How innocent people 'of no security interest' are mere keystrokes away in UK's spy databases Classified mass-surveillance manuals for UK spies have been published today amid a legal battle against the British government. The newly obtained documents set out Blighty's secret do's and don'ts for monitoring populations. The files acknowledge that chapter and verse on the lives of people "of no security interest" lie …
It will become a lot easier for us, if Google Chrome simply loads the linked page:
"PI has today dumped hundreds of pages of these discovery documents online" https://privacyinternational.org/node/843
This site can’t provide a secure connection
privacyinternational.org uses an unsupported protocol.
I loaded Firefox, and there was no problem loading the page.
Is this just coincidence?
The site uses a SHA-1 certificate, which is strongly deprecated. Google takes a much harder line on this, and Chrome will automatically throw up warnings while Firefox doesn't.
So *in this case*, Google is trying hard to protect you and you're interpreting it as sinister.
"looking up their families, colleagues and even themselves"
If I was a dodgy spy I'd probably be very interested in what they have on the database about me or my family, afterall the data they hold could tell me if I'm in danger of having my collar felt so it is a bit dodgy really.
I was wondering why this is a problem.
The most obvious answer is that the database contains so many errors that employees cannot rely on it to fill out their travel expense forms. If this became public knowledge, people might question whether this enormous database was worth all the tax payers' money needed to funnel garbage into it. I can see how this would be considered utterly intolerable, and that staff should be thoroughly discouraged from looking themselves up.
Am I to take it this is spy speak for "We'll waggle our finger at you and say Naughty, Naughty while awarding ourselves a huge bonus."?
The first half yes. The second half I very much doubt. Workaday civil servants generally don't get bonuses of any worth whatsoever, and the people we're talking about are indeed workaday civil servants. I don't know if they still have red passports for the James Bond element of SIS, but those won't be the people trawling through your and my dirty linen, looking up the details on the nice bird in payroll, or seeing what became of their school mates.
Gathering masses of data is like mining ore. Getting useful information from data is like smelting ore to obtain a precious metal. A by-product of smelting ore is slag. I am slag. Generally smelters don't pay much attention to slag, but they don't have much respect for it either. Slag can be used with cement as a component of concrete.
>Colliery spoil is not slag
Here is the UK it is used for any industrial waste by-product - in US it's just smelting by-products IIRC.
The UK well-to-do have come to prefer the more sanitary 'spoil heap' but most people round here (and most over 50s men are former miners) still use slag for poor quality coal and slag heaps for the hills that surround us. Council prefers 'former slag heaps' as they've been covered with a thin layer of top-soil to encourage folk to buy the new housing built beneath them and above the workings.
"Slag can be used with cement as a component of concrete."
In the concrete industry, the stuff is generally known as ground granulated blast furnace slag - GGBFS or GGFS - sometimes abbreviated to blast furnace slag - BFS. This distinguishes it from other types of industrial waste products which may also be termed as "slag".
So;
Hundreds of thousands will today be one foot step away from falling onto a train line.
Millions will be just a stumble away from falling into the path of a bus, car, truck or whatever.
(Some will even be hit by a car, bus, truck motorcycle on or off the road.)
Some will be just a key stroke away from paying the wrong person most of their money.
Thousands will be just a key stroke or two away from downloading a nasty to their or their company computer.
Some, an unlucky few will be just a key stroke or two away from destroying their company
Millions will be just an instant away from getting a fraud call from a PPI, investment scam or whatever pusher.
Countless thousands will be just a random chance away from harm at the hands of a criminal of some form or another.
That is why we have rules and laws to try to protect them.
Wow rules and laws even apply to sensitive activities like doctors, pharmacists, HGV drivers, etc. and as the article confirms, even to data miners working for various agencies. Sadly some may break the rules, that is what supervision, management, the police and other agencies are supposed to be there to control, (in spite of what some now refer to the Criminal Protection Service) and certain other actors distorting the intent of what are becoming the human wrongs acts.
I think the point is that it's JUST a few keystrokes, and nothing but those keystrokes.
No special permission needed. Just an overall grant to access any data they feel like accessing given to a lot of people. And now with some tightened rules that aren't enforced, but perhaps results in a slap on the fingers if a "breach" has been discovered.
Pretty shitty and lazy if you ask me.
