One might assume that countries like the United States and United Kingdom simply collect data on citizens through their own mass surveillance systems. Many governments around the world, however, work in concert to maintain intelligence sharing partnerships that allow them to pool their mined electronic communications. In a new report titled “Secret Global Surveillance Networks: Intelligence Sharing Between Governments and the Need for Safeguards,” Privacy International describes these partnerships as the outsourcing of surveillance. In “allowing governments to bypass domestic constraints on their surveillance activities,” the watchdog group says that the partnerships can “contribute to, or facilitate, serious human rights abuses, such as unlawful arrest or detention, or torture and other cruel, inhuman or degrading treatment.”
Depending on the countries’ specific intelligence sharing arrangements, most anything can be shared, says Edin Omanovic, Privacy International’s State Surveillance Programme Lead. The system’s trove includes information like raw internet and phone data, intelligence reports about individuals, watchlists, information about intelligence gathering techniques, information about encryption and decryption techniques, and more.
“Basically anything you would imagine an intelligence agency collecting,” Omanovic explains. “But obviously some arrangements are closer than others, so, for example, the U.S. has a closer intelligence-sharing relationship with the U.K. and other countries in the Five Eyes than other countries.”
The report, gleaned from research with 40 partners reaching out to oversight bodies in 42 countries, lays out the appearance and depth of these intelligence sharing partnerships. It also dives into the partnerships’ legality and existing oversight, which is quite weak. In all, only 21 oversight organizations sent Privacy International information on these intelligence sharing arrangements from their respective governments.
Omanovic says that few people actually think of this intelligence sharing network. This, he says, is because it was designed to be a secretive system. Many countries exhibit varying levels of trust between one another, which influences their level of cooperation.
“Certainly when it started post-Second World War, [NATO allies] foresaw that they would be able to share collection capabilities from satellite interception,” says Omanovic. “And because those agreements were there, it’s just kind of mutated into mass-scale internet surveillance in a way they would have never foreseen.”
The very nature of how the internet works has, according to Omanovic, helped this intelligence-sharing system expand and thrive. Since the internet is global, flowing through various nodes in many countries, the governments involved in intelligence sharing can easily pick up internet traffic from various points.
‘They’re Completely Shrouded in Secrecy’
A great deal of internet traffic, for instance, flows through data centers in the Five Eyes partnership—the U.S., U.K., Australia, New Zealand, and Canada. These countries collect and distribute a massive amount of internet traffic. Elsewhere, the Club de Berne is an intelligence-sharing arrangement amongst EU member states, while the Shanghai Cooperation Organization—a security, economic, and political cooperation forum—facilitates intelligence sharing between China, India, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, and Uzbekistan.
One of the most disturbing aspects of intelligence sharing systems, says Omanovic, is that “they’re completely shrouded in secrecy, making it impossible to know how much data is being shared.”
“I think the Edward Snowden revelations highlighted how advanced these relationships [are], not just from exchanging information but actually providing one another with raw intelligence as it’s being collected,” says Omanovic. “Even though the term is intelligence sharing, it goes far beyond that. It’s basically acting as a unitary intelligence collection system. Basically, you couldn’t even tell who was collecting the intelligence.”
The intelligence taken in by the Five Eyes, for example, is fed into a central query system known as XKeyscore, a program unveiled through Snowden’s revelations. XKeyscore essentially allows agents to run searches for various vectors of interest. Omanovic describes this data, and other information generated by different partnerships, as not really being of any intelligence value. It’s simply everything that can be hoovered up through various domestic surveillance programs: raw traffic of general internet packets.
One might be wondering if the Five Eyes network, or associated systems, is being used to combat Russian hacking and election interference. Any details on this sort of collaboration would require direct knowledge of the actual specifics of the programs that fall under the intelligence sharing partnerships, to which Privacy International is not privy. But Omanovic did say that cybersecurity is a growing issue on which governments collaborate through shared intelligence.
“If you look at the intelligence sharing partnerships that we highlight, we also have intelligence sharing partnerships between the NATO states and the ones based in Scandinavia, through which a lot of the Russian internet traffic travels,” Omanovic notes. “If you’re a user in Russia and you’re pinging a data center in the U.S., the U.K., or in Western Europe, then that internet traffic might well be flowing through Scandinavian fiber networks, or ones in Germany, Estonia, or the U.K. So, obviously, they have internet traffic that could be of value to investigations into Russia.”
While identifying and thwarting cybersecurity threats is a legitimate state interest, Privacy International and its partners believe governments shouldn’t lose sight of privacy. Again, for them, it’s a human right—one that requires vigilance in safeguarding.
“[This system] is one of the most fundamental threats to privacy at the moment, and it needs to be governed and overseen correctly,” says Omanovic. “We found only one country [Canada] which has introduced specific legislation to explicitly regulate intelligence sharing—the rest lack domestic legislation which regulates intelligence sharing. This means that such practices are extremely under-regulated and open to abuse: it is essential that stronger oversight measures are urgently implemented.”