Not A Secret: Bulk Interception Practices of Intelligence Agencies

This report by the Center for Democracy & Technology (CDT) was authored by London-based surveillance expert Eric Kind and edited by CDT’s Greg Nojeim [see report for full list of contributors]. It was made possible by a grant from the Open Society Foundations.

Executive Summary

In the United States, the government takes the position that bulk cable interception is a state secret — so secret that litigation challenging its lawfulness and compliance with the U.S. Constitution cannot proceed without revealing information that would pose a grave risk to U.S. national security.

Yet bulk cable interception is an officially confirmed practice in a number of countries around the world. The governments of the United Kingdom, Sweden, Germany, the Netherlands, Finland, France, and Canada have all officially confirmed that they undertake bulk cable interception. Other countries like Norway are also in the process of legislating for the practice.

In these countries, bulk cable interception is not a secret. Instead, the practice is set out in legislation and accompanying explanatory documents, reviewed and publicly reported on in oversight reports and government-initiated independent reviews, and discussed in on-the-record media interviews.

Officials in a number of countries have set out the key stages for bulk cable interception, clearly linking the legal framework to the technical processes. In the U.K., officials have acknowledged a four-stage process, covering collection, filtering, automated selection, and human examination. In Sweden, they have set out a six-stage process of collection, automatic selection, data processing, analysis, dissemination, and feedback. In the Netherlands, officials have set out a four-stage process of preparation, data collection, processing, and analysis, with many sub-stages including cable selection, filtering, and data enrichment.

Oversight bodies of different countries have undertaken detailed scrutiny of bulk cable interception, including at the selector level. Between 2010 and 2014, the Swedish oversight body audited the Swedish intelligence agencies’ use of selectors on 17 occasions; the Dutch oversight body is currently reviewing whether selectors are sufficiently targeted and relevant to investigative priorities.

Detailed technical discussion has taken place around the challenge of filtering out communications of a country’s own citizens or residents. In Sweden, oversight reports include a discussion of the difficulty in separating domestic cable-based communications from those crossing the Swedish border, and the steps the Swedish intelligence agency has taken to address that problem, such as separating communications manually at the processing or analyzing stage. In Germany, a three-stage technical filtering process has been officially disclosed, along with the number of selection terms intelligence officials are seeking to filter out, and the number of selectors used to filter out known German nationals who are abroad.

Some countries, such as Sweden, undertook significant public debates before their intelligence agencies began the practice, and Norway is in the midst of such a debate now. When the U.K. overhauled the legal framework for bulk interception after the Snowden revelations, it published an “operational case” seeking to establish the need for bulk cable interception, and it commissioned independent reviews to assess and report publicly on whether the operational case was adequate.

There have been legal cases brought against the practice in the Netherlands, Sweden, Germany, and the U.K., and in each case, a court heard the challenge. Governments defending the challenged practices officially confirmed bulk interception capabilities. In the case of the U.K., the courts have even confirmed the identities of non-profit groups whose communications were unlawfully retained and selected under bulk interception programs run by U.K. intelligence agencies.

This relatively open discussion of bulk cable interception in Europe contrasts sharply with the efforts of the U.S. government to shield it from public scrutiny by citing the state secrets privilege. It calls into question the assertion by the U.S. government that the practice cannot be discussed in U.S. courts for fear of disclosing information that would pose a grave risk to U.S. national security.

The focus of this report is transparency about the technical efforts of governments worldwide to undertake bulk cable interception. It is not intended to be an analysis of the legal framework in these countries, instead focusing on the practice, and only drawing on the legal framework where helpful to understand that practice. While the countries analyzed here should be applauded for the transparency they have been able to achieve, official confirmation has had its limits and transparency can and should go further than it has thus far.

The report first sets out how the international cable network operates, and how communications that traverse it can be intercepted, with reference to a conceptual model of signals intelligence, explaining the process of extraction, filtering, storage, and analysis.

The report then undertakes a detailed analysis of the U.K. practice of bulk cable interception. It considers the historical background to bulk cable interception, the legal regime underpinning modern-day practice, and recounts chronologically the U.K.’s gradual official confirmation of its bulk cable interception capabilities. Analysis of the officially confirmed bulk interception process is then undertaken, reviewing how the U.K. system undertakes bearer selection, filtering, automatic selection for examination, and examination by human analysts.

Finally, a high-level review is provided of the bulk cable interception practices of Sweden, Germany, the Netherlands, Finland, France, Canada, South Africa, and Norway, highlighting specific officially-confirmed efforts that are unique to each country.

In setting out how transparent other countries are able to be in both the law governing bulk cable collection and the technical practice, this report seeks to counter the assertion that similar levels of transparency in the U.S. would amount to a grave risk to U.S. national security. Excessive secrecy is thwarting public debate about whether to permit bulk cable interception at all, and whether efforts to outlaw the practice of bulk collection domestically have been effective.

The United States has confirmed little with regard to its own bulk cable collection practices. In Presidential Policy Directive 28, the U.S. acknowledged that it engages in bulk collection, but did not specify how collection was undertaken. PPD-28 did not impose substantial limitations on such collection. It did articulate six broad uses to which information collected in bulk could be put, and indicated that the President could contract or expand that list. A subsequent report by the Privacy and Civil Liberties Oversight Board (PCLOB) indicated that as a practical matter, the PPD-28 use limitations were already in effect prior to issuance of PPD-28.

In addition, in a July 2, 2014 report, PCLOB described an Upstream collection program conducted pursuant to Section 702 of the Foreign Intelligence Surveillance Act. Upstream collection of internet communications involves the compelled assistance of communications service providers who operate the “internet backbone” in the U.S. The U.S. government regards Upstream as a targeted, as opposed to a bulk collection program, but this is a matter of some contention as indicated in the Jewel v. NSA litigation. The U.S. has revealed very little information about how the surveillance program is conducted, but has described in vague terms the selectors that can be used to identify communications, and that communications collected can be “to,” “from,” or “about” a selector. The NSA abandoned “abouts” collection in 2017 because it could not be conducted lawfully given current technology.

After it was disclosed in June of 2013 by former NSA contractor Edward Snowden, the U.S. acknowledged that it was collecting in bulk records of phone calls to, from, and within the United States. Two years after it was disclosed, Congress outlawed the bulk collection of telephony metadata in the USA FREEDOM Act and replaced it with a broad, but targeted, program for collection of call detail records.

Snowden revealed five bulk collection programs that the U.S. government has thus far declined to confirm, and about which it has revealed little to no information: DISHFIRE, CO-TRAVELER, MUSCULAR, MYSTIC, and QUANTUM. Cell site location information, text messages, call detail records, and other information are collected. The MUSCULAR program, through which U.S. intelligence authorities collected in bulk traffic that flowed between Google and Yahoo! data centers, reportedly involved bulk cable interception techniques.

Read the accompanying court brief.

