One of the papers published by the Intelligence and Security Committee (ISC) with its report into “Privacy and Security” contained a five-page memo from GCHQ’s legal advisers (see last week’s blog and references). It suggests that the secret organisation is about to offer email services to the public in order to allay concerns about the mass retention of communications data.
I have checked with a leading domain name registration company, and it appears that the first steps have already been taken. I can confirm that the “patriot.me.uk” and “patriot.uk” domain names have been registered to a certain “Professor Gordon C. H. Quatermass, P.O. Box 500, Hubble Road, Cheltenham GL51 0EX” (a joke name if ever there was one).
The memo anticipates that GCHQ’s free email service will start in January 2016 and will be targeted at domestic subscribers; it also anticipates the development of special cookies and cloud services. The move allows the use of powers to be focused on non-consensual circumstances (i.e. users who don't use the patriot.me.uk” and “patriot.uk" domains).
The analysis outlines how GCHQ’s email service “will enhance the on-line security experience of those who use the ‘patriot’ domains” and assumes that recent public opinion surveys which show good public support for the mass retention of communications data are correct (e.g. a YouGov Poll of January 18th shows 53% in favour of mass data retention; a similar Australian poll shows 66% support).
The memo then outlines GCHQ procedures as follows:
- Subscribers in favour of mass data retention associated with their emails can open an account associated with the new GCHQ “patriot” domain names from the New Year. GCHQ will have obtained data subject consent for any data retention as individuals “are not compelled to open a ‘patriot’ email account”.
- GCHQ in its fair processing notice will stress that communications data for all “patriot” domains are to be retained for one year; there is no Article 8 human rights issue as users of the “patriot” domain names are freely consenting to this retention.
- Those sending email messages to a “patriot” domain (e.g. from the Hotmail.co.uk or gmail.com domain) have also consented to communications data retention by GCHQ. This is because “such users are not obliged to send an email to a ‘patriot’ domain; if they do so, they are freely choosing to send the email knowing the retention criteria”.
- GCHQ stresses that because an email is transmitted using its services, it does not mean that the content will be read by GCHQ or that communications data will be retained. Emails associated with “innocent subscribers will only be examined if they need to be cleared of suspicion”.
- As more and more subscribers see the benefit of a GCHQ account, the “patriot” domain names will be in demand. Indeed, “we expect business use to increase exponentially” because “employees will not send inappropriate messages via these domain names and are more likely to conform with their employer’s acceptable use policy”.
- Use of the ‘“patriot” domains will help reduce spam and phishing as “spammers are unlikely send bulk emails to GCHQ because they risk subsequent tracing and exposure”. Indeed “the evidence we collect might help the Information Commissioner serve monetary penalty notice on spammers”.
- On an individual basis, “cyber-bullies and those who trash reputations anonymously” are unlikely to risk exposure given GCHQ’s “ability to trace senders from IP addresses”.
From public comments made yesterday by leading politicians during the Election campaign, GCHQ’s email service is gaining considerable political support.
Mrs Theresa May, former Home Secretary, has approved the GCHQ initiative. Seeking re-election as the MP for Maidenhead, she told her constituents: “An email address in the form ‘Theresa.May@patriot.uk’ or ‘David.Cameron@patriot.me.uk’ demonstrates where each citizen’s heart and mind lies”.
She added “Not only will a ‘patriot.me.uk’ account demonstrate that the user is not a terrorist, child abuser, wife beater or member of the mafia, it will show that senders and/or recipients of emails can be trusted as they trust GCHQ”.
The UKIP leader, in his speech at Dover yesterday, said he also supported the GCHQ initiative. “I am proud of my ‘Nigel.Farage@patriot.me.uk’ email address” he said, adding “I think we can draw obvious conclusions if individuals, especially those who come to our shores from abroad, fail to obtain a patriot email account when they reside in the UK”.
In an echo of Norman Tebbit’s infamous cricket test (“Immigrants who support their native countries rather than England at the sport of cricket are not significantly integrated into the United Kingdom”), Mr Farage added: “the failure to use a ‘patriot’ account sends a message about the commitment of each citizen to the preservation of customs and social values that are cherished in the UK”.
Mr. Farage used the event to announce a new UKIP policy: those who successfully apply for a passport will be given a “patriot” email address so “we know where we stand if they refuse to use it”.
The memo suggests that if the email initiative is successful, that GCHQ should consider producing its own surveillance cookies modelled on adware. Because of the volume of data hoovered-up by these cookies, they are colloquially known by GCHQ techies as ‘suckies’ (a shorthand for “surveillance cookies”).
According to the report, GCHQ should also consider offering new Cloud services such as “MaaS” (Monitoring as a Service) and “SaaS” (Surveillance as a Service). The memo notes that if the UK banks were to use these GCHQ cloud services, then this would ease the Government’s problems associated with tax evasion and help the police trace money transfers to terrorists and organised crime.
The memo states that “The public would not understand why the banks failed to use GCHQ Cloud services as the Treasury and taxpayer is the obvious beneficiary”; there would “be a strong public interest to oblige the financial services industry to use them”.
After all, the memo concludes, “if members of the public, for their own online protection, use the patriot domain names, why should we not expect the financial sector to be equally patriotic?”.
Because of the implications of this memo, I will be raising this issue at our UPDATE conference on May 11th – details of the program from http://www.amberhawk.com/pdf/Amber_UPDATE_CONFERENCE_advancebookingform.pdf
ISC Press statement, report and evidence accessible from: http://isc.independent.gov.uk/
Written evidence from: http://isc.independent.gov.uk/public-evidence (date posted is 12 March 2015)