Showing posts with label NSA. Show all posts

Inside Menwith Hill

Sunday, 23 October 2016


The narrow roads are quiet and winding, surrounded by rolling green fields and few visible signs of life beyond the occasional herd of sheep. But on the horizon, massive white golf ball-like domes protrude from the earth, protected behind a perimeter fence that is topped with piercing razor wire. Here, in the heart of the tranquil English countryside, is the National Security Agency’s largest overseas spying base.

Once known only by the code name Field Station 8613, the secret base — now called Menwith Hill Station — is located about nine miles west of the small town of Harrogate in North Yorkshire. Originally used to monitor Soviet communications through the Cold War, its focus has since dramatically shifted, and today it is a vital part of the NSA’s sprawling global surveillance network.

For years, journalists and researchers have speculated about what really goes on inside Menwith Hill, while human rights groups and some politicians have campaigned for more transparency about its activities. Yet the British government has steadfastly refused to comment, citing a longstanding policy not to discuss matters related to national security.

Now, however, top-secret documents obtained by The Intercept offer an unprecedented glimpse behind Menwith Hill’s razor wire fence. The files reveal for the first time how the NSA has used the British base to aid “a significant number of capture-kill operations” across the Middle East and North Africa, fueled by powerful eavesdropping technology that can harvest data from more than 300 million emails and phone calls a day.

Over the past decade, the documents show, the NSA has pioneered groundbreaking new spying programs at Menwith Hill to pinpoint the locations of suspected terrorists accessing the internet in remote parts of the world. The programs — with names such as GHOSTHUNTER and GHOSTWOLF — have provided support for conventional British and American military operations in Iraq and Afghanistan. But they have also aided covert missions in countries where the U.S. has not declared war. NSA employees at Menwith Hill have collaborated on a project to help “eliminate” terrorism targets in Yemen, for example, where the U.S. has waged a controversial drone bombing campaign that has resulted in dozens of civilian deaths.

The disclosures about Menwith Hill raise new questions about the extent of British complicity in U.S. drone strikes and other so-called targeted killing missions, which may in some cases have violated international laws or constituted war crimes. Successive U.K. governments have publicly stated that all activities at the base are carried out with the “full knowledge and consent” of British officials.

The revelations are “yet another example of the unacceptable level of secrecy that surrounds U.K. involvement in the U.S. ‘targeted killing’ program,” Kat Craig, legal director of London-based human rights group Reprieve, told The Intercept.

“It is now imperative that the prime minister comes clean about U.K. involvement in targeted killing,” Craig said, “to ensure that British personnel and resources are not implicated in illegal and immoral activities.”

Operation Socialist

Friday, 20 March 2015

When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.

It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data.

Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”

The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear.

Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation.

Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.

Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.”

The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”

Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company.

Belgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.

The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally, and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.

Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.

“Compensating Belgacom should be the very least it should do,” in ’t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”

Other similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western countries have involved Stuxnet, a bug used to sabotage Iranian nuclear systems, and Flame, a spy malware that was found collecting data from systems predominantly in the Middle East.

What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.

GCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”

The Surveillance Engine

Thursday, 4 September 2014

The National Security Agency is secretly providing data to nearly two dozen U.S. government agencies with a “Google-like” search engine built to share more than 850 billion records about phone calls, emails, cellphone locations, and internet chats, according to classified documents obtained by The Intercept.

The documents provide the first definitive evidence that the NSA has for years made massive amounts of surveillance data directly accessible to domestic law enforcement agencies. Planning documents for ICREACH, as the search engine is called, cite the Federal Bureau of Investigation and the Drug Enforcement Administration as key participants.

ICREACH contains information on the private communications of foreigners and, it appears, millions of records on American citizens who have not been accused of any wrongdoing. Details about its existence are contained in the archive of materials provided to The Intercept by NSA whistleblower Edward Snowden.

