When David Cameron announced during the #WeProtectChildren summit that GCHQ will join forces with the National Crime Agency in order to effectively tackle the problem of child pornography on Tor, he, probably unintentionally, made a rather sweeping statement about the role of intelligence agencies in the process of fighting crime. GCHQ’s primary function, after all, is spying on foreign entities and protecting the national security of the UK. In fact, the Intelligence Services Act 1994 names three functions of the agency: the aforementioned national security, with emphasis on foreign and defence policy; the economic well-being of the UK (again with emphasis on foreign actors); and, in last place, support of the prevention and detection of serious crime. The status of the use of SIGINT in domestic matters is therefore not as obvious as might be inferred from Cameron’s words. Even in the UK, which generally has relaxed legal boundaries regarding law enforcement authority, the power to authorise interception of communications by GCHQ still lies in the hands of the Secretary of State. It should be noted that it is not yet clear what form the cooperation between GCHQ and the NCA will take – perhaps GCHQ will provide only technical assistance (i.e. forensic service) without resorting to more aggressive capabilities.
For some types of operations this kind of cooperation is natural – for example, counter-intelligence efforts most often rely on the work of domestic intelligence agencies, or specialised counter-intelligence agencies, which disclose gathered materials in the course of court proceedings. However, that is true for intelligence agencies that operate within the borders of the country by default, i.e. MI5 or the FBI. The problem is that nowadays governments try to shift, or at least partially redirect, the focus of foreign signals intelligence towards tackling local threats. This is without a doubt a result of the use of more sophisticated tools by criminals. It is hard to argue with Cameron’s assessment that the use of Tor requires special efforts from law enforcement, as well as the use of measures available only to specific entities. At the same time, the question remains whether existing regulations keep up with the quick changes in actual policy.
A good example of a legislative shift towards balancing the means available to the intelligence and criminal investigation communities is the Netherlands. Because the AIVD (Algemene Inlichtingen- en Veiligheidsdienst – General Intelligence and Security Service) and the MIVD (Militaire Inlichtingen- en Veiligheidsdienst – Military Intelligence and Security Service) may engage in intrusive surveillance without judicial authorisation (some techniques require a decision of the minister, similarly to the UK), criminal investigation is strictly separated from their activity. However, the provisions enacted aim to increase the use of intrusive measures, as well as to facilitate the flow of more general intelligence gathering. Designated units of the Dutch police called CIE (criminele inlichtingen eenheden) are tasked with gathering information on serious and organised crime, which might be used for starting a prosecution. CIE reports generally cannot be used as evidence in court; however, the chief of the specific CIE might be called to testify under oath, just as any police officer. Regarding information exchange between the ordinary police and the AIVD / MIVD, the intelligence agencies may provide leads to the police, while the police are obliged to provide relevant materials to the intelligence agencies. As mentioned, however, investigations remain separate. While gathering materials for the AIVD, the police cannot use their investigative powers or share information from the CIE (for a full description of the status of Dutch law in terms of criminal intelligence, please see the article: Intelligence as legal evidence). By contrast, in the US the lines between intelligence and criminal matters are blurred, especially in the context of FISC and the Patriot Act – a problem which became all too apparent when it turned out that NSA counter-terrorism programs were used largely by the DEA to tip off drug investigations.
In terms of involving intelligence in computer operations, such as tackling Tor, it seems much harder to define the boundaries of cooperation without de facto authorising full-blown involvement. First of all, the process of passing information is not as simple as in the case of traditional crime. Effective use of SIGINT resources to produce legal evidence will (or rather should) require disclosure of the techniques used. In ‘normal’ cases, measures such as the use of informers or wiretapping are already set in stone, and it has become understood that the identity of an informer cannot be disclosed; in the case of cyber operations, however, lack of disclosure potentially means making the internet less safe for normal users. To illustrate: Operation ‘Onymous’, which ended in a massive takedown of darknet drug markets, is a cause of concern for the Tor Project due to the possibility of a new vulnerability which potentially endangers every Tor user. The criminal complaint in US v Benthall omits any details regarding how his location was tracked down. That is in stark contrast to the Ross Ulbricht case, where even the initial complaint contained a detailed description of the investigation (sans details of the alleged IP-leaking exploit, described in the declaration of agent Tarbell). Given that disclosure of vulnerabilities is already becoming an issue, it is not unreasonable to extrapolate from it to what will happen when the intelligence community becomes officially involved. After all, the fallout of the Snowden leaks proved that the SIGINT community will actively fight against revealing the methods they use – whether they should or not, and to what degree, is a completely separate issue. Also, on a side note, it is becoming increasingly obvious that the judiciary will have to gain significant technical expertise to properly analyse and understand descriptions of the methods used, in order to judge their compliance with criminal procedure.
The second point is the potential blanket application of intrusive measures in criminal investigations. As already shown by the case of the FISC rulings, anything less than an explicit ban on using certain techniques will lead to abuse, reinforced by the limited means of challenging a decision caused by the secrecy of the process. The question which seems not to have been considered yet is whether, in the case of common criminal matters, given that procedural guarantees have been satisfied, every method available from a technical point of view is appropriate – an especially important matter in terms of mass surveillance. Given how the capabilities of intelligence agencies are increasing nowadays, things might come to the point where it would be undesirable to deploy some methods, even if they are effective. For example: even if all unrelated data were discarded, should the NSA engage in massive traffic analysis (effectively acting as a global passive adversary) to find child pornography distributors using Tor? Do the benefits outweigh the costs? This issue is relevant even right now, as law enforcement is generally authorised to deploy any technical means to collect evidence after obtaining judicial authorisation.
These problems are certainly just a few of the many that will have to be considered in the process of merging signals intelligence into criminal investigations. Hopefully, clearly regulated provisions will provide greater protection for civil liberties than current attempts at introducing aggressive surveillance through unofficial cooperation and secret warrants.