41 An often-misunderstood term, ECHELON is in fact a “code name given by the NSA (U.S. National Security Agency) to a system that collects and processes information derived from intercepting civil satellite communications. The information obtained at ECHELON stations is fed into the global communications network operated jointly by the SIGINT organisations of the United States, United Kingdom, Australia, Canada and New Zealand. ECHELON stations operate automatically. Most of the information that is selected is automatically fed into the world-wide network of SIGINT stations.”42

It is not known how long the ECHELON programme continued in that form, but the NSA went on to develop programmes such as THINTHREAD, which emerged at the turn of the millennium. THINTHREAD was a sophisticated SIGINT analysis tool used "to create graphs showing relationships and patterns that could tell analysts which targets they should look at and which calls should be listened to."43 One of the creators of THINTHREAD, Bill Binney described the tool to the New Yorker: “As Binney imagined it, ThinThread would correlate data from financial transactions, travel records, Web searches, G.P.S.
equipment, and any other "attributes" that an analyst might find useful in pinpointing "the bad guys." By 2000, Binney, using fibre optics, had set up a computer network that could chart relationships among people in real time. It also turned the N.S.A.'s data-collection paradigm upside down. Instead of vacuuming up information around the world and then sending it all back to headquarters for analysis, ThinThread processed information as it was collected – discarding useless information on the spot and avoiding the overload problem that plagued centralized systems. Binney says, "The beauty of it is that it was open-ended, so it could keep expanding."”44

40 Inside Echelon, Duncan Campbell, 2000, available at: http://www.heise.de/tp/artikel/6/6929/1.html
41 Somebody's listening, New Statesman, 12 August 1988, available at: http://web.archive.org/web/20070103071501/http://duncan.gn.apc.org/echelon-dc.htm
42 http://www.duncancampbell.org/menu/surveillance/echelon/IC2001-Paper1.pdf, page 2.
43 US spy device 'tested on NZ public', The New Zealand Herald, 25th May 2013, available at: http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10886031
44 The Secret Sharer, The New Yorker, 23 May 2011, available at: http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all

This programme was distributed around the world and trialed in conjunction with the Five Eyes partners. Tim Shorrock explains: “The THINTHREAD prototype went live in the fall of 2000 and […] several allied foreign intelligence agencies were given the programme to conduct lawful surveillance in their own corners of the world. Those recipients included Canada, […] Britain, Australia and New Zealand.”45 Analysis tools such as these have been developed in secret over many years, often at huge cost.
That this tool was shared, even in trial version with Five Eyes partners, is an important indicator of how tightly integrated the relationship is. Subsequent related programmes codenamed TRAILBLAZER, TURBULENCE and TRAFFICTHIEF were later adopted and used by Five Eyes partners.46 More recently, the Guardian reported47 that 300 analysts from GCHQ and 250 from the NSA were directly assigned to examine material collected under the TEMPORA programme. By placing taps at key undersea fibre optic cable landing stations, the programme is able to intercept a significant portion of the communications that traverses the UK. TEMPORA stores content for three days and metadata for 30 days. Once content and data are collected, they can be filtered. The precise nature of GCHQ’s filters remains secret. Filters could be applied based on type of traffic (e.g. Skype, Facebook, Email), origin/destination of traffic, or to conduct basic keyword searches, among many other purposes. Reportedly, approximately 40,000 search terms have been chosen and applied by GCHQ, and another 31,000 by the NSA to information collected via TEMPORA. GCHQ have had staff examining collected material since the project’s inception in 2008, with NSA analysts brought to trial runs of the technology in summer 2011. Full access was provided to NSA by autumn 2011. An additional 850,000 NSA employees and US private contractors with top-secret clearance reportedly also have access to GCHQ databases. GCHQ boasted that it had “given the NSA 36% of all the raw information the British had intercepted from computers the agency was monitoring.”48 Additional reporting from GCHQ internal documents explains how they "can now interchange 100% of GCHQ End Point Projects with NSA."49 GCHQ received £100 million ($160 million) in secret NSA funding over the last three years to assist in the running of this project. 
This relationship was characterized by Sir David Omand, former Director of GCHQ, as “a collaboration that’s worked very well […] [w]e have the brains; they have the money.”50

45 http://motherboard.vice.com/blog/the-nsa-reportedly-tested-its-top-spyware-on-new-zealand
46 http://www.smh.com.au/world/snowden-reveals-australias-links-to-us-spy-web-20130708-2plyg.html
47 An early version of TEMPORA is referred to as the Cheltenham Processing Centre, additionally codenamed TINT, and is described as a "joint GCHQ/NSA research initiative". The Guardian quotes an internal GCHQ report that claims "GCHQ and NSA avoid processing the same data twice and proactively seek to converge technical solutions and processing architectures." It was additionally reported that NSA provided GCHQ with the technology necessary to sift through the material collected.
48 http://www.theguardian.com/world/2013/nov/02/nsa-portrait-total-surveillance
49 GCHQ: Inside the top secret world of Britain’s biggest spy agency, The Guardian, 2 August 2013, available at http://www.theguardian.com/world/2013/aug/02/gchq-spy-agency-nsa-snowden
50 http://www.japantimes.co.jp/news/2013/11/18/world/britains-gchq-the-brains-americas-nsa-the-moneybehind-spy-alliance/

Liaison officers are charged with the ultimate responsibility of ensuring continued harmony and cooperation between their agencies and, as James Bamford, author of multiple books on the NSA, explains, “it is the senior liaison officers, the SIGINT community's version of ambassadors, who control the day-to-day relations between the UKUSA partners. And it is for that reason that the post of SUSLO (Office of the Senior United States Liaison Officer) at NSA is both highly prized and carefully considered.”51 These positions to facilitate co-operation continue to exist throughout the arrangement.
A recent diplomatic cable from the US Ambassador in Wellington, New Zealand, released by WikiLeaks, noted that “[t]he National Security Agency (NSA) has requested a new, permanent position in Wellington.”52 The cable went on to state: “The new position will advance US interests in New Zealand by improving liaison and cooperation on vital signals intelligence matters. This is an area where the US and NZ already work together closely and profitably, and continuing to build and expand that relationship clearly stands to benefit both countries. This is especially true in the post-September 11 environment, where NZ SIGINT capabilities significantly enhance our common efforts to combat terrorism in the region and the world.”

It is believed that much of the intelligence collected under the Five Eyes arrangement can be accessed by any of the Five Eyes partners at any time. Shared NSA-GCHQ wikis are used by both parties to exchange surveillance tips53 and leaked NSA documents reveal that different Five Eyes partners have created shared and integrated databases, as revealed by one NSA document that references “GCHQ-accessible 5-eyes [redacted] databases.”54 One Guardian article explained: “Gaining access to the huge classified data banks appears to be relatively easy. Legal training sessions – which may also be required for access to information from Australian, Canadian, or New Zealand agencies – suggest that gaining credentials for data is relatively easy. The sessions are often done as self-learning and self-assessment, with "multiple choice, open-book" tests done at the agent's own desk on its "iLearn" system. Agents then copy and paste their passing result in order to gain access to the huge databases of communications.”55

51 The Puzzle Palace: A Report on America's Most Secret Agency, James Bamford, accessible at: http://cryptome.org/jya/pp08.htm
52 http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10695100
53 http://mobile.nytimes.com/2013/11/03/world/no-morsel-too-minuscule-for-all-consumingnsa.html?pagewanted=2,all&hp=&_r=0; the New Zealand GCSB’s 2001/2012 Annual Report refers to the GCSB being able “to leverage off the training programmes of its overseas partners to increase opportunities for staff to develop their tradecraft skills.” Available at: http://www.gcsb.govt.nz/newsroom/annual-reports/Annual%20Report%202012.pdf, p. 11.
54 US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data, 20 August 2013, available at: http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data#
55 Portrait of the NSA: no detail too small in quest for total surveillance, 2 November 2013, accessible at: http://www.theguardian.com/world/2013/nov/02/nsa-portrait-total-surveillance

A core programme that provides this capability is known as XKEYSCORE. It has been described by internal NSA presentations as an “analytic framework” which enables a single search to query a “3-day rolling buffer” of “all unfiltered data” stored at 150 global sites on 700 database servers.56 The NSA XKEYSCORE system has sites that appear in Five Eyes countries,57 with New Zealand’s Waihopai Station, Australia’s Pine Gap, Shoal Bay, Riverina and Geraldton Stations, and the UK’s Menwith Hill base all present. It has been confirmed that all these bases use XKEYSCORE and “contribute to the program.”58 The system indexes e-mail addresses, file names, IP addresses and port numbers, cookies, webmail and chat usernames and buddylists, phone numbers, and metadata from web browsing sessions including searches queried, among many other types of data that flow through their collection points.
It has been reported that XKEYSCORE “processes all signals before they are shunted off to various "production lines" that deal with specific issues and the exploitation of different data types for analysis - variously code-named NUCLEON (voice), PINWALE (video), MAINWAY (call records) and MARINA (internet records).”59 One of these programmes, MARINA, “has the ability to look back on the last 365 days' worth of DNI metadata seen by the SIGINT collection system, regardless whether or not it was tasked for collection”,60 giving Five Eyes partners the ability to look back on a full year's history for any individual whose data was collected – either deliberately or incidentally – by the system.

The no-spy deal myth

While UKUSA is often reported as having created a ‘no spy pact’ between Five Eyes States, there is little in the original text to support such a notion. Crucially, first and foremost no clause exists that attempts in any form to create such an obligation. Instead, if anything the converse is true: the scope of the arrangement consciously carves out space to permit State-on-State spying even by parties to UKUSA. It limits the scope to governing the “relations of above-mentioned parties in communications intelligence matters only” and more specifically that the “exchange of such … material … is not prejudicial to national interests.”61 Additionally, while the text mandates that each party shall “maintain, in the country of the other, a senior liaison officer accredited to the other,” once again the text is caveated, stating that “[l]iaison officers of one party shall normally have unrestricted access to those parts of the other’s agencies which are engaged directly in the production of COMINT, except such parts thereof which contain unexchangable information.”62

56 http://www.theguardian.com/world/interactive/2013/jul/31/nsa-xkeyscore-program-full-presentation
57 http://www.theguardian.com/world/interactive/2013/jul/31/nsa-xkeyscore-program-full-presentation page 5
58 http://www.smh.com.au/world/snowden-reveals-australias-links-to-us-spy-web-20130708-2plyg.html
59 http://www.smh.com.au/world/snowden-reveals-australias-links-to-us-spy-web-20130708-2plyg.html
60 http://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents
61 page 9

As best can be ascertained, therefore, it seems there is no prohibition on intelligence-gathering by Five Eyes States with respect to the citizens or residents of other Five Eyes States. There is instead, it seems, a general understanding that citizens will not be directly targeted, and where communications are incidentally intercepted there will be an effort to minimize the use and analysis thereof by the intercepting State. This analysis has been confirmed by a leaked draft 2005 NSA directive entitled “Collection, Processing and Dissemination of Allied Communications.”63 This directive carries the classification marking “NF” meaning “No Foreign”, short for “NOFORN” or "Not Releasable to Foreign Nationals." The directive states: “Under the British-U.S. Communications Intelligence Agreement of 5 March 1946 (commonly known as the United Kingdom/United States of American (UKUSA) Agreement), both governments agreed to exchange communications intelligence products, methods and techniques as applicable so long as it was not prejudicial to national interests. This agreement has evolved to include a common understanding that both governments will not target each other’s citizens/persons.
However when it is in the best interest of each nation, each reserve the right to conduct unilateral COMINT against each other’s citizens/persons. Therefore, under certain circumstances, it may be advisable and allowable to target Second Party persons and second party communications systems unilaterally when it in the best interests of the U.S and necessary for U.S national security. Such targeting must be performed exclusively within the direction, procedures and decision processes outlined in this directive.”64 The directive continues: “When sharing the planned targeting information with a second party would be contrary to US interests, or when the second party declines a collaboration proposal, the proposed targeting must be presented to the signals intelligence director for approval with justification for the criticality of the proposed collection. If approved, any collection, processing and dissemination of the second party information must be maintained in NoForn channels."65

62 page 23
63 US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data, 20 August 2013, available at: http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data#
64 Draft 2005 directive, reprinted in “US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data,” The Guardian, 20 August 2013, available at: http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data#
65 Ibid.

Significantly, the details of some NSA programmes, not intended to be shared with Five Eyes countries, indicate that intelligence collection is taking place in Five Eyes partner countries. Documents on NSA’s big data analysis and data visualization system BOUNDLESS INFORMANT66 are marked “TOP SECRET//SI//NOFORN”. These documents show that in March 2013 the agency collected 97 billion pieces of intelligence from computer networks worldwide.
The document grades countries based on a color scheme of green (least subjected to surveillance) through to yellow and orange and finally, red (most surveillance). Five Eyes partners are not excluded from the map and instead are shaded green, which is suggestive that some collection of these States’ citizens or communications is occurring. Changes to the original arrangement, however, suggest a convention is in place between at least two of the Five Eyes partners – UK and US – that prevents deliberate collection or targeting of each other’s citizens unless authorised by the other State. The 2005 draft directive states: “[t]his agreement [UKUSA] has evolved to include a common understanding that both governments will not target each other’s citizens/persons.” This of course has not prevented spying without consent, but it appears it is preferable that when Five Eyes partners want to spy on another member of the agreement, they do so with the other country’s consent. It is unclear on what basis consent may be given or withheld, but the directive explains: "There are circumstances when targeting of second party persons and communications systems, with the full knowledge and co-operation of one or more second parties, is allowed when it is in the best interests of both nations."67 The directive goes on to state that these circumstances might include "targeting a UK citizen located in London using a British telephone system;" "targeting a UK person located in London using an internet service provider (ISP) in France;” or "targeting a Pakistani person located in the UK using a UK ISP." Historically, the Five Eyes members expected each other to make attempts to minimise the retention and dissemination of information about Five Eyes partners once intercepted. 
Duncan Campbell explains: “New Zealand officials were instructed to remove the names of identifiable UKUSA citizens or companies from their reports, inserting instead words such as "a Canadian citizen" or "a US company". British COMINT staff have described following similar procedures in respect of US citizens following the introduction of legislation to limit NSA's domestic intelligence activities in 1978. The Australian government says that "DSD and its counterparts operate internal procedures to satisfy themselves that their national interests and policies are respected by the others … the Rules [on SIGINT and Australian persons] prohibit the dissemination of information relating to Australian persons gained accidentally during the course of routine collection of foreign communications; or the reporting or recording of the names of Australian persons mentioned in foreign communications."68

66 David Cameron's phone 'not monitored' by US, BBC News, 26th October 2013, available at: http://www.theguardian.com/world/interactive/2013/jun/08/nsa-boundless-informant-data-mining-slides
67 US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data, 20 August 2013, available at: http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data#

A 2007 document explains that this is no longer an expectation, as the Five Eyes are consenting to the broad trawling of data incidentally intercepted by other Five Eyes partners.
The document explains: "Sigint [signals intelligence] policy … and the UK Liaison Office here at NSAW [NSA Washington] worked together to come up with a new policy that expands the use of incidentally collected unminimized UK data in SIGINT analysis[…] Now SID analysts can unminimize all incidentally collected UK contact identifiers, including IP and email addresses, fax and cell phone numbers, for use in analysis."69

Outside the Second Party partners that make up the Five Eyes, there is no ambiguity about who else can be spied on, including third party partners. An internal NSA presentation made clear “[w]e can, and often do, target the signals of most 3rd party foreign partners.”70 In other words, the intelligence services of the Five Eyes agencies may spy on each other, with some expectation that they will be consulted when this occurs; everyone else is fair game, even if they have a separate intelligence-sharing agreement with one or several Five Eyes members. This understanding that allies may still be spied upon has been echoed in other public statements made by the US, which in the wake of the Snowden revelations has confirmed, through an unnamed senior official, that "we have not made across the board changes in policy like, for example, terminating intelligence collection that might be aimed at all allies."71

Spying on heads of State

Questions remain, however, as to whether arrangements within Five Eyes may prevent the surveillance of the respective heads of States of Five Eyes partners.
It has been confirmed by the White House that UK Prime Minister David Cameron’s communications “have not, are not and will not be monitored by the US.”72 However, while New Zealand Prime Minister John Key has agreed that he is satisfied that the US has not spied on him and that he is “confident of the position,” he will not confirm whether this is because the Five Eyes members have agreed to this.73 Additionally, after German Chancellor Angela Merkel demanded74 that the United States sign a no-spy agreement to prohibit the bilateral spying between nations, the US has indicated that while they would be willing to engage in "a new form of collaboration” a no-spy pact is not on the table.75

68 http://www.duncancampbell.org/menu/surveillance/echelon/IC2000_Report%20.pdf page 3
69 http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data#
70 http://www.spiegel.de/international/world/secret-documents-nsa-targeted-germany-and-eu-buildings-a908609.html
71 Feinstein: White House Will Stop Spying on Allies. White House: Not So Fast, The Atlantic Wire, 28th October 2013, available at: http://www.thewire.com/politics/2013/10/sen-feinstein-white-house-will-stopspying-allies/71023/
72 http://www.bbc.co.uk/news/uk-politics-24668861
73 John Key, 29 October 2013, Post-Cabinet Press Conference, audio available at: http://www.scoop.co.nz/stories/HL1310/S00224/pms-press-conference-audio-meridian-spying-andfonterra.htm; Key confident US didn't spy on him, Stuff.co.nz, 29th October 2013, available at: http://www.stuff.co.nz/national/politics/9338530/Key-confident-US-didn-t-spy-on-him

Allied spying more broadly is a common activity.
In 1960, when Bernon Mitchell and William Martin infamously defected to the Soviet Union, they revealed the scope of NSA’s activities, reporting that: “We know from working at NSA [that] the United States reads the secret communications of more than forty nations, including its own allies… NSA keeps in operation more than 2000 manual intercept positions… Both enciphered and plain text communications are monitored from almost every nation in the world, including the nations on whose soil the intercept bases are located.”76

Other surveillance partnerships

Over almost seven decades, the Five Eyes alliance has splintered notably only once when, in 1985, New Zealand’s new Labour Government refused to allow a US ship to visit New Zealand, in accordance with the government’s anti-nuclear policy (not to allow ships into New Zealand waters without confirmation they were neither nuclear-powered, nor carrying nuclear weapons). This policy was turned into law in 1987 with the creation of the New Zealand Nuclear Free Zone.77 The political fallout from the introduction of the policy included the splintering off of New Zealand, at least temporarily, from the Five Eyes, and the creation of a Four Eyes alliance with the acronym ACGU. This split has been confirmed in a number of military classification marking documents.78 It is understood that there was some distancing of New Zealand from the Five Eyes in the years immediately following the incident, but that the schism was less significant than previously thought;79 by making reference to documents dated in the past decade, released as part of the Snowden leaks, it is clear that New Zealand remains an integral part of the Five Eyes alliance.
74 Germany to seek ‘no spying’ deal with US, Financial Times, 12th August 2013, available at: http://www.ft.com/cms/s/0/67eef7f4-0375-11e3-980a-00144feab7de.html
75 Germans Rejected: US Unlikely to Offer 'No-Spy' Agreement, Der Spiegel, 12th November 2013, available at: http://www.spiegel.de/international/germany/us-declines-no-spy-pact-with-germany-butmight-reveal-snowden-secrets-a-933006.html
76 Inside Echelon, Duncan Campbell, 2000, available at: http://www.heise.de/tp/artikel/6/6929/1.html
77 New Zealand Nuclear Free Zone, Disarmament, and Arms Control Act 1987: s 9(2) states “The Prime Minister may only grant approval for the entry into the internal waters of New Zealand by foreign warships if the Prime Minister is satisfied that the warships will not be carrying any nuclear explosive device upon their entry into the internal waters of New Zealand.” Section 11 states “Entry into the internal waters of New Zealand by any ship whose propulsion is wholly or partly dependent on nuclear power is prohibited.”
78 http://www.afcea.org/events/pastevents/documents/LWN11_Track_1_Session_5.pdf; https://www2.centcom.mil/sites/foia/rr/CENTCOM%20Regulation%20CCR%2025210/Wardak%20CH47%20Investigation/r_EX%2060.pdf
79 See, Nicky Hager, Secret Power, 1996, pp. 23-24.