"Sadly some may break the rules, that is what supervision, management, the police and other agencies are supposed to be there to control"
True. And those who break the rules, at least those rules which are part of legislation, can be prosecuted. But are those who break this set of rules prosecuted? If not why not? People have been asking "Quis custodiet ipsos custodes?" for a very long time and with very good reason.
You misunderstood, didn't you?
This is "Yes, we have installed CCTV in the bedrooms of every citizen in the UK without them knowing and yes, the video feed from the CCTV camera in YOUR bedroom is available on the monitors in GCHQ, but only if you tune the monitor to the right channel and we ask our agents to not do that."
@Richard Jones 1
You're not thinking deeply enough about this issue. What happens when a less benign government rises to power? Imagine how the Nazis would have rubbed their hands with glee given access to this kind of information. It would have made rounding-up "undesirables" so much more efficient. It's not good enough to blithely sit-back and pretend it doesn't matter. It does.
First off, the actual article is great.
But I agree that the headline draws attention to the wrong bit. Of course we're all "mere keystrokes away". That's like saying that anything you could conceivably want a computer to do is a Simple Matter of Programming.
The story here is not that it's possible for the spooks to look up anyone, we knew that was the case and it has to work that way. The shocker is that they are routinely abusing that power, their bosses know that they're doing it, and they're not too bothered about it. The tone of these guidelines is not what I would hope "We have an exceptional level of trust placed in us, those who abuse that trust should expect to be dismissed", it's more like "C'mmon guys, stop being so lazy. At some point we'll get audited on this so we'll have to pretend to be upset with your use of the system."
@"That is why we have rules and laws to try to protect them."
And when you don't? When Parliament rejects Snoopers Charter and they grab the data anyway? When all that's left is a code of conduct administered in secret by the same people who broke the laws?
If self regulation works, then why do we have police? And courts? And prisons? The law itself would be enough, "It's the law so people will obey because its the law".
GCHQ will never abuse this data because their own rules say not to abuse the data.
But then why do we need GCHQ? We have anti-terror laws, the terrorists will obey the anti-terror laws because they're laws! Do we even need to make anti-terror laws? Why not just make anti-terror codes of conduct? We can let ISIS write their own code of conduct and administer it themselves, and I'm sure they'll report their own code of conduct is working well, and totally being obeyed... just like the GCHQ report!
Either that, or we can realize Snoopers Charter was rejected, their [Mass Surveillance / big database of everyone's data / search that database free from any warrant restrictions] HAS NO LEGAL BASIS, is completely incompatible with the legal process of warrant, judicial checks and balances and the democracy.
I was going to have a rant about the quality of their staff, but then I realised that they would see the ability to be comfortable poking around in other people's doings as an essential trait.
But I wonder if their staff's tendency to search for trivial reasons is perhaps diluting the capability of the system to provide extra insights?
Someone may come up in an investigation and turn out to 'not be of interest'. But if the system tracked such things and found that the same someone was appearing in multiple disparate investigations, then it could flag them up for special consideration. If staff are trawling for personal reasons, then such useful insights might not be possible.
That's assuming the db is reasonably sophisticated and not just a giant spreadsheet, of course.
Now, I am *very* protective of my own and others' privacy and I have the court cases to prove it.
With that said, it does seem reasonable that intelligence (as opposed to law enforcement) will have access to bulk databases. It is also inevitable that people of no interest are going to show up here and there when looking things up.
From this very article, they are aware of that, and they are aware that what those people do is none of their business. That is a good thing.
So how do they deal with it? They trust their employees to be grown-ups and tell them: you do have access to all of this, please act responsibly and do not misuse it?
I don't know, but that's exactly how I like to be treated myself, and that's how I treat those who work for me.
If someone doesn't want to abide by this simple rule, then they will no longer be working for me. However, I refuse to treat people like children and put their own tools under lock.
So in principle, I cannot categorically say I would not be agreeable to a gentlemen's pact, where they can have my data "a few keystrokes away", as long as it is used responsibly. I guess it all comes down to the quality (and quantity) of people having access to that data.
Might as well add: we're talking about data which has been collected incidentally, such as social security records, and stuff like that, most certainly not data expressly created for this purpose--such as forcing telecomms to collect and retain data that would normally not be of use to them, forcing them to systematically hand over PNRs, etc.
A balance needs to be reached. I do not think this article would have appeared if it was felt that currently that balance exists.
