US and UK struck secret deal to allow NSA to 'unmask' Britons' personal data

• 2007 deal allows NSA to store previously restricted material
• UK citizens not suspected of wrongdoing caught up in dragnet
• Separate draft memo proposes US spying on 'Five-Eyes' allies

The phone, internet and email records of UK citizens not suspected of any wrongdoing have been analysed and stored by America's National Security Agency under a secret deal that was approved by British intelligence officials, according to documents from the whistleblower Edward Snowden.

In the first explicit confirmation that UK citizens have been caught up in US mass surveillance programs, an NSA memo describes how in 2007 an agreement was reached that allowed the agency to "unmask" and hold on to personal data about Britons that had previously been off limits.

The memo, published in a joint investigation by the Guardian and Britain's Channel 4 News, says the material is being put in databases where it can be made available to other members of the US intelligence and military community.

Britain and the US are the main two partners in the 'Five-Eyes' intelligence-sharing alliance, which also includes Australia, New Zealand and Canada. Until now, it had been generally understood that the citizens of each country were protected from surveillance by any of the others.

But the Snowden material reveals that:

• In 2007, the rules were changed to allow the NSA to analyse and retain any British citizens' mobile phone and fax numbers, emails and IP addresses swept up by its dragnet. Previously, this data had been stripped out of NSA databases – "minimized", in intelligence agency parlance – under rules agreed between the two countries.

• These communications were "incidentally collected" by the NSA, meaning the individuals were not the initial targets of surveillance operations and therefore were not suspected of wrongdoing.

• The NSA has been using the UK data to conduct so-called "pattern of life" or "contact-chaining" analyses, under which the agency can look up to three "hops" away from a target of interest – examining the communications of a friend of a friend of a friend. Guardian analysis suggests three hops for a typical Facebook user could pull the data of more than 5 million people into the dragnet.

• A separate draft memo, marked top-secret and dated from 2005, reveals a proposed NSA procedure for spying on the citizens of the UK and other Five-Eyes nations, even where the partner government has explicitly denied the US permission to do so. The memo makes clear that partner countries must not be informed about this surveillance, or even the procedure itself.

The 2007 briefing was sent out to all analysts in the NSA's Signals Intelligence Directorate (SID), which is responsible for collecting, processing, and sharing information gleaned from US surveillance programs.

Up to this point, the Americans had only been allowed to retain the details of British landline phone numbers that had been collected incidentally in any of their trawls.

But the memo explains there was a fundamental change in policy that allowed the US to look at and store vast amounts of personal data that would previously have been discarded.

It states: "Sigint [signals intelligence] policy … and the UK Liaison Office here at NSAW [NSA Washington] worked together to come up with a new policy that expands the use of incidentally collected unminimized UK data in Sigint analysis.

"The new policy expands the previous memo issued in 2004 that only allowed the unminimizing of incidentally collected UK phone numbers for use in analysis.

"Now SID analysts can unminimize all incidentally collected UK contact identifiers, including IP and email addresses, fax and cell phone numbers, for use in analysis."

The memo also set out in more detail what the NSA could and could not do.

The agency was, for example, still barred from making any UK citizen a target of surveillance programs that would look at the content of their communications without getting a warrant. However, they now:

• "Are authorized to unmask UK contact identifiers resulting from incidental collection."

• "May utilize the UK contact identifiers in Sigint development contact chaining analysis."

• "May retain unminimized UK contact identifiers incidentally collected under this authority within content and metadata stores and provided to follow-on USSS (US Sigint System) applications."

The document does not say whether the UK Liaison Office, which is operated by GCHQ, discussed this rule change with government ministers in London before granting approval, nor who within the intelligence agencies would have been responsible for the decision.

The Guardian contacted GCHQ and the Cabinet Office on Thursday November 7 to ask for clarification, but despite repeated requests since then, neither has been prepared to comment.

Since the signing in 1946 of the UKUSA Signals Intelligence Agreement, which first established the Five-Eyes partnership, it has been a convention that the allied intelligence agencies do not monitor one another's citizens without permission – an agreement often referred to publicly by officials across the Five-Eyes nations.

However, a draft 2005 directive in the name of the NSA's director of signals intelligence reveals the NSA prepared policies enabling its staff to spy on Five-Eyes citizens, even where the partner country has refused permission to do so.

nsatear2
nsatear2 Photograph: Guardian Photograph: Guardian

The document, titled 'Collection, Processing and Dissemination of Allied Communications', has separate classifications from paragraph to paragraph. Some are cleared to be shared with America's allies, while others – marked "NF", for No Foreign – are to be kept strictly within the agency. The NSA refers to its Five-Eyes partners as "second party" countries.

The memo states that the Five-Eyes agreement "has evolved to include a common understanding that both governments will not target each other's citizens/persons".

But the next sentence – classified as not to be shared with foreign partners – states that governments "reserved the right" to conduct intelligence operations against each other's citizens "when it is in the best interests of each nation".

