U.K. government uses overseas location of Facebook, Google servers as spying justification

The U.K.’s intelligence agencies see British people’s Google(s fb) searches and communications sent over services such as Facebook(s fb) as fair game for interception when the relevant servers are based outside the country, the British counter-terrorism chief has told a surveillance court.

Charles Farr, the director general of the Office for Security and Counter Terrorism (OSCT) at the Home Office, revealed the policy in testimony (PDF) to the Investigatory Powers Tribunal a month ago, following legal challenges lodged by civil liberties groups. Privacy International (PI), the organization leading the lawsuits, says it was only able to publish the statement a month later, on Tuesday.

PI and its partners, including Amnesty International and the American Civil Liberties Union (ACLU), are trying to unpick the secrecy surrounding the U.S.’s Prism and the U.K.’s Tempora, two surveillance programs that were revealed in Edward Snowden’s NSA documents. British spy agencies have refused to acknowledge or deny the existence of Tempora, the scheme in which they tap major communications cables around the world to scoop up large quantities of data.

In PI’s words, this is “the first time the Government has openly commented on how it thinks it can use the UK’s vague surveillance legal framework to indiscriminately intercept communications through its mass interception programme, Tempora.”

What’s external?

Under British law, spies shouldn’t be spying on internal/domestic communications, but the same restrictions don’t apply to external/foreign communications. According to Farr’s testimony, an email sent between people in the U.K. is internal, even if it’s sent via foreign servers, for example through a service like Gmail or Hotmail – because both the sender and the recipient are in the U.K.

However, Farr said the same did not necessarily apply in different contexts. With a Google search, he said, the intended recipient of the communication (i.e. the search query) is Google’s server, which is probably outside the U.K. – therefore it and the response are both “external”. The same goes for messages posted on Facebook, but not for emails sent through Facebook.

The activists see this as depriving British residents of “the essential safeguards that would otherwise be applied to their communications — simply because they are using services that are based outside the U.K.”

According to Liberty legal director James Welch:

“The security services consider that they’re entitled to read, listen and analyse all our communications on Facebook, Google and other U.S.-based platforms. If there was any remaining doubt that our snooping laws need a radical overhaul there can be no longer. The Agencies now operate in a legal and ethical vacuum; why the deafening silence from our elected representatives?”

RIPA rules

There’s more in Farr’s testimony to annoy civil liberties fans – by his explanation, it’s impossible to collect external communications while avoiding the collection of some internal communications:

“The only practical way in which the Government can ensure that it is able to obtain at least a fraction of the type of communication in which it is interested is to provide for the interception of a large volume of communications, and the subsequent selection of a small fraction of those communications for examination by the application of relevant selectors […] While this approach may lead to the interception of some communications that are not external, section 8(4) operations [surveillance operations with a broad, non-specific warrant] are conducted in a way that keeps this to the minimum necessary to achieve the objective of intercepting wanted external communications.”

The counter-terrorism chief said this was equivalent to the “strategic monitoring” allowed under German law.

A related debate over how privacy laws apply overseas is underway in the U.S. where Microsoft is challenging the government’s claim that a domestic search warrant can reach emails located on an Irish server.