Karma, Black Holes and Infinite Monkeys: GCHQ tracks our online identities and behaviour

Here was a simple aim at the heart of the top-secret program: Record the website browsing habits of “every visible user on the Internet.”

In a recent report for The Intercept, the journalist Ryan Gallagher details new revelations on the dealings of the UK’s foreign intelligence agency, the GCHQ. The report is supplemented by top secret GCHQ documents obtained by Edward Snowden. It is all quite scary.

Every visible user on the internet – let that sink on for a moment. Apart from hardened hackers or the Snowdens of this world, schooled in the art of obfuscation, that is pretty much every user on the internet. Quite probably you and me.

Scary? Yes. Surprising? Not really? I mean, more than 2 years post Snowden, do the lengths to which the spooks go in their scramble for hegemony over the World Wide Web really surprise us anymore? We already knew, didn’t we, that the GCHQ has a programme called

TEMPORA “which mines vast amounts of emails, instant messages, voice calls and other communications and makes them accessible through a Google-style search tool named XKEYSCORE”?

So the spooks compile a vast database of communications data and then Google it for stuff that interests them. Just like you google stuff that interests you (your search getting stored in some database or other, just saying). I know, the small word “interesting” is the clincher, isn’t it? Most people seem to consider themselves so uninteresting to the spooks that it doesn’t really matter to them that their every move on the internet gets recorded and stored.

Okay, so you don’t care that privacy is dead (and there is really little doubt about that), but get this: perfectly ordinary people in the former GDR lived in fear because they were under constant surveillance. If the Stasi had had the GCHQ’s capabilities, well… let’s just say it would have been their dream come true. Or if the Nazis had had them. The kinds of capabilities that GCHQ seems to have, are every repressive regime’s wet dream.

And as if they knew that perhaps knowing this might upset us, we weren’t really asked if it was okay for us to have our privacy thus butchered. The most recent revelations being a perfect example. About seven years ago, “without any public debate or scrutiny” (i.e. without asking or even telling us), GCHQ launched a nifty little programme called KARMA POLICE. Yeah, probably a reference to the Radiohead-song of the same name which includes the line “this is what you get when you mess with us”.

Well, here is what you get when you mess with GCHQ – or rather, what you get without messing with anyone at all because it’s enough these days to simply be a “visible user” of the internet or, as I suppose you could also call them “a user of the internet”.

KARMA POLICE, according to the GCHQ’s own slides, was “designed to provide the agency with “either (a) a web browsing profile for every visible user on the Internet, or (b) a user profile for every visible website on the Internet.”

The operative word here being “every” of course. It’s that scale that is the true shocker. And KARMA POLICE of course is but one of many programmes,

“just one part of a giant global Internet spying apparatus built by” GCHQ. An apparatus which builds “profiles showing people’s web browsing histories… analyzes instant messenger communications, emails, Skype calls, text messages, cell phone locations, and social media interactions… keep[s] tabs on “suspicious” Google searches and usage of Google Maps”, and more.

As of 2012, GCHQ was storing about 50 billion metadata records about online communications and Web browsing activity every day, with plans in place to boost capacity to 100 billion daily by the end of that year.

Imperialism 2.0

2012 was three years ago. Kind of makes you wonder how much they are storing by now. The aim was to create “the biggest government surveillance system anywhere in the world,” “to perform…“population-scale” data mining, monitoring all communications across entire countries” (my emphasis). Basically, Mastering the Internet (the GCHQ’s words, not mine). Given that the British Empire once were “masters” of one fourth of the world’s territories and one fifth of its population that seems but an update of the same ambition for the digital age. Imperialism 2.0.

The name of the repository where much of that data is stored is telling: it is called Black Hole and anyone with even a rudimentary knowledge of space science knows what black holes do: they suck up matter, incessantly and greedily and without discrimination.

The name fits the bill:

Between August 2007 and March 2009, GCHQ documents say that Black Hole was used to store more than 1.1 trillion “events” — a term the agency uses to refer to metadata records — with about 10 billion new entries added every day.

Now, someone’s probably going to say that Black Hole “only” stores metadata. A reminder: metadata is, for example, who you call, when you call them and how long you speak to them, rather than the content of your call. Still massively revelatory when put into context. And not as well protected by the already rather weak judicial surveillance oversight in the UK. Good for the spies, not so good for us.

Now, obviously all this gathering and analysing is done in the name of security, to discover, for example people trying to “spread radical Islamic ideas.”

