GCHQ Surveillance: The Power of Britain's Data Vacuum
Britain's intelligence service stores millions of bits of online data in Internet buffers. In SPIEGEL, Edward Snowden explains GCHQ's "full take" approach. All data that travels through the UK is captured.
In an interview published in the latest edition of SPIEGEL, National Security Agency whistleblower Edward Snowden reports on how America's NSA intelligence service works together with Germany's federal intelligence agency, the BND, more intensively than previously known.
He also provides an in-depth account of the surveillance operations of the NSA and its British counterpart, the Government Communications Headquarters (GCHQ). Britain's Tempora system is the signal intelligence community's first "full-take Internet buffer," Snowden said in an interview.
The scope of this "full take" system is vast. According to the whistleblower and Britain's Guardian newspaper, Tempora stores communications data for up to 30 days and saves the content of those messages for up to three days, in a so-called Internet buffer. "It snarfs everything, in a rolling buffer to allow retroactive investigation without missing a single bit," Snowden said. If you send a single data packet, he further explains, "and it routes through the UK, we get it."
Asked if it is possible to get around this total surveillance of all Internet communication, he said: "As a general rule, so long as you have any choice at all, you should never route through or peer with the UK under any circumstances."
But is that a realistic scenario? Can one really escape the British data vaccuum cleaner by channelling one's own Internet data parcels through lines that are out of reach of British security authorities?
"There is no way that you as an ordinary Internet user can say: I want my data to be routed this or that way," said Philipp Blank of German telecommunications company Deutsche Telekom. Klaus Landedfeld, a board member in charge of infrastructure and networks at the German Internet industry association Eco, agreed. "You've got no influence over that as the end-user." Theoretically, one could try to influence the data flow by changing one's telecommunications provider -- "not every undersea cable runs via Great Britain." But the providers constantly change the cables they send their customers' data through, he added.
In addition, many of the most important services for private Internet users are based in the United States. "You can't get around the American companies," said Landefeld. Anyone using Facebook, Google, Microsoft services, Skype, AOL services or Yahoo could be an open book for the NSA thanks to its Prism spying program, should the organization be interested in taking a look.
Companies Can 'Make Certain Choices'
For commercial clients, Landefeld considers it possible that they can find targeted pathways for their data. Such companies generally have tech experts and they can directly negotiate with service providers on bandwidth issues and access. "If you have enough knowhow and ability, you can make certain choices," he says.
Practically, however, it is likely to be virtually impossible that data sets can be sent somewhere through a cable to which NSA and GCHQ has no access. Most trans-Atlantic cables with significant capacity run through the British isles. In addition, most providers simultaneously use several different cables to protect themselves should one of the channels fail. Redundancy is the best protection against significant service disruption.
"Deutsche Telekom sends data via six different channels to North America," says Telekom spokesperson Blank. Multiple channels can even be involved in merely calling up a single website from a single computer. "Essentially, routers and switches make specific decisions for each connection," says Landefeld. When five images can be seen on a single site, it represents five different connections.
None of that changes the fact that the service provider has control abilities and can determine which paths certain data takes to reach its endpoint. But content and geography are not considered in making those determinations. "We manage traffic flows, but only based on what the fastest route is at that moment," says Blank. Theoretically, he says, "data packets could be marked and sent by routers via specific channels." But that is currently not the standard practice, he adds. Telekom is considering the possibility of so-called Managed Services for its video service T-Entertain, for example. At the moment, however, this method is not being used, according to Blank.
Could the state order telecommunications providers to not use connections that are currently considered to be insecure? No, says Landefeld. "The state cannot tell me as a provider which undersea cable I should use." German law, he says, does not allow such a thing.
© SPIEGEL ONLINE 2013
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH