The British government is setting a new standard for its Web spying.
According to new documents released today, that government is saying it has the right to eavesdrop without restriction on communications between people in Britain, if they use services based outside the UK — social networks such as Facebook or Twitter, or search engines like Google, which are headquartered in the U.S.
“Just how it’s routed shouldn’t dilute protections” for American or British occupants, Gregory Nojeim, senior counsel at the Center for Democracy and Technology, told VentureBeat.
British policy specifically excludes email between two people in Britain from being treated as “external communications,” even if their communication is routed through a non-British server. But it is now defining the use of Web services, such as Web searching, searching for a video on YouTube, or posting a tweet on Twitter, as external:
“Google’s data centres, containing its servers, are located around the world; but its largest centres are in the United States, and its largest European centres are outside the British Islands. So a Google search by an individual in the UK may well involve a communication from the searcher’s computer to a Google web server, which is received outside the British Islands; and a communication from Google to the searcher’s computer, which is sent outside the British Islands.”
Similarly, the British government says, posting a tweet will communicate with the Twitter infrastructure, which “is largely based in the United States.”
By this rationale, the British spy agencies are expanding the scope of “external communications,” which they can intercept at any time without reason. “Internal communications,” however, can only be intercepted after a government warrant has been issued.
‘Baseline of Protections’
The British document is part of a report released today by Privacy International and other civil liberties organizations, including Amnesty International, the American Civil Liberties Union and similar organizations in Canada, Egypt, Hungary, and Ireland.
The document, attributed to the British Office for Security and Counter Terrorism, was obtained by the organizations as a result of a lawsuit against the British government. The lawsuit is seeking an end to various British government surveillance efforts, as disclosed in documents made public by former U.S. National Security Agency contractor Edward Snowden.
But the meaning of “internal” and “external” communications in the age of the cloud quickly becomes cloudy. Services headquartered in one country may have an operational infrastructure in another. Google and Facebook, for example, have UK-based operations. How much is routed back to the U.S.? Additionally, a computer-savvy terrorist could disguise the routing of his communications.
Nojeim noted that the U.S. has not definitively said “it would abide by domestic rules for interception” if communications within the U.S. touched a server outside the country during their journey. He did point out that data backed up by Google to servers outside the U.S. is treated by the U.S. government “under lax surveillance rules of people abroad,” even though the data might pertain to communications entirely within the United States.
But there does appear to be one distinction between U.S. and British approaches. Nojeim said that the U.S. draws a distinction “between people inside and outside the U.S.,” particularly the geographical location of the target as determined by assumptions, personal history, IP addresses, and other data. The UK, however, appears to be focusing on whether the communications remain inside or go outside.
Is the U.S. target-based geographical approach better?
“My view,” Nojeim told us, “is that there should be a baseline of protections applied to all people, no matter where they’re located.” Some countries, he added, may then want to “provide additional protections to people [physically] inside their borders.”