Additionally, other ‘Eyes-like’ relationships exist, in various forms with membership ranging through 3-, 4-, 6-, 7-, 8-, 9-, 10- and 14-Eyes communities.
These ‘Eyes’ reference different communities with varying focuses, dealing with military coalitions and intelligence partnerships, with many having established dedicated communication networks.80 The Guardian describes two such arrangements: “the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan.”81

This is supported by statements made by an ex-senior NATO intelligence officer: "The Five Eyes SIGINT community also plays a ‘core’ role in a larger galaxy of SIGINT organizations found in established democratic states, both west and east. Five Eyes ‘plus’ gatherings in the west include Canada’s NATO allies and important non-NATO partners such as Sweden. To the east, a Pacific version of the Five Eyes ‘plus’ grouping includes, among others, Singapore and South Korea. Such extensions add ‘reach’ and ‘layering’ to Five Eyes SIGINT capabilities."82 A New York Times article83 again confirms such groups exist by acknowledging "[m]ore limited cooperation occurs with many more countries, including formal arrangements called Nine Eyes and 14 Eyes and Nacsi, an alliance of the agencies of 26 NATO countries."

Different intelligence co-operation groups also exist outside the broader abovementioned structures dealing with narrower areas of collaboration.84 Within these groups, no attempt to create a no-spy deal has been made; these countries "can gather intelligence against the United States through CNE (computer network exploitation) and therefore share CNE and CND (Computer Network Defense) can sometimes pose clear risks."85
80 http://electrospaces.blogspot.co.uk/2013/11/five-eyes-9-eyes-and-many-more.html
81 http://www.theguardian.com/world/2013/nov/02/nsa-portrait-total-surveillance
82 Canada and the Five Eyes Intelligence Community, James Cox, Strategic Studies Working Group Papers, December 2012, accessible at: http://www.cdfai.org/PDF/Canada%20and%20the%20Five%20Eyes%20Intelligence%20Community.pdf page 7
83 No Morsel Too Minuscule for All-Consuming N.S.A., New York Times, 2nd November, 2013 http://mobile.nytimes.com/2013/11/03/world/no-morsel-too-minuscule-for-all-consumingnsa.html?pagewanted=2,all&hp=&_r=0
84 One co-operation group is mentioned in an NSA document entitled “sharing computer networking operations cryptologic information with foreign partners”. This document names the Five Eyes partnership a “Tier A” group that has ‘comprehensive cooperation.’ The much larger “Tier B” of 19 countries has ‘focused co-operation’ and is mostly made up of European States, except Japan, Turkey and South Korea. The full list includes Austria, Belgium, Czech Republic, Denmark, Germany, Greece, Hungary, Iceland, Italy, Japan, Luxembourg, Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland and Turkey. El CNI facilitó el espionaje masivo de EEUU a España, El Mundo, 10th October, 2013, accessible at: http://www.elmundo.es/espana/2013/10/30/5270985d63fd3d7d778b4576.html
85 El CNI facilitó el espionaje masivo de EEUU a España, El Mundo, 10th October, 2013, accessible at: http://www.elmundo.es/espana/2013/10/30/5270985d63fd3d7d778b4576.html
It was reported86 in 2010, when the UKUSA documents were first released, that “Norway joined [the eavesdropping network] in 1952, Denmark in 1954, and Germany in 1955” and that “Italy, Turkey, the Philippines and Ireland are also members.” This however has been contested, with a journalist working on the current Snowden documents stating they were “confused by that reference.”87

The NATO Special Committee, made up of the heads of the security services of NATO member countries, also provides a platform for intelligence sharing, although due to the alliance’s diverse and growing membership it is thought there are concerns about sharing sensitive military and SIGINT documents on a systematic basis.88 As explained by Scheinin and Vermeulen,89 however:

“The Agreement between the parties to the North Atlantic Treaty for the security of information of 1949 is quite short, but article 5 for instance gives states carte blanche ‘to make any other agreement relating to the exchange of classified information originated by them,’ leaving room for many technically detailed arrangements in which the actual cooperation is being regulated.”

86 http://www.theguardian.com/world/2010/jun/25/intelligence-deal-uk-us-released
87 https://twitter.com/jamesrbuk/status/403643887685611520
88 The 28 NATO countries are Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, United Kingdom, United States.
89 Scheinin, M and Vermeulen, M, “Intelligence cooperation in the fight against terrorism through the lens of human rights law and the law of state responsibility,” in Born, Leigh and Wills (eds), International Intelligence Cooperation and Accountability (Oxon: Routledge, 2011), 256.
Chapter Two – Secret law is not law

The intelligence agencies of the Five Eyes countries conduct some of the most important, complex and far-reaching activities of any State agency, and they do so behind the justification of a thicket of convoluted and obfuscated legal and regulatory frameworks. The laws and agreements that make up the Five Eyes arrangement and apply it to domestic contexts lack any semblance of clarity or accessibility necessary to ensure that the individuals whose rights and interests are affected by them are able to understand their application. As such, they run contrary to the fundamental building blocks of the rule of law.

The rule of law and accessibility

The accessibility of law is a foundational element of the rule of law. Many have different views of what exactly constitutes the rule of law, but it is widely understood to play a critical role in checking excessive or arbitrary power. Core to the rule of law is the idea that all individuals are able to know what law is exercised over them by those in power, and how conduct must be accordingly regulated to ensure it is in compliance with such laws. Lord Neuberger’s first principle of the rule of law explains just how critical the accessibility of law is to the rule of law:

“At its most basic, the expression connotes a system under which the relationship between the government and citizens, and between citizen and citizen, is governed by laws which are followed and applied. That is rule by law, but the rule of law requires more than that. First, the laws must be freely accessible: that means as available and as understandable as possible.”90

If law itself isn’t published in a clear and understandable way then citizens cannot evaluate when an action by another person, or by their government, is unlawful. As Tom Bingham explains, “if the law is not sufficiently clear, then it becomes inaccessible; if people cannot properly access (i.e.
understand) the law that they are governed by, then so far as they are concerned, they are being governed by arbitrary power.” For all actions by the State there must be a legal justification. Simply because there is law on the statute books does not necessarily mean that it isn’t arbitrary.

Accessing the laws regulating the actions of the Five Eyes

It has been alleged that “there is no formal over-arching international agreement that governs all Five Eyes intelligence relationships,”91 but rather a myriad of memoranda, agreements, and conventions that must be considered in tandem with complex national legislation. Scheinin and Vermeulen argue that

“The overwhelming majority of these intelligence cooperation arrangements are secret – or at least they are never published nor registered at the UN Secretariat pursuant to Article 102 of the UN Charter.92 From the perspective of international law they are likely to fall within a murky area of ‘non-treaty arrangements’, which can include arrangements such as ‘memoranda of understanding’, ‘political agreements’ ‘provisional understanding’, ‘exchanges of notes’, ‘administrative agreements’, ‘terms of reference’, ‘declarations’ and virtually every other name one can think of.”93

However, taken together, the Five Eyes agreements arguably rise to the level of an enforceable treaty under international law. It is clear from their scope and wide-reaching ramifications that the Five Eyes agreements implicate the rights and interests of individuals sufficiently to raise the agreements to the level of legally-binding treaty.

In any event, it is impossible to know whether the initial intentions of the drafters or the scope of the legal obligations created under the agreements elevate them to the status of legally-binding treaty because the agreements are completely hidden from public view. Indeed, not only are the public unable to access and scrutinise the agreements that regulate the actions of the Five Eyes, but even the intelligence services themselves do not have a complete picture of the extent of intelligence sharing activities. The NSA admitted during legal proceedings in 2011 that the information-gathering infrastructure was so complex that “there was no single person with a complete understanding.”94

The domestic legal frameworks implementing the obligations created by the Five Eyes obligations are equally obfuscated. With respect to the US, for example, the NSA acknowledged in a recently-released strategy document that “[t]he interpretation and guidelines for applying [American] authorities, and in some cases the authorities themselves, have not kept pace with the complexity of the technology and target environments, or the operational expectations levied on NSA’s mission.”95

90 http://www.supremecourt.gov.uk/docs/speech-131015.pdf
91 Canada and the Five Eyes Intelligence Community, James Cox, Strategic Studies Working Group Papers, December 2012, accessible at: http://www.cdfai.org/PDF/Canada%20and%20the%20Five%20Eyes%20Intelligence%20Community.pdf page 4
92 Article 102 of the UN Charter states that: 1. Every treaty and every international agreement entered into by any Member of the United Nations after the present Charter comes into force shall as soon as possible be registered with the Secretariat and published by it. 2. No party to any such treaty or international agreement which has not been registered in accordance with the provisions of paragraph 1 of this Article may invoke that treaty or agreement before any organ of the United Nations.
93 Scheinin, M and Vermeulen, M, “Intelligence cooperation in the fight against terrorism through the lens of human rights law and the law of state responsibility,” in Born, Leigh and Wills (eds), International Intelligence Cooperation and Accountability (Oxon: Routledge, 2011), 256.
94 http://www.theregister.co.uk/Print/2013/09/11/declassified_documents_show_nsa_staff_abused_tapping_misled_courts/
95 (U) SIGINT Strategy, 2012-2016, 23 February 2012

The chair of the Senate intelligence committee, Dianne Feinstein, has strongly criticised the actions taken by the NSA under the purported ambit of the relevant legislation, noting that “[…] it is clear to me that certain surveillance activities have been in effect for more than a decade and that the Senate Intelligence Committee was not satisfactorily informed.”96

In the UK, the Intelligence and Security Committee – in charge of overseeing the actions of the UK intelligence agencies, including GCHQ – has responded to the Snowden leaks by remarking:

“It has been alleged that GCHQ circumvented UK law by using the NSA’s PRISM programme to access the content of private communications […] and we are satisfied that they conformed with GCHQ’s statutory duties. The legal authority for this is contained in the Intelligence Services Act 1994.”97

Yet the chair of the ISC has in fact admitted to confusion about whether “if British intelligence agencies want to seek to know the content of emails can they get round the normal law in the UK by simply asking an American agencies to provide that information?”98

When the head of the committee charged with overseeing the lawfulness of the actions of intelligence services is unsure as to whether such agencies have acted lawfully, there is plainly a serious dearth in the accessibility of law, calling into question the rule of law. Without law that is accessible, citizens are unable to regulate their conduct or scrutinise that of their governments.
In such circumstances, it is impossible to verify whether governments are acting in accordance with the law as required of them under human rights law.

96 Paul Lewis and Spencer Ackerman, “NSA: Dianne Feinstein breaks ranks to oppose US spying on allies,” The Guardian, 29 October 2013, available at http://www.theguardian.com/world/2013/oct/28/nsasurveillance-dianne-feinstein-opposed-allies.
97 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/225459/ISC-Statementon-GCHQ.pdf
98 Nicholas Watts, “GCHQ ‘broke law if it asked for NSA intelligence on UK citizens’,” The Guardian, 10 June 2013, available at http://www.theguardian.com/world/2013/jun/10/gchq-broke-law-nsa-intelliegence

Ensuring the Five Eyes act ‘in accordance with the law’

There is a significant body of European Court of Human Rights jurisprudence on what constitutes interference “in accordance with the law” in the context of secret surveillance and information gathering, such as that undertaken by the Five Eyes. The Court begins from the perspective that surveillance, particularly secret surveillance, is a significant infringement on human rights, and in order to be justified under the European Convention on Human Rights the law must be sufficiently clear and precise “to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to this secret and potentially dangerous interference.”99 It must be clear “what elements of the powers to intercept are incorporated in legal rules and what elements remain within the discretion of the executive” and the law must indicate “with reasonable clarity the scope and manner of exercise of the relevant discretion conferred on the public authorities”100 in order that individuals may have some certainty about the laws to which they are subject and regulate their conduct accordingly.
Yet “the degree of certainty will depend on the circumstances.”101 As the Court has noted, “foreseeability in the special context of secret measures of surveillance, such as the interception of communications, cannot mean that an individual should be able to foresee when the authorities are likely to intercept his communications so that he can adapt his conduct accordingly...”102

Where a power vested in the executive is exercised in secret, however, the risks of arbitrariness are evident: in the words of the Court in Weber v Germany, “a system of secret surveillance for the protection of national security may undermine or even destroy democracy under the cloak of defending it.”103 In such circumstances, it “is essential to have clear, detailed rules on the subject, especially as the technology available for use is continually becoming more sophisticated…”104

What, then, does human rights law require of a law in order to ensure secret surveillance does not infringe the principles of accessibility and foreseeability? The Court’s decision in Weber is authoritative on this point:

“In its case law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power: the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.”105

99 Malone v United Kingdom (1985) 7 EHRR 14 [67]
100 Ibid, at [79].
101 Ormerod, R. and Hooper, Blackstone’s Criminal Practice 2012, London 2012.
102 Weber v Germany, Application 54934/00, (2008) 46 EHRR SE5 at [77].
103 Ibid, at [106].
104 Kruslin v France (1990) 12 EHRR 547, at [33].
105 Ibid, at [95]

Applying human rights requirements to the laws of the Five Eyes

There is no clear and accessible legal regime that indicates the circumstances in which, and the conditions on which, Five Eyes authorities can request access to signals intelligence from, or provide such intelligence to, another Five Eyes authority. Each of the Five Eyes states has broad, vague domestic laws that purport to warrant the sharing of and access to shared signals intelligence with the authorities of other States, but fail to set out minimum safeguards or provide details of or restrictions upon the nature of intelligence sharing.

In the United Kingdom, the ISC has indicated that the authority to share and receive intelligence is granted by the Intelligence Services Act 1994. Section 3(1) of the 1994 Act specifies the functions of GCHQ in these terms: “(1) There shall continue to be a Government Communications Headquarters under the authority of the Secretary of State; and, subject to subsection (2) below, its functions shall be – (a) to monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material; and (b) to provide advice and assistance [...]”

Section 3(2) of the 1994 Act specifies the purposes for which the functions referred to in s3(1)(a) shall be exercisable, and makes clear that they shall be exercisable only (a) in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or (b) in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands; or (c) in support of the prevention or detection of serious crime.
Section 4(2)(a) of the 1994 Act imposes on the Director of GCHQ a duty to ensure – (a) that there are arrangements for securing that no information is obtained by GCHQ except so far as necessary for the proper discharge of its functions and that no information is disclosed by it except so far as necessary for that purpose or for the purpose of any criminal proceedings.

In the United States, the scope of intelligence activities was initially set down in Executive Order 12333 – United States intelligence activities, of December 4, 1981.106 Even though the structure of the United States intelligence community changed considerably after 9/11, the powers granted in the Executive Order nevertheless continue to be invoked.

106 http://www.archives.gov/federal-register/codification/executive-order/12333.html#1.9

Section 1.12 (b) provides that the responsibilities of the National Security Agency shall include, inter alia: (5) Dissemination of signals intelligence information for national foreign intelligence purposes to authorized elements of the Government, including the military services, in accordance with guidance from the Director of Central Intelligence; (6) Collection, processing and dissemination of signals intelligence information for counterintelligence purposes; (7) Provision of signals intelligence support for the conduct of military operations in accordance with tasking, priorities, and standards of timeliness assigned by the Secretary of Defense.
If provision of such support requires use of national collection systems, these systems will be tasked within existing guidance from the Director of Central Intelligence; […] (12) Conduct of foreign cryptologic liaison relationships, with liaison for intelligence purposes conducted in accordance with policies formulated by the Director of Central Intelligence […] Section 1.7 deals with the responsibilities of Senior Officials of the Intelligence Community, and designates the following responsibility to the Director of Central Intelligence: (f) Disseminate intelligence to cooperating foreign governments under arrangements established or agreed to by the Director of Central Intelligence […] Section 1.8 relates to the Central Intelligence Agency, and includes among that body’s functions to (a) Collect, produce and disseminate foreign intelligence and counterintelligence, including information not otherwise obtainable […] The legislation in Australia is slightly more detailed with regards to the circumstances in which intelligence can be shared with and received from foreign intelligence agencies. 
The actions of the Australian intelligence agencies are governed by the Intelligence Services Act 2001, section 7 of which articulates the functions of the Australian Signals Directorate, which include (1) to obtain intelligence about the capabilities, intentions or activities of people or organisations outside Australia in the form of electromagnetic energy, whether guided or unguided or both, or in the form of electrical, magnetic or acoustic energy, for the purposes of meeting the requirements of the Government, and in particular the requirements of the Defence Force, for such intelligence; and (2) to communicate, in accordance with the Government’s requirements, such intelligence; and (3) to provide material, advice and other assistance to Commonwealth and State authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means; […]

Pursuant to s11(2AA) of the Act, intelligence agencies may communicate incidentally obtained intelligence to appropriate Commonwealth or State authorities or to authorities of other countries approved under paragraph 13(1)(c) if the intelligence relates to the involvement, or likely involvement, by a person in one or more of the following activities: (a) activities that present a significant risk to a person’s safety; (b) acting for, or on behalf of, a foreign power; (c) activities that are a threat to security; (d) activities related to the proliferation of weapons of mass destruction or the movement of goods listed from time to time in the Defence and Strategic Goods List (within the meaning of regulation 13E of the Customs (Prohibited Exports) Regulations 1958); (e) committing a serious crime.
Section 13(1)(c) permits the agency to cooperate with “authorities of other countries approved by the Minister as being capable of assisting the agency in the performance of its functions.”

New Zealand similarly provides the Government Communications Security Bureau with broad powers and functions, including under section 8A (a) to co-operate with, and provide advice and assistance to, any public authority whether in New Zealand or overseas, or to any other entity authorised by the Minister, on any matters relating to the protection, security, and integrity of— (i) communications, including those that are processed, stored, or communicated in or through information infrastructures; and (ii) information infrastructures of importance to the Government of New Zealand; […] and under section 8B (a) to gather and analyse intelligence (including from information infrastructures) in accordance with the Government's requirements about the capabilities, intentions, and activities of foreign persons and foreign organisations; and (b) to gather and analyse intelligence about information infrastructures; and (c) to provide any intelligence gathered and any analysis of the intelligence to— (i) the Minister; and (ii) any person or office holder (whether in New Zealand or overseas) authorised by the Minister to receive the intelligence.

Section 8B(2) also sanctions the sharing of information with foreign intelligence authorities, stipulating “[f]or the purpose of performing its function under subsection (1)(a) and (b), the Bureau may co-operate with, and provide advice and assistance to, any public authority (whether in New Zealand or overseas) and any other entity authorised by the Minister for the purposes of this subsection.”

In Canada, the functions of the Communications Security Establishment Canada (CSEC) are articulated in Part V.1 to the National Defence Act.
Section 273.64(1) sets out CSEC’s three-part mandate, namely (a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities; (b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and (c) to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties. Part V.1 of the National Defence Act in relation to CSEC does not contain any provisions on cooperation with other agencies, including foreign agencies.

An analysis of these cursory legal provisions reveals that they fall far short of describing the fluid and integrated intelligence sharing activities that take place under the ambit of the Five Eyes arrangement with sufficient clarity and detail to ensure that individuals can foresee their application. None of the domestic legal regimes set out the circumstances in which intelligence authorities can obtain, store and transfer nationals’ or residents’ private communication and other information that are intercepted by another Five Eyes agency, nor which will govern the circumstances in which any of the Five Eyes States can request the interception of communications by another party to the alliance. The same applies to obtaining private information such as emails, web-histories etc. held by internet and other telecommunication companies. Nor is there a legal regime that indicates, once such communications are provided to the authorities of one State, the procedure for examining, using or storing the communication, the conditions for transferring it to third parties and the circumstances in which it will be destroyed.
The legal and regulatory frameworks that govern and give effect to Five Eyes cannot be said to be sufficiently clear and detailed to meet the requirement of being “in accordance with the law,” nor are they sufficiently accessible to ensure that they comply with the rule of law. Secret, convoluted or obfuscated law can never be considered law within a democratic society governed by the rule of law. The actions of the Five Eyes run completely contrary to the fundamental building blocks of such a society.