Earlier revelations sourced to the Snowden documents have exposed a multitude of NSA programs for collecting large volumes of communications. The NSA has acknowledged that it shares some of its collected data with domestic agencies like the FBI, but details about the method and scope of its sharing have remained shrouded in secrecy.

ICREACH has been accessible to more than 1,000 analysts at 23 U.S. government agencies that perform intelligence work, according to a 2010 memo. A planning document from 2007 lists the DEA, FBI, Central Intelligence Agency, and the Defense Intelligence Agency as core members. Information shared through ICREACH can be used to track people’s movements, map out their networks of associates, help predict future actions, and potentially reveal religious affiliations or political beliefs.

The creation of ICREACH represented a landmark moment in the history of classified U.S. government surveillance, according to the NSA documents.

“The ICREACH team delivered the first-ever wholesale sharing of communications metadata within the U.S. Intelligence Community,” noted a top-secret memo dated December 2007. “This team began over two years ago with a basic concept compelled by the IC’s increasing need for communications metadata and NSA’s ability to collect, process and store vast amounts of communications metadata related to worldwide intelligence targets.”

The search tool was designed to be the largest system for internally sharing secret surveillance records in the United States, capable of handling two to five billion new records every day, including more than 30 different kinds of metadata on emails, phone calls, faxes, internet chats, and text messages, as well as location information collected from cellphones. Metadata reveals information about a communication—such as the “to” and “from” parts of an email, and the time and date it was sent, or the phone numbers someone called and when they called—but not the content of the message or audio of the call.

ICREACH does not appear to have a direct relationship to the large NSA database, previously reported by The Guardian, that stores information on millions of ordinary Americans’ phone calls under Section 215 of the Patriot Act. Unlike the 215 database, which is accessible to a small number of NSA employees and can be searched only in terrorism-related investigations, ICREACH grants access to a vast pool of data that can be mined by analysts from across the intelligence community for “foreign intelligence”—a vague term that is far broader than counterterrorism.

Data available through ICREACH appears to be primarily derived from surveillance of foreigners’ communications, and planning documents show that it draws on a variety of different sources of data maintained by the NSA. Though one 2010 internal paper clearly calls it “the ICREACH database,” a U.S. official familiar with the system disputed that, telling The Intercept that while “it enables the sharing of certain foreign intelligence metadata,” ICREACH is “not a repository [and] does not store events or records.” Instead, it appears to provide analysts with the ability to perform a one-stop search of information from a wide variety of separate databases.

In a statement to The Intercept, the Office of the Director of National Intelligence confirmed that the system shares data that is swept up by programs authorized under Executive Order 12333, a controversial Reagan-era presidential directive that underpins several NSA bulk surveillance operations that monitor communications overseas. The 12333 surveillance takes place with no court oversight and has received minimal Congressional scrutiny because it is targeted at foreign, not domestic, communication networks. But the broad scale of 12333 surveillance means that some Americans’ communications get caught in the dragnet as they transit international cables or satellites—and documents contained in the Snowden archive indicate that ICREACH taps into some of that data.

Legal experts told The Intercept they were shocked to learn about the scale of the ICREACH system and are concerned that law enforcement authorities might use it for domestic investigations that are not related to terrorism.

“To me, this is extremely troublesome,” said Elizabeth Goitein, co-director of the Liberty and National Security Program at the New York University School of Law’s Brennan Center for Justice. “The myth that metadata is just a bunch of numbers and is not as revealing as actual communications content was exploded long ago—this is a trove of incredibly sensitive information.”

Brian Owsley, a federal magistrate judge between 2005 and 2013, said he was alarmed that traditional law enforcement agencies such as the FBI and the DEA were among those with access to the NSA’s surveillance troves. “This is not something that I think the government should be doing,” said Owsley, an assistant professor of law at Indiana Tech Law School. “Perhaps if information is useful in a specific case, they can get judicial authority to provide it to another agency. But there shouldn’t be this buddy-buddy system back-and-forth.”

