20 Feb 2015

Phone employees in GCHQ’s sights

GCHQ works within a “strict legal and policy framework” that ensures its activities are “authorized, necessary and proportionate,” with proper oversight.

What does that actually mean? How intrusive can the spies be within those rules?

The latest leak from former US intelligence contractor Edward Snowden gives an idea.


Imagine you work for a Dutch mobile phone tech company. Your job is to oversee the SIM cards: those little bits of plastic you need to slot into the phone when you first buy it.

Part of your job is to make them secure: each SIM card is coded with a special key which scrambles all your calls, texts and web browsing so they can’t be decoded by anyone who intercepts them as they float across the airwaves. This scrambling of messages is what happens on 3G and 4G networks.

GCHQ wants those keys. Why? Because without the keys they’ve only got two methods for decoding the messages: either ask your company directly for help (which would probably require getting a warrant), or try to break the code by brute force (effectively hi-tech guessing until they get the right answer), which might tip off the surveillance target.

So instead GCHQ goes after you, the employee. You’re a techie, not a terrorist. But here is what, according to the latest Snowden claims, British spies can do to you:

– Break into your Gmail or MSN email accounts to spy on what you say, with the aim of working out whether you’re worth further hacking
– Break into your work email to do the same thing
– Hack your company’s sales teams’ computers to get information on your customers
– Change your company billing records to hide evidence of GCHQ’s hacking from your customers

According to the documents, GCHQ did all of this. The agency claims it operates within the law. Therefore all of the above is, apparently, legal.

The agency, in collaboration with the US National Security Agency, did this to multiple employees as it fought to grab the encryption keys from Gemalto, one of the world’s biggest SIM card manufacturers. (Got a T-Mobile phone? It’s possible there’s a Gemalto SIM inside it).

There’s no evidence in the documents to show that, once it had the keys, GCHQ abused its ability to decode the private communications of people around the world. If your phone has a Gemalto card inside, there’s nothing to suggest GCHQ is listening to your calls unless you’re a legitimate surveillance target.

But that’s not the point. If the UK’s “strict legal and policy framework” allows the targeting of private individuals at private companies in the way outlined above, there are serious questions about who’s creating and monitoring those rules.

In a statement, GCHQ told Channel 4 News:

“It is longstanding policy that we do not comment on intelligence matters. Furthermore,  all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.

“All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European Convention on Human Rights.”

Follow @geoffwhite247 on Twitter.