Chapter Three – Holding the Five Eyes to account

The recent revelations of global surveillance practices have prompted a fundamental re-examination of the responsibility of States under international law with respect to cross-border surveillance. The patchwork of secret spying programmes and intelligence-sharing agreements implemented by parties to the Five Eyes arrangement constitutes an integrated global surveillance arrangement that now covers the majority of the world’s communications. At the heart of this arrangement are carefully constructed legal frameworks that provide differing levels of protections for internal versus external communications, or those relating to nationals versus non-nationals. These frameworks attempt to circumvent national constitutional or human rights protections governing interferences with the right to privacy of communications that, States contend, apply only to nationals or those within their territorial jurisdiction. In doing so, the Five Eyes states not only defeat the spirit and purpose of international human rights instruments; they are in direct violation of their obligations under such instruments.
Human rights obligations apply to all individuals subject to a State’s jurisdiction.107 Jurisdiction extends not only to the territory of the State, but to anyone within the power and effective control of the State, even if they are outside the territory.108 It is argued here that jurisdiction extends to situations where a State interferes with the right to privacy of an individual whose communications are intercepted, stored or processed within that State’s territory. In such circumstances, the State owes obligations to that individual regardless of their location.

By understanding State jurisdiction over human rights violations in this way we can give effect to international human rights obligations in the digital age. Through the concept of “interference-based jurisdiction”, whereby, subject to permissible limitations, States owe a general duty not to interfere with communications that pass through their territorial borders, mass surveillance is cognisable within a human rights framework in a way that provides rights and remedies to affected individuals. Without such a perspective on responsibility for violations that properly reflects the nature and scope of Five Eyes surveillance, and the way in which privacy violations occur, States will continue to conduct surveillance in a way that renders human rights obligations meaningless.
107 ICCPR, Article 2: “Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction…”; ECHR, Article 1: “The High Contracting Parties shall secure to everyone within their jurisdiction the rights and freedoms defined in Section I of this Convention;” American Convention on Human Rights, Article 1: “The States Parties to this Convention undertake to respect the rights and freedoms recognized herein and to ensure to all persons subject to their jurisdiction the free and full exercise of those rights and freedoms, without any discrimination for reasons of race, color, sex, language, religion, political or other opinion, national or social origin, economic status, birth, or any other social condition.”
108 Human Rights Committee General Comment 31, para 10.

We seek to introduce an alternative perspective on jurisdiction and to further understandings of how human rights law can be understood in the digital age. Our intention is to supplement – not to detract from – other arguments around how jurisdiction in international human rights law functions in relation to mass surveillance. For example, interferences occurring outside the territory of the state may be attributable to that state under the ordinary principles of state responsibility. However, we are concerned exclusively with a State’s obligations in relation to interferences with the right to privacy (when communications are collected, stored or processed) occurring within the physical territory of that State.

The right to privacy of communications

The right to privacy is an internationally recognized right.
Article 17 (1) of the International Covenant on Civil and Political Rights provides “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” According to the United Nations Human Rights Committee, in its General Comment No. 16:

“Compliance with article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. Correspondence should be delivered to the addressee without interception and without being opened or otherwise read. Surveillance, whether electronic or otherwise, interceptions of telephonic, telegraphic and other forms of communication, wiretapping and recording of conversations should be prohibited.”109

Article 8 of the European Convention on Human Rights provides a right to respect for one’s “private and family life, his home and his correspondence”, subject to certain restrictions that are "in accordance with law" and "necessary in a democratic society". The European Court of Human Rights has consistently held that the interception of telephone communications, as well as facsimile and e-mail communications content,110 are covered by notions of “private life” and “correspondence” and thus constitute an interference with Article 8.111

109 CCPR General Comment No. 16: Article 17 (Right to Privacy), para. 8.
110 Liberty & Ors v United Kingdom (2008) Application 58243/00
111 See Malone v United Kingdom (1985) 7 EHRR 14 [64]; Weber v Germany (2008) 46 EHRR SE5 at [77]; and Kennedy v United Kingdom (2011) 52 EHRR 4 at [118].
112 Amann v Switzerland (2000) application 27798/95; Leander v. Sweden judgment of 26 March 1987, Series A no. 116, p. 22, § 48

Importantly the European Court has found112 the interception and/or storage of a communication constitutes the violation, and that the “subsequent use of the stored
information has no bearing on that finding“113 nor does it matter “whether the information gathered on the applicant was sensitive or not or as to whether the applicant had been inconvenienced in any way.“114 It is argued that the same reasoning applies to the processing of communications. Therefore, the right to privacy, extending as it does to the privacy of communications, is a relatively unusual right in the sense that its realization can occur remotely from the physical location of the individual. When an individual sends a letter, email or a text-message, or makes a phone call, that communication leaves their physical proximity and travels to its destination. In the course of its transmission the communication may pass through multiple other States and, therefore, multiple jurisdictions. The right to privacy of the communication remains intact, subject only to the permissible limitations set out under human rights law.115 Mass surveillance as a breach of the right to privacy of communications The Special Rapporteur on the promotion and protection of the right to freedom of expression and opinion has described the invasiveness of mass interception of fibre optic cables:116 “By placing taps on the fibre optic cables, through which the majority of digital communication information flows, and applying word, voice and speech recognition, States can achieve almost complete control of tele- and online communications.” The Special Rapporteur reasons that “[m]ass interception technology eradicates any considerations of proportionality, enabling indiscriminate surveillance. It enables the State to copy and monitor every single act of communication in a particular country or area, without gaining authorization for each individual case of interception.”117 Mass surveillance has also been found to be an interference with the right to privacy under European human rights law. 
In Weber and Saravia v Germany (2006) Application 54934/00, the Court reiterated that “the mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied. This threat necessarily strikes at freedom of communication between users of the telecommunications services and thereby amounts in itself to an interference with the exercise of the applicants’ rights under Article 8, irrespective of any measures actually taken against them.” The collection and storage of data that relates to an individual’s private life is so invasive, and brings with it such risk of abuse, that it alone amounts to an interference with the right to privacy, according to European Court of Human Rights jurisprudence.118 Accordingly, mass surveillance programmes must violate international law.

113 Amann v Switzerland (2000) application 27798/95 para 69
114 Amann v Switzerland (2000) application 27798/95 para 70
115 A comprehensive account of the permissible limitations on the right to privacy is presented in the report of the UN Special Rapporteur on the freedom of expression and opinion of 17 April 2013 (A/HRC/23/40).
116 Report of the Special Rapporteur on promotion and protection of the right to freedom of expression and opinion, Frank La Rue, 17 April 2013, A/HRC/23/40, available at http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf, at para. 38.
117 Ibid, para. 62.

Jurisdiction and human rights obligations

Traditional conceptions of State human rights obligations focus on a nexus between the territory where the obligation is owed and an individual’s connection with that territory (by virtue of nationality, residence or physical location within it).
In the context of obligations under international human rights treaties, jurisdiction has traditionally served as a doctrinal bar to the recognition and realization of human rights obligations extraterritorially. Although, as noted by Milanovic: “[q]uestions as to when a state owes obligations under a human rights treaty towards an individual located outside its territory are being brought more and more frequently, before courts both international and domestic. Victims of aerial bombardment119, inhabitants of territories under military occupation120 – including deposed dictators121, suspected terrorists detained in Guantanamo by the United States122, and the family of a former KGB spy who was assassinated in London through the use of a radioactive toxin, allegedly at the orders or with the collusion of the Russian government123 – all of these people have claimed protection from human rights law against a state affecting their lives while acting outside its territory.”

The jurisdiction clauses in two of the most relevant human rights instruments – the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights (ICCPR) – are notably different in their construction and numerous arguments have been mounted to support an understanding of the obligations arising under such treaties as being applicable outside the strict territorial boundaries of the State.

118 S and Marper v United Kingdom (2009) 48 EHRR 50 at [67].
119 Bankovic and Others v Belgium and Others, App. No. 52207/99, (dec.) [GC], 12 December 2001, hereinafter Bankovic.
120 R (Al-Skeini and others) v Secretary of State for Defence, [2007] UKHL 26, [2007] 3 WLR 33, [2007] 3 All ER 685, on appeal from [2005] EWCA Civ 1609, [2007] QB 140, hereinafter Al-Skeini.
121 Saddam Hussein v 21 Countries, App. No. 23276/04, (dec.), March 2006.
122 See the Conclusions and Recommendations of the Committee against Torture: United States of America, CAT/C/USA/CO/2, 25 July 2006, paras. 14 & 15 and the Concluding Observations of the Human Rights Committee: United States of America, CCPR/C/USA/CO/3, 15 September 2006, para. 10, available at http://www.unhchr.ch/tbs/doc.nsf
123 See ‘Lawyers for slain Russian agent Litvinenko take case to European court’, International Herald Tribune, 22 November 2007, available at http://www.iht.com/articles/ap/2007/11/23/europe/EU-GENBritain-Litvinenko.php?WT.mc_id=rsseurope.

Article 1 of the ECHR holds: “The High Contracting Parties shall secure to everyone within their jurisdiction the rights and freedoms defined in Section I of this Convention.” In Al-Skeini v United Kingdom,124 the European Court of Human Rights moulded – if not departed from – its earlier jurisprudence in Banković125 to issue a decision that affirms extra-territorial jurisdiction, stating: “whenever the State through its agents exercises control and authority over an individual, and thus jurisdiction, the State is under an obligation under Article 1 to secure to that individual the rights and freedoms under Section 1 of the Convention that are relevant to the situation of that individual. In this sense, therefore, the Convention rights can be “divided and tailored” (compare Banković, cited above, § 75).”126 While Milanovic (2011) notes127 some inconsistencies in the Court’s reasoning, particularly vis-à-vis Banković, crucially the case stands as authority that, although the jurisdictional competence of a State is primarily territorial, it is not limited by territory. It can also extend to those over whom the State exercises authority or control.
In contrast, Article 2(1) of the ICCPR holds: “Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant…” In 1966, the International Law Commission, in its Draft Articles on the Law of Treaties (subsequently the Vienna Convention on the Law of Treaties) noted that “[c]ertain types of treaty, by reason of their subject matter, are hardly susceptible of territorial application in the ordinary sense. Most treaties, however, have application to territory and a question may arise as to what is their precise scope territorially.”128 For the purpose of defining the conditions of applicability of the Covenant, the notion of jurisdiction refers to the relationship between the individual and the state in connection with a violation of human rights, wherever it occurred, so that acts of States that take place or produce effects outside the national territory may be deemed to fall under the jurisdiction of the state concerned.129

124 Application 55721/07, 7 July 2011
125 Application 52207/99, 12 December 2001
126 Bankovic, at para [73].
127 http://www.ejiltalk.org/european-court-decides-al-skeini-and-al-jedda/
128 ILC, ‘Draft Articles on the law of Treaties with Commentaries,’ (1966) 2 Yearbook of the International Law Commission 187 at 213.

As noted above, the right to privacy extends to the privacy of cross-border communications, so that the physical location of the individual may be in a different jurisdiction to that where the interference with the right occurs. This distinction is examined by Milanovic (2011) who asserts that extraterritorial application can take one of two forms: “it will most frequently arise from an extraterritorial state act, i.e.
conduct attributable to the state, either of commission or of omission, performed outside its sovereign borders… However – and this is a crucial point – extraterritorial application does not require an extraterritorial state act, but solely that the individual concerned is located outside the state’s territory, while the injury to his rights may as well take place inside it.”130 With regard to the right to privacy, many violations are not due to extra-territorial acts, but jurisdictional acts with extra-territorial effects. The instances in which jurisdictional acts have extra-territorial effects are infrequent but not without precedent. One example provided by Milanovic is the question of property rights of foreigners or those absent from the territory. A person may have property rights in the UK by virtue of owning a property in the territory, but may be temporarily or permanently located outside the UK. If the property were to be searched or seized without adherence to legal standards there would be a violation of the individual’s right to privacy, regardless of their location at the time of the interference. This is an example of “interference-based” jurisdiction. A second example is that of enjoyment of Article 6 ECHR fair trial rights during trials in absentia where the individual in question has absconded outside the State’s territory. The European Court of Human Rights has repeatedly upheld the right of defendants to enjoy the protections of Article 6 even when they are absent from their trial and outside the territory of the State. In Sejdovic v Italy,131 for example, the Court held, at [91]: “Although not absolute, the right of everyone charged with a criminal offence to be effectively defended by a lawyer, assigned officially if need be, is one of the fundamental features of a fair trial (see Poitrimol, cited above, § 34). 
A person charged with a criminal offence does not lose the benefit of this right merely on account of not being present at the trial (see Mariani v. France, no. 43640/98, § 40, 31 March 2005).”

129 Delia Salides de Lopez v. Uruguay, Communication No. 52/1979, 13th Sess., at 88, 91 ¶ 12.2, U.N. Doc. CCPR/C/OP/1 (29 July 1981).
130 Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (Oxford: Oxford University Press, 2011).
131 Application 56581/00, 1 March 2006

A further example is the situation in the European Court of Human Rights’ case Bosphorus Hava Yollari Turizm ve Ticaret Anonim Sirketi v Ireland (2005) 42 EHRR 1, where Irish authorities at Dublin Airport impounded an aircraft that had been leased by a Turkish company from the national airline of the former Yugoslavia. The company argued that the Irish authorities had acted in a way that was incompatible with the European Convention on Human Rights. In considering the issue of jurisdiction, the Court noted the territorial basis of jurisdiction in international law and observed:132 “In the present case it is not disputed that the act about which the applicant company complained, the detention of the aircraft leased by it for a period of time, was implemented by the authorities of the respondent State on its territory following a decision made by the Irish Minister for Transport. In such circumstances the applicant company, as the addressee of the impugned act, fell within the “jurisdiction” of the Irish State, with the consequence that its complaint about that act is compatible ratione loci, personae and materiae with the provisions of the Convention.”

With respect to the right to privacy, the European Court has considered at least two cases133 in which surveillance has involved the interference with the right to privacy of those outside of the respective State’s territory.
In neither has the Court directly considered the issue of whether obligations owed are extended to individuals outside the territory.

132 Para 137.
133 In Weber and Saravia v. Germany, Application 54934/00, 29 June 2006, the Court found that the application was inadmissible by other means; in Liberty and Ors v United Kingdom, Application 58243/00, 1 July 2008, the Government proceeded on the basis that the applicants could claim to be victims of an interference with their communications sent to or from their offices in the UK and Ireland.

Application to interferences with the right to privacy in the digital age

With the advent of the internet and new digital forms of communication, most digital communications now take the fastest and cheapest route to their destination, rather than the most direct. This infrastructure means that the sender has no ability to choose, nor immediate knowledge of, the route that their communication will take. Even when a digital communication is being sent to a recipient within the same country as the sender, it may travel around the world to reach its destination. This shift in communications infrastructure means that communications travel through many more countries, are stored in a variety of countries (particularly through the growing popularity of cloud computing) and are thus vulnerable to interception by multiple intelligence agencies. From their bases within the territory of each country, each respective intelligence agency collects and analyses communications that traverse their territory and beyond. While there are many methods used by intelligence agencies to intercept communications, one of the consistent techniques is to exploit the communications infrastructure itself, often in the form of the transnational cables that carry the world’s communications. For more than 50 years the security agencies have intercepted these transnational links.
From 1945 onwards the US intelligence agencies systematically intercepted telegraphic data entering or exiting the United States under the codename Project SHAMROCK. As technology developed, newer fibre optic cables were laid that could carry many more communications. These links were also intercepted by intelligence agencies within their territory. Investigative journalist Duncan Campbell explained in 2000 how the NSA was intercepting the foreign communications within US territory: “Internet traffic can be accessed either from international communications links entering the United States, or when it reaches major Internet exchanges. Both methods have advantages. Access to communications systems is likely to be remain clandestine - whereas access to Internet exchanges might be more detectable. […] According to a former employee, NSA had by 1995 installed “sniffer” software to collect such traffic at nine major Internet exchange points (IXPs).”134 The UK is using more modern versions of this technique to intercept, store and process communications that enter and exit the country in the form of their mass surveillance program TEMPORA. While these undersea fibre-optic cables will land in multiple different countries, due to the UK's geographical position, a disproportionate number of undersea cables land in the UK before they cross the Atlantic Ocean. The Guardian135 reported that by the summer of 2011, GCHQ had attached probes to more than 200 links within their territory, including at main network switches and undersea cable landing stations. Similar capabilities exist allowing intelligence agencies to intercept satellite communications.136137 Crucially, by intercepting communications in this way, the communication is being interfered with within the territory of the intercepting state. This amounts to an interference with the right to privacy and must be justified according to the restrictions of human rights law. 
Such an interference invokes the negative obligation and responsibility of the interfering State not to violate fundamental rights.

134 NSA slides explain the PRISM data-collection program, The Washington Post, June 6, 2013, Updated July 10, 2013, available at: http://www.washingtonpost.com/wp-srv/special/politics/prism-collectiondocuments/; see also, Temporary Committee of the European Parliament on the ECHELON Interception System, Report on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI)), tabled in the European Parliament on 11 July 2001.
135 GCHQ taps fibre-optic cables for secret access to world's communications, The Guardian, 21 June 2013, available at: http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communicationsnsa
136 The state of the art in communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targetting and selection, including speech recognition, Duncan Campbell, Oct 1999 http://www.duncancampbell.org/menu/surveillance/echelon/IC2000_Report%20.pdf
137 Secret Power, Nicky Hager, 1996, http://www.nickyhager.info/ebook-of-secret-power/

Regardless of their location or nationality, all individuals are entitled to have their right to privacy respected not only by the State upon whose territory they stand, but by the State within whose territory their rights are exercised. If their communications pass through the territory of another State, and that State interferes with the communications, it will activate that State’s jurisdiction under international human rights law.
Accordingly, the US and UK owe the same obligation to each individual whose communications pass through their territory: not to interfere with those communications, subject to permissible limitations established under international law. Such “interference-based jurisdiction” obligations extend globally, regardless of boundaries.

Five Eyes legal frameworks that circumvent human rights obligations

Each of the Five Eyes members has complex legal frameworks governing the interception, monitoring and retention of communications content and data. This paper does not attempt to comprehensively outline such frameworks, and only excerpts some relevant provisions to illustrate the obfuscatory nature of legal frameworks that enable the rights of non-nationals or those outside the territory to be diminished.

United States

FISA section 1881a is entitled “Procedures for targeting certain persons outside the United States other than United States persons”. Section 1881(a) ss (a) provides: (a) the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information. An authorisation pursuant to FISA section 1881(a) permits “foreign intelligence information” to be obtained both by directly intercepting communications during transmission and by making a request to an electronic service provider that stores the information to make it available to the authorities.

United Kingdom

The Regulation of Investigatory Powers Act 2000 distinguishes between “internal” and “external” surveillance. Where the communication is internal (i.e.
neither sent nor received outside the British Islands, see RIPA s 20), a warrant to permit lawful interception must describe one person as the “interception subject” (s 8(1)(a)) or identify a “single set of premises” for which the interception is to take place (s 8(1)(b)). The warrant must set out “the addresses, numbers, apparatus or other factors, or combination of factors, that are to be used for identifying the communications that may be or are to be intercepted” (s 8(2)). Where the communication is “external”, that is either sent or received outside the British Islands, RIPA s 8(1) and 8(2) do not apply. There is no need to identify any particular person who is to be subject of the interception or a particular address that will be targeted.

New Zealand

The Government Security Communications Bureau (GCSB) is permitted to conduct interception by applying for an interception warrant under s15A of the Government Communications Security Bureau Act 2003 (amended 2013). However, s14 of the Act (as amended) states that in performing the function of intelligence gathering and analysis, the GCSB cannot “authorise or do anything for the purpose of intercepting the private communications of a person who is a New Zealand citizen or a permanent resident of New Zealand, unless (and to the extent that) the person comes within the definition of foreign person or foreign organisation....”. However, this limitation does not apply to the GCSB’s two other functions – surveillance of New Zealanders related to cyber-security and assisting other agencies (such as the Police) – and the definition of “private communications” could be interpreted to exclude meta-data.

