Remember the story from last year about the NSA using dirty tricks, like spying on the porn habits of non-terrorists and then trying to leak them to discredit those (again, non-terrorist) individuals? Apparently, the UK’s version of the NSA is way ahead of the NSA on that. A new report by Glenn Greenwald and others at NBC, based on Snowden documents, shows that the GCHQ has an entire program dedicated to these kinds of attacks. Now, there is some reasonable argument to be made that this is part of basic espionage protocol, but generally speaking that’s supposed to be the mandate of the actual spy agencies (in the US, that would be the CIA, in the UK MI5 or MI6). When it moves over into organizations like the NSA and GCHQ, which are supposed to be more about merely collecting and analyzing “signals intelligence” rather than “offensive” attacks, it becomes increasingly questionable. And yet, the GCHQ seems positively giddy about its ability to go online and mess with people and companies. For example, a presentation shows that they will mess with people’s social networking accounts, and leak info to friends, colleagues and neighbors:
As GCHQ says in the presentation, this is all part of the strategy to “destroy, deny, degrade and disrupt” those they wish to target. And some of it involves directly spying on journalists, something that the various intelligence agencies keep claiming they don’t do. Yet, in part of the presentation they explain how they can use a journalist to get to a target:
The 2010 presentation also describes another potential operation that would utilize a technique called “credential harvesting” to select journalists who could be used to spread information. According to intelligence sources, spies considered using electronic snooping to identify non-British journalists who would then be manipulated to feed information to the target of a covert campaign. Apparently, the journalist’s job would provide access to the targeted individual, perhaps for an interview. The documents do not specify whether the journalists would be aware or unaware that they were being used to funnel information.
While some might argue that using journalists is an effective way to go after targets, it automatically puts any investigative journalist in serious danger. Daniel Pearl, the Wall Street Journal reporter who was famously killed in Pakistan years ago, was accused by his captors of being a spy. GCHQ’s actions make such claims much more credible and put many journalists’ lives in danger. While the report suggests this plan was never actually put into action, just the fact that they’re considering it is immensely troubling.
The report also details using digital equivalents of traditional “honey traps,” trying to lure people to certain places with the promise of meeting beautiful women. It also talks about a program called “Royal Concierge,” which involved pushing specific people to stay in specific hotels in the UK where GCHQ could better spy on them. They’ve even explored the possibility of canceling the reservations of people who pick hotels where GCHQ doesn’t have as much ability to monitor.
Some of what’s described is basic spycraft, but it’s the kind of thing that isn’t supposed to be under the GCHQ’s mandate, and that reasonably has some people concerned.
Eric King, a lawyer who teaches IT law at the London School of Economics and is head of research at Privacy International, a British civil liberties advocacy group, said it was “remarkable” that the British government thought it had the right to hack computers, since none of the U.K.’s intelligence agencies has a “clear lawful authority” to launch their own attacks.
“GCHQ has no clear authority to send a virus or conduct cyber attacks,” said King. “Hacking is one of the most invasive methods of surveillance.” King said British cyber spies had gone on offense with “no legal safeguards” and without any public debate, even though the British government has criticized other nations, like Russia, for allegedly engaging in cyber warfare.
Of course, as we’ve been seeing over and over again over the past year, these agencies don’t seem to much care about whether or not they really have a mandate to do this stuff.