Copy and Redistribute the Material in Any Medium Or Format

Attribution-NonCommercial-NoDerivs 2.0 KOREA

You are free to :

 Share — copy and redistribute the material in any medium or format

Under the follwing terms :

Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.

NonCommercial — You may not use the material for commercial purposes.

NoDerivatives — If you remix, transform, or build upon the material, you may not distribute the modified material.

You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.

This is a human-readable summary of (and not a substitute for) the license.

Disclaimer

국제학석사학위논문

Digital Allies: Preserving National Security through Signals Intelligence Cooperation within the UKUSA Agreement

디지털 동맹국들: UKUSA 협정내에서 SIGINT 형태로서 국가안보의 수호

이진솔

국제학석하

2016 년 7 월

서울대학교 국제대학원

국제학과 국제협력전공

Master’s Thesis

Digital Allies: Preserving National Security through Signals Intelligence Cooperation within the UKUSA Agreement

디지털 동맹국들: UKUSA 협정내에서 SIGINT 형태로서 국가안보의 수호

A Thesis Presented By

Anna Jinsol Lee

Graduate Program in International Cooperation For the degree of Master of International Studies

July 2016

The Graduate School of International Studies

Seoul National University

Digital Allies: Preserving National Security through Signals Intelligence Cooperation within the UKUSA Agreement

디지털 동맹국들: UKUSA 협정내에서 SIGINT 형태로서 국가안보의 수호

지도교수 신성호

이 논문을 국제학석사학위논문으로 제출함 2016 년 7 월

서울대학교 국제대학원 국제협력

이진솔

이진솔의 국제학석사학위논문을 인준함 2016 년 7 월

위원장 이근 (인)

부위원장 김태균 (인)

위원 신성호 (인)

THESIS ACCEPTANCE CERTIFICATE

The undersigned, appointed by

The Graduate School of International Studies

Seoul National University

Have examined a thesis entitled

Digital Allies: Preserving National Security through Signals Intelligence

Cooperation within the UKUSA Agreement

Academic Advisor: Professor Seong-ho Sheen

Presented by Anna Jinsol Lee, candidate for the degree of Master of International Studies, and hereby certify that the examined thesis is worthy of acceptance:

Signature Committee Chair Lee, Geun

Signature Committee Vice Chair Kim, Taekyoon

Signature Thesis Advisor Sheen, Seong-ho

Date: July 2016

The Graduate School of International Studies Agreement on Original Contents Provision

Concerning my thesis, I agree that Seoul National University will provide it for the purpose of the following:

1. Matters Agreed Upon

① I agree on duplication of my thesis for the purpose of its preservation or online provision only if the contents are maintained as the original ones. ② I agree on digitizing my thesis and reproducing/distributing, for Internet or other communication networks, part of or the entirety of the thesis for free of charge.

2. Author’s Obligation

I will immediately notify the Graduate School of Seoul National University of a request for suspension or cancellation of public use of my thesis once any changes in the agreement are needed (such as transfer of copyright to a third party or approval of publication of my thesis).

3. Obligations of Seoul National University

① Seoul National University will use the copyright protection tool (DRM) in case the university provides the thesis to external users. ② Seoul National University will take immediate follow-up actions once the author requests for a suspension or cancellation of public use of the thesis.

Thesis Title: Digital Allies: Preserving National Security through Signals Intelligence Cooperation within the UKUSA Agreement. 디지털 동맹국들: UKUSA 협정내에서 SIGINT 형태로서 국가안보의 수호

Category of Degree: Master’s Thesis Department: Graduate School of International Studies Student ID: 2014-24248 Author: Anna Jinsol Lee Date of Submission: July 2016

Abstract

The disclosure of the global surveillance practices of five democratic nations shook the world in June 2013. Though some were content with official justification as a matter of national security, many more were concerned with the implications these oversight abilities had on individual privacy and the possibility of a surveillance state. Using information released on the document disclosures from 2013 to 2015, the following thesis researches the impact mass surveillance practices and signals intelligence have had on the concept of national security and analyzes how democracies utilize signals intelligence data to fulfill their national security goals. This thesis focuses on the current national security strategies of the

United States and United Kingdom, comparing each nation’s usage of signals intelligence, post-Snowden actions, and subsequent domestic response. Based off of these findings, this thesis analyzes and critiques the current strategy of mass surveillance practices as utilized by democratic states, proposes policies to promote better practices, and discusses the concept of individual privacy in the context of national security.

Keywords: cybersecurity, Five Eyes, ICT, privacy, security, signals intelligence, surveillance, terrorism, UKUSA Agreement, United Kingdom, United States

Acronyms and Abbreviations

ASD Australian Signals Directorate AVID Dutch General Intelligence and Security Service (Algemene Inlichtingen en Veiligheidsdienst) BND German Federal Intelligence Service (Bundesnachrichtendienst) BfV German Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) CIA Central Intelligence Agency CISA Cyber Intelligence Sharing Act COMINT Communications Intelligence CSEC Communications Security Establishment of Canada DGSE French General Directorate for External Security (Direction Générale de la Sécurité Extérieure) DSD Australian Defence Signals Directorate FISA Foreign Intelligence Surveillance Act FOUO For Official Use Only FRA Swedish National Defence Radio Establishment (Försvarets radioanstalt) FVEY Five Eyes GCHQ British Government Communications Headquarters GCSB New Zealand Government Communications Security Bureau ICT Information and communications technology JSA Joint SIGINT Activity NOFORN No Foreign Nationals NSA United States National Security Agency OPSEC Operations Security ORCON Originator Controlled REL TO Related To (distribution permitted to following countries) SCS Special Collection Service SI Special Intelligence SIGDEV Signals intelligence development SIGINT Signals intelligence SUSLAG Special US Liaison Activity Germany TK TALENT KEYHOLE TS Top Secret U Unclassified UKUSA United Kingdom-United States of America Agreement

Table of Contents Abstract ...... i Acronyms and Abbreviations ...... ii Table of Contents ...... iii Tables and Figures ...... v I. Introduction ...... 1 1. Argument Overview ...... 9 2. Notes on Terminology ...... 13 3. A Brief History of UKUSA Surveillance Cooperation ...... 14 4. Chapter Outline ...... 17 II. Analytical Approach ...... 18 1. Theoretical Framework ...... 18 1-1. Security Theory ...... 18 1-2. Applications in Cyberspace ...... 21 2. Literature Review ...... 26 3. Research Question and Methodology ...... 29 III. The FVEY Surveillance Network ...... 31 1. The Five Eyes and Beyond ...... 31 2. Analyzing FVEY Surveillance Activity ...... 34 2-1. Reading the Disclosed Documents ...... 34 2-2. Data Collection and Reporting ...... 38 3. The Security Priorities of the UKUSA Agreement and FVEY ...... 41 IV. Case Studies in Disclosure and Aftermath ...... 43 1. The United States of America ...... 43 1-1. National Security Strategy ...... 43 1-2. UKUSA SIGINT Utilization ...... 46 1-3. Post-Disclosure Domestic Activity ...... 50 2. The United Kingdom ...... 57 2-1. National Security Strategy ...... 57 2-2. UKUSA SIGINT Utilization ...... 60 2-3. Post-Disclosure Domestic Activity ...... 62 3. FVEY and Surveillance in Democracies ...... 67 V. The Future of Signals Intelligence in Security ...... 76 1. Surveillance in Democracies: Are There Other Options? ...... 76 2. Transparency of Government and Enforcement ...... 78 3. The Individual in National Security ...... 80 4. Introducing Technical Expertise ...... 81 5. SIGINT Surveillance and Terrorism ...... 82 6. A Discussion about Privacy’s Future ...... 83 iii

VI. Concluding Analysis ...... 85 1. Thesis Findings ...... 85 2. Limitations and Future Research ...... 87 Bibliography ...... 90 Appendix A: Key ICT indicators 2005-2015 (totals and penetration rates) ...... 98 Appendix B: Disclosed Documents (United States) ...... 99 Appendix C: Disclosed Documents (United Kingdom) ...... 109

Tables and Figures Figure 1. Global ICT Access per 100 Inhabitants (2005-2015) ...... 6 Figure 2. Human-Computer Interface ...... 23 Figure 3. Cyberspace Formation with Computer-Facilitated Interaction ...... 24 Table 1. U.S. NSA List of Approved SIGINT Partners ...... 33 Figure 4. BOUNDLESS INFORMANT Surveillance Heat Map ...... 34 Table 2. US and UK Classification Terms ...... 36 Figure 5. Targeted Content of Disclosed Documents (2013-2015) ...... 38 Figure 6. Content Targeted by United States ...... 47 Figure 7. Nations Targeted by United States ...... 47 Table 3. US Documents with FVEY vs. NOFORN Dissemination ...... 49 Figure 8. Terrorism vs. Privacy in the United States (2006-2013) ...... 52 Figure 9. Approval Ratings of Government Surveillance ...... 55 Figure 10. Content Targeted by United Kingdom ...... 61 Figure 11. Nations Targeted by United Kingdom ...... 62 Figure 12. UK Citizen Approval of Proposed Security Measures, 2006 ...... 65 Figure 13. Surveillance on All Citizens vs. Foreign Nationals ...... 69

I. Introduction

Since the government unchained itself from the constitution after 9/11, it has been eating our democracy alive from the inside out. There's no room in a democracy for this kind of secrecy. [...] That is what's at stake here: to an NSA with these unwarranted powers, we're all potentially guilty; we're all potential suspects until we prove otherwise. That is what happens when the government has all the data. — Thomas Drake, former senior executive of the NSA1

On June 6 of 2013, a news report from The Guardian revealed that the

United States National Security Agency (NSA) had issued a top secret order to telecommunications company Verizon Wireless, granting them the ability to collect over 120 million telephone records from U.S. customers.2 Thus began a series of media disclosures surrounding the global surveillance practices of the

United States and its international partners. Through top-secret documents provided by ex-NSA contractor Edward Snowden, classified intelligence on spying programs and mass collection of citizen metadata became widely available to the public, uncovering a wide array of government activity ranging from the collection of phone call and online traffic metadata to previous active efforts in breaking encryption. At the center of this massive electronic data collection effort was “the

Five Eyes”, a signals intelligence alliance that split the collaborative duties of spying among five nations: the United States, the United Kingdom, Canada,

Australia, and New Zealand. While a significant amount of the intelligence

1 Thomas Drake, “Snowden Saw What I Saw: Surveillance Criminally Subverting the Constitution,” The Guardian, http://www.theguardian.com/commentisfree/2013/jun/12/snowden-surveillance- subverting-constitution. 2 Glenn Greenwald, “NSA Collecting Phone Records of Millions of Verizon Customers Daily,” The Guardian, http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order. 1

gathered remained strictly for the eyes of the primary alliance, several third party nations were also privy to this data. Though there had been previous suspicion surrounding government spying activity,3 the global surveillance disclosures of

2013 provided inexorable proof of national mass data collection in unfathomable quantities.

Delving further into the leaked documents reveals that the Five Eyes alliance actually served as an extension of the United Kingdom-United States of

America (UKUSA) Agreement, a signals intelligence pact formed between the two eponymous cooperating nations in 1948. Through this contract, the United States and United Kingdom agreed to the mutual exchange of foreign communications data, including the collection of traffic analysis, communication documents and equipment, cryptanalysis, decryption and translation, and information on communication organizations, practices, procedures, and equipment. Second party extension was eventually granted to Canada, Australia, and New Zealand with a later amendment, and a disclosed classified presentation from the NSA showed that the group of third parties has since expanded to include 33 additional countries.

Exposures of this indiscriminate mass data collection sparked outrage and anger in citizens around the world, inciting public protests and outcry calling for the protection of individual privacy. Political movements such as “Restore the

Fourth” in the United States quickly gained traction with their demands of

3 Chris Blackhurst and John Gilbert, “US Spy Base ‘taps UK Phones for MI5,’” The Independent, October 23, 2011, http://www.independent.co.uk/news/uk/home-news/us-spy-base-taps-uk-phones- for-mi5-1364399.html. 2

dismantling the NSA’s surveillance programs, proclaiming that the existence and use of these programs violates constitutional rights protecting against unreasonable searches and seizures without warrants. Protests in over 80 U.S. cities were held on

July 4, 2013 in response to these intelligence leaks.4 Reacting to U.S. attempts to extradite and prosecute Snowden, Amnesty International and other international organizations have called for the safe asylum and protection of whistleblowers who have performed similar actions on behalf of informing the public.5 International leaders who were targeted by UKUSA surveillance have also expressed marked disapproval: these revelations have not only sparked fury in international rivals, but have also alienated neutral states and allies. Leaders and citizens alike have demanded that the Five Eyes be held accountable and provide an explanation for their actions.

In the face of these disclosures and citizen reactions, government officials and political leaders of the nations directly involved have either declined comment or defended these surveillance practices. The Five Eyes nations have taken particular measures to address domestic outrage, reassuring their citizens that intelligence gathering programs do not target citizens at home and that all surveillance activity conducted has been within the legal confines of the state.

Among all state leaders that have commented on the disclosures, a notably

4 Heather Kelly, “Protests against the NSA Spring up across U.S.” CNN, July 5, 2013, http://edition.cnn.com/2013/07/04/tech/web/restore-nsa-protests. 5 “USA Must Not Persecute Whistleblower Edward Snowden,” Amnesty International, July 2, 2013, https://www.amnesty.org/en/latest/news/2013/07/usa-must-not-persecute-whistleblower-edwardsnowden/. 3

common justification for mass surveillance practices has been as a matter of protecting national security. The United States and United Kingdom have been especially vocal in their defenses, specifically citing terrorism as a threat dangerous enough to validate the all-encompassing capabilities of their intelligence programs.

There is no spying on Americans. We don’t have a domestic spying program. What we do have is some mechanisms that can track a phone number or an email address that is connected to a terrorist attack. […] That information is useful. 6 — U.S. President Barack Obama

We live in a world of terror and terrorism. We saw that on the streets of Woolwich only too recently, and I think it is right that we have well- funded, well-organized intelligence services to help keep us safe. But let me be absolutely clear, they are intelligence services that operate within the law, within a law that we have laid down, and they are also subject to proper scrutiny by the intelligence and security committee in the House of Commons. 7 — British Prime Minister David Cameron

While a more skeptical eye may view these explanations as attempted backpedaling, the threat of terrorism tends to be left unquestioned by the general public, and surveys have shown that government actions performed in the name of national security are broadly accepted at face value by a majority of the population.

Shortly after the revelations of surveillance activity, the Pew Research Center and the Washington Post surveyed over one thousand U.S. citizens. They found that

56% of Americans surveyed believed that the NSA collection of telephone records

6 Greg Henderson, “Obama to Leno: ‘There Is No Spying On Americans,’” NPR, August 7, 2013, http://www.npr.org/sections/thetwo-way/2013/08/06/209692380/obama-to-leno-there-is-no-spying- on-americans. 7 Janet Stobart, “Britain Denies Using PRISM to Get Around Domestic Spying Laws,” Los Angeles Times, June 10, 2013, http://articles.latimes.com/2013/jun/10/world/la-fg-wn-britain-nsa-prism- surveillance-program-20130610. 4

is an acceptable method for the U.S. government to combat terrorism.8 A similar poll conducted by YouGov on British citizens revealed that only 19% of those surveyed thought that British Security Services possessed too many powers over ordinary citizens, with 22% saying they should gain more powers.9 Three years have passed since the surveillance documents were leaked, and recent surveys still show that while U.S. citizens have made greater personal efforts to shield information from the government,10 there has been more public approval among

British citizens for increasing security services’ access to public communications as a means to fight terrorism.11

Terrorism is one of many concepts that have fallen comfortably into the category of stateless threats possessing transnational consequences, challenging security strategies and becoming a subject of high priority in the international community. Combined with the close interconnected nature of our wireless environment, it is unsurprising that terrorism and information and communications technology (ICT) are often mentioned in the same breath. Attacks initiated by individuals or small organizations are not only less costly than traditional state warfare, but also cannot be as easily predicted or anticipated. While these

8 “Majority Views NSA Phone Tracking as Acceptable Anti-Terror Tactic,” Pew Internet & American Life Project, June 10, 2013, http://www.people-press.org/2013/06/10/majority-views-nsa- phone-tracking-as-acceptable-anti-terror-tactic/. 9 Will Dahlgreen, “Little Appetite for Scaling Back Surveillance,” YouGov, October 13, 2013, https://yougov.co.uk/news/2013/10/13/little-appetite-scaling-back-surveillance/. 10 Lee Rainie and Mary Madden, “Americans’ Privacy Strategies Post-Snowden,” Pew Internet & American Life Project, March 16, 2015, http://www.pewinternet.org/2015/03/16/americans-privacy- strategies-post-snowden/. 11 Will Dahlgreen, “Broad Support for Increased Surveillance Powers,” YouGov, January 15, 2015, https://yougov.co.uk/news/2015/01/18/more-surveillance-please-were-british/. 5

advantages already exist on the physical plane, they are greatly magnified in digital space. The low cost of entry in addition to easily accessible worldwide reach allows individual actors to transcend their geographic limits and perform influential actions unhindered.12 Malicious actors also enjoy the advantage of relative anonymity online, making attribution of criminal offenses difficult and the probability of being caught extremely low. With so many factors favoring the individual in digital space, increasing access to ICT (illustrated in Figure 1) may as well be considered a growing pool of potential security threats for the state and its citizens.

Figure 1. Global ICT Access per 100 Inhabitants (2005-2015)13

100

0 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Mobile-cellular telephone subscriptions Active mobile-broadband subscriptions Individuals using the Internet

Approaches to combating terrorism and similar threats have focused on prevention and detection rather than strengthening existing defenses, as the nature

12 Franklin D. Kramer, Cyberpower and National Security (Washington, DC: Center for Technology and National Security Policy, 2009), 62. 13 From International Telecommunication Union. See Appendix A for full data set. 6

of terrorism renders it unable to be absolutely “defeated”—only reduced or controlled to a certain extent. Therefore, while many variations of counterterrorism policy exist, its primary mission remains focused on saving lives without compromising other national interests and objectives.14 In this way, monitoring these omnipresent electronic signals could hypothetically be considered a faithful application of this counterterrorism strategy: it possesses the greatest capacity to detect and quash potential malicious attacks with minimal to zero physical cost on either side. Official justifications reflect this interpretation of surveillance potential, as President Barack Obama stated in a press conference with German

Chancellor Angela Merkel, “We know of at least fifty threats that have been averted because of this information…so lives have been saved.”15 Though this may appear to be a reasonable use of citizen data, the assumption that counterterrorism is the sole motivation for surveillance is an imprudent conclusion, especially in an age of increasing dependence on networking technology.

The reality is that publicly, very little evidence gives sufficient credence to the idea that widespread data collection of this degree is necessary or even effectively contributes to combating terrorism. The “New York subway bomber”

Najibullah Zazi, a frequently cited case of terror attempts halted by surveillance, had been reportedly caught by an intercepted email sent to Pakistan in September

14 Paul R. Pillar, “Dealing with Terrorists,” in The Use of Force: Military Power and International Politics, eds. Robert J. Art and Kenneth Waltz (Lanham, MD: Rowman & Littlefield, 2009), 502. 15 “President Obama and Chancellor Merkel on NSA Surveillance Issue,” Deutsche Welle (English), July 19, 2013, https://youtu.be/qG0D3A8FkPo?t=4m. 7

of 2009. Though the program PRISM has been credited for this victory, this operation could have been completed without the use of PRISM surveillance to the same degree of success—traditional British investigation had provided the United

States with the clues necessary to watch Zazi under warranted approval months before his arrest.16 The President’s Review Group on Intelligence and

Communications Technology further stated in a report that, “the information contributed to terrorist investigations by the use of [USA PATRIOT Act] section

215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders.”17

While security officials have argued that the absence of a successful terrorist attack is enough evidence to prove the necessity of warrantless surveillance, the opaque nature of government data collection coupled with accusations of privacy rights infringement have cast the means to this end under heavy suspicion. Defenders of privacy rights have expressed doubt as to whether such secretive and pervasive data collection practices have a place in democratic society.

16 Ed Pilkington and Nicholas Watt, “NSA Surveillance Played Little Role in Foiling Terror Plots, Experts Say,” The Guardian, June 12, 2013, http://www.theguardian.com/world/2013/jun/12/nsa- surveillance-data-terror-attack. 17 Richard A. Clarke et al., The NSA Report: Liberty and Security in a Changing World (Princeton: Princeton University Press, 2014), 104. 8

1. Argument Overview

The findings of these surveillance disclosures and their subsequent aftermath have opened up many questions that have inspired and guided this thesis.

The first of these questions arises from criticisms of government surveillance practices in democratic states: government-mandated surveillance is not a new phenomenon, but such practices are frequently associated with oppressive regimes intending to eliminate criticism or opposition. States boasting individual and civil liberties have historically vilified such mass government oversight and citizen shadowing, condemning nations practicing these as authoritarian police states.

Now faced with proof of conducting similar practices, the democratic nations in question can hardly deny the perceived hypocrisy of these previous accusations.

Considering the justifications provided by officials and comparing them with the actual contributions of citizen data, the question remains: if democratic states do not condone how surveillance is used in openly restrictive regimes and no direct correlation to the prevention of terrorism has been proven, how is the information gathered from signals intelligence most effectively used?

The existence of a robust signals intelligence pact among nations also invites academic inquiry. Many nations have a national strategy regarding signals intelligence, but few cooperative coalitions dedicated to sharing or exchanging this data currently exist. In fact, interactions between nations on signals intelligence tend to border on antagonistic, characterized by secrecy, theft, and offensive attacks. How does cooperation in signals intelligence collection under the UKUSA

Agreement mutually support the national security goals of the United States and

United Kingdom? The disclosures of SIGINT interactions among the “Five Eyes” have provided a unique opportunity to investigate the true security priorities of the participating states, and how mass surveillance capabilities can aid nations in achieving their objectives.

Finally, there is the difference in citizen reaction to surveillance practices and its use for national security between the United States and United Kingdom to consider. While both nations’ citizens accepted reduced individual privacy to a certain degree in the name of national security, U.S. citizens have shown to be much more adamant about the dismantling of the NSA and programs similar to

PRISM two years later. On the other hand, British citizens generally appear to have grown more tolerant of the national surveillance system, though they agree that surveillance practices should be changed to abide by standard search laws. The diverging attitudes towards government-regulated surveillance in these two countries can be puzzling, especially when considering the shared civic ideals upheld by both. Is this deviation indicative of a differing conception of national security, and if so, how does the function of these signals surveillance programs accord with these conceptions?

All of these questions are pieces to a larger puzzle: How has national security evolved with the capabilities of mass surveillance and signals intelligence data collection, and how have democratic nations adapted their national security strategies to accommodate these changes? The knowledge of government

collection and utilization of signals intelligence has opened up new areas of discussion—not only on the political and social consequences of mass oversight, but also on the concept of privacy in a digital context and its place in security.

Though the analysis of this thesis is limited to comparing the present security priorities of state surveillance in two democratic states, the possible implications of its findings reach far beyond this narrow scope. As global ICT access increases and personal information gradually becomes more accessible (and subsequently more vulnerable), answering these questions will be pivotal for future consideration.

In my thesis, I argue that signals intelligence has not only added factors and a new dimension to consider in national security strategy, but has also altered the concept of security by fragmenting its targets. Individuals have traditionally been considered the “bottom line” for most social analysis18 with their role in security only recently explored as a new kind of actor, but the variety of ways in which actors can take advantage of regularly transmitted electronic signals calls for the security of the individual as a target to be considered as well. Many nations have recognized the power an individual possesses in digital space as an actor, but often do not plan for the individual as a target when crafting national security strategies. This could be considered repetitive in the traditional scope of security, as ensuring the safety of a group would protect the individuals within by default;

18 Barry Buzan, Ole Wæver, and Jaap de Wilde, Security: A New Framework for Analysis (Boulder: Lynne Rienner Publishers, 1998), 6. 11

however, I propose that the factors introduced with the conceptual realm of

“cyberspace” mean that this is no longer necessarily the case.

If knowledge is power in the information world, those who have the most information possess the greatest advantage. Mass surveillance and data collection through signals intelligence allows powerful nations such as the United States and the United Kingdom to most effectively retain their power in this new digital environment. Since the individual-focused nature of cyberspace can pose problems to security in traditional concepts of the state model, cooperation in signals intelligence allows larger bodies of actors to overcome their newfound vulnerability. Not unlike traditional military alliances, pooling signals intelligence data cooperatively provides the most comprehensive archive of information for all nations involved. While this allows for effective security of a collective body like the state, digital strategy stands on weak foundations if individual ports cannot be secured as well.

This shift towards the individual also means that the reception of government actions on security matters will depend on where the individual has traditionally stood in terms of civil liberties and rights. This typically varies among nations, and differences can even be found when comparing two otherwise similar democracies. My thesis explores the individual and the collective state in both the

United States and the United Kingdom, discussing how the different concepts in priority and separation account for the subsequent responses to the revelation of government-mandated surveillance and its justification as pivotal in protecting

national security. On this topic, I also intend to delve into the implications oversight has on the potential future conceptualizations of individual privacy.

2. Notes on Terminology

The relatively technical quality of this thesis requires that key terminology be defined. In this paper, signals intelligence (SIGINT) refers to intelligence retrieved through signal interception. Communication intelligence (COMINT) refers to a specific type of signals intelligence gained from the communication signals between people. Telecommunications refers to communication between two parties using technology, and a telecommunications network facilitates data exchange between two parties—commonly with computers on a computer network or wirelessly on cellular or mobile networks.

In specific reference to the disclosed documents, a distinction between data and metadata is made. Data is used synonymously with content in these contexts, referring to information from which the identity of the person can easily be identified. Metadata, on the other hand, refers to “information about digital files or actions, such as dates, times, entities involved and other descriptive characteristics.” Encryption refers to the process of encoding information, while decryption is the reverting of this encoded information back to readable language.

Encryption and decryption are both achieved with a string of data referred to as an encryption key.19

19 P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York: Oxford University Press, 2014), 104. 13

Cyberspace or digital space will refer to the theoretical space in which network communications occur. Cyberspace is a metaphorical concept that differs from the Internet and the World Wide Web, the distinction of which will be made later in further detail. Finally, the many definitions of the term cybersecurity can have many definitions and the issues surrounding the term will be elaborated on in the literature review section.

3. A Brief History of UKUSA Surveillance Cooperation

While my thesis will be primarily focused on information revealed in the document leaks of 2013, the history of joint surveillance cooperation between the

United States and the United Kingdom stretches back to the formation of the original British-US Communications Intelligence Agreement in 1946. The BRUSA

Agreement not only established the rules for intelligence collection and sharing, but was also pivotal in “the development of the special relationship between the two wartime allies” after World War II and through the Cold War.20 Both countries share an extensive history of espionage cooperation that has since extended into the digital age, according to the information in the leaked documents.

Though its prioritized secrecy means little information is publicly available, several documents covering the agreement and its activities were

20 Duncan Gardham, “Document that formalised 'special relationship' with the US,” The Telegraph, June 24, 2010, http://www.telegraph.co.uk/news/worldnews/northamerica/usa/7852136/Document- that-formalised-special-relationship-with-the-US.html. 14

declassified by both the NSA and GCHQ and released to the public in 2010.21 The documents released by the NSA generally covered the alliance’s evolution from the 1946 BRUSA Agreement to the 1956 UKUSA Agreement that formally added

Canada, Australia, and New Zealand as “UKUSA-collaborating Commonwealth countries.” While these three nations enjoyed priority over other third parties to the agreement, their status required that they agree to the regulations laid out in

“Explanatory Instructions and Regulations concerning the handling of Signals

Intelligence,” and that most surveillance activity performed by the collaborating nations was supervised and dictated under direct guidance of the NSA and

GCHQ.22 Meanwhile, GCHQ showcased the enormous scope of UKUSA surveillance capabilities with the release of the Soviet Block Reports, a series of analyses detailing the situation in Soviet Russia. These reports were the end result of piecing together intercepted conversations and correspondences from Soviet citizens, military personnel, and Communist Party officials.23

Whispers of a secret cooperative surveillance network had surfaced long before the text of the agreement saw official release. The Five Eyes SIGINT data collection network ECHELON was first disclosed in 1988 by investigative journalist Duncan Campbell, who warned about its domestic surveillance

21 The text of the declassified UKUSA documents can be found at the GCHQ National Archives (http://www.nationalarchives.gov.uk/ukusa/) and the NSA (https://www.nsa.gov/news- features/declassified-documents/ukusa/). 22 United States of America, National Security Agency, New UKUSA Agreement - 10 May 1955, https://www.nsa.gov/news-features/declassified- documents/ukusa/assets/files/new_ukusa_agree_10may55.pdf. 23 United Kingdom, GCHQ National Archives, UKUSA Agreement Highlights Guide, June 2010, http://www.nationalarchives.gov.uk/documents/ukusa-highlights-guide.pdf. 15

capabilities in the New Statesman article “Somebody’s listening.”24 Another account on the UKUSA Agreement and ECHELON was published in 1996 by New

Zealand journalist Nicky Hager. His book Secret Power mostly covered the specific role of the New Zealand Government Communications Security Bureau

(GCSB), but it also provided insight into the hierarchy and division of roles in the

Five Eyes network. Hager also looked into the function of surveillance networks like ECHELON, emphasizing its overwhelming capabilities:

It reads every word and number in every single incoming message and picks out all the ones containing target keywords and numbers. Thousands of simultaneous messages are read