Australia

Under the Intelligence Services Act 2001, the Australian intelligence agencies can conduct any activity connected with their functions138 provided they have the authorisation of the relevant Minister (s8).
However, where there is an Australian person involved the Minister must be satisfied of the following before making an authorisation (s9): (a) any activities which may be done in reliance on the authorisation will be necessary for the proper performance of a function of the agency concerned; and (b) there are satisfactory arrangements in place to ensure that nothing will be done in reliance on the authorisation beyond what is necessary for the proper performance of a function of the agency; and (c) there are satisfactory arrangements in place to ensure that the nature and consequences of acts done in reliance on the authorisation will be reasonable, having regard to the purposes for which they are carried out.

138 Which include to obtain foreign intelligence (ASIS), to obtain intelligence relevant to security (ASIO), to obtain foreign intelligence using the electrical, magnetic or acoustic energy (ASD), or to obtain geospatial and imagery intelligence via electromagnetic spectrum (DIGO)

In addition, the Minister must (s9(1A)) (a) be satisfied that the Australian person mentioned in that subparagraph is, or is likely to be, involved in one or more of the following activities: (i) activities that present a significant risk to a person’s safety; (ii) acting for, or on behalf of, a foreign power; (iii) activities that are, or are likely to be, a threat to security; (iv) activities related to the proliferation of weapons of mass destruction or the movement of goods listed from time to time in the Defence and
Strategic Goods List (within the meaning of regulation 13E of the Customs (Prohibited Exports) Regulations 1958); (v) committing a serious crime by moving money, goods or people; (vi) committing a serious crime by using or transferring intellectual property; (vii) committing a serious crime by transmitting data or signals by means of guided and/or unguided electromagnetic energy; and (b) if the Australian person is, or is likely to be, involved in an activity or activities that are, or are likely to be, a threat to security (whether or not covered by another subparagraph of paragraph (a) in addition to subparagraph (a)(iii))— obtain the agreement of the Minister responsible for administering the Australian Security Intelligence Organisation Act 1979. There are separate Rules to Protect the Privacy of Australians for each of the intelligence agencies, stating that where it is not clear whether a person is an Australian, it is presumed that a person within Australia is Australian and outside of Australia is not Australian (Rule 1.1). Where an intelligence agency does retain intelligence information concerning an Australian person, the agency must ensure the information is protected by security safeguards, and access to the information is only to be provided to persons who require it (Rule 2.2). 
Canada

The National Defence Act pertains to the Communications Security Establishment Canada (CSEC) and establishes that the mandate of CSEC is (s273.64 (1)) (a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities; (b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; […] Para (2) of the section provides that activities (a) shall not be directed at Canadians or any person in Canada; and (b) shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.

It is evident that the legal frameworks of the Five Eyes States currently distinguish between the obligations owed to nationals or those within the States’ territories, and non-nationals and those outside. In doing so, these legal frameworks infringe upon the rights of all individuals within the respective States’ jurisdiction (i.e. anyone whose communications pass through and are interfered with within the territory of that State) to enjoy human rights protections equally and without discrimination. In human rights law, discrimination constitutes any distinction, exclusion, restriction or preference, or other differential treatment based on any ground, including national or social origin, or other status, and which has the purpose or effect of nullifying or impairing the recognition, enjoyment, or exercise by all persons, on an equal footing, of all rights and freedoms.
The Human Rights Committee has deemed nationality a ground of “other status” with respect of article 2(1) of the ICCPR in Gueye and ors v France.139 It is both irrational and contrary to the spirit and purpose of international human rights norms to suppose that the privacy of a person’s communications could be accorded different legal weight according to their nationality or residence. An equivalent distinction on the basis of ethnicity or gender would be deemed to be manifestly incompatible with human rights law; why then should States be able to purport to offer varying protections based on an individual’s nationality or location? If an individual within a State’s jurisdiction is granted lower or diminished human rights protections – or indeed is deprived of such protections – solely on the basis of their nationality or location, this will not only lead to a violation of the right they seek to enjoy, but will amount to an interference with their right to be free from discrimination.

Towards an understanding of interference-based jurisdiction

Individuals have a legitimate expectation that their human rights will be respected not only by the State upon whose territory they stand, but by the State within whose territory their rights are exercised. The current legal frameworks of the Five Eyes States purport to discriminate between the rights and obligations owed to nationals or those physically within their territory, and those outside of it, or non-nationals. Yet the concept of jurisdiction, under human rights law, is not a rigid one. States have interference-based jurisdiction for particular negative human rights obligations when the interference with the right occurs within their territory. The way the global communications infrastructure is built requires that the right to privacy of communications can be exercised globally, and communications can be monitored in a place far from the location of the individual to whom they belong.
Accordingly, the States Parties to the Five Eyes arrangement have jurisdiction over – and thus owe obligations to – individuals whose communications they monitor, which jurisdiction is invoked when the State interferes with the communication of an individual, thus infringing upon their right to privacy. This understanding of jurisdiction and human rights obligations pertaining to the right to privacy is key to ensuring that individuals can seek redress against global surveillance arrangements that are threatening their rights to privacy and free expression.

139 Gueye and Others v. France (Comm. No. 196/1985)

Annex 2

The NSAʼs British Base at the Heart of U.S. Targeted Killing 09/11/2016, 18:09
https://theintercept.com/2016/09/06/nsa-menwith-hill-targeted-killing-surveillance/

INSIDE MENWITH HILL
The NSA’s British Base at the Heart of U.S. Targeted Killing
Photo: Trevor Paglen
Ryan Gallagher
September 6 2016, 10:05 a.m.

THE NARROW ROADS are quiet and winding, surrounded by rolling green fields and few visible signs of life beyond the occasional herd of sheep. But on the horizon, massive white golf ball-like domes protrude from the earth, protected behind a perimeter fence that is topped with piercing razor wire. Here, in the heart of the tranquil English countryside, is the National Security Agency’s largest overseas spying base. Once known only by the code name Field Station 8613, the secret base — now called Menwith Hill Station — is located about nine miles west of the small town of Harrogate in North Yorkshire. Originally used to monitor Soviet communications through the Cold War, its focus has since dramatically shifted, and today it is a vital part of the NSA’s sprawling global surveillance network.
For years, journalists and researchers have speculated about what really goes on inside Menwith Hill, while human rights groups and some politicians have campaigned for more transparency about its activities. Yet the British government has steadfastly refused to comment, citing a longstanding policy not to discuss matters related to national security. Now, however, top-secret documents obtained by The Intercept offer an unprecedented glimpse behind Menwith Hill’s razor wire fence. The files reveal for the first time how the NSA has used the British base to aid “a significant number of capture-kill operations” across the Middle East and North Africa, fueled by powerful eavesdropping technology that can harvest data from more than 300 million emails and phone calls a day. Over the past decade, the documents show, the NSA has pioneered groundbreaking new spying programs at Menwith Hill to pinpoint the locations of suspected terrorists accessing the internet in remote parts of the world. The programs — with names such as GHOSTHUNTER and GHOSTWOLF — have provided support for conventional British and American military operations in Iraq and Afghanistan. But they have also aided covert missions in countries where the U.S. has not declared war. NSA employees at Menwith Hill have collaborated on a project to help “eliminate” terrorism targets in Yemen, for example, where the U.S. has waged a controversial drone bombing campaign that has resulted in dozens of civilian deaths. The disclosures about Menwith Hill raise new questions about the extent of British complicity in U.S.
drone strikes and other so-called targeted killing missions, which may in some cases have violated international laws or constituted war crimes. Successive U.K. governments have publicly stated that all activities at the base are carried out with the “full knowledge and consent” of British officials.

The revelations are “yet another example of the unacceptable level of secrecy that surrounds U.K. involvement in the U.S. ‘targeted killing’ program,” Kat Craig, legal director of London-based human rights group Reprieve, told The Intercept.

“It is now imperative that the prime minister comes clean about U.K. involvement in targeted killing,” Craig said, “to ensure that British personnel and resources are not implicated in illegal and immoral activities.”

The British government’s Ministry of Defence, which handles media inquiries related to Menwith Hill, declined to comment for this story.

The NSA referred a request for comment to the Director of National Intelligence’s office. Richard Kolko, a spokesperson for the DNI, said in a statement: “The men and women serving the intelligence community safeguard U.S. national security by collecting information, conducting analysis, and providing intelligence for informed decision making under a strict set of laws, policies and guidelines. This mission protects our nation and others around the world.”

Menwith Hill on March 11, 2014.
Photo: Trevor Paglen

THE EQUIPMENT AT Menwith Hill covers roughly one square mile, which is patrolled 24 hours a day by armed British military police and monitored by cameras perched on posts that peer down on almost every section of the 10-foot perimeter fence. Most visible from the outside are a cluster of about 30 of the giant white domes. But the site also houses a self-contained community, accessible only to those with security clearance. Among operations buildings in which analysts listen in on monitored conversations, there is a bowling alley, a small pool hall, a bar, a fast food restaurant, and a general store.

Most of the world’s international phone calls, internet traffic, emails, and other communications are sent over a network of undersea cables that connect countries like giant arteries. At spy outposts across the world, the NSA and its partners tap into these cables to monitor the data flowing through them. But Menwith Hill is focused on a different kind of surveillance: eavesdropping on communications as they are being transmitted through the air.

According to top-secret documents obtained by The Intercept from NSA whistleblower Edward Snowden, Menwith Hill has two main spying capabilities. The first is called FORNSAT, which uses powerful antennae contained within the golf ball-like domes to eavesdrop on communications as they are being beamed between foreign satellites. The second is called OVERHEAD, which uses U.S. government satellites orbiting above targeted countries to locate and monitor wireless communications on the ground below — such as cellphone calls and even WiFi traffic.

A spy satellite launched in 2009 and operated from Menwith Hill. Its role was to intercept communications flowing across “commercial satellite uplinks,” according to NSA documents.

In the late 1980s, international communication networks were revolutionized by new fiber-optic undersea cables. The technology was cheaper than satellites and could transmit data across the world much faster than ever before, at almost the speed of light. For this reason, according to the NSA’s documents, in the mid-1990s the U.S. intelligence community was convinced that satellite communications would soon become obsolete, to be fully replaced by fiber-optic cable networks.

But the prediction proved to be wrong. And millions of phone calls are still beamed between satellites today, alongside troves of internet data, which the NSA has readily exploited at Menwith Hill.

“The commercial satellite communication business is alive and well and bursting at the seams with increasingly sophisticated bulk DNI (Digital Network Intelligence) traffic that is largely unencrypted,” the NSA reported in a 2006 document. “This data source alone provides more data for Menwith Hill analysts to sift through than our entire enterprise had to deal with in the not-so-distant past.”

As of 2009, Menwith Hill’s foreign satellite surveillance mission, code-named MOONPENNY, was monitoring 163 different satellite data links. The intercepted communications were funneled into a variety of different repositories storing phone calls, text messages, emails, internet browsing histories, and other data.

It is not clear precisely how many communications Menwith Hill is capable of tapping into at any one time, but the NSA’s documents indicate the number is extremely large. In a single 12-hour period in May 2011, for instance, its surveillance systems logged more than 335 million metadata records, which reveal information such as the sender and recipient of an email, or the phone numbers someone called and at what time.

To keep information about Menwith Hill’s surveillance role secret, the U.S. and U.K. governments have actively misled the public for years through a “cover story” portraying the base as a facility used to provide “rapid radio relay and conduct communications research.” A classified U.S. document, dated from 2005, cautioned spy agency employees against revealing the truth. “It is important to know the established cover story for MHS [Menwith Hill Station] and to protect the fact that MHS is an intelligence collection facility,” the document stated. “Any reference to satellites being operated or any connection to intelligence gathering is strictly prohibited.”

Menwith Hill Station on March 11, 2014. Photo: Trevor Paglen

THE OUTPOST WAS built in the 1950s as part of a deal made by the British and American governments to house U.S. personnel and surveillance equipment. In its early days, Menwith Hill’s technology was much more primitive.
According to Kenneth Bird, who worked at the base in the 1960s during the Cold War, it was focused then on monitoring high frequency radio signals in Eastern Europe. Intercepted conversations were recorded on Ampex tape recorders, Bird noted in his published 1997 account, with some transcribed by analysts in real-time using typewriters.

The modern Menwith Hill is a very different place. Now, not only are its spying systems capable of vacuuming up far more communications, but they also have a far broader geographic reach. In addition, the targets of the surveillance have drastically changed, as have the purposes for which the eavesdropping is carried out.

The documents obtained by The Intercept reveal that spy satellites operated at Menwith Hill today can target communications in China and Latin America, and also provide “continuous coverage of the majority of the Eurasian landmass,” where they intercept “tactical military, scientific, political, and economic communications signals.” But perhaps the most significant role the base has played in recent years has been in the Middle East and North Africa.

Especially in remote parts of the world where there are no fiber-optic cable links, it is common for internet connections and phone calls to be routed over satellite. Consequently, Menwith Hill became a vital asset in the U.S. government’s counterterrorism campaign after the 9/11 attacks. Since then, the base has been used extensively to tap into communications in otherwise hard-to-reach areas where Islamic extremist groups such as al Qaeda and al Shabaab have been known to operate — for example, in the Afghanistan-Pakistan border region, Somalia, and Yemen.

An aerial image captured by a U.S. satellite in support of a covert GHOSTHUNTER operation.

Crucially, however, Menwith Hill has been used for more than just gathering intelligence on people and governments across countries in the Middle East and North Africa. Surveillance tools such as the GHOSTHUNTER system were developed to directly aid military operations, pinpointing the locations of targeted people or groups so that they could then be captured or killed.

The NSA’s documents describe GHOSTHUNTER as a means “to locate targets when they log onto the internet.” It was first developed in 2006 as “the only capability of its kind” and it enabled “a significant number of capture-kill operations” against alleged terrorists. Only a few specific examples are given, but those cases give a remarkable insight into the extraordinary power of the technology.

In 2007, for instance, analysts at Menwith Hill used GHOSTHUNTER to help track down a suspected al Qaeda “facilitator” in Lebanon who was described as “highly actionable,” meaning he had been deemed a legitimate target to kill or capture. The location of the target — who was known by several names, including Abu Sumayah — was traced to within a few hundred meters based on intercepts of his communications. Then a spy satellite took an aerial photograph of the neighborhood in Sidon, south Lebanon, in which he was believed to be living, mapping out the surrounding streets and houses.
A top-secret document detailing the surveillance indicates that the information was to be passed to a secretive special operations unit known as Task Force 11-9, which would have been equipped to conduct a covert raid to kill or capture Sumayah. The outcome of the operation, however, is unclear, as it is not revealed in the document.

In another case in 2007, GHOSTHUNTER was used to identify an alleged al Qaeda “weapons procurer” in Iraq named Abu Sayf. The NSA’s surveillance systems spotted Sayf logging into Yahoo email or messenger accounts at an internet cafe near a mosque in Anah, a town on the Euphrates River that is about 200 miles northwest of Baghdad. Analysts at Menwith Hill used GHOSTHUNTER to track down his location and spy satellites operated from the British base captured aerial images. This information was passed to U.S. military commanders based in Fallujah to be included as part of a “targeting plan.” A few days later, a special operations unit named Task Force-16 stormed two properties, where they detained Sayf, his father, two brothers, and five associates.

By 2008, the apparent popularity of GHOSTHUNTER within the intelligence community meant that it was rolled out at other surveillance bases where NSA has a presence, including in Ayios Nikolaos, Cyprus, and Misawa, Japan. The expansion of the capability to the other bases meant that it now had “near-global coverage.” But Menwith Hill remained its most important surveillance site. “[Menwith Hill] still supplies about 99% of the FORNSAT data used in GHOSTHUNTER geolocations,” noted a January 2008 document about the program.
A 2009 document added that GHOSTHUNTER’s focus was at that time “on geolocation of internet cafés in the Middle East/North Africa region in support of U.S. military operations” and said that it had to date “successfully geolocated over 5,000 VSAT terminals in Iraq, Afghanistan, Syria, Lebanon, and Iran.” VSAT, or Very Small Aperture Terminal, is a satellite system commonly used by internet cafés and foreign governments in the Middle East to send and receive communications and data. GHOSTHUNTER could also home in on VSATs in Pakistan, Somalia, Algeria, the Philippines, Mali, Kenya, and Sudan, the documents indicate.

Menwith Hill’s unique ability to track down satellite devices across the world at times placed it on the front line of conflicts thousands of miles away. In Afghanistan, for instance, analysts at the base used the VSAT surveillance to help track down suspected members of the Taliban, which led to “approximately 30 enemy killed” during one series of attacks that were mentioned in a top-secret July 2011 report. In early 2012, Menwith Hill’s analysts were again called upon to track down a VSAT: this time, to assist British special forces in Afghanistan’s Helmand Province. The terminal was swiftly located, and within an hour an MQ-9 Reaper drone was dispatched to the area, presumably to launch an airstrike.

But the lethal use of the surveillance data does not appear to have been restricted to conventional war zones such as Afghanistan or Iraq. The NSA developed similar methods at Menwith Hill to track down terror suspects in Yemen, where the U.S. has waged a covert drone war against militants associated with al Qaeda in the Northern Peninsula.
In early 2010, the agency revealed in an internal report that it had launched a new technique at the British base to identify many targets “at almost 40 different geolocated internet cafés” in Yemen’s Shabwah province and in the country’s capital, Sanaa. The technique, the document revealed, was linked to a broader classified initiative called GHOSTWOLF, described as a project to “capture or eliminate key nodes in terrorist networks” by focusing primarily on “providing actionable geolocation intelligence derived from [surveillance] to customers and their operational components.”

The description of GHOSTWOLF ties Menwith Hill to lethal operations in Yemen, providing the first documentary evidence that directly implicates the U.K. in covert actions in the country.

Menwith Hill, March 13, 2013. Photo: Trevor Paglen

MENWITH HILL’S PREVIOUSLY undisclosed role aiding the so-called targeted killing of terror suspects highlights the extent of the British government’s apparent complicity in controversial U.S. attacks — and raises questions about the legality of the secret operations carried out from the base.

There are some 2,200 personnel at Menwith Hill, the majority of whom are Americans. Alongside NSA employees within the complex, the U.S. National Reconnaissance Office also has a major presence at the site, running its own “ground station” from which it controls a number of spy satellites.
But the British government has publicly asserted as recently as 2014 that operations at the base “have always been, and continue to be” carried out with its “knowledge and consent.” Moreover, roughly 600 of the personnel at the facility are from U.K. agencies, including employees of the NSA’s British counterpart Government Communications Headquarters, or GCHQ.

For several years, British human rights campaigners and lawmakers have been pressuring the government to provide information about whether it has had any role aiding U.S. targeted killing operations, yet they have been met with silence. In particular, there has been an attempt to establish whether the U.K. has aided U.S. drone bombings outside of declared war zones — in countries including Yemen, Pakistan, and Somalia — which have resulted in the deaths of hundreds of civilians and are in some cases considered by United Nations officials to possibly constitute war crimes and violations of international law.

Though the Snowden documents analyzed by The Intercept state that Menwith Hill has aided “a significant number” of “capture-kill” operations, they do not reveal specific details about all of the incidents that resulted in fatalities. What is clear, however, is that the base has targeted countries such as Yemen, Pakistan, and Somalia as part of location-tracking programs like GHOSTHUNTER and GHOSTWOLF — which were created to help pinpoint individuals so they could be captured or killed — suggesting it has played a part in drone strikes in these countries.
Craig, the legal director at Reprieve, reviewed the Menwith Hill documents — and said that they indicated British complicity in covert U.S. drone attacks. “For years, Reprieve and others have sought clarification from the British government about the role of U.K. bases in the U.S. covert drone program, which has killed large numbers of civilians in countries where we are not at war,” she told The Intercept. “We were palmed off with platitudes and reassured that any U.S. activities on or involving British bases were fully compliant with domestic and international legal provisions. It now appears that this was far from the truth.”