Jeffrey Anchukaitis, an ODNI spokesman, declined to comment on a series of questions from The Intercept about the size and scope of ICREACH, but said that sharing information had become “a pillar of the post-9/11 intelligence community” as part of an effort to prevent valuable intelligence from being “stove-piped in any single office or agency.”

Using ICREACH to query the surveillance data, “analysts can develop vital intelligence leads without requiring access to raw intelligence collected by other IC [Intelligence Community] agencies,” Anchukaitis said. “In the case of NSA, access to raw signals intelligence is strictly limited to those with the training and authority to handle it appropriately. The highest priority of the intelligence community is to work within the constraints of law to collect, analyze and understand information related to potential threats to our national security.”

Menwith Hill

Friday, 28 September 2012

Situated awkwardly in the heart of rolling green English countryside is the United States’ largest overseas intelligence station. Surrounded by farmland and sheep, hundreds of National Security Agency staff go to work every day at RAF Menwith Hill, where they eavesdrop on communications intercepted by satellite dishes contained in about 30 huge golf ball-like domes.

Used by the NSA since the 1960s, Menwith Hill is an important spy center. But there is growing disquiet in Britain over whether intelligence gathered at the base is being used to help with the CIA’s controversial clandestine drone strikes. And the government is keeping mum.

Earlier this month, Ken Macdonald, former chief prosecutor for England and Wales, spoke out on the subject in an interview with the London Times. He told the newspaper he believed there was compelling evidence that Britain was providing the United States with information subsequently used to help with drone attacks in countries like Pakistan. Because the United Nations says that the CIA’s covert drone campaign possibly violates international law, the allegation was politically explosive. The implication is that the British government could itself be complicit in unlawful drone bombings, which in Pakistan alone since 2004 have killed up to an estimated 3,337 people, among them hundreds of civilians.

Prior to Macdonald thrusting the issue into the spotlight, it had been simmering for some time. In May, a Pakistani student whose father was killed in a suspected U.S. drone attack launched legal action against the British government in a bid to expose whether it hands over intelligence for drone attacks on terrorist suspects. And a study published in March claimed the Menwith Hill base was being expanded to “support 'real-time' U.S. military actions, including drone attacks and those carried out by special operations forces.”

What goes on inside the Menwith station is impossible to know for sure. However, according to a 2001 European Parliament report, it is part of a surveillance network called ECHELON, situated to intercept communications routed over the Indian and Atlantic oceans. Former NSA employee Margaret Newsham, who worked at Menwith Hill 20 years ago, told CBS it monitored Russian and Chinese communications (but on one occasion spied on U.S. Sen. Strom Thurmond). And the Federation of American Scientists has claimed it is capable of intercepting an astonishing two million communications an hour.

If these reported capabilities are correct, it seems highly plausible that the base’s satellites are today intercepting at least some communications from the Middle East — which could help shape how the CIA picks its targets for drone strikes in countries such as Pakistan, Yemen and Somalia.

It’s also plausible that any intercepts gathered at Menwith play a crucial — not just contributory — role. In April, the Washington Post revealed that the White House had approved drone strikes in Yemen based solely on intelligence signatures. These are defined, according to the Post, as patterns of behavior indicative of a plot against U.S. interests “detected through signals intercepts, human sources and aerial surveillance.”

This brand of intelligence-led warfare has already led Germany to limit information it shares with the United States. The British government, however, does not take the same position — and is contributing to the secrecy that surrounds drone operations.

Fabian Hamilton, a member of the British Parliament, asked the government earlier this month whether Menwith Hill plays a role in the planning and deployment of drones in Afghanistan, Pakistan, Yemen, and Somalia. The response? He was not permitted to know. “For operational and security reasons we do not comment on the specific activities carried out at RAF Menwith Hill,” said Andrew Robathan, minister of state for the armed forces.

The secrecy is a problem, for basic democratic reasons if nothing else. It’s obvious that the British government wants to protect Menwith Hill’s activities on national security grounds, which might be justifiable to some extent. But if a foreign military is using a base in the English countryside to help conduct covert wars in far-flung lands, that’s a different matter altogether — and surely the British public has a right to know about it.

