The British government can tap into the cables carrying the world’s web traffic at will and spy on what people are doing on some of the world’s most popular social media sites, including YouTube, all without the knowledge or consent of the companies.
Documents taken from the National Security Agency by Edward Snowden and obtained by NBC News detail how British cyber spies demonstrated a pilot program to their U.S. partners in 2012 in which they were able to monitor YouTube in real time and collect addresses from the billions of videos watched daily, as well as some user information, for analysis. At the time the documents were printed, they were also able to spy on Facebook and Twitter.
Called “Psychology A New Kind of SIGDEV" (Signals Development), the presentation includes a section that spells out “Broad real-time monitoring of online activity” of YouTube videos, URLs “liked” on Facebook, and Blogspot/Blogger visits. The monitoring program is called “Squeaky Dolphin.”
Experts told NBC News the documents show the British had to have been either physically able to tap the cables carrying the world’s web traffic or able to use a third party to gain physical access to the massive stream of data, and would be able to extract some key data about specific users as well.
Representatives of Facebook and Google, which owns YouTube, said they hadn’t given the British government permission to access data and were unaware the collection had occurred. A source close to Google who asked not to be identified when discussing company policy said the company was “shocked” to learn the U.K. could have been “grabbing” its data.
One of the people who helped prepare the demonstration was an official from the British signals intelligence agency General Communications Headquarters (GCHQ) who worked for a division of the agency called GTE, or Global Telecoms Exploitation. GTE has already been shown in other documents released by Snowden to be tapping fiber optic cables around the world.
In 2013, the Guardian reported that Snowden documents showed GCHQ was able to tap fiber optic cables and store huge amounts of data for 30 days, and that the government was placing intercept probes on transatlantic cables when they landed on British territory. Germany’s Sueddeutsche Zeitung reported that another Snowden document indicated major telecom firms, including BT, Verizon and Vodafone, were cooperating.
The British cyber spies sometimes share their intercepted raw data and their analyses with their American counterparts. In October, the Washington Post revealed that a Snowden document dated Jan. 9, 2013, described a joint NSA/GCHQ program called MUSCULAR, in which the U.S. and British agencies shared intercepted data from fiber optic cables and copied “entire data flows” from Yahoo and Google.
According to a source knowledgeable about the agency’s operations, the NSA does analysis of social media similar to that in the GCHQ demonstration.
National security experts say that both the U.S. and British operations are within the scope of their respective national laws. When the Washington Post reported on the MUSCULAR program, the NSA said in a statement that it is “focused on discovering and developing intelligence about valid foreign intelligence targets only” and that it uses “Attorney General-approved processes to protect the privacy of U.S. persons.”
But privacy experts and former government officials say the lack of disclosure by the intelligence agencies inspires public fear that rights of privacy, free speech and dissent have been infringed.
“Governments have no business knowing which YouTube videos everyone in the world is watching,” said Chris Soghoian, chief technologist for the ACLU. “It’s one thing to spy on a particular person who has done something to warrant a government investigation but governments have no business monitoring the Facebook likes or YouTube views of hundreds of millions of people.”
It might also have a chilling effect on companies like Google. Jason Healey, former White House cyber czar under George W. Bush, says U.S. and British intelligence encroachment on the internet is a threat to everyone, including social media companies.
“We want our security services to be out there and keeping us safe," said Healey, "but we can also look for balance, we can look for limits, especially if we’re putting at risk this most transformative technology since Gutenberg.”
According to the documents obtained by NBC News, intelligence officers from GCHQ gave a demonstration in August 2012 that spelled out to their U.S. colleagues how the agency’s “Squeaky Dolphin” program could collect, analyze and utilize YouTube, Facebook and Blogger data in specific situations in real time.
The demonstration showed that by using tools including a version of commercially available analytic software called Splunk, GCHQ could extract information from the torrent of electronic data that moves across fiber optic cable and display it graphically on a computer dashboard. The presentation showed that analysts could determine which videos were popular among residents of specific cities, but did not provide information on individual social media users.