Jemima Stratford QC, a leading British human rights lawyer, told The Intercept that there were “serious questions to be asked and serious arguments to be made” about the legality of the lethal operations aided from Menwith Hill. The operations, Stratford said, could have violated the European Convention on Human Rights, an international treaty that the U.K. still remains bound to despite its recent vote to leave the European Union. Article 2 of the Convention protects the “right to life” and states that “no one shall be deprived of his life intentionally” except when it is ordered by a court as a punishment for a crime.

Stratford has previously warned that if British officials have facilitated covert U.S. drone strikes outside of declared war zones, they could even be implicated in murder. In 2014, she advised members of the U.K. Parliament that because the U.S. is not at war with countries such as Yemen or Pakistan, in the context of English and international law, the individuals who are targeted by drones in these countries are not “combatants” and their killers are not entitled to “combatant immunity.”

“If the U.K. government knows that it is transferring data that may be used for drone strikes against non-combatants … that transfer is probably unlawful,” Stratford told the members of Parliament. “An individual involved in passing that information is likely to be an accessory to murder.”

GCHQ refused to answer questions for this story, citing a “long standing policy that we do not comment on intelligence matters.” A spokesperson for the agency issued a generic statement asserting that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.” The spokesperson insisted that “U.K.’s interception regime is entirely compatible with the European Convention on Human Rights.”

A Gate at Menwith Hill Station prohibiting entrance on March 12, 2014. Photo: Trevor Paglen

IN FEBRUARY 2014, the U.S. Department of Defense announced after a review that it was planning to reduce personnel at Menwith Hill by 2016, with about 500 service members and civilians set to be removed from the site. A U.S.
Air Force spokesperson told the military newspaper Stars and Stripes that the decision was based on technological advances, which he declined to discuss, though he mentioned improvements in “server capacity to the hardware that we’re using; we’re doing more with less.”

The documents provided by Snowden shine light on some of the specific technological changes. Most notably, they show that there has been significant investment in introducing new and more sophisticated mass surveillance systems at Menwith Hill in recent years. A crucial moment came in 2008, when then-NSA Director Keith Alexander introduced a radical shift in policy. Visiting Menwith Hill in June that year, Alexander set a challenge for employees at the base. “Why can’t we collect all the signals, all the time?” he said, according to NSA documents. “Sounds like a good summer homework project for Menwith.”

As a result, a new “collection posture” was introduced at the base, the aim being to “collect it all, process it all, exploit it all.” In other words, it would vacuum up as many communications within its reach as technologically possible.

Between 2009 and 2012, Menwith Hill spent more than $40 million on a massive new 95,000-square-foot operations building — nearly twice the size of an average American football field. A large chunk of this space — 10,000 square feet — was set aside for a data center that boasted the ability to store huge troves of intercepted communications. During the renovations, the NSA shipped in new computer systems and laid 182 miles of cables, enough to stretch from New York City to the outskirts of Boston.
The agency also had a 200-seat-capacity auditorium constructed to host classified operations meetings and other events.

Some of the extensive expansion work was visible from the road outside the secure complex, which triggered protests from a local activist group called the Campaign for the Accountability of American Bases. Since the early 1990s, the group has closely monitored activities at Menwith Hill. And for the last 16 years, its members have held a small demonstration every Tuesday outside the base’s main entrance, greeting NSA employees with flags and colorful homemade banners bearing slogans critical of U.S. foreign policy and drone strikes.

Fabian Hamilton, a member of Parliament based in the nearby city of Leeds, has become a supporter of the campaign’s work, occasionally attending events organized by the group and advocating for more transparency at Menwith Hill. Hamilton, who represents the Labour Party, has doggedly attempted to find out basic information about the base, asking the government at least 40 parliamentary questions since 2010 about its activities. He has sought clarification on a variety of issues, such as how many U.S. personnel are stationed at the site, whether it is involved in conducting drone strikes, and whether members of a British parliamentary oversight committee have been given full access to review its operations. But his efforts have been repeatedly stonewalled, with British government officials refusing to provide any details on the grounds of national security.

Hamilton told The Intercept that he found the secrecy shrouding Menwith Hill to be “offensive.” The revelations about the role it has played in U.S.
killing and capture operations, he said, showed there needed to be a full review of its operations. “Any nation-state that uses military means to attack any target, whether it is a terrorist, whether it is legitimate or not, has to be accountable to its electorate for what it does,” Hamilton said. “That’s the basis of our Parliament, it’s the basis of our whole democratic system. How can we say that Menwith can carry out operations of which there is absolutely no accountability to the public? I don’t buy this idea that you say the word ‘security’ and nobody can know anything. We need to know what is being done in our name.”

———

Documents published with this article:

Elegant Chaos: collect it all, exploit it all
Elegant Chaos: collect it all, exploit it all (plus notes)
Ghosthunter: only capability of its kind
Menwith satellite classification guide
UK special forces Reaper drone (Jan-Feb-2012)
Afghanistan 30 enemy killed (Jan-Feb 2012)
Project Sandstorm wifi geolocation (Jan 2011)

Annex 3

MR JUSTICE BURTON
Approved Judgment

iv) It has, and takes, the opportunity, with the benefit of full argument, to probe fully whether matters disclosed to it in closed hearing, pursuant to the Respondents’ obligation to do so pursuant to s.68(6) of RIPA, can and should be disclosed in open and thereby publicised.

47. We have been greatly assisted by the substantial submissions in the open hearing, and in the closed hearings by sight of and understanding what Mr Eadie called the “arrangements below the waterline” and their explanation, and submissions by the Respondents and by Counsel to the Tribunal.
As a result of the process described in paragraph 10 above, the following Disclosure was made by the Respondents relevant to the Prism Issue. It was made by reference to the evidence given in the closed hearing which they were prepared to disclose, subject to the express caveat that references to “the Intelligence Services” in the Disclosure were references to whichever of the Intelligence Services carried out the relevant activities described in it, in the context of the factual premises set out in paragraph 14 above:

“1. A request may only be made by the Intelligence Services to the government of a country or territory outside the United Kingdom for unanalysed intercepted communications (and associated communications data), otherwise than in accordance with an international mutual legal assistance agreement, if either:

a. a relevant interception warrant under the Regulation of Investigatory Powers Act 2000 (“RIPA”) has already been issued by the Secretary of State, the assistance of the foreign government is necessary to obtain the communications at issue because they cannot be obtained under the relevant RIPA interception warrant and it is necessary and proportionate for the Intelligence Services to obtain those communications; or

b. making the request for the communications at issue in the absence of a relevant RIPA interception warrant does not amount to a deliberate circumvention of RIPA or otherwise contravene the principle established in Padfield v. Minister of Agriculture, Fisheries and Food [1968] AC 997 (for example, because it is not technically feasible to obtain the communications via RIPA interception), and it is necessary and proportionate for the Intelligence Services to obtain those communications. In these circumstances, the question whether the request should be made would be considered and decided upon by the Secretary of State personally.
For these purposes a “relevant RIPA interception warrant” means either (i) a s8(1) warrant in relation to the target at issue; (ii) a s8(4) warrant and an accompanying certificate which includes one or more “descriptions of intercepted material” (within the meaning of s8(4)(b) of RIPA) covering the target’s communications, together with an appropriate s16(3) modification (for individuals known to be within the British Islands); or (iii) a s8(4) warrant and accompanying certificate which includes one or more “descriptions of intercepted material” covering the target’s communications (for other individuals).

The reference to a “warrant for interception, signed by a Minister” being “already in place” in the ISC’s Statement of 17 July 2013 should be understood in these terms. (Given sub-paragraph (b), and as previously submitted in open, a RIPA interception warrant is not as a matter of law required in all cases in which unanalysed intercepted communications might be sought from a foreign government.)

2. Where the Intelligence Services receive intercepted communications content or communications data from the government of a country or territory outside the United Kingdom, irrespective whether it is / they are solicited or unsolicited, whether the content is analysed or unanalysed, or whether or not the communications data are associated with the content of communications, the communications content and data are, pursuant to internal “arrangements”, subject to the same internal rules and safeguards as the same categories of content or data, when they are obtained directly by the Intelligence Services as a result of interception under RIPA.”

We considered that this Disclosure could be made open, and it was so made with the consent of the Respondents.

48.
In addition, after the further open hearing, the Respondents made the following further Disclosure of evidence given in the closed hearings: (1) “The US Government has publicly acknowledged that the Prism system and Upstream programme, undertaken in accordance with Section 702 of the Foreign Intelligence Surveillance Act, permit the acquisition of communications to, from, or about specific tasked selectors associated with non-US persons who are reasonably believed to be located outside the United States in order to acquire foreign intelligence information. To the extent that the Intelligence Services are permitted by the US Government to make requests for material obtained under the Prism system (and/or on the Claimants' case, pursuant to the Upstream programme), those requests may only be made for unanalysed intercepted communications (and associated communications data) acquired in this way.” MR JUSTICE BURTON Approved Judgment Secretariat) and again as set out in paragraph 47 above, taking account of the submissions and criticisms of the Claimants and the observations of the Tribunal in closed hearing. We are satisfied that the Disclosures cast a clear and accurate summary or résumé of that part of the evidence given in the closed hearing which ought to be disclosed: and that the balance of the evidence and submissions given in closed hearing was too sensitive for disclosure without risk to national security or to the NCND principle. (iv) We are satisfied that the description of the circumstances in which, when a request is made, there is an existing warrant is clear. 
Although the reader of this judgment will be enabled to understand the position better when, in relation to the s.8(4) issue, fuller exposition is given below, it is clear that the preconditions are either the existence of a s.8(1) warrant or the existence of a s.8(4) warrant within whose ambit the proposed target’s communications fall, together, if the individual is known to be within the British Islands, with a s.16(3) modification. 51. In relation to paragraph 1 of the Disclosure, this subjects any requests pursuant to Prism and/or Upstream in respect of intercept or communications data to the RIPA regime, save only for the wholly exceptional scenario referred to as a 1(b) request. A 1(b) request has in fact never occurred, as the ISC has recognised as set out at paragraph 5 of its Statement, (cited in paragraph 23 above), and as now confirmed by the Respondents, as set out in paragraph 48(2) above. 52. In relation to paragraph 2 of the Disclosure, by which the same obligations and safeguards are applied to the receipt of any intercept or communications data pursuant to Prism and/or Upstream as apply when they are obtained directly by the Intelligence Services as a result of interception under RIPA: 53. (i) We must address below, with regard to the s.8(4) Issue, the nature and adequacy of those obligations and safeguards resulting from and relating to interception under RIPA, and, subject to (ii) below, the same considerations will apply. (ii) As Mr Squires accepted, the clarification given within paragraph 1 of the Disclosure, that there will only be a request under Prism and/or Upstream, by reference to the existence of a s.8(4) warrant, which relates to an individual known to be within the British Islands, if a s.16(3) modification is in place, means that the RIPA safeguards under ss.15 and 16 (dealt with in detail below) in fact apply: except as he pointed out, in respect of a 1(b) Request so far as s.16 safeguards are concerned. 
The one matter of concern is this. Although it is the case that any request for, or receipt of, intercept or communications data pursuant to Prism and/or Upstream is ordinarily subject to the same safeguards as in a case where intercept or communication data are obtained directly by the Respondents, if there were a 1(b) request, albeit that such request must go to the Secretary of State, and that any material so obtained must be dealt with pursuant to RIPA, there is the possibility that the s.16 protection might not apply. As already indicated, no 1(b) request has in fact ever occurred, and there has thus been no problem hitherto. We are however satisfied that there ought to be introduced a procedure whereby any such request, if

Annex 4

TWO YEARS AFTER SNOWDEN: PROTECTING HUMAN RIGHTS IN AN AGE OF MASS SURVEILLANCE

(COVER IMAGE) A student works on a computer that is projecting former U.S. National Security Agency contractor Edward Snowden as he appears live via video during a world affairs conference in Toronto © REUTERS/Mark Blinch

2 TWO YEARS AFTER SNOWDEN JUNE 2015 © REUTERS/Zoran Milich

“The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether.” Ben Emmerson QC, UN Special Rapporteur on counter-terrorism and human rights

EXECUTIVE SUMMARY

On 5 June 2013, a British newspaper, The Guardian, published the first in a series of revelations about indiscriminate mass surveillance by the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ). Edward Snowden, a whistleblower who had worked with the NSA, provided concrete evidence of global communications surveillance programmes that monitor the internet and phone activity of hundreds of millions of people across the world.

Governments can have legitimate reasons for using communications surveillance, for example to combat crime or protect national security. However because surveillance interferes with the rights to privacy and freedom of expression, it must be done in accordance with strict criteria: surveillance must be targeted, based on reasonable suspicion, undertaken in accordance with the law, necessary to meet a legitimate aim and be conducted in a manner that is proportionate to that aim, and non-discriminatory. This means that mass surveillance that indiscriminately collects the communications of large numbers of people cannot be justified. Mass surveillance violates both the right to privacy and to freedom of expression.

This briefing presents an overview of the information that has come to light in the past two years about mass surveillance programmes run by the UK, US and other governments, as well as the key legal, policy and technological developments relating to mass surveillance and the right to privacy during this period. In this briefing, Amnesty International and Privacy International also present a 7-point plan of action to guarantee the protection of human rights in the digital age.

In the past two years, we have learned the extent of mass surveillance programmes operated chiefly by the NSA and GCHQ, with the close cooperation of their sister agencies in Australia, Canada and New Zealand – collectively known as the Five Eyes Alliance (or ‘Five Eyes’). The revelations, which have been exposed by the media based on files leaked by Edward Snowden have included evidence that:

Companies – including Facebook, Google and Microsoft – were forced to hand over their customers’ data under secret orders through the NSA’s Prism programme;

the NSA recorded, stored and analysed metadata related to every single telephone call and text message transmitted in Mexico, Kenya, and the Philippines;

GCHQ and the NSA have coopted some of the world’s largest telecommunications companies to tap the transatlantic undersea cables and intercept the private communications they carry, under their respective TEMPORA and Upstream programmes;

GCHQ and NSA hacked into the internal computer network of Gemalto, the largest manufacturer of SIM cards in the world, possibly stealing billions of encryption keys used to protect the privacy of mobile phone communications around the world.

Public opposition has grown globally. A poll commissioned by Amnesty International, which questioned 15,000 people from 13 countries across every continent, found that 71 per cent of people are strongly opposed to their governments spying on their internet and phone communications.

International and regional institutions and experts, including the UN High Commissioner for Human Rights and the Parliamentary Assembly of the Council of Europe, have expressed significant concerns about mass surveillance programmes and warned about the danger they pose to human rights. In December 2014, the UN General Assembly adopted a second resolution on the right to privacy in the digital age, where it expressed deep concern “at the negative impact that surveillance and/or interception of communications...in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights.” In March 2015, the UN Human Rights Council established for the first time a permanent mandate for a Special Rapporteur on the right to privacy, a historic move that will ensure privacy issues are at the forefront of the UN’s agenda for years to come.

Courts in a number of countries ruled against mass surveillance and intelligence-sharing practices.
In the United Kingdom, the Investigatory Powers Tribunal ruled that, prior to the Tribunal’s judgements handed down in December 2014 and February 2015, the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to the Prism and Upstream programmes, contravened the European Convention on Human Rights. In the USA, a federal court of appeal ruled in May 2015 that the mass collection of US phone records was illegal.

Many of the world’s largest technology companies have also spoken out against mass surveillance. In 2013, ten companies – including Apple, Facebook, Google, Microsoft, Twitter and Yahoo! – launched the Reform Global Government Surveillance Coalition, advocating for an end to bulk collection practices under the USA Patriot Act, among other legal reforms. Several major companies took more tangible steps against surveillance, increasing the default security and encryption provided to users on their platforms and services, better protecting the privacy of internet users against indiscriminate mass surveillance.

There are also signs of limited legal reforms. For example, the USA Freedom Act, which was passed by the House of Representatives in May, attempts to end government bulk collection of US phone records.1 However, the law would also require companies to hold, search, and analyse certain data at the request of the government, arguably expanding the statutory basis for large-scale data collection rather than ending it. Additionally, many other aspects of US surveillance remain under-regulated and unaccountable under the new law – including the mass surveillance of millions of people outside of the US.

Pressure is needed to ensure that governments dismantle these extraordinarily invasive surveillance systems at home and abroad. A first step in this regard is to recognise that privacy rights are owed equally to persons abroad as to those present in one’s own country. Companies have a responsibility to respect the right to privacy online. To live up to this responsibility they should take far bolder steps to increase security on their platforms and services, so that private user data is not made freely available for harvesting by governments.

There is a rising tide of opinion against mass surveillance, but much remains at stake. Governments globally have enacted new laws granting mass surveillance powers of their own. This year has seen sweeping new surveillance powers introduced in Pakistan and France, while Denmark, Switzerland, the Netherlands and UK are set to present new intelligence bills in the near future.

Preserving privacy, and ultimately freedom of expression, will require concerted action by individuals, technologists, legal experts, civil society, international organizations, companies and governments. No single solution is sufficient; rather a combination of domestic legal reforms, strong international standards, robust privacy protecting technologies, corporate commitment to user privacy and individual action is needed.

Note on information about US and UK surveillance practices: The vast majority of information on mass surveillance practices by the USA and the UK in the public domain is based on documents leaked by whistleblower and former NSA analyst Edward Snowden. Documents leaked contain internal NSA and GCHQ documents. Some of the disclosures also include information about surveillance activities by other countries. Revelations about these mass surveillance practices have been published by various news organizations in several countries. The US government has confirmed the existence of some of the programmes exposed by the revelations, such as the Prism programme, however the information in most of the revelations has not been confirmed – or denied by either the US or the UK governments. In the absence of rejection by the USA or the UK of information contained in these leaks, and the fact that the authenticity of the documents leaked by Edward Snowden has not been disputed by either of the countries, information about mass surveillance programmes from these leaks is assumed to be correct.

4 Spencer Ackerman and James Ball, Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ, The Guardian, 28 February 2014, online at: www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo (accessed 28 May 2015)

5 Ryan Gallagher and Glenn Greenwald, Canada casts global surveillance dragnet over file downloads, The Intercept, 18 January 2015, online at: https://firstlook.org/theintercept/2015/01/28/canada-cse-levitation-mass-surveillance/ (accessed 28 May 2015)

6 Amber Hildebrandt, Dave Seglins, and Michael Pereira, CSE monitors millions of Canadian emails to government, CBC News, 25 February 2015, online at: www.cbc.ca/news/csemonitors-millions-of-canadian-emails-to-government-1.2969687 (accessed 28 May 2015)

1 Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act of 2015), H.R.— 114th Congress (2015-2016).

For further information, see Privacy International, The Five Eyes, online at: www.
privacyinternational.org/?q=node/51 (accessed 28 May 2015) 2

3 See Craig Timberg, NSA slide shows surveillance of undersea cables, The Washington Post, 10 July 2013, online at: www.washingtonpost.com/business/economy/the-nsa-slideyou-havent-seen/2013/07/10/32801426-e8e6-11e2-aa9f-c03a72e2d342_story.html and Ewen MacAskill, Julian Borger, Nick Hopkins, Nick Davies and James Ball, GCHQ taps fibre-optic cables for secret access to world’s communications, The Guardian, 21 June 2013, online at: www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-worldcommunications-nsa (both accessed 28 May 2015)

MASS SURVEILLANCE OF INTERNET AND PHONE COMMUNICATIONS: WHAT WE LEARNED ABOUT US AND UK PROGRAMMES

We now know, through the Snowden revelations, that the US and UK intelligence agencies have been operating indiscriminate mass surveillance programmes on a global scale, enabling the interception of a large proportion of the world’s Internet traffic as well as the phone communications of hundreds of millions of people. These capabilities are coupled with vast intelligence-sharing practices between members of the Five Eyes Alliance, as well as with a web of intelligence agencies in dozens of countries around the world.2 These are some of the programmes run by the NSA and GCHQ that have been revealed since 2013.