The problem – or one of the many problems in any case – is that counter-terrorism isn’t the only thing these programmes are used for. They were also used in hacks of the Belgian Telecommunications Company Belgacom and the Dutch simcard Provider Gemalto.

Come to the Dark Side – we have cookies!

Okay, but say you don’t care about economic espionage or compromised Simcards or things like that. What is going on is still crazy. Here is what the spooks can do with those vast amounts of data they store in their Black Hole if they let their various programmes loose on it.

Ryan Gallagher writes:

To find out the identity of a person or persons behind an IP address [a unique identifier in the form of a series of numbers, assigned to every device that uses the internet, not normally associated with a person’s real name], GCHQ analysts can enter the series of numbers into a… system named MUTANT BROTH, which is used to sift through data contained in the Black Hole repository about vast amounts of tiny intercepted files known as cookies.

Now, we’ve all come across cookies. In fact, we do it countless times each day. You may have become aware of the disclaimer that pops up if you visit a new website, telling you that the site uses cookies and giving you the option to learn more about the site’s cookie policy. Cookie is a term rather misleading in its friendliness. After all, who isn’t a fan of cookies, or as the Brits would probably call them: biscuits? They’re sweet, they’re yummy, very often there’s chocolate in them. Well, internet cookies aren’t quite so nice and full of happy hormones. Instead, they’re full of information about you. They get stored on your computer and they “can be thought of as an internet user’s identification card, which tell a web site when the user has returned.”

They can contain “your username or email address, your IP address, and even details about your login password and the kind of Internet browser you are using.”

Which obviously makes them extremely valuable and extremely revealing for the kinds of people who have the capabilities to store (Black Hole) and match (KARMA POLICE, MUTANT BROTH et al) the data provided by cookies with other data. Suddenly your IP address, otherwise not tied to your name or anything about you, can be searched by aid of a programme like MUTANT BROTH and matched with cookie data contained in a database like Black Hole, revealing information about your email addresses or username(s) which then, in turn, can pretty easily lead on to your real name, address, payment data, payment history, the works.

What emerges is

a “pattern of life” analysis showing the times of day and locations at which the person is most active online.”

So when and where you go on the internet most frequently, what you look at when you do so, for how long and so on. I am not kidding. The Intercept, along with its report, has published a slideshow designed by the GCHQ, which shows – a couple of slides in – that analysts (i.e. spooks) can see the date someone went online, the time of day, the place (in this case Instanbul) and the person’s email address

Here is what some of the programmes, according to one of the slides published by The Intercept allow the spooks to learn about you:

  • MUTANT BROTH: That you are online, where and when.
  • KARMA POLICE: Which websites you visit.
  • INFITINE MONKEYS: Which bulletin boards, web fora etc. you visit.
  • MARBLED GEKKO: How you use Google Maps and Google Earth.

The Register explains more of them here. Some more on stupid codenames for programmes here.

What emerges is, obviously, a pretty comprehensive picture of who you are, when you do stuff, and where you do it. Also, potentially, where you’re going to be, as you might look up a location you are going to visit on Google Maps or Google Earth (hint: use Open Street Map, it doesn’t track you).

A clear and present danger

The danger inherent in this kind of all-encompassing approach to spying on everyone everywhere becomes instantly obvious when you – just for the sake of argument – replace the word “terrorism” with “dissent” or ask the question what exactly is considered “criminal activity”. Now, I am not making light of terrorism, I am not equating it with political dissent and I am not saying that there isn’t a lot of criminal activity on the internet that is clearly identifiable as such and that should be prosecuted. However, that doesn’t alter the fact that what the spooks are doing is collecting data on billions of people unsuspected of any wrongdoing without a warrant or proper oversight or that, if the perception of the powers that be of what constitutes an act of terrorism or criminal activity ever changes, we may end up in dire straights. A random example: what if someone outlawed homosexuality or if your nationality or location were suddenly what the spooks consider “sensitive”?

You may argue that we kind of knew or suspected all this already. However, we do well to remind ourselves of just how intrusive GCHQ surveillance is at a time when the recently elected British government is once again pushing for extended surveillance powers (remember the Snoopers Charter?) and suggesting that encryption be banned. The latter is especially telling when you consider that

the biggest barrier to GCHQ’s mass collection of data does not appear to have come in the form of legal or policy restrictions. Rather, it is the increased use of encryption technology that protects the privacy of communications…

Unless the recently introduced Snowden Treaty catches on, it probably won’t be the law or policy that protect our privacy as users, but encryption technology. So if that technology gets banned, just how protected will we be? The short answer is: we won’t.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s