@anonymous_coward
Quote: "They trust their employees to be grown-ups and tell them....."
Sorry, but this misses the point completely, and it misses it in two separate ways:
1. The Government has absolutely no right to collect the data in the first place when it involves "people of no security interest". What about "innocent until proved guilty"? What about warrants for collection, where "the Government" shows "reasonable cause" to an independent judge?
2. What about the trust of ordinary citizens in this STASI-like system? Why should WE THE PEOPLE trust politicians and managers to "trust their employees"?.....(see item 1).
Your comments try to sound reasonable and argued....and fail completely because the whole basis of your argument is, to put it mildly, faulty.
> 1. [...]
I get the impression that your are confusing police and judicial work with that of the intelligence services. The intelligence services, by their very nature, hardly ever get involved in judicial cases, discretion being their most important trait.
In other words, intelligence may very well know about your illegal activities, but unless those are of a level to threaten the State, they will keep that to themselves. For purely practical reasons if nothing else.
> 2. What about the trust of ordinary citizens in this STASI-like system?
I am more than tempted to qualify the legislative evolution of the country, and Western Europe in general, in the last couple decades, as very STASI-like indeed.
The work of the intelligence services, on the other hand? I just do not know enough what they do and how they do it to be able to formulate an opinion. There might be widespread abuse, there might not. I just do not know.
> Why should WE THE PEOPLE trust politicians and managers to "trust their employees"?.....(see item 1).
Are you not conflating issues here? The politicians, and our relationship with them, are an entirely separate matter than what was being discussed.
> Your comments try to sound reasonable and argued....and fail completely because the whole basis of your argument is, to put it mildly, faulty.
In what way? The status quo is, they have a lot of information at their disposal (a lot of it thanks to laws enacted by those politicians that you have previously mentioned and that a majority of us--the population--has voted into power for better or worse). You could argue whether they should or should not have access to whatever they have access to, but in the meanwhile, should they exercise restrain and act responsibly, or what are the alternatives?
I have to add: in my position I have access to very sensitive and personal data. Yet I have never accessed anything I had no business accessing, I have never divulged any information for which I did have a mandate to access, and I have never felt even tempted to do any of that. I work with people who abide by these same principles. Not because we are afraid of repercussions (there wouldn't be any--the bucket stops here), but because we value our professional integrity. I am not willing to throw a blanket accusation against intelligence operatives in general, or anyone else in a position of responsibility, of lacking that sort of integrity themselves.
@" but then I realised that they would see the ability to be comfortable poking around in other people's doings as an essential trait."
i.e. Fishing.
Instead of starting with a case, and justifying each search legally. Just spend your days fishing for whatever takes your fancy.
Even if its just "Oh lets see who have more than 2000 quid in the bank records, and visited Panama on the flight database", that's abuse. It can be well intentioned abuse, but the *legal* process, the one they're supposed to follow, it very rigorously defined, and its nothing like this.
> Instead of starting with a case, and justifying each search legally. Just spend your days fishing for whatever takes your fancy.
Respectfully, I do not know that they do that. Do you?
I think both of us would agree that abuses must be prevented, and any transgressions swiftly punished, but we need to have commensurate evidence before we make accusations, otherwise we are doing ourselves and our society a regrettable disservice.
> It can be well intentioned abuse, but the *legal* process, the one they're supposed to follow
Aren't you perhaps mixing up police and intelligence work? They are not the same. They are not even remotely similar.
re: "You'd think that if they know someone is not if interest they'd do their best to remove the data from the system"
Have you tried removing data, such as records of dead people from a CRM system?
It is much simpler to simply flag the record and move on, at some stage the CRM system and database will have to be renewed, at which point data cleanse becomes a much simpler process.
"Have you tried removing data, such as records of dead people from a CRM system?"
Removing data should be a design requirement. If it was and the implementation was competent then removal shouldn't be difficult.
In this case we're dealing with public servants who in positions of trust. That means they should be able to show that they deserve our trust. If it's difficult or impossible to remove the data of innocent people then we can reasonably infer that they didn't include that in the design, that they didn't intend such data should be removed and that maybe we can't trust them.
keystroke away: Tuttle, Buttle
Real life is starting to approach the movie Brasil, with politicians coming out with ridiculous statements and government 'security' agents missing highly suspect people (who go on to commit acts of terror) while still trying to spy the bulk of the innocent population.
Anon- obviously
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
