National security apparently means “securing” the nation at the expense of citizens’ security. New Snowden documents published by The Intercept show massive amounts of dicking around in the coding of popular anti-virus software by the NSA and GCHQ. The list of antivirus products not affected would be much, much shorter than a list of those that have been.
Much of what listed here involves the NSA and GCHQ monitoring threats reported to these antivirus makers (by intercepting email messages, naturally), obviously in hopes of finding something temporarily exploitable. But in other cases, the efforts went much, much deeper. The GCHQ obtained a warrant to reverse engineer Kapersky products because it felt the company’s software was “obstructing” its hacking attempts.
“Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [Computer Network Exploitation] capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities,” the warrant renewal request said. “Examination of Kaspersky and other such products continues.” The warrant renewal request also states that GCHQ reverse engineers anti-virus programs to assess their fitness for use by government agencies.
Not only did the GCHQ seek permission to tear apart a legitimate security product for its own ends, but it also asked for an exception to UK copyright law in order to do so.
GCHQ’s success as an intelligence agency is founded on technical knowledge and creativity. In particular this may involve modifying commercially available software to enable interception, decryption and other related tasks, or “reverse engineering” software (this means to convert it from machine readable code into the original format, which is then comprehensible to a person). These actions, and others necessary to understand how the software works, may represent an infringement of copyright. The interference may also be contrary to, or inconsistent with, the provisions of any licensing agreement between GCHQ and the owners of the rights in the software.
Recognizing this could potentially cause a problem if its efforts were discovered, GCHQ explicitly asked that it be granted permission to engage in copyright infringement in the name of national security.
There is a risk that in the unlikely event of a challenge by the copyright owner or licensor, the Courts would, in the absence of a legal authorisation, hold that such activity was unlawful and amounted to a copyright infringement or breach of contract. The purpose of this warrant is to provide authorisation for all continuing activities which involve interference with copyright or licensed software, but which cannot be said to fall within any other specific authorisation held by GCHQ and which are done without the permission of the owner.
In other words, GCHQ doesn’t have specific authorization to violate copyrights or licensing agreements, but for this particular effort, the warrant would act as a blanket permission slip to engage in this illegal activity. And, in doing so, it stretched an intelligence law to cover its violation of intellectual property laws.
GCHQ obtained a warrant for reverse engineering under a section of British intelligence law that does not explicitly authorize — and had apparently never been used to authorize — the sort of copyright infringement GCHQ believed was necessary to conduct such activity.
The spy agency instead relied on the Intelligence Services Commissioner to let it use a law pertaining only to property and “wireless telegraphy,” a law that had never been applied to intellectual property, according to GCHQ’s own warrant renewal application. Eric King, deputy director of U.K. surveillance watchdog Privacy International said, after being shown documents related to the warrant, “The secret reinterpretation of powers, in entirely novel ways, that have not been tested in adversarial court processes, is everything that is wrong with how GCHQ is using their legal powers.”
On top of that, the type of warrant it obtained was only to be used for foreign surveillance, but supporting documentation notes GCHQ would also be performing its reverse engineering to support “police operations” and the domestically-focused National Technical Assistance Centre.
When it comes to national security efforts, laws just don’t apply, it would appear. The NSA and GCHQ’s efforts are completely indistinguishable from those of cybercriminals. While these agencies may have “good” on their side — at least in terms of not wishing specific harm to non-targets — the end result is the same: a less secure computing world.