This article first appeared at Slate.com

Surveillance Proof

Saturday, 14 July 2012

As government agencies in the United States, the United Kingdom, Canada, and Australia push for increased surveillance powers, one pioneering American is pushing back.

New York-based entrepreneur Nicholas Merrill is making progress on a project he revealed in April: an encryption-based telecommunications provider designed to be “untappable.” After crowd-funding almost $70,000 in donations, Merrill says that he has held talks with a host of interested venture capitalists and a few “really big companies” apparently interested in partnering up or helping with financial support. Now the “surveillance-proof” software is in development, and he is on track to begin operating a limited service by the end of the year.

Merrill’s ultimate aim is to create a telecommunications infrastructure that inhibits mass surveillance. First, he is building an Internet provider that will use end-to-end encryption for Web browsing and email. Then he plans to roll out a mobile phone service that will enable users to encrypt calls, making them difficult to intercept. The key to decrypt the communications would be held by each individual customer, not Merrill’s company. Because the telecom firm would be unable to access the communications, law enforcement agencies that want to read or listen to communications would be forced to serve warrants or court orders on individuals directly. “This would make it impossible to do blanket, dragnet surveillance of all the customers of a telecommunications carrier,” Merrill says.

The idea for the project is not to help bad guys evade detection, though undoubtedly that’s how some critics will see it. Rather, Merrill is particularly keen to develop the technology to help journalists and human rights organizations—groups, he says, “whose right to confidentiality is more or less accepted under the law.”

Merrill has a strong record of defending user privacy. In 2004, he became the first ISP executive to successfully challenge a secret FBI “national security letter” demanding he hand over customer information. His willingness to question the constitutionality of the secret letter at the time put him at odds with most major telecoms providers, which have a poor track record when it comes to protecting customer privacy. In 2005 and 2006, a number of companies were revealed to have handed over troves of customer data and opened up wiretaps to the National Security Agency, sometimes without a warrant.

Today, Merrill admits prospective funders of his latest project have expressed concerns that it could lead to a confrontation with powerful actors (“It’s challenging to go up against some of the forces that are trying to open up all communications to wiretapping,” he says). But he is trying to address this by showing that government and law enforcement agencies could themselves benefit from his technology. Cybersecurity and privacy are part of the same problem but framed differently, he believes. Both could be addressed at once by ubiquitous encryption of communications and data transfer—protecting user privacy while also helping prevent malicious hackers from stealing information.

Some establishment figures have already been won over by Merrill’s argument. The advisory board of his nonprofit research institute, Calyx, which is developing the technology, includes a former NSA technical director and a former federal prosecutor who is also ex-CIA. Whether he can get the backing of current members of the U.S. law enforcement community, though, is another matter altogether. Merrill’s technology could be seen as creating extra barriers for law enforcement and the authorities would likely oppose it for that reason. Existing U.S. wiretapping law, called CALEA, states that telecom providers "shall not be responsible for decrypting" communications if they don't possess "the information necessary to decrypt.” But that may change under reforms proposed by the FBI, which is actively seeking more surveillance powers.

As governments increasingly move toward expanding their power to conduct electronic surveillance, it is inevitable that innovative technologists, software developers, and cryptographers will work to help people protect the privacy of their personal communications. Earlier this week the NSA’s chief tried to quell concerns over allegations that it is building a huge domestic surveillance center in Utah, dismissing whistle-blowers’ claims as “baloney.” Given the NSA’s recent history, however, it is likely many Americans will remain skeptical about the spy agency’s reassurances—and some will turn to encryption.

Merrill aims to launch his telecommunications firm first in the United States before tackling the international market, where there are also mounting concerns about government surveillance schemes. “We’re not trying to force people to use our service,” Merrill says. “What we’re trying to do is re-envision how the telecommunications industry could work if privacy and encryption technology was built in from the beginning.”