"Therefore," the draft memo continues, "under certain circumstances, it may be advisable and allowable to target second party persons and second party communications systems unilaterally, when it is in the best interests of the US and necessary for US national security."

The draft directive states who can approve the surveillance, and stresses the need for secrecy.

NSAtear4
NSAtear4 Photograph: Guardian Photograph: Guardian

"When sharing the planned targeting information with a second party would be contrary to US interests, or when the second party declines a collaboration proposal, the proposed targeting must be presented to the signals intelligence director for approval with justification for the criticality of the proposed collection.

"If approved, any collection, processing and dissemination of the second party information must be maintained in NoForn channels."

The document does not reveal whether such operations had been authorized in the past, nor whether the NSA believes its Five-Eyes partners conduct operations against US citizens.

The other sections of the document, cleared for sharing with the UK and other partners, strike a different tone, emphasising that spying on each other's citizens is a collaborative affair that is most commonly achieved "when the proposed target is associated with a global problem such as weapons proliferation, terrorism, drug trafficking or organised crime activities."

It states, for example: "There are circumstances when targeting of second party persons and communications systems, with the full knowledge and co-operation of one or more second parties, is allowed when it is in the best interests of both nations."

NSAtear3
NSAtear3 Photograph: Guardian Photograph: Guardian

The memo says the circumstances might include "targeting a UK citizen located in London using a British telephone system"; "targeting a UK person located in London using an internet service provider (ISP) in France; or "targeting a Pakistani person located in the UK using a UK ISP."

A spokeswoman for the NSA declined to answer questions from the Guardian on whether the draft directive had been implemented and, if so, when. The NSA and the White House also refused to comment on the agency's 2007 agreement with the UK to store and analyze data on British citizens.

The British foreign secretary in 2005 was Jack Straw, and in 2007 it was Margaret Beckett. The Guardian approached both of them to ask if they knew about or sanctioned a change in policy. Both declined to comment.

The Five-Eyes nations have, so far, steered clear of the diplomatic upheavals, which have emerged as a result of revelations of the NSA spying on its allies.

France, Germany and Spain have all recently summoned their respective US ambassadors to discuss surveillance within their borders, while earlier this month the UK ambassador to Germany was invited to discuss alleged eavesdropping from the UK embassy in Berlin.

Contributor

James Ball

The GuardianTramp

Related Content

Article image
Watchdog demands GCHQ report on NSA's UK data storage
Intelligence and security committee chair Sir Malcolm Rifkind seeks explanation of deal that allowed US to 'unmask' Britons

Nick Hopkins and Matthew Taylor

21, Nov, 2013 @1:40 PM

Article image
NSA and GCHQ activities appear illegal, says EU parliamentary inquiry

Civil liberties committee report demands end to indiscriminate collection of personal data by British and US agencies

Nick Hopkins and Ian Traynor

09, Jan, 2014 @5:02 PM

Article image
Social media mass surveillance is permitted by law, says top UK official

Charles Farr's statement marks first time government has commented on how it exploits the UK's legal framework to operate mass interception

Owen Bowcott, legal affairs correspondent, and James Ball

17, Jun, 2014 @7:06 PM

Article image
Edward Snowden NSA files: secret surveillance and our revelations so far
Leaked National Security Agency documents have led to several hundred Guardian stories on electronic privacy and the state

James Ball

21, Aug, 2013 @7:36 PM

Article image
Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ

• Optic Nerve program collected Yahoo webcam images in bulk
• 1.8m users targeted by UK agency in six-month period alone
• Yahoo: 'A whole new level of violation of our users' privacy'
• Material included large quantity of sexually explicit images

Spencer Ackerman and James Ball

28, Feb, 2014 @10:31 AM

Article image
Spy chiefs should not be accountable to parliament, says ex-GCHQ chief

Sir David Omand expresses view in debate on surveillance featuring Guardian editor and Wikipedia founder

Kevin Rawlinson and Paul Owen

17, Dec, 2013 @11:56 PM

Article image
Former Labour minister accuses spies of ignoring MPs over surveillance

Nick Brown says there is 'uncanny' similarity between GCHQ programmes exposed by Edward Snowden and bill's proposals

Rowena Mason, political correspondent

16, Oct, 2013 @12:11 AM

Article image
Surveillance technology out of control, says Lord Ashdown
Exclusive: Former Lib Dem leader says it is time for a high-level inquiry to address fundamental questions about privacy

Nick Hopkins and Matthew Taylor

18, Nov, 2013 @7:10 PM

Article image
Extent of spy agencies' surveillance to be investigated by parliamentary body

Intelligence inquiry begun after Edward Snowden leaks and Guardian revelations on GCHQ and NSA personal data sharing

Nick Hopkins, Patrick Wintour, Rowena Mason and Matthew Taylor

17, Oct, 2013 @8:54 AM

Article image
Civil liberties: GCHQ and the American data trough | Editorial

Editorial: The Guardian's Prism documents raise questions about US-UK intelligence-gathering, including that from British citizens, which should urgently be debated in parliament

Editorial

07, Jun, 2013 @9:08 PM