Sixteen days after the Tempora disclosure in the Guardian, the operational implications for UK clients are sharper than I had thought even three weeks ago. The story Glenn Greenwald and Ewen MacAskill published on the twenty-first — that GCHQ has been running, with NSA cooperation, full-content interception of approximately two hundred fibre-optic cables landing in the UK — is the kind of disclosure that the UK security-research community has been gesturing towards as a theoretical capability for at least a decade. The capability is operational. The buffer arrangements (three days of full content, thirty days of metadata, longer for selected material) are operationally substantial. The structural implication for clients with data flowing through UK landing stations is direct and unpleasant.

The technical mechanism is described in the Snowden documents with the internal-codename specificity characteristic of NSA documents. MUSCULAR is the joint NSA-GCHQ programme that intercepts traffic between Google's data centres; TEMPORA is the GCHQ programme for the fibre-tap collection itself; LEMON SQUEEZER is the cryptanalytic work on encrypted material captured through TEMPORA. On what is in the public documents, the technical infrastructure is a substantial buffer-and-search system that maintains rolling windows of intercepted traffic and runs standing analytic queries against the buffer. The capability is approximately what the post-9/11 NSA documents have been hinting at for years; the public confirmation is what is new.

The UK-specific implications are several. First, the legal framework. GCHQ operates under the Regulation of Investigatory Powers Act 2000 and the Intelligence Services Act 1994, both of which contain provisions that have been interpreted broadly enough to cover the kind of bulk interception TEMPORA represents. The legal interpretation has not been publicly challenged in court, in part because the secrecy framework around GCHQ activity makes successful challenge structurally difficult. The Investigatory Powers Tribunal exists but has historically been a deferential venue; the European Court of Human Rights cases that have so far reached judgement have been on narrow technical questions rather than on the constitutionality of bulk collection itself. The legal question is, at this point, mostly unresolved. Ross Anderson at Cambridge has been writing about this consistently and is the right reference point on the legal-academic angle.

Second, the geographic implications. The UK landing stations for international fibre traffic — in Bude, Cornwall, principally, but also at several other coastal sites — handle a substantial fraction of trans-Atlantic communications. Anything that transits between Europe and the US is candidate traffic for TEMPORA collection. This includes — and is the part of the analysis that has been preoccupying me through the past two weeks — a meaningful proportion of the cloud-platform traffic that UK-headquartered organisations rely on. The post-PRISM data-residency conversation has been about US-jurisdictional compulsion; TEMPORA adds UK-jurisdictional collection on top, which means that the obvious "move sensitive data to UK-hosted platforms" answer is operationally bounded by the same kind of state-level interception capability that the US case raises.

Third, the relationship between GCHQ and US tech companies. The Snowden material indicates that the UK programme has access — through cooperation, through technical means, or through a combination — to substantial portions of the US tech-company traffic that PRISM is also collecting. The aggregate effect is that data passing through US-operated platforms is collectible by both NSA (PRISM) and GCHQ (TEMPORA at landing stations and possibly through MUSCULAR-style data-centre links). The "either/or" framing that has dominated the early Snowden coverage understates the structural redundancy of the collection.

For the engagement work, the post-Tempora conversation has been the same conversation I started having after PRISM but with sharper edges. UK-jurisdictional clients (which is most of them) cannot escape UK collection by using UK platforms; they cannot escape US collection by using non-US platforms if the traffic transits US infrastructure; the only operationally credible answer at the architectural level is end-to-end encryption with keys held outside the platform-vendor's control. This is technically possible — the GPG-and-PGP infrastructure can do it for email, OTR can do it for chat, the various dedicated encrypted-storage tools are starting to emerge for cloud-style storage — but the operational cost is non-trivial and the user-experience cost is meaningful.

The narrower question I keep coming back to is what to do about email. Most of the engagement clients use Microsoft Exchange or Google Apps; both are subject to PRISM-style compulsion, both are subject to TEMPORA-style interception of inter-data-centre traffic. The structural answer is end-to-end content encryption, but the deployment cost at organisation scale is — given the OpenPGP-tooling problems I wrote about in the Petraeus piece — high enough that I have not yet seen any of the engagement clients commit to it. The honest engagement-team recommendation has, for the past fortnight, been "for sensitive content, use OpenPGP; for everything else, accept that the content is collectible by the relevant intelligence services and act accordingly". This is not a satisfying recommendation. It is, on present evidence, the honest one. Bruce Schneier's continued analysis has been the most useful corroboration I have found that the recommendation is roughly the right one.
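The property the two preceding paragraphs rely on, that content encrypted on the client with keys the platform never holds stays opaque to the platform and to any tap on the path between data centres, is easy to state and worth seeing concretely. The Go program below is an added example, not code from the original post or from any of the tools it names; it stands in for what OpenPGP does for mail, using X25519 key agreement and AES-256-GCM from the Go standard library. Assumptions are labelled in the code: the key-derivation step is a simple labelled SHA-256 chosen for brevity, nothing here authenticates the sender to the recipient (an OpenPGP signature would), and key distribution is out of scope. The `Envelope` type is what the intermediary sees; `Demonstrate` checks that the recipient recovers the plaintext, that the envelope contains no plaintext to search, and that an altered envelope fails to open.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything an intermediary (mail server, cloud store, or a tap
// on the inter-data-centre link) gets to see. It carries no decryption key.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte // AES-GCM nonce, unique per message
	Ciphertext   []byte // AES-256-GCM output, authentication tag included
}

// aeadFor derives a 256-bit AES-GCM key from the X25519 shared secret.
// Demonstration KDF (assumption): labelled SHA-256 over the secret and both
// public keys; a deployment would use HKDF or a vetted protocol instead.
func aeadFor(shared, senderPub, recipientPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write([]byte("e2e-demo-v1"))
	h.Write(shared)
	h.Write(senderPub)
	h.Write(recipientPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext to the recipient's public key. Only the matching
// private key, which never leaves the recipient's client, can open it.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(shared, ephPub, recipientPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The ephemeral public key is bound in as associated data, so swapping it
	// in transit is detected on Open.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with the recipient's private key and fails closed on any
// modification to the envelope.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared, env.EphemeralPub, recipientPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// Report summarises one sender -> platform -> recipient exchange.
type Report struct {
	Recovered      []byte // what the recipient decrypted
	PlatformLeaks  bool   // true if the plaintext is findable in the envelope
	TamperDetected bool   // true if a modified envelope failed to open
}

// Demonstrate runs a full round trip on msg (a constructed sample message).
func Demonstrate(msg []byte) (Report, error) {
	// Recipient key pair is generated and held on the recipient's own client;
	// the platform only ever receives the public half.
	recipient, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Report{}, err
	}
	env, err := Seal(recipient.PublicKey(), msg)
	if err != nil {
		return Report{}, err
	}
	leaks := bytes.Contains(env.Ciphertext, msg) // the platform's search view
	got, err := Open(recipient, env)
	if err != nil {
		return Report{}, err
	}
	tampered := *env // an intermediary flips one ciphertext byte
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := Open(recipient, &tampered)
	return Report{Recovered: got, PlatformLeaks: leaks, TamperDetected: tamperErr != nil}, nil
}

func main() {
	r, err := Demonstrate([]byte("Board minutes: draft, not for circulation"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient read: %q\nplatform could read plaintext: %v\ntampering detected: %v\n",
		r.Recovered, r.PlatformLeaks, r.TamperDetected)
}
```

The point of the exercise is the shape of the trust boundary rather than the cipher choice: the recipient's private key is generated and kept on the client, so a compelled platform operator or a collection point on the fibre holds only the envelope, and the authentication tag means a modified message is rejected rather than silently accepted. What this does not give you is the metadata protection the post is pessimistic about: envelope size, timing, sender and recipient are still visible to whoever sees the wire.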

For the wider piece I want to write — the structural relationship between commercial security infrastructure and state-level surveillance infrastructure — Tempora is the UK confirmation of what PRISM was the US confirmation of. The two together make the case in a way that either alone could not. The defensive-engineering response is the privacy-and-encryption methodology I have been writing; the political response is up to others. The piece I have been outlining for some weeks has now moved past outline stage and I will finish it over the summer.

The next post is probably the Microsoft-NSA-collaboration material that has been hinted at in additional Snowden documents, or whatever surfaces from the continuing wave of disclosures. The pace is high enough that there is likely to be another substantial story before next weekend.