This article first appeared at Slate.com

'It was about the potential slaughter of citizens'

Thursday, 14 April 2011


Katharine Gun was 29 years old when the government tried to prosecute her for breaching the Official Secrets Act. It was early 2003, and both Britain and America were on the road to war with Iraq. Amid since-discredited claims that Iraq was allegedly producing biological weapons, the British prime minister, Tony Blair, and the US president, George W Bush, met at the White House. That same day, 31 January 2003, an email passed across Gun's desk at her office in Cheltenham, where she worked as a translator for the British Government Communications Headquarters (GCHQ), the intelligence agency.

The email shocked her. From the US National Security Agency (NSA), it detailed US plans to illegally bug the offices of six UN member states in the lead-up to the Iraq war. Its intention was clear – it asked for British help in the ploy, to give US policymakers "the edge" in swaying opinion in favour of the war. This was a direct attempt to undermine democratic process, Gun felt, and she had to do something about it.

Eight years on and now a mother, she recalls her thoughts that day. "I was particularly concerned about the reason behind the bugging, because it was in order to facilitate an invasion in Iraq," she says. "It was about the potential slaughter of citizens and the disruption and destruction of a country which was already practically on its knees. I felt that the public really needed to know about that."

She printed off a copy and stewed on it for a while, before passing it on to a friend with ties to journalists. Not long later, the story appeared on the front page of the Observer, two weeks before the Iraq invasion. Gun knew she was in for trouble when she saw the headline one quiet Sunday at her local shop. It read: "Revealed: US dirty tricks to win vote on Iraq war".

A full-blown government investigation ensued, and it wasn't long before Gun cracked under pressure and admitted to the leak. She was promptly arrested and charged with breaching the Official Secrets Act. But after several high-profile court visits, the charges were dropped when the prosecution declined to give evidence.

Yet even after clearing her name and moving far away from the GCHQ heartland in Cheltenham, Gun found it hard to leave her past behind as she took up a new career in teaching. "It was quite difficult at first to let go of that name tag that was applied to me," she says, "and it did take quite a while – maybe two years – before I got back into my own skin."

Would she do it again if faced with the same choice today? "That is a difficult question," she replies. "Before I had a child my answer was always, 'Yes, I would do it again,' but when you have a family and a child to think about, then it does put a slightly different twist on the whole issue . . . You've got to weigh up your decisions."

Now a full-time mother, Gun remains vocal in her support for the principles behind whistleblowing. In December, she signed a statement in support of WikiLeaks along with the Pentagon Papers leaker Daniel Ellsberg and other prominent former whistleblowers.

She also expresses her alarm at the treatment of Bradley Manning, the 23-year-old US soldier accused of leaking thousands of classified documents to WikiLeaks. Manning has been held in solitary confinement for more than 300 days, in conditions Amnesty International has described as "inhumane" and "repressive".

"It's atrocious that in a so-called democracy a soldier serving in the US army is facing that sort of treatment, which, I believe, is against any proper legal jurisdiction," says Gun. "It just goes to show the state of America – how fearful they are of losing their grip on absolute power in the global world."

The sheer volume of documents Manning is alleged to have leaked – over 700,000 – would have been inconceivable back in 2003, the year Gun released her solitary email to the world.

Since then, technology has allowed for leaking on an industrial scale, like never before. At the same time governments have evolved new ways of spying on each other. Last November, it was revealed – in a diplomatic cable released by WikiLeaks, no less – that the US had plotted secretly to illegally obtain biometric data (including iris scans, fingerprints and DNA) as well as credit-card information from the UN leadership.

The revelation caused a sensation, but for Gun it was a familiar story that hardly came as a surprise.

"That's just the way of the world," she says. "The whole Big Brother vision of the world is looming large . . . Until people open their eyes and realise what it means to start relinquishing these things, it'll be too late."


This article originally appeared at: http://www.newstatesman.com/blogs/the-staggers/2011/04/iraq-war-gun-british-2003
