
PRISM, "Five Eyes" and Kim Dotcom

The PRISM story keeps growing. There are now reports that the NSA has shared data on Kim Dotcom obtained via PRISM with the international spy group "Five Eyes" (background here; it includes representatives from the U.S., U.K., New Zealand, Canada and Australia), and that Five Eyes may have given the intercepted data on Kim Dotcom to New Zealand's GCSB, which in turn gave it to a specialized New Zealand police group that used the information to assist the FBI and facilitate his arrest on U.S. charges.

"Five Eyes" met in New Zealand just 2 days before the Prime Minister announced the illegal interception of Kim Dotcom's communications on Sept. 17. Who was at the meeting? Reportedly, Intelligence Co-ordination Group director Roy Ferguson, a former ambassador to the US, along with representatives from the US Central Intelligence Agency, National Security Agency, Britain's Communications Headquarters, Canada's Communications Security Establishment and the Australian Secret Intelligence Service.

It was just revealed in New Zealand that Kim Dotcom's intercepted data, allegedly shared with Five Eyes, may have emanated from PRISM:

Documents show strings of data being fed into a spying system which has links to the Five Eyes network, of which New Zealand's GCSB is a member with Australian, Canadian, UK and US partners.

It is the same information used to match personal detail harvested by the Prism system, revealed in the Guardian newspaper as being set up in 2007 to monitor people outside the US by sifting through massive amounts of data collected from Apple, Facebook, Google, Microsoft and other internet giants. The revelation rocked the US, forcing President Barack Obama to defend the system as "modest encroachments on privacy", and then the UK, after it emerged its partner in the Five Eyes network had access to the Prism scheme for at least three years.

Dotcom is certain of the PRISM link:

Mr Dotcom, who faces extradition to the US on charges of copyright violation, said he believed the GCSB sifted through Prism data with his details prior to the arrest. "It certainly did involve Prism. GCSB relies heavily on US spy technology. The Five Eyes have one brain and it sits in the US."

Papers released in the Dotcom court case support the links to the Five Eyes network but crucially have the name of the intelligence system doing the actual spying deleted.

What the documents show:

Documents show analysts tasked with organising the spying marked it as associated with the Five Eyes network. One document, classifying it as "Secret", listed the five member nations and stated: "Please enter into [name of system redacted] and mark as priority." The accompanying list is called "Selectors of Interest" and details a long string of information similar to that used in Prism. It includes cellphone numbers, driver licence details, email addresses, passport numbers, internet protocol and real world addresses.

Another document was headed up "Top Secret" and "rel to NZL/FVEY" (New Zealand/Five Eyes). It referred to "traffic volume from these selectors", showing information was intercepted.

Then there's this European report by the Centre for the Study of Conflicts, Liberty and Security that I wrote about in January. The report says that FISA allows “purely political surveillance on foreigners' data” if it is stored using U.S. cloud services like those provided by Google, Microsoft and Facebook. Via Slate:

According to [report co-author Caspar] Bowden, the 2008 FISA amendment created a power of “mass surveillance” specifically targeted at the data of non-U.S. persons located outside America, which applies to cloud computing. This means that U.S. companies with a presence in the EU can be compelled under a secret surveillance order, issued by a secret court, to hand over data on Europeans. Because non-American citizens outside the United States have been deemed by the court not to fall under the search and seizure protections of the Fourth Amendment, it opens the door to an unprecedented kind of snooping.

William E. Kennard, United States Ambassador to the European Union, denied the U.S. was engaging in mass snooping of Europeans at the 2012 European Cloud Computing Conference:

While some cloud providers here in Europe have recently made the fear of unlimited U.S. Government access to data a selling point for their services, this is an inaccurate assessment and completely ignores the facts. As many of you know, all law enforcement and national security investigations in the United States are subject to a careful set of legal and judicial constraints to protect individual privacy. While our systems may differ in approach, let me assure you that we have in place protections that are fundamentally similar to those in Europe. In a number of critical areas, the U.S. provides more restrictions to the access of personal data than do European Member States. 


Caspar Bowden, who previously served as the chief privacy adviser to Microsoft Europe, says differently. He says the new FISA extensions are worse than the Patriot Act:

Bowden says FISA is effectively “a carte blanche for anything that furthers U.S. foreign policy interests” and legalizes the monitoring of European journalists, activists, and politicians who are engaged in any issue in which the United States has a stake. FISA, according to Bowden, expressly makes it lawful for the United States to do “continuous mass-surveillance of ordinary lawful democratic political activities,” and could even go as far as to force U.S. cloud providers like Google to provide a live “wiretap” of European users’ data.

The report says the 2008 FISA Amendments extended snooping on foreigners to data stored in the cloud.

[A] test case at the Foreign Intelligence Surveillance Court of Review... held definitively that the Fourth Amendment requirement for a specific warrant only applied to surveillance directed at US persons. This opened the door for Congress to enact FISAA §1881a in 2008, which authorized mass-surveillance of foreigners (outside US territory), but whose data was within range of US jurisdiction.

However, the most significant change escaped any comment or public debate altogether. The scope of surveillance was extended beyond interception of communications, to include any data in public cloud computing as well. This change occurred merely by incorporating “remote computing services” into the definition of an “electronic communication service provider.”

As a result of the way FISA defines “foreign intelligence information”, "which includes information with respect to a foreign-based political organization or foreign territory that relates to the conduct of the foreign affairs of the United States" (which was accomplished by truncating and substituting limbs of clauses §1801e and §1801a), the report says:

In other words, it is lawful in the US to conduct purely political surveillance on foreigners' data accessible in US Clouds .... FISAA 1881a means that any data-at-rest formerly processed “on premise” within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance – for purposes of furthering the foreign affairs of the US (as well as the expected purposes of terrorism, money-laundering etc.).

Then the report discusses the threat caused by "new NSA data centres constructed for storage and analysis on an unprecedented scale," citing the March, 2012 WIRED article, ex