1 – Tapping into global telecommunications networks

The NSA and GCHQ are directly intercepting transatlantic undersea internet cables in their respective Upstream and TEMPORA programmes.3 These programmes intercept huge quantities of internet traffic, scanning and filtering every communication passing through the cables that make up the backbone of the internet. Undersea cable tapping provides UK and US intelligence agencies with unprecedented surveillance powers. In one six-month period, GCHQ, under its OPTIC NERVE programme, intercepted 1.8 million Yahoo! video chats, capturing images, between 3 and 11 per cent of which contained “undesirable nudity”, before processing them through facial recognition technology.4

In Canada, the Communications Security Establishment Canada (CSEC) intercepts cables and records up to 15 million downloads daily from file sharing websites like Rapidshare or Megaupload.5 CSEC also monitors millions of emails, storing them for “days to months” as it applies analysis technology.6

In New Zealand, the Government Communications Security Bureau (GCSB) uses satellite interception to capture internet and telephone data transmitted to and from the Asia Pacific region. In 2009 they upgraded their main base in Waihopai to be “full take”, ensuring they had the capacity to capture all communications travelling on their networks, and sharing the raw data with the Five Eyes Alliance.7

2 – Accessing companies’ data centres and internal systems

Nine companies including Apple, Facebook, Google, Microsoft and Yahoo! have been forced to hand over their customers’ data under secret orders issued as part of the NSA’s Prism programme,8 while being gagged from publicly talking about it.9

The NSA and GCHQ then conspired to break into the main communications links that connect the data centres of some of these companies around the world. Under this programme, code-named MUSCULAR, millions of records are captured every day from internal Yahoo! and Google networks.10

Meanwhile, GCHQ targeted Belgacom, Belgium’s largest telecommunications provider. The UK agency hacked internal employee computers in order to be able to grab private communications handled by the company. Belgacom has millions of customers including officials from the European Commission, the European Parliament, and the European Council.11

3 – Tracking the location of our mobile phones

The NSA collects nearly 5 billion records a day pertaining to the location of mobile phones around the world, under a set of programmes known collectively as CO-TRAVELLER. According to a 2012 NSA internal briefing, the organization is collecting so much locational information under the programme that the capabilities are “outpacing our ability to ingest, process and store” the data.12

4 – Listening into the telephone calls of entire countries

The NSA has obtained copies of every single telephone call made in entire countries. The voice interception programme, code-named MYSTIC and SOMALGET, is referred to as a “time machine” because it enables the NSA to replay recordings of any telephone call without requiring that an individual be targeted in advance for surveillance.13 It has already been used to record all voice calls in the Bahamas and Afghanistan and to capture metadata of all voice calls in Mexico, Kenya, and the Philippines, affecting a combined population of more than 250 million people.

5 – Lobbying for surveillance laws abroad

A team at the NSA known as the Foreign Affairs Division exists to pressure or incentivize other countries to change their laws to enable mass surveillance and co-operate with the NSA.14 This team looks for loopholes in laws and constitutional protections that would enable foreign partner agencies to undertake mass surveillance operations that were never contemplated by the legislature. According to Edward Snowden, Sweden, Germany and the Netherlands “received instruction from the NSA, sometimes under the guise of the US Department of Defence and other bodies, on how to degrade the legal protections of their countries’ communications.”15 GCHQ is also providing similar advice: one GCHQ document says that “[t]he Dutch have some legislative issues that they need to work through before their legal environment would allow them to operate in the way that GCHQ does. We are providing legal advice on how we have tackled some of these issues to Dutch lawyers.”16

6 – Spreading mass surveillance

In order to acquire more information from their overseas partners, the Five Eyes provide equipment and expertise to assist partner agencies to tap undersea cables in their territories.17 The technology enables partners to ‘ingest’ massive amounts of data in a manner that facilitates processing, and provides a copy of the intercepted communications to the Five Eyes. In 2011, the NSA spent a total of $91 million on these foreign cable access programmes with more than 13 overseas sites now in operation, two of which are in Germany and Denmark.18 In Germany, the Bundesnachrichtendienst (BND) intercepts satellite and cable communications, and was reportedly sharing 220 million phone metadata records every day with the NSA.19

7 – Undermining encryption standards

The NSA and GCHQ have been sabotaging encryption standards, working to undermine the ability to securely communicate through their decryption programmes, Bullrun (NSA) and Edgehill (GCHQ). A 2010 GCHQ document explained that “[f]or the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies” and “insert vulnerabilities into commercial encryption systems.”20 Meanwhile, GCHQ was revealed to be exploring ways to break into the encrypted data of Facebook, Google, Microsoft’s Hotmail and Yahoo!.21 GCHQ also established a Humint [human intelligence] Operations Team, which according to an internal GCHQ document is “responsible for identifying, recruiting and running covert agents in the global telecommunications industry.”22

8 – Hacking into phones and apps

The Five Eyes have built up their capabilities to infect individuals’ devices with intrusive malware in order to be able to, in their words, “exploit any phone, anywhere, anytime.”23 UK and US spies have boasted that “if its [sic] on the phone, we can get it.”24 Far from deploying this tactic in exceptional circumstances only, the Five Eyes have aggressively developed these tools to infect potentially millions of computers and phones worldwide.25 Canada’s CSEC even spied on the computers and smartphones that connected Brazil’s mining and energy ministry, in order to gather economic intelligence.26 In a leaked NSA presentation, the agency commented on its own capabilities: “who knew in 1984 that [smart phones] would be Big Brother and the zombies would be paying customers?”27

9 – Controlling core communications infrastructure

Working in partnership with telecommunications companies, the NSA is “aggressively involved in shaping traffic” to artificially change the route of internet communications, redirecting them to flow past Five Eyes interception points.28 When that fails, the Five Eyes secretly deploy malware into core telecommunications networks to enable them to copy traffic into the NSA’s mass surveillance infrastructure. One of the ways the NSA does this is by “interdicting” shipments of computer hardware as they are delivered to customers, altering the hardware in order to ensure that they can gain access to networks “around the world.”29 In essence, in addition to tapping the communications that cross their borders, the NSA and GCHQ are proactively trying to redirect communications traffic so that it travels past their probes and taps, allowing it to be intercepted, collected and analysed. In this way, the core infrastructure of the internet is being co-opted to feed data into the Five Eyes surveillance programmes.

10 – Stealing encryption keys

GCHQ and NSA hacked into the internal computer network of Gemalto, the largest manufacturer of SIM cards in the world, stealing billions of encryption keys used to protect the privacy of mobile phone communications around the world.30 With these stolen encryption keys, intelligence agencies can unlock mobile communications without needing approval from telecom companies and sidestepping the need to get a warrant, while leaving no trace on the wireless provider’s network that the communications were intercepted.

7 Ryan Gallagher And Nicky Hager, New Zealand spies on neighbours in secret “Five Eyes” global surveillance, The Intercept, 3 April 2015, online at: https://firstlook.org/theintercept/2015/03/04/new-zealand-gcsb-surveillance-waihopai-xkeyscore/ (accessed 28 May 2015)

8 The Guardian, NSA Prism programme slides, 1 November 2013, online at: www.theguardian.com/world/interactive/2013/nov/01/prism-slides-nsa-document (accessed 28 May 2015)

9 Leo Kelion, Q&A: NSA’s Prism internet surveillance scheme, BBC, 1 July 2013, online at: www.bbc.co.uk/news/technology-23051248 (accessed 28 May 2015)

10 Barton Gellman and Ashkan Soltani, NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say, Washington Post, 30 October 2013, online at: www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-datacenters-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74d89d714ca4dd_story.html (accessed 28 May 2015)

11 Ryan Gallagher, Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco, The Intercept, 13 December 2014, online at: https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/ (accessed 28 May 2015)

12 Barton Gellman and Ashkan Soltani, NSA tracking cellphone locations worldwide: Snowden documents show, Washington Post, 4 December 2013, online at: www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwidesnowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html (accessed 28 May 2015)

13 Barton Gellman and Ashkan Soltani, NSA surveillance programme reaches ‘into the past’ to retrieve, replay phone calls, Washington Post, 18 March 2014, online at: www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-intothe-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e76adc9210f19_story.html (accessed 28 May 2015)

14 Andrew Byrne, Snowden: US spy agencies pressed EU states to ease privacy laws, The Financial Times, 7 March 2014, online at: www.ft.com/cms/s/0/9f45bcb2-a616-11e38a2a-00144feab7de.html#axzz3a7iVHH6t (accessed 28 May 2015)

15 Andrew Byrne, Snowden: US spy agencies pressed EU states to ease privacy laws, The Financial Times, 7 March 2014, online at: www.ft.com/cms/s/0/9f45bcb2-a616-11e38a2a-00144feab7de.html#axzz3a7iVHH6t (accessed 28 May 2015)

16 Julian Borger, GCHQ and European spy agencies worked together on mass surveillance, The Guardian, 1 November 2013, online at: www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance-snowden (accessed 28 May 2015)

17 Ryan Gallagher, How secret partners expand NSA’s surveillance dragnet, The Intercept, 19 June 2014, online at: https://firstlook.org/theintercept/2014/06/18/nsa-surveillancesecret-cable-partners-revealed-rampart-a/ (accessed 28 May 2015)

18 Ryan Gallagher, How secret partners expand NSA’s surveillance dragnet, The Intercept, 19 June 2014, online at: https://firstlook.org/theintercept/2014/06/18/nsa-surveillancesecret-cable-partners-revealed-rampart-a/ (accessed 28 May 2015) Kai Biermann, BND stores 220 million telephone data – every day, Zeit Online, 2 February 2015, online at: www.zeit.de/digital/datenschutz/2015-02/bnd-nsa-mass-surveillance (accessed 28 May 2015)

19 Kai Biermann, BND stores 220 million telephone data – every day, Zeit Online, 2 February 2015, online at: www.zeit.de/digital/datenschutz/2015-02/bnd-nsa-masssurveillance (accessed 28 May 2015)

20 James Ball, Julian Borger and Glenn Greenwald, Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian, 6 September 2013, online at: www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security (accessed 28 May 2015)

21 Nicole Perlroth, Jeff Larson and Scott Shane, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, The New York Times, 5 September 2013, online at: www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0 (accessed 28 May 2015)

22 James Ball, Julian Borger and Glenn Greenwald, Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian, 6 September 2013, online at: www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security (accessed 28 May 2015)

23 Nick Hopkins and Julian Borger, Exclusive: NSA pays £100m in secret funding for GCHQ, The Guardian, 1 August 2013, www.theguardian.com/uk-news/2013/aug/01/nsapaid-gchq-spying-edward-snowden (accessed 28 May 2015)

24 Russell Brandom, New NSA documents reveal massive data collection from mobile apps, The Verge, 27 January 2014, online at: www.theverge.com/2014/1/27/5350714/new-nsadocuments-reveal-massive-data-collection-from-mobile-apps (accessed 28 May 2015)

25 Ryan Gallagher And Glenn Greenwald, How the NSA plan to infect millions of computers with malware, The Intercept, 3 December 2014, https://firstlook.org/theintercept/2014/03/12/nsa-plans-infect-millions-computers-malware/ (accessed 28 May 2015)

26 Amber Hildebrandt, Dave Seglins, and Michael Pereira, Communication Security Establishment’s cyberwarfare toolbox revealed, CBC News, 2 April 2015, online at: www.cbc.ca/news/canada/communication-security-establishment-s-cyberwarfare-toolboxrevealed-1.3002978 (accessed 28 May 2015)

27 Marcel Rosenbach, Laura Poitras and Holger Stark, iSpy: How the NSA accesses smartphone data, Der Spiegel, 9 September 2013, www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html (accessed 28 May 2015)

28 Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, 2014, p.105.

29 Inside TAO: Documents Reveal Top NSA Hacking Unit, Der Spiegel, 29 December 2013, online at: www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-tospy-on-global-networks-a-940969-3.html (accessed 28 May 2015)

30 Jeremy Scahill and Josh Begley, The great SIM heist: how spies stole the keys to the encryption castle, The Intercept, 19 February 2015, https://firstlook.org/theintercept/2015/02/19/great-sim-heist/ (accessed 28 May 2015)

© RADiUS-TWC

INTERNATIONAL PUBLIC OPINION REJECTS MASS SURVEILLANCE

An international poll commissioned by Amnesty International, which questioned 15,000 people from 13 countries across every continent, found that 71 per cent of people are strongly opposed to their governments spying on their internet and phone communications. The poll was undertaken in February 2015. Key findings of the poll include:

With regard to surveillance by own government:

In all 13 countries covered by the poll, people did not want their own government to intercept, store and analyse their phone and internet use. On average, twice as many were against surveillance by their government (59 per cent) as those who approved (26 per cent). Most opposed to mass surveillance by their own government are people in Brazil (65 per cent) and Germany (69 per cent). Spain (67 per cent), where reports that the NSA tapped 60 million Spanish phone calls were met with outrage in 2013, also topped the opposition table. The majority of US citizens (63 per cent) are against their government’s surveillance scheme compared to only 20 per cent in favour.

With regard to US mass surveillance of other countries:

71 per cent of respondents were strongly opposed to the United States of America monitoring their internet use. Strongest opposition to the USA intercepting, storing and analysing internet use came from Germany (81 per cent against) and Brazil (80 per cent). Even in the country with least opposition, France, the majority of people still opposed US surveillance (56 per cent). In Australia, Canada, New Zealand and the United Kingdom – all countries with whom the USA shares the fruits of mass surveillance – more than three times as many people oppose US surveillance (70 per cent) as support it (17 per cent).

With regard to the role of companies

60 per cent of people think technology companies have a duty to help them secure their personal information from governments, as opposed to only 26 per cent who agree with firms providing authorities with access to data.