The presenters gave an example of their real-time monitoring capability, showing the Americans how they pulled trend information from YouTube, Facebook and blog posts on Feb. 13, 2012, in advance of an anti-government protest in Bahrain the following day.
More than a year prior to the demonstration, in a 2012 annual report, members of Parliament had complained that the U.K.’s intelligence agencies had missed the warning signs of the uprisings that became the Arab Spring of 2011, and had expressed the wish to improve “global” intelligence collection.
During the presentation, according to a note on the documents, the presenters noted for their audience that “Squeaky Dolphin” was not intended for spying on specific people and their internet behavior. The note reads, “Not interested in individuals just broad trends!”
But cyber-security experts told NBC News that once the information has been collected, intelligence agencies have the ability to extract some user information as well. In 2010, according to other Snowden documents obtained by NBC News, GCHQ exploited unencrypted data from Twitter to identify specific users around the world and target them with propaganda.
The experts also said that the only way that GCHQ would be able to do real-time analysis of trends would be to tap the cables directly and store the data or use a third party, like a private company, to extract and collect the raw data. As much as 11 percent of global internet bandwidth travels through U.K. internet exchanges, according to Bill Woodcock, president of PCH, a non-profit internet organization that tracks and measures and documents fiber infrastructure around the world.
In the case of the YouTube video information, the surveillance of the unencrypted material was done not only without the knowledge of the public but without the knowledge or permission of Google, the U.S. company that owns the video sharing service.
"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links,” said a Google spokesperson. “We do not provide any government, including the UK government, with access to our systems. These allegations underscore the urgent need for reform of government surveillance practices."
A source close to Google added that Google was “shocked” because the company had pushed back against British legislation that would have required Google to store its metadata and other information for U.K. government use. The legislation, introduced by Home Secretary Theresa May in 2012, was publicly repudiated by Deputy Prime Minister Nick Clegg in 2013 and has never become law. May hopes to reintroduce a modified version this spring.
“It’s extremely surprising,” said the source, “that while they were pushing for the data via the law, they might have simultaneously been using their capability to grab it anyway.”
Encryption would prevent simple collection of the data by an outside entity like the government. Google has not yet encrypted YouTube or Blogger. Facebook and Twitter have now fully encrypted all their data.
Facebook confirmed to NBC News that while its “like” data was unencrypted, the company never gave it to the U.K. government and was unaware that GCHQ might have been siphoning the data. The company assumes the data was taken somewhere outside its networks and data centers.
“Network security is an important part of the way we protect user information,” said Facebook spokesman Jay Nancarrow, “which is why we finished moving our site traffic to HTTPS by default last year, implemented Perfect Forward Secrecy, and continue to strengthen all aspects of our network.”
GCHQ would not confirm or deny the existence of the Squeaky Dolphin program or anything else connected with this report. The agency declined to answer questions about the scope of its data collection or how it accessed the datastream.
In a statement, a GCHQ spokesperson emphasized that that the agency operated within the law.
“All of GCHQ's work is carried out in accordance with a strict legal and policy framework,” said the statement, “which ensure[s] that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All of our operational processes rigorously support this position.”
A spokesperson for the NSA said in a statement that the U.S. agency is not interested in “the communications of people who are not valid foreign intelligence targets.”
“Any implication that NSA's foreign intelligence collection is focused on the social media communications of everyday Americans is not true,” said the statement. “We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets. Because some data of U.S. persons may at times be incidentally collected in NSA’s lawful foreign intelligence mission, privacy protections for U.S. persons exist across the entire process concerning the use, handling, retention, and dissemination of data.”
The spokesperson also said that working with foreign intelligence services “strengthens the national security of both nations,” but that NSA can’t “use those relationships to circumvent U.S. legal restrictions.”
Both U.S. and British officials assert that while their passive collection of electronic communications might have great breadth, the actual use of the data collected is very targeted, and is dictated by specific missions. Sources familiar with GCHQ operations state firmly that this is the case in each of the agency’s operations.