MPs’ private emails are routinely accessed by GCHQ
First published by Computer Weekly on 1 June 2016
Duncan Campbell and Bill Goodwin
Computer Weekly investigation reveals the extent of interception of MPs’ and peers’ email communications and data
GCHQ and the US National Security Agency (NSA) have access to intercepted emails sent and received by all members of the UK Parliament and peers, including with their constituents, a Computer Weekly investigation has established.
The intelligence agency in Cheltenham has been able to harvest traffic details of all parliamentary emails, including details of the sender, recipient and subject matter, for at least three years. As a result, details of private email correspondence between MPs and constituents are being collected by GCHQ as a matter of routine.
GCHQ documents classified above top secret, released by NSA whistleblower Edward Snowden, also reveal that the spy agency has the capability to scan the content of parliamentary emails for “keywords” through an established cyber defence network that is connected to commercial software used to filter spam emails from MPs’ inboxes.
Disclosures raise new questions over IP Bill
The disclosures, which come as the House of Commons prepares for the Third Reading of the government’s controversial Investigatory Powers Bill on Monday 6 June, raise new questions over the sweeping powers to be granted in the bill to police and the security services.
The controversial decision by Parliament to replace its internal email and desktop office software with Microsoft’s Office 365 service in 2014 means that parliamentary data and documents constantly pass in and out of the UK to Microsoft’s datacentres in Dublin and the Netherlands, across the backbone of the internet.
Because files and emails leave the UK’s borders in this way, they are automatically accessible to GCHQ’s bulk interception system, Tempora. According to previously published Snowden documents, Tempora uses “probes” on commercial optical fibre cables crossing the Irish Sea and English Channel to harvest data.
Under existing law, GCHQ is permitted automatically to store datasets containing details of the senders, recipients and headings of all emails in and out of the UK, including internal UK-to-UK messages.
Forensic analysis shows 65% of Parliamentary emails routed overseas
Computer Weekly has carried out a forensic analysis of hundreds of emails sent to the magazine or the writers from parliamentary email addresses, using “header” information within the emails to trace the route of the emails.
The study showed that most of the mail messages (65%) were routed internationally, through Dublin and the Netherlands. About one-third were relayed by Microsoft’s new London datacentre. Cloud providers, such as Microsoft, use load-sharing procedures to distribute emails and data to more than one datacentre.
Every message also contained references to having been passed through clusters of scanning computers connected to GCHQ and located in the UK, France and Germany.
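The kind of header tracing described above can be reproduced on any mailbox you control. The following is an added example, not Computer Weekly's own tooling: it walks the `Received` headers of each message, rebuilds the relay path and reports the share routed outside the UK. All hostnames, the site codes in `SITE_CODES` and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string

# Assumed site codes embedded in relay hostnames; every name is a placeholder.
SITE_CODES = {"dub": "Dublin", "ams": "Netherlands", "lon": "London"}
UK_SITES = {"London"}
FROM_RE = re.compile(r"from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def build_sample(*hops):
    """Constructed message: hops given in travel order, newest header first."""
    lines = [f"Received: from {h} ({h} [192.0.2.1])\n\tby next.example; "
             "Wed, 1 Jun 2016 10:00:00 +0100" for h in reversed(hops)]
    return "\n".join(lines) + "\nFrom: mp@sender.example\nSubject: test\n\nbody\n"

SAMPLES = [
    build_sample("out1.dub.cloud.example", "scan2.filter.example"),
    build_sample("out4.ams.cloud.example", "scan1.filter.example"),
    build_sample("out2.lon.cloud.example", "scan2.filter.example"),
]

def relay_path(raw):
    """Relay hostnames in travel order (each relay prepends its own header)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = FROM_RE.match(value.strip())
        if m:
            hops.append(m.group(1).lower())
    return hops[::-1]

def sites_seen(path):
    """Map hostname labels to datacentre sites using SITE_CODES."""
    return [SITE_CODES[l] for h in path for l in h.split(".") if l in SITE_CODES]

def routed_overseas(raw):
    return any(s not in UK_SITES for s in sites_seen(relay_path(raw)))

def overseas_share(raws):
    return sum(routed_overseas(r) for r in raws) / len(raws)

if __name__ == "__main__":
    for raw in SAMPLES:
        print(" -> ".join(relay_path(raw)), sites_seen(relay_path(raw)))
    print(f"routed outside the UK: {overseas_share(SAMPLES):.0%}")
```

Only the `Received` lines added by relays you trust are reliable evidence of the path; anything below the first trusted hop can be written by the sender.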
The NSA’s Prism system offers access to all parliamentary documents and email through Microsoft Office 365 software, as a result of secret directives given to Microsoft under controversial US 2008 surveillance laws. The directives were implemented at the same time as Microsoft was selling its cloud system, Office 365, to the Houses of Parliament.
Since concerns were raised about the NSA’s ability to access data stored by US technology companies, Microsoft has been rushing to build two new UK datacentres.
Wilson Doctrine does not protect MPs
MPs’ communications have been partially protected from interception for over 40 years under the “Wilson Doctrine”, introduced by the former prime minister Harold Wilson in 1968. But this offered no protection to communications that leave the UK’s borders, which are subject to automatic bulk collection by GCHQ.
“The House of Commons administration has serious questions to answer,” according to former Home Office minister and Conservative MP David Davis. “On whose authority was ‘consent’ granted to view members’ emails? How did they manage to obtain that consent from every one of the 650 members whose constituents’ confidentiality is affected?
“The government too has questions to answer as to why it did not explain this when asked on many occasions about the effect of the Wilson Doctrine,” he added.
“The government should also make it clear to parliament the extent to which scanning of all mail by a US-controlled company has made Parliamentary communications vulnerable to agencies of a foreign power, namely the American NSA.”
How Parliament’s emails are under scrutiny
GCHQ’s Tempora system collects internet communications from optical fibre cables and automatically stores metadata, including sender, recipient and subject line, from MPs’ emails as they pass from the UK to Microsoft’s datacentres in Dublin and Holland, through tapped internet cables.
The US National Security Agency (NSA) and FBI have automatic access, using the Prism system, to documents saved by MPs on Office 365 OneDrive and held in Microsoft datacentres used by Parliament.
GCHQ has direct access to scan parliamentary email through a secret cyber-defence network, known as Haruspex, for “national security” purposes.
Labour deputy leader Tom Watson MP told Computer Weekly: “This will shock many of my parliamentary colleagues and provides a further illustration of why it is right for the government to give additional protections in law to MPs, lawyers and journalists. Theresa May has the opportunity to do this during the passage of the IP Bill in Parliament.”
“There is no doubt that MPs, by virtue of their work, are more likely to be targeted by the UK’s enemies. It is understandable that our security services want to take steps to protect them, but any and all measures they introduce must be based on consent,” he added.
SNP spokesperson Gavin Newlands MP said: “The SNP share the concerns that have been expressed over the partial removal of protection offered to privileged correspondence. It is of the utmost importance to any modern democracy that parliamentarians are able to communicate with constituents and advisers in complete confidence.”
The MP's comments came as the home secretary, Theresa May, made last-minute concessions on the Investigatory Powers Bill to strengthen the Wilson Doctrine.
Under revisions announced on 1 June, the prime minister must in future give explicit approval for law enforcement agencies to hack into MPs’ computers and phones or to access their communications data.
Secret cyber defence system has links to MessageLabs
Computer Weekly’s investigation also confirmed that MPs’ incoming and outgoing emails are automatically scanned through a network run by MessageLabs, a subsidiary of another US corporation, Symantec, which has been contracted by Parliament to provide services including spam filtering and malware detection.
MessageLabs provides GCHQ with direct access to parliamentary emails, through a secret cyber security network called Haruspex, according to GCHQ’s “Cyber Defence Operations” legal policy instructions disclosed by Edward Snowden. The scanning system has been in operation for at least a decade. The documents reveal that Haruspex has been extended beyond “the detection, analysis and prevention of network-based attacks” against government computer systems, to allow it to be used to report other activities, provided they are in the interests of “national security” – a concept the government has refused to define.
Members of the Scottish National Party and Labour Party, who have scrutinised the Investigatory Powers Bill, have criticised the government for misusing “national security” to justify surveillance operations against trade unionists and critics of the police.
The MessageLabs scanning system, used on all emails to and from Parliament, can be programmed to detect keywords as well as to look for malicious attachments or spam. MPs and peers have not been told about the MessageLabs system, nor specifically asked for permission for their emails to be scanned in this way.
Computer Weekly put a series of questions to Symantec, the US corporation that supplies the MessageLabs service, about the role of MessageLabs in Parliament and its links to Haruspex. A spokesperson said: “Symantec has legal non-disclosure agreements with all of our customers and, as a result, cannot discuss specific cases.”
Parliament’s move to Office 365
In May 2013, Parliament began the path to an updated IT system that ultimately left MPs’ emails and documents exposed to greater risks of surveillance from the UK and US intelligence services.
Joan Miller, then the director of Parliamentary ICT (PICT), told the House of Lords management board: “Office 365 had a slightly higher risk relating to data sovereignty, but Microsoft’s and the House’s lawyers…felt that the chance of the risk materialising was low.”
Less than a month later the Guardian revealed the Snowden document leak and the existence of the NSA’s Prism programme, which requires US companies, including Microsoft, to build systems to allow the NSA and the FBI to access, on-demand, their customers’ messages and files, including documents held in cloud datacentres.
Within a week, Miller told Parliament’s management board that “PICT had reviewed its advice on data sovereignty and cloud computing following news stories about PRISM and was content that the risk was unchanged.”
Low risk not no risk
“We didn’t think there was no risk, we thought it was a low risk [in 2013],” she told Computer Weekly. Asked if “UK parliamentary data may end up being requisitioned by the NSA”, she said: “We did consider that, yes.”
Miller, who retired as director of parliamentary IT in 2014, told Computer Weekly that Microsoft claimed to have doubts over the legality of the secret orders issued by the US government to obtain data under Prism and would be prepared to challenge it in court.
Microsoft questions legality of US disclosure orders
Microsoft is currently fighting a US federal court order to hand over customer email data stored in its Dublin datacentre in connection with an investigation into drugs trafficking. “It is taking legal action against the US government, after being served 2,576 secret legal demands in a year, effectively silencing Microsoft from speaking to customers about warrants or other legal processes affecting their data.”
Microsoft’s president and chief legal officer, Brad Smith, visited Parliament in person to offer reassurances over the sovereignty of parliamentary data, as negotiations over Office 365 were underway, Miller revealed.
In 2014, then leader of the House of Commons William Hague was forced to reassure MPs about the security of their emails after an MP raised concerns that US authorities could gain access to Microsoft’s European datacentres.
Miller said she also received reassurances that GCHQ would not abuse its access to monitor MPs’ communications, which might include emails to MPs from constituents passing on sensitive information or blowing the whistle on wrong-doing or corruption.
“GCHQ is quite clear, every time I have spoken to them, that they follow the law. It would not be lawful for them to look at those emails. That sounds a bit naive, I don’t think it is,” she said. MPs are concerned that current laws place no restriction on the use of interception, when this is allegedly carried out with “consent”.
At the same time as Microsoft was negotiating the sale of Office 365 to Parliament, the supplier was arranging for its cloud storage system, then called SkyDrive, to be connected to Prism, to allow the US to obtain foreign intelligence, documents from Edward Snowden revealed.
An NSA information bulletin, dated 7 March 2013 and marked “Top Secret – No Foreign Dissemination”, boasted that Microsoft’s SkyDrive system had been open to full NSA inspection, including Word, PowerPoint and Excel files.
“Fundamentally, the decision to move to [Office] 365 sits on the sensitivity of the data that we were looking at and the risk that we felt, and combining those together, but the business decision was that it was an acceptable risk,” said Miller.
Miller told Computer Weekly that she believed MPs would have been made aware of security risks, and asked to agree to the interception. She said, having retired, she could not refer to any current documents.
Computer Weekly has obtained copies of the 2015 “acceptable use” agreement for parliamentary digital services, signed by MPs and peers, and also the 2015 Members’ Handbook. Neither document warns MPs that their incoming and outgoing mails are scanned for keywords by the US-owned MessageLabs network that has links to the intelligence services.
All MPs are given a “parliament.uk” email address, although many also use private email addresses for non-parliamentary work. MPs and peers contacted by Computer Weekly said they had not been told about the potential security risks of using parliamentary email and the Office 365 system.
A Microsoft spokesperson declined to comment to Computer Weekly, saying only: “Due to client confidentiality, Microsoft does not disclose the terms of any of our customer agreements.”
Microsoft’s fight back against government surveillance
Since 2013, Microsoft has begun fighting back against US government surveillance.
The company is immersed in a legal battle with the US government over handing over emails stored in its Dublin datacentre, in what is widely regarded as a test case of the enforceability of US law in the Republic of Ireland.
In April 2016, it launched a highly public legal fight against the US government, in a Washington court, demanding that the government drops its use of gagging orders to prevent Microsoft informing customers when their data has been accessed by the US government.
Smith revealed that the US government has served 2,576 secret legal demands over the space of 18 months, which effectively prevent Microsoft speaking to its customers about legal moves by the US government to access their data.
“People have a right to know as soon as reasonably possible when the government serves a provider with a legal demand to access their records or emails. Providers like Microsoft have a right to inform customers and be transparent with the public,” he said.
Microsoft declined to comment on whether plans to create new datacentres in Britain and an independently run datacentre in Germany were part of a strategic move to protect its government and other customers’ data from US surveillance.
The locations of the new datacentres in the UK, known as United Kingdom West and United Kingdom South, have not been made public.
But people familiar with the project say they are likely to be hosted in existing datacentre space owned by Colt Data Services, on the outskirts of London, and Next Generation Data, Europe’s largest datacentre, in Newport, Wales.
The centres will allow businesses, including government departments, that are concerned about data sovereignty to retain and back up data within UK borders.
Microsoft CEO Satya Nadella, questioned in a television interview about the move, said that Microsoft had to respond to concerns over data privacy.
“I think that we have absolutely to deal with the realities of how regulation is being shaped, because of the legitimate concerns governments have about data privacy,” he said, speaking in 2015, when Microsoft announced the initiative.
Microsoft has gone further with its German datacentres, currently under construction, at Magdeburg and Frankfurt am Main. The company has handed over the management and control of its customers’ data to Deutsche Telekom, further distancing Microsoft from potential compulsory disclosure of data to US intelligence agencies.
Under the arrangement, Microsoft will not be able to access the data without the permission of customers or the data trustee, further distancing itself from any attempts by the US government to access its customers’ data.