The resolution stated “The surveillance practices disclosed so far endanger fundamental human rights, including the rights to privacy, freedom of information and expression, and the rights to a fair trial and freedom of religion: especially when privileged communications of lawyers and religious ministers are intercepted and when digital evidence is manipulated. These rights are cornerstones of democracy.
Their infringement without adequate judicial control also jeopardizes the rule of law.”39 Finally, and most significantly, the UN Human Rights Council took decisive action in adopting by consensus a March 2015 resolution that established a permanent independent expert on the right to privacy.40 The Special Rapporteur on privacy will be appointed at the June 2015 session of the Council, and will have responsibilities which include reporting on alleged violations of the right to privacy, including those which arise “in connection with the challenges arising from new technologies.”41 2014, online at: https://firstlook.org/theintercept/document/2014/10/15/un-reporthuman-rights-terrorism/ (accessed 28 May 2015) In April 2015, the Parliamentary Assembly of the Council of Europe adopted its own resolution, with perhaps the starkest condemnation of surveillance to date. The Council of Europe’s Commissioner for Human Rights also weighed in, writing in an issue paper entitled The rule of law on the Internet and in the wider digital world, “it is becoming increasingly clear that secret, massive and indiscriminate surveillance programmes are not in conformity with European human rights law and cannot be justified by the fight against terrorism or other important threats to national security.”38 A second UN General Assembly resolution in December 2014 reiterated the sentiments of its 2013 resolution, expressing States’ deep concern “at the negative impact that surveillance and/or interception of communications...in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights.”37 Her findings were reinforced in October 2014 by the UN Special Rapporteur on counter-terrorism and human rights who condemned mass surveillance by saying, “The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether.”36 In July 2014, the UN High Commissioner for Human 
Rights, in a report entitled “The right to privacy in the digital age”, pronounced, “The very existence of a mass surveillance programme... creates an interference with privacy.”35 secret, or even illegal mass surveillance programmes.”34 The LIBE Committee “takes the view that such programmes are incompatible with the principles of necessity and proportionality in a democratic society.” EXPERTS AND INTERNATIONAL BODIES CALL MASS SURVEILLANCE A VIOLATION OF HUMAN RIGHTS Over the past two years, a number of prominent national, regional and international bodies and experts have pronounced mass surveillance a violation of human rights. Together, they form a substantial body of authoritative opinion on the legality of mass surveillance such as that practiced by the NSA and GCHQ. First came a report in December 2013 by the President’s Review Board, an expert board convened by US President Barack Obama to scrutinise the Snowden revelations. The Board condemned the NSA’s mass surveillance programmes, stating that “the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes.”31 The Board’s view was echoed in a resolution the same month by the UN General Assembly, which expressed its deep concern at the negative impact that interception and collection of communications data, in particular when carried out on a mass scale, may have on the exercise of human rights.32 In January 2014, a report from the Privacy and Civil Liberties Oversight Board, an independent agency within the US government, found that the bulk collection of telephone metadata by the NSA to be unauthorized under Section 215 of the USA Patriot Act. 
The report also declared it to be a violation of the Electronic Communications Privacy Act and raises concerns under both the First and Fourth Amendments.33 The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) inquiry into the NSA surveillance programmes delivered its report in February 2014, finding that “the fight against terrorism can never be a justification for untargeted, 31 Liberty and security in a changing world: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies, 12 December 2013, Recommendation 4, p.25, online at: www.whitehouse.gov/sites/default/files/ docs/2013-12-12_rg_final_report.pdf (accessed 28 May 2015) 38 Council of Europe Commissioner for Human Rights, The rule of law on the Internet and in the wider digital world, December 2014, online at: https://wcd.coe.int/com.instranet.InstraServlet?command=com.instranet. CmdBlobGet&InstranetImage=2734552&SecMode=1&DocId=2262340&Usage=2 (accessed 28 May 2015) 37 United Nations, Resolution adopted by the General Assembly on 18 December 2014, 69/166. The right to privacy in the digital age, A/RES/69/166, 10 February 2015, online at: www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/69/166 (accessed 28 May 2015) 33 Privacy and Civil Liberties Oversight Board, Report on the telephone records programme conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court, Online at: www.documentcloud.org/ documents/1008937-final-report-1-23-14.html (accessed 28 May 2015) 39 Parliamentary Assembly, Resolution 2045 (2015) provisional version- mass surveillance, 21 April 2015, online at: http://assembly.coe.int/nw/xml/XRef/Xref-XML2HTML-en. 
asp?fileid=21692&lang=en (accessed 28 May 2015) 32 UNGA Resolution 68/167: The right to privacy in the digital age, 18 December 2013, online at: www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/167 (accessed 28 May 2015) 34 LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens, online at: www.europarl.europa.eu/committees/en/libe/subject-files.html?id=20130923CDT71796 (accessed 28 May 2015) 40 United Nations Human Rights Council, The right to privacy in the digital age, A/ HRC/28/L.27, 24 March 2015, online at: www.privacyinternational.org/sites/default/files/ SR%20resolution.pdf (accessed 28 May 2015) 41 United Nations Human Rights Council, The right to privacy in the digital age, A/ HRC/28/L.27, 24 March 2015, online at: www.privacyinternational.org/sites/default/files/ SR%20resolution.pdf (accessed 28 May 2015) 35 United Nations Human Rights Council, The right to privacy in the digital age – report of the Office of the United Nations High Commissioner for Human Rights, A/HRC/27/37, 30 June 2014, online at: www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/ Documents/A.HRC.27.37_en.pdf (accessed 28 May 2015) 36 United Nations, Promotion and protection of human rights and fundamental freedoms while countering terrorism – note by the Secretary-General, A/69/397, 23 September 8 TWO YEARS AFTER SNOWDEN JUNE 2015 In Canada, the British Columbia Council for Civil Liberties filed a lawsuit against Canada’s signals intelligence agencies – the Communications Security Establishment Canada – claiming that its secret and unchecked surveillance of Canadians is unconstitutional.50 The case is ongoing. 
Most recently, in May 2015, the US Court of Appeals for the Second Circuit ruled in favour of the American Civil Liberties Union, finding that the mass collection of US phone records was not authorised by section 215 of the Patriot Act.47 The Court noted that the “expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans,” and held that it was not authorised on the face of the legislation.48 The Court added that such a momentous interference with privacy would have to be “preceded by substantial debate, and expressed in unmistakable language.”49 In addition, in the UK, seven Internet and communications service providers from the UK, the USA, Germany, the Netherlands, South Korea and Zimbabwe, along with Privacy International, challenged the deployment by GCHQ of hacking capabilities and computer network exploitation techniques. In bringing the case, the claimants prompted the UK government to produce a Draft Code of Practice on “Equipment Interference”, in itself a victory given that the use of hacking by British intelligence services was never previously formally confirmed. The case will be heard by the Investigatory Powers Tribunal in 2015.46 Convention on Human Rights, has been adjourned pending the resolution of another case.45 JUDICIAL SCRUTINY OF MASS SURVEILLANCE PRACTICES WORLDWIDE Since June 2013, civil society organizations, companies and lawyers have launched a number of legal challenges against mass surveillance in all Five Eyes countries, as well as other countries believed to have extensive mass surveillance programmes. Notably, judgments in the UK and USA found some GCHQ and NSA practices to be unlawful. Several important cases are pending in domestic courts and the European Court of Human Rights. 
THE FIVE EYES In the UK in 2013, Privacy International, Amnesty International and eight other human rights organisations brought a legal challenge to UK communications surveillance practices. As a result, in February 2015, the Investigatory Powers Tribunal ruled that intelligence sharing between the USA and the UK was unlawful prior to its December 2014 and February 2015 judgments, because the rules governing the UK’s access to the NSA’s Prism and Upstream programmes were secret.43 During the legal proceedings the UK government was compelled to disclose information about the intelligence sharing relationship with the USA. While the Tribunal considered that following these disclosures the UK became compliant with Article 8 (right to privacy) of the European Convention, the claimant organisations disagree and have brought the case to the European Court of Human Rights (ECtHR). Two other cases challenging UK surveillance practices are currently pending at the ECtHR; claimants include Big Brother Watch, English PEN, the Open Rights Group and the Bureau of Investigative Journalism.44 In New Zealand, the Green Party filed a complaint with the Inspector-General of Intelligence and Security (IGIS) over allegations that the surveillance agency Government Communications Security Bureau (GCSB) had been spying on New Zealanders in the Pacific. The IGIS announced in March 2015 that it would commence an inquiry, not only into the specific allegations, but into all of GCSB procedures and compliance systems.51 For more information, see www.privacyinternational.org/?q=node/459 (accessed 28 May 2015) 52 (ASD) and its role in Five Eyes mass surveillance, but declined to proceed with an inquiry. CHALLENGES IN OTHER COUNTRIES A coalition of citizens and civil society organisations in the Netherlands challenged the intelligence sharing practices of the Dutch General Intelligence and Security Service and Dutch Military Intelligence and Security Services. 
In a case before the District Court of The Hague, the claimants argued that the receipt and use of foreign intelligence collected through US mass surveillance programmes should end.52 The Court rejected the claim; this year the Dutch government will overhaul surveillance legislation. In Germany, a legal challenge brought by lawyer Niko Härting against the Federal Intelligence Service (the Bundesnachrictendienst, or BND) argued that BND “strategic surveillance” of foreign email traffic was unconstitutional. The case was dismissed on procedural grounds – the Court found that Mr Härting lacked standing to bring the claim. 42 WHAT IS THE FIVE EYES ALLIANCE? The Five Eyes Alliance is a secretive, global surveillance arrangement of States comprised of the United States National Security Agency (NSA), the United Kingdom’s Government Communications Headquarters (GCHQ), Canada’s Communications Security Establishment Canada (CSEC), the Australian Signals Directorate (ASD), and New Zealand’s Government Communications Security Bureau (GCSB). The alliance began in 1946; its purpose is sharing intelligence, primarily signals intelligence (SIGINT). Under the alliance’s agreement, interception, collection, acquisition, analysis, and decryption is conducted by each of the State parties in their respective parts of the globe, and all intelligence information is shared by default. Their agreement is wide in scope and establishes jointly-run operations centres where operatives from multiple intelligence agencies of the Five Eyes States work alongside each other. For more information, see Privacy First, District court of The Hague wide off the mark in Citizens v. 
Plasterk case, online at: www.privacyfirst.eu/actions/litigation/item/616-district-court-of-thehague-wide-off-the-mark-in-citizens-v-plasterk-case.html (accessed 28 May 2015) 51 For more information, see Inspector-General of Intelligence and Security, Inquiry into the Government Communications Security Bureau’s process for determining its foreign intelligence activity, 14 May 2015, online at: www.igis.govt.nz/announcements/ (accessed 28 May 2015) 50 British Columbia Civil Liberties Association, CCLA Sues Canadian Government to Stop Illegal Spying, online at: https://bccla.org/stop-illegal-spying/protect-our-privacy-case-details/ (accessed 28 May 2015) 49 United States Court of Appeal for the Second Circuit, ACLU v. Clapper, Case 14-42, 7 May 2015, online at: http://pdfserver.amlaw.com/nlj/NSA_ca2_20150507.pdf (accessed 28 May 2015), pp. 74-75. 48 United States Court of Appeal for the Second Circuit, ACLU v. Clapper, Case 14-42, 7 May 2015, online at: http://pdfserver.amlaw.com/nlj/NSA_ca2_20150507.pdf (accessed 28 May 2015), pp. 74-75. The Australian IGIS was also asked to investigate the actions of the Australian Signals Directorate For more information, see www.privacyinternational.org/?q=node/51 (accessed 28 May 2015) Also at the European Court of Human Rights, in September 2014 Privacy International challenged the blanket exemption from freedom of information laws afforded to the British intelligence agency GCHQ. Privacy International was denied access to the Five Eyes Agreement, the document governing the secretive spying alliance. 
The application to the Court, which contends that a blanket exemption is a violation of the right to receive and impart information enshrined in Article 10 of the European 42 43 The judgment can be found at www.ipt-uk.com/docs/Liberty_Ors_Judgment_6Feb15.pdf and the order at www.ipt-uk.com/docs/Liberty-Order6Feb15.pdf (both accessed 28 May 2015) 45 For more information, see www.privacyinternational.org/?q=node/81 (accessed 28 May 2015) 44 See www.privacynotprism.org.uk/ and Bureau of Investigative Journalism, A summary of the Bureau’s application to the European Court of Human Rights, 14 September 2014, online at: www.thebureauinvestigates.com/2014/09/14/a-summary-of-the-bureaus-application-to-theeuropean-court-of-human-rights/ (both accessed 28 May 2015) 46 47 United States Court of Appeal for the Second Circuit, ACLU v. Clapper, Case 14-42, 7 May 2015, online at: http://pdfserver.amlaw.com/nlj/NSA_ca2_20150507.pdf (accessed 28 May 2015) JUNE 2015 TWO YEARS AFTER SNOWDEN 9 HEIHV SHVEIA 0M1 91023!an HEIHV SHVEM OMl?l fpnb? I - 12 TWO YEARS AFTER SNOWDEN JUNE 2015 WHO HAS BEEN SPIED ON? Governments almost always justify the need for mass surveillance on the basis of national security. However, Snowden has revealed that their capabilities and programmes end up being employed in contexts that go far beyond what is necessary to protect national security. As well as intercepting the communications of hundreds of millions of ordinary people, the NSA and GCHQ have put specific groups and individuals on their spying ‘watchlists’. 
Amongst those who have been targeted are:

MEDECINS DU MONDE (DOCTORS OF THE WORLD)53

The organization is a well-known and highly regarded international organization that provides medical care to “those affected by war, natural disasters, disease, hunger, poverty or exclusion.”54

“We were shocked by the allegations which amounted to a shameful waste of taxpayers’ money; money that would be better spent vaccinating Syrian children against polio, rebuilding the Philippines’ shattered health system or in any other place in the world where help was urgently needed at that time.”
Leigh Daynes, Executive Director of Doctors of the World UK55

Joaquín Almunia, Vice-President of the European Commission

It was revealed the NSA and GCHQ spied on Joaquín Almunia, vice-president of the European Commission with a mandate overseeing competition policy. His mandate focuses on “fighting against cartels, preventing dominant companies from abusing their market power in any sector or any country in Europe, and maintaining a rigorous scrutiny of proposed mergers.”56

“[The revelations] are unacceptable and deserve our strongest condemnation. This is not the type of behaviour that we expect from strategic partners, let alone from our own member states.”
Pia Ahrenkilde Hansen, European Commission Spokesperson57

THE UNITED NATIONS CHILDREN’S FUND (UNICEF)58

UNICEF is an agency of the United Nations that promotes the rights and well-being of children globally. The organization promotes girls’ education, works on children’s immunization and nutrition and to prevent the spread of HIV/AIDS among young people.59

AHMAD MUAFFAQ ZAIDAN, AL JAZEERA’S PAKISTAN BUREAU CHIEF60

The NSA placed Ahmad Muaffaq Zaidan, a respected investigative journalist and long-time Islamabad bureau chief for Al Jazeera, on a ‘terror watchlist’ based on metadata the agency collected.

“For us to be able to inform the world, we have to be able to freely contact relevant figures in the public discourse, speak with people on the ground, and gather critical information...To assert that myself, or any journalist, has any affiliation with any group on account of their contact book, phone call logs, or sources is an absurd distortion of the truth and a complete violation of the profession of journalism.”
Ahmad Muaffaq Zaidan, Al Jazeera

FAISAL GILL61

A member of the US Republican party who held a top-secret security clearance and who served in the Department of Homeland Security under President George W. Bush, he was one of several public Muslim figures in the USA who were revealed to be on a list of NSA and FBI surveillance targets.

“I don’t know why…I’ve done everything in my life to be patriotic. I served in the Navy, served in the government, was active in my community – I’ve done everything that a good citizen, in my opinion, should do.”
Faisal Gill

53 James Ball and Nick Hopkins, GCHQ and NSA targeted charities, Germans, Israeli PM and EU chief, The Guardian, 20 December 2013, online at: www.theguardian.com/uk-news/2013/dec/20/gchq-targeted-aid-agencies-german-government-eu-commissioner (accessed 28 May 2015)

54 Online at: http://doctorsoftheworld.org.uk/pages/what-we-do (accessed 28 May 2015)

55 Leigh Daynes, Doctors of the World: How we discovered GCHQ was spying on us, 20 April 2015, online at: www.opendemocracy.net/digitaliberties/leigh-daynes/doctors-ofworld-how-we-discovered-gchq-was-spying-on-our-operations (accessed 28 May 2015)

56 Joaquin Almunia, Mandate, online at: http://ec.europa.eu/archives/commission_2010-2014/almunia/about/mandate/index_en.htm

57 European Commission, Statement by Commission spokeswoman on the newspaper allegations of surveillance of Vice-President Almunia, 20 December 2013, online at: http://europa.eu/rapid/press-release_MEMO-13-1189_en.htm?locale=en (accessed 28 May 2015)

58 James Ball and Nick Hopkins, GCHQ and NSA targeted charities, Germans, Israeli PM and EU chief, 20 December 2013, online at: www.theguardian.com/uk-news/2013/dec/20/gchq-targeted-aid-agencies-german-government-eu-commissioner (accessed 28 May 2015)

59 See online at: www.unicef.org/about/who/index_introduction.html (accessed 28 May 2015)

60 Cora Currier, Glenn Greenwald, and Andrew Fishman, US government designated prominent Al Jazeera journalist as member of Al Qaeda, The Intercept, 8 May 2015, online at: https://firstlook.org/theintercept/2015/05/08/u-s-government-designated-prominental-jazeera-journalist-al-qaeda-member-put-watch-list/ (accessed 28 May 2015)

61 Glenn Greenwald and Murtaza Hussain, Meet the Muslim American Leader the FBI and NSA Have Been Spying On, The Intercept, 9 July 2014, online at: https://firstlook.org/theintercept/2014/07/09/under-surveillance/ (accessed 28 May 2015)

GOVERNMENTS SEEK GREATER SURVEILLANCE POWERS

Despite serious opposition, Five Eyes governments have taken limited or no steps to dismantle their mass surveillance programmes in the past two years. In the case of the UK, the government has sought to validate and extend existing unlawful practices. Elsewhere, governments have enacted new laws granting mass surveillance powers of their own. In some cases these new laws may even be an attempt to place on legal footing unlawful surveillance that governments were already conducting.

In July 2014, the UK government fast-tracked a new Data Retention and Investigatory Powers Act as ‘emergency legislation’ and rushed it through parliament in a single day. The Act was designed to revise UK data retention law in response to an April 2014 ruling by the European Court of Justice (ECJ) invalidating the 2009 Data Retention Directive. The law not only provides for ongoing blanket retention of communications data of UK residents, in direct contradiction with the ECJ ruling, it also extends the reach of UK interception powers by enabling the government to require companies based outside of the United Kingdom to comply with the UK’s warrants.62

In addition, the Draft Communications Data Bill, or so-called “Snoopers’ Charter”, is likely to make a comeback in the UK after the election of a majority Conservative Government in May 2015. The controversial bill, which was defeated narrowly in 2014 and has been widely opposed by privacy and human rights groups, would further expand UK intelligence powers and provide access to bulk communications data by other agencies within the UK, such as the police.

In the United States, in contrast, there have been limited steps to rein in mass surveillance. President Obama responded to the Snowden revelations by issuing a presidential policy directive that purported to significantly limit retention and dissemination of collected data.63 Moreover, Congress debated surveillance reform and, as of publication, the House of Representatives passed the USA Freedom Act, which attempts to end government bulk collection of US phone records.64 However, the law would also require companies to hold, search, and analyse certain data at the request of the government, arguably expanding the statutory basis for large-scale data collection rather than ending it. Congress has also sought to significantly expand the NSA’s access to personal information in the name of promoting cybersecurity. Furthermore, many other aspects of US surveillance remain under-regulated and unaccountable under the new law – including the mass surveillance of millions of people outside of the US. Additionally, the law does not sufficiently rein in the interception or collection of data other than phone records, nor does it ensure meaningful oversight by the Foreign Intelligence Surveillance Court.

The threat to privacy, and ultimately freedom of expression, has also increased as countries outside of the Five Eyes Alliance have sought to legalize stronger surveillance powers. This year has seen sweeping new surveillance powers proposed in legislation in Pakistan, France and Switzerland while in the Netherlands a new intelligence bill is expected in the near future.

In April 2015, Pakistan’s National Assembly approved a new cybercrime bill, drastically expanding the surveillance powers of the government. The Prevention of Electronic Crimes Bill – as it is called – now awaits a vote in the Senate. If approved, the new law would mandate that service providers retain data about citizens’ telephone and email communications for a minimum of one year.65 Additionally, the bill would allow for the Federal Government to unilaterally share intelligence gathered from investigations with foreign intelligence agencies including the NSA, without the need for judicial authorization. The bill contains broad and insufficiently defined powers to “seize” data (defined in the bill as making a copy of data), but does not specify the procedures to do this. By leaving this to the discretion of the Federal Government, the law fails to set out clear and accessible rules in line with international human rights standards.

In May 2015 in France, the lower chamber of the parliament enacted sweeping surveillance powers in a new intelligence law. The draft law, which the government says is a tool needed to prevent terrorism (without however defining this term in the legislation), allows the prime minister to authorise intrusive surveillance measures for several other broad and equally undefined goals such as “promot[ing] essential foreign policy interests”, and preventing “any form of foreign interference.” It is unclear what these vague terms encompass and the concern is that they could be used for reasons which often will have nothing to do with preventing wrongdoing.

Most controversially, the draft law ignores the need for intelligence agencies to seek and receive a warrant authorized by a judge. The law therefore fundamentally disregards the requirements of oversight and accountability of French intelligence agencies whilst simultaneously granting them broader and more intrusive powers. For example, for the purpose of preventing terrorism, the draft law requires internet and telecoms providers to place “black boxes” in their infrastructure to record metadata; it also allows security agents to hack into computers or mobile devices, track people’s locations and spy on emails, texts and other communications from a person they think may be in contact with someone involved in suspicious activity, even if unintentionally, or because they are in the same geographic area, for example, by using a device known as an IMSI Catcher, which is physically deployed to intercept and decrypt SMS messages and phone calls from all mobile phones within a radius of several hundred metres.

Probably one of the most worrying aspects of this draft legislation is what it does not say. In particular, a major loophole contained in the draft law could pave the way for indiscriminate mass surveillance of all forms of internet use. Indeed, the draft law empowers the Prime Minister to authorise the interception of communications “sent or received abroad.” Nothing is said about the surveillance techniques that could be used with regard to these communications; instead, these techniques will be contained in a secret decree, hence bypassing Parliament. Furthermore, the bill does not say in any meaningful way what conditions will be required for such surveillance to be conducted and what procedures will need to be followed by the authorities. These are particularly critical flaws of the proposed legislation given that vast amounts of online communications transfer through servers located abroad. Such silence in the bill paves the way for arbitrary and indiscriminate surveillance against both French and non-French nationals.

In Switzerland two draft laws are currently under review that would provide the Swiss authorities with invasive new surveillance powers. The draft Intelligence Law will give the intelligence service powers to intercept communications running through internet cable traffic passing through Switzerland. The second law would introduce a requirement for telecommunications providers to retain metadata on all communications for 12 months.

Other European countries seem set to follow suit. In the Netherlands, the government is proposing to update its law on Intelligence and Security Services to capitalize on the “explosive growth in international cable networks”, as recommended by the Dessens Commission in December 2013.66 In its formal response to the commission, the Dutch government proposed plans for the intelligence agents to have access to internet cable traffic passing through the Netherlands (much like the USA’s Upstream and UK’s TEMPORA programmes).67 This would pave the way for indiscriminate interception, collection and storage of telecommunications material that is not targeted at an individual or an identifiable and distinguishable group or location, and is not based on reasonable suspicion. The Dutch government is set to present its new draft ‘bulk interception’ within the next few months.

Political pressure is also growing in Finland to establish its own mass surveillance system. In January 2015 a working group of the defence ministry proposed that new legislation should be initiated which would authorize wide powers for communications surveillance, including cross-border internet cable tapping, to the security, police and defence forces.

62 Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN briefing on the fast-track Data Retention and Investigatory Powers Bill, online at: www.liberty-human-rights.org.uk/sites/default/files/Briefing%20on%20the%20Data%20Retention%20and%20Investigatory%20Powers%20Bill.pdf (accessed 28 May 2015)

63 Presidential Policy Directive 28, Signals Intelligence Activities, 17 January 2014, online at: www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signalsintelligence-activities (accessed 28 May 2015)

64 Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act of 2015), H.R.— 114th Congress (2015-2016)

65 Joint Statement from Article 19, Human Rights Watch, Privacy International, Digital Rights Foundation, and others on the Prevention of Electronic Crimes Bill 2015 Pakistan, online at: www.privacyinternational.org/sites/default/files/Prevention-of-Electronic-CrimesBill-International-Joint-Statement_2.pdf (accessed 28 May 2015)

66 Evaluatie Wet op de inlichtingen- en veiligheidsdiensten 2002. Naar een balans tussen bevoegdheden en waarborgen // Evaluation Intelligence and security services Act 2002. Towards a balance between powers and safeguards, 2 December 2013, from page 171 onwards (recommendation 8.5).

67 Government Position on revising the interception system Intelligence and Security Services Act 2002, document 33820-4, 21 November 2014, online at: https://zoek.officielebekendmakingen.nl/kst-33820-4.html (accessed 28 May 2015)

used by the NSA to gather data about foreign internet communications. By the end of June 2013, Microsoft and Google had filed a lawsuit in the USA asking to be able to reveal how many times both companies had been ordered to disclose data under FISA.76 In February 2014, the US government allowed Microsoft, Facebook, Google and Yahoo! to disclose information for the first time about the volume of data they had been legally obliged to provide to the NSA.77 The firms expressed that they could not disclose the precise numbers and types of requests they received.78

In December 2013, eight companies – Google, Microsoft, Facebook, Twitter, Yahoo!, AOL, LinkedIn, and Apple – launched the Reform Global Government Surveillance Coalition calling for “the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.”79 Expanding to 10 companies, with the addition of Dropbox and Evernote, the Coalition published an open letter addressed to the US Senate in November 2014 urging them to sign the USA Freedom Act into law.
The coalition has also called for reforms including: “preventing government access to data without proper legal process; assuring that providers are not required to locate infrastructure within a country’s border; promoting the free flow of data across borders; and avoiding conflicts among nations through robust, principled, and transparent frameworks that govern lawful requests for data across jurisdictions.”80

In March 2015, the Coalition joined with other technology companies, privacy advocates and human rights groups in an open letter addressed to, among others, President Obama, Director of National Intelligence, James Clapper, and the Director of the NSA, Admiral Michael Rogers, calling for “a clear, strong, and effective end to bulk collection practices under the USA PATRIOT Act”, the law which authorizes some of the bulk collection of metadata by the NSA.81

Other technology companies like Cisco, which makes core routing and switching equipment, have introduced more drastic measures to avoid NSA interception of their equipment. Instituting a new policy as a result of Snowden’s disclosures, Cisco is offering sensitive customers the option to ship equipment to fake addresses in an attempt to foil the NSA.82

In addition to advocating for legal reform in the US, some companies have worked to increase the default security and encryption provided to users on their platforms and services. Apple was the first company to roll out full-disk encryption on its mobile operating system when it launched iOS 8 in September 2014.83 This now means all data on iPhones with iOS 8 – photos, emails, contacts, call history – is encrypted by default and inaccessible without entering the correct password. The company also uses end-to-end encryption to protect its text and video call services, iMessage and FaceTime; according to Apple, it “wouldn’t be able to comply with a wiretap order even if we wanted to.”84

Google has followed suit by offering full-disk encryption for new devices loaded with its 5.0 Lollipop operating system, though few Android handset providers have yet adopted this. WhatsApp also made the headlines by switching to provide end-to-end encryption in its instant messaging app, adopting the encryption protocol of an open-source app called TextSecure, developed to protect users’ privacy. The steps by Apple, Google and WhatsApp to increase encryption since Snowden’s disclosures are a sign that consumer pressure is pushing the industry towards greater privacy and security standards.

These developments provide greater protection to the privacy rights of users; however, some governments have expressed concerns that stronger encryption will prevent law enforcement and intelligence agencies from accessing communications and have threatened to force companies to install backdoors so that government agencies can access the data. Law enforcement officials, including then US Attorney General Eric Holder and FBI Director James Comey, criticized Apple, claiming its new encryption standard will prevent them from accessing data on iPhones for law enforcement purposes.85 In January 2015, the British Prime Minister, David Cameron, said that if his party won the May 2015 election (which it did), the new government would introduce legislation to give the security services the power to read all messages sent over the internet.86 He said:

“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to listen in on mobile communications… The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.”
David Cameron, UK Prime Minister, January 2015

However, government attacks on encryption don’t stand up to scrutiny. For years, the FBI recommended that people use encryption on their phones as protection against crime.87 The overwhelming view among technology experts is that it is simply impossible to create backdoors only for “the good guys”. In response to FBI criticisms of Apple, Bruce Schneier, one of the most eminent authorities on cryptography and computer security in the world, wrote:

Reacting to David Cameron’s announcement, technology writer Cory Doctorow said: “If your WhatsApp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police… will eventually discover this vulnerability. They -- and not just the security services -- will be able to use it to intercept all of our communications. That includes things like the pictures of your kids in your bath that you send to your parents to the trade secrets you send to your co-workers.”89

Technology companies have a very important role to play in the protection of the right to privacy. By adopting stronger encryption standards, they can ensure that the internet communications of billions of internet users are protected from intrusive surveillance and criminal attacks. Companies that fail to do so are not simply failing the trust of their users, but potentially also their responsibility to respect the right to privacy of their users. There are further steps that companies can and should undertake to ensure that their customers are better informed about the risks to their human rights; for example, they should transparently and clearly communicate the legal requirements for handing over user data to governments in every jurisdiction they operate in.

“If they are really honest, they [the security services] know that withholding encryption will penalise good people, not put a barrier up for bad people.
There is no trade-off. It fundamentally doesn’t work. There has to be other solutions.” Tim Cook, Apple CEO, 27 February 2014 JUNE 2015 TWO YEARS AFTER SNOWDEN 17 89 Cory Doctorow, What David Cameron just proposed would endanger every Briton and destroy the IT industry, online at: http://boingboing.net/2015/01/13/what-david-cameronjust-propos.html (accessed 28 May 2015) 88 Bruce Schneier, iPhone Encryption and the Return of the Crypto Wars, 6 October 2014, online at: www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html (accessed 28 May 2015) 87 techdirt, FBI Quietly Removes Recommendation To Encrypt Your Phone... As FBI Director Warns How Encryption Will Lead To Tears, 26 March 2015, online at: www. techdirt.com/articles/20150325/17430330432/fbi-quietly-removes-recommendationto-encrypt-your-phone-as-fbi-director-warns-how-encryption-will-lead-to-tears.shtml (accessed 28 May 2015) 86 Christopher Hope, Spies should be able to monitor all online messaging, says David Cameron, The Telegraph, 12 January 2015, online at: www.telegraph.co.uk/technology/ internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-saysDavid-Cameron.html (accessed 28 May 2015) “You can’t build a backdoor that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. 
You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.” Bruce Schneier88 82 Darren Pauli, Cisco posts kit to empty houses to dodge NSA chop shops, The Register, 18 March 2015, online at: www.theregister.co.uk/2015/03/18/want_to_dodge_nsa_ supply_chain_taps_ask_cisco_for_a_dead_drop/?mt=1426694168077 (accessed 28 May 2015) 81 Online at: https://static.newamerica.org/attachments/2579-nsa-coalition-letter/NSA_ coalition_letter_032515_politico.pdf (accessed 28 May 2015) 77 Spencer Ackerman and Dominic Rushe, Microsoft, Facebook, Google and Yahoo release US surveillance requests, The Guardian, 3 February 2014, online at: www.theguardian. com/world/2014/feb/03/microsoft-facebook-google-yahoo-fisa-surveillance-requests (accessed 28 May 2015) and Spencer Ackerman, Tech giants reach White House deal on NSA surveillance of customer data, The Guardian, 27 January 2014, online at: www. theguardian.com/world/2014/jan/27/tech-giants-white-house-deal-surveillance-customerdata (accessed 28 May 2015) See www.apple.com/uk/privacy/privacy-built-in/ (accessed 28 May 2015) Julia Edwards, U.S. attorney general criticizes Apple, Google data encryption, Reuters, 30 September 2014, online at: www.reuters.com/article/2014/09/30/us-usasmartphones-holder-idUSKCN0HP22P20140930 (accessed 28 May 2015) 85 84 83 Cyrus Farivar, Apple expands data encryption under IOS 8, making handover to cops moot, ars technica, 18 September 2014, online at: http://arstechnica.com/apple/2014/09/ apple-expands-data-encryption-under-ios-8-making-handover-to-cops-moot/ (accessed 28 May 2015) Online at: www.reformgovernmentsurveillance.com/ (accessed 28 May 2015) Online at: http://reformgs.tumblr.com/post/102821955852/open-letter-to-the-us-senate (accessed 28 May 2015) 80 79 78 Spencer Ackerman and Dominic Rushe, Microsoft, Facebook, Google and Yahoo release US surveillance requests, The Guardian, 3 February 2014, online at: www.theguardian. 
com/world/2014/feb/03/microsoft-facebook-google-yahoo-fisa-surveillance-requests (accessed 28 May 2015) 76 Charles Arthur. Microsoft joins Google in demanding to disclose FISA requests, The Guardian, 28 June 2013, online at: www.theguardian.com/technology/2013/jun/28/ microsoft-google-fisa-united-states-government (accessed 28 May 2015) 75 Craig Timberg, Major tech companies unite to call for new limits on surveillance, The Washington Post, 9 December 2013, online at: www.washingtonpost.com/ business/technology/major-tech-companies-unite-to-call-for-new-limits-onsurveillance/2013/12/08/530f0fd4-6051-11e3-bf45-61f69f54fc5f_story.html (accessed 28 May 2015) recommendations for U.S. policymakers and industry leaders, 21 July 2014, online at: www.lawfareblog.com/wp-content/uploads/2014/07/Lawfare-Research-Paper-SeriesVol2No3.pdf (accessed 28 May 2015), p.6 In the weeks following the disclosures, some companies put pressure on the US government to increase transparency around requests made under the Foreign Intelligence Surveillance Act (FISA), the mechanism Marissa Mayer, CEO, Yahoo! 75 “Revelations about government surveillance activities have shaken the trust of our users, and it is time for the United States government to act to restore the confidence of citizens around the world”. Looking to restore trust in their platforms and services, major US technology firms have publicly spoken out against US mass surveillance programmes in the past two years. A number of major companies have called on the US government to reform the laws underpinning bulk data collection and retention and disclose greater information about their mass surveillance practices. the NSA with 81 per cent stating that they “want to know exactly where their data is being hosted.”72 A number of governments called for internet companies to keep their data on local servers rather than in the USA and encouraged the use of services that do not send data to the USA. 
For example, the German Interior Minister Hans-Peter Friedrich declared that, “whoever fears their communication is being intercepted in any way should use services that don’t go through American servers.”73 France’s Minister for the Digital Economy similarly insisted that it was now necessary to “locate data centers and servers in [French] national territory in order to better ensure data security.”74 US TECHNOLOGY COMPANIES PUSH BACK AGAINST MASS SURVEILLANCE “People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.” Brad Smith, General Counsel and Executive Vice President, Legal and Corporate Affairs, Microsoft Microsoft, Apple, Google, Facebook and Yahoo! were among a list of nine US technology companies to be implicated in the first wave of Snowden’s disclosures.68 The revelation that the NSA accessed their users’ data, based on secret court orders through the Prism programme, sent shockwaves through the industry. In addition to cooperating with NSA data requests, further disclosures revealed the existence of secret programmes that provided the NSA with wholesale access to some companies’ customer data. The Snowden revelations showed that the NSA was secretly intercepting data held by Google and Yahoo! as it passed between the companies’ data centres – access that both companies claim they did not know about.69 Further leaked documents suggested that the NSA had access to Microsoft encrypted emails and Skype video calls70 and that the NSA had worked on programmes to be able to remotely access data on iPhone, Android and Blackberry smartphones.71 US companies faced a consumer backlash as news of the leaks eroded trust and threatened revenues – especially with customers outside of the USA. 
In a survey of 300 British and Canadian businesses released by PEER 1 in January 2014, 25 per cent of respondents indicated that they were moving data outside of the USA as a result of the revelations about 68 Barton Gellman and Laura Poitras, U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program, The Washington Post, 7 June 2013, online at: www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-usinternet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845d970ccb04497_story.html (accessed 28 May 2015) 69 Dominic Rushe, Spencer Ackerman and James Ball, Reports that NSA taps into Google and Yahoo data hubs infuriate tech giants, The Guardian, 31 October 2013, online at: www.theguardian.com/technology/2013/oct/30/google-reports-nsa-secretly-interceptsdata-links (accessed 28 May 2015) 70 Glenn Greenwald, Ewen MacAskill, Laura Poitras, Spencer Ackerman and Dominic Rushe, Microsoft handed the NSA access to encrypted messages, The Guardian, 12 July 2013, online at: www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaborationuser-data, (accessed 28 May 2015) 71 Marcel Rosenbach, Laura Poitras and Holger Stark, iSpy: How the NSA accesses smartphone data, Der Spiegal, 9 September 2013, online at: www. spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-theblackberry-a-921161.html (accessed 28 May 2015) 72 Danielle Kehl, Kevin Bankston, Robyn Greene and Robert Morgus, Surveillance Costs: the NSA’s Impact on the Economy, Internet Freedom & Cybersecurity, Open Technology Institute, July 2014, online at: www.newamerica.org/downloads/Surveilance_Costs_Final. pdf (accessed 28 May 2015), p.8. Jonah Force Hill, The growth of data localization post-Snowden: Analysis and 73 Jonah Force Hill, The growth of data localization post-Snowden: Analysis and recommendations for U.S. 
policymakers and industry leaders, 21 July 2014, online at: www.lawfareblog.com/wp-content/uploads/2014/07/Lawfare-Research-Paper-SeriesVol2No3.pdf (accessed 28 May 2015), p.6 74 16 TWO YEARS AFTER SNOWDEN JUNE 2015 THE WAY FORWARD Two years on from Edward Snowden’s revelations, the vast mass surveillance apparatus operated by the US and UK intelligence agencies remains intact, and there are no indications on the horizon that they intend to halt the deployment – and indeed the expansion – of their capabilities. Despite the information that has been revealed to the public, UK and US mass surveillance programmes remain shrouded in secrecy. Nothing illustrates this better than the UK government’s policy of “neither confirm nor deny” (NCND). The NCND policy has left those who brought legal challenges against UK mass surveillance programmes with no choice but to make legal arguments about hypothetical scenarios – this has meant that actual programmes such as TEMPORA, the existence of which is clear based on the documents disclosed by Edward Snowden, are shielded from any kind of meaningful scrutiny. Despite widespread condemnation of US and UK mass surveillance practices as violations of human rights, and courts ruling in both countries that some of these practices were illegal, it appears that no one has been held to account for authorising these intrusive programmes. The message that the USA and UK – as well as their close partners Australia, Canada and New Zealand – are sending is clear: they will not give up their mass surveillance programmes easily. In addition, in the two years since Snowden’s revelations, we have witnessed a growing number of countries, such as Egypt,90 France91 and Pakistan92 seeking to increase their communications surveillance capabilities. 
The following 7-point plan is a call to action for civil society, technologists, experts, companies and governments who want to preserve the ideals the internet was built on: freedom, openness and accessibility. We believe that these steps are essential to guarantee the protection of human rights in our digital age. all the time. Technological advances will mean that surveillance technology becomes cheaper and more powerful; many of the capabilities available only to the NSA and GCHQ today will be commonplace for most countries in a matter of years. Protecting privacy and, ultimately, freedom of expression in this digital age requires action on several fronts: the widespread and unrestricted use of strong encryption and anonymity tools; domestic legal and policy reform; respect for international standards; and the protection of whistleblowers uncovering public interest information such as evidence of human rights violations. The threats to privacy online are increasing and with them the risks to freedom of expression. However, there has been a growing fight back with journalists exposing surveillance programmes, civil society challenging mass surveillance and companies that have strengthened privacy protections in their products. Most importantly, since the Snowden revelations, hundreds of millions of individual internet users have taken steps to protect their privacy online.93 1. 
National laws should be reformed to ensure that they comply with international human rights law and standards, including by not 93 Bill Schneier, Over 700 Million People Taking Steps to Avoid NSA Surveillance, 15 December 2014, online at: www.schneier.com/crypto-gram/archives/2014/1215.html#7 (accessed 28 May 2015) 92 See Privacy International, International human rights organisations seriously concerned about the prevention of electronic crimes bill 2015 Pakistan, 20 April 2015, online at: www.privacyinternational.org/?q=node/566 (accessed 28 May 2015) 2015, online at: www.amnesty.fr/Nos-campagnes/Liberte-expression/Actualites/Franceles-deputes-approuvent-la-surveillance-de-masse-15061 (both accessed 28 May 2015) LEGAL AND POLICY REFORM: This growing activism is what stands against the threat of pervasive surveillance where governments spy on everything and everyone, 90 See Amnesty International, Egypt’s plan for mass surveillance of social media an attack on internet privacy and freedom of expression, 4 June 2014, online at www.amnesty. org/en/articles/news/2014/06/egypt-s-attack-internet-privacy-tightens-noose-freedomexpression/ and ‘You are being watched!’ Egypt’s mass Internet surveillance, Mada Masr, 29 September 2014, online at www.amnesty.org/en/articles/news/2014/06/egypt-sattack-internet-privacy-tightens-noose-freedom-expression/ (both accessed 28 May 2015) 91 See Amnesty International, France: Halt rush towards surveillance state, 4 May 2015, online at: www.amnesty.org/en/articles/news/2015/05/france-surveillance-state/ and Amnesty International, France: les députés approuvent la surveillance de masse, 5 May 18 TWO YEARS AFTER SNOWDEN JUNE 2015 © JASON REED/Reuters/Corbis allowing for indiscriminate mass surveillance. Key principles that must be upheld include: a. 
Ensuring that surveillance of communications only happens when it is targeted, based on sufficient evidence of wrongdoing, and authorised by a strictly independent authority, such as a judge; b. Ensuring there is transparent and independent parliamentary and judicial oversight of surveillance powers; c. Making rules and policies about surveillance publicly available, including how governments are sharing information with other states; d. Ensuring equal privacy protections apply for nationals and non-nationals, those within the territory of the state, and those outside it. e. Intelligence sharing should be strictly regulated and conducted in a manner compliant with states’ human rights obligations; 2. Governments should not make encryption and anonimization technologies, or their use, illegal; 3. Whistleblowers, including those working on national security issues, should be afforded strong legal protection from any form of retaliation, including by way of prosecution, for having disclosed public interest information such as on human rights violations.94 CORPORATE DUE DILIGENCE In line with companies’ responsibility to respect human rights: 97 telecommunications companies and internet companies should clearly inform users about legal requirements that they have to comply with, particularly in relation to handing over user information or content. INTERNATIONAL STANDARDS 7. 
Further explore and develop means and measures needed to ensure better implementation of the international human rights standards applicable to communications surveillance, building on efforts towards identifying relevant elements that have started in the past two years, including reports by the UN Special Rapporteur on Freedom of Expression,95 the UN High Commissioner of Human Rights the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,96 as well as civil society initiatives such as the Necessary and Proportionate Principles.97 International Principles on the Application of Human Rights to Communications Surveillance, May 2014, online at: https://en.necessaryandproportionate.org/ (accessed 28 May 2015) 96 General Assembly, Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, A/69/397, 23 September 2014, online at: http://daccess-dds-ny.un.org/doc/UNDOC/GEN/N14/545/19/ PDF/N1454519.pdf?OpenElement (accessed 28 May 2015) RegularSession/Session23/A.HRC.23.40_EN.pdf (accessed 28 May 2015) 4. Companies that own and/or operate telecommunications or internet infrastructure, including undersea telecommunications cables, and internet companies, must ensure that access to data is permitted only when it conforms to international law and standards on human rights, including by taking legal action to challenge government requests that seek bulk/wholesale access to communications traffic; 5. Major internet and telecommunications companies should lead the way in using strong encryption and other privacy technologies, including through implementing end-to-end encryption by default, where possible; 6. 
Internet service providers, 94 See The Global Principles on National Security and the Right to Information (The Tshwane Principles), online at: www.opensocietyfoundations.org/publications/globalprinciples-national-security-and-freedom-information-tshwane-principles see also Parliamentary Assembly of the Council of Europe, National security and access to information, Resolution 1954 (2013), online at: http://assembly.coe.int/nw/xml/XRef/X2HXref-ViewPDF.asp?FileID=20190&lang=en (both accessed 28 May 2015) which welcomed the adoption of the Tschwane Principles. 95 United Nations Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, A/HRC/23/40, 17 April 2013 online at: www.ohchr.org/Documents/HRBodies/HRCouncil/ JUNE 2015 TWO YEARS AFTER SNOWDEN 19 © HOANG DINH NAM/AFP/Getty Images Privacy International investigates the secret world of government surveillance and exposes the companies enabling it. We litigate to ensure that surveillance is consistent with the rule of law. We advocate for strong national, regional, and international laws that protect privacy. We conduct research to catalyse policy change. We raise awareness about technologies and laws that place privacy at risk, to ensure that the public is informed and engaged. PRIVACYINTERNATIONAL.ORG 62 Britton Street, London, United Kingdom, EC1M 5UY GB Amnesty International is a global movement of more than 7 million people who campaign for a world where human rights are enjoyed by all. Our vision is for every person to enjoy all the rights enshrined in the Universal Declaration of Human Rights and other international human rights standards. We are independent of any government, political ideology, economic interest or religion and are funded mainly by our membership and public donations. 
AMNESTY.ORG Amnesty International, International Secretariat, Peter Benenson House, 1 Easton Street, London WC1X 0DW, United Kingdom Index: ACT 30/1795/2015, English, June 2015