A smoking gun: memo shows security services colluded to transfer UK citizens’ data

One more big ker-plonk in the drip, drip, drip of revelations over just how unprivate UK (and British Commonwealth) citizens call data has proved to be when left to the tender mercies of spooks focused on hunting down terrorists.

The latest revelation, courtesy of "whistleblower" Edward Snowden, is that the security agencies tied together in the “five eyes” info-sharing alliance (UK, US, Canada, Australia and New Zealand) [shirley that’sh 10 eyes?… Ed] changed the rules of the game in 2007 so that UK numbers - collected by the US as part of its big data capture exercise - could be ‘unmasked’. In other words, the US spooks could collect and store a UK number’s ID info where it had called (or been called by) a number in the US.

The data would then be “made available” to all the various US agencies that are engaged in analysing, sifting and drawing conclusions about who’s talking to who - constructing the global terrorists social map as it were.

Prior to 2007 the agencies concerned appear to have been rightfully sniffy about one government’s security agency collecting information (spying) on the citizens of another and there appear to have been specific rules laid down and followed. But those rules were changed so that any Brit “incidentally collected” by the NSA (ie not the initial target of the surveillance but maybe a contact of an NSA target) could then be filed away with all his details on the US database. Before that, such contact data could be held but “minimized” (stripped of extra contact data - email, facebook etc).

The Snowden leaks also appear to show that the US agencies had proposed collecting and analysing all the data anyway (without permission and don’t let on we’re doing it) as early as 2005, but it’s unclear whether this was ever done.

However, at least a veneer of legality appears to have been maintained with post 2007 instructions carefully setting out what could, and could not, be done with the “unmasked” maximised material resultiing from incidental collection. That is: no surveillance of other countries’ citizens (officially - there appear to have been proposals to relax this) but, importantly, the info COULD be used for so-called chaining.

Contact Chaining (or Pattern of Life) analysis draws on the old degrees of separation meme. It’s where you look at friends and then friends of friends then yet one more hop: a process that can drag perhaps a million people into the net. Big, but not impossibly big, data and very useful when you’re able to crunch all the data down on a large system to find compelling associations between targets. It no doubt works a treat.

But UK citizens (most of them) are quite confident that they’re not terrorists and are wondering how else chaining might be used against them. Governments and agencies have a lot of work to do if they’re to restore trust in the security services and the various service providers that have, apparently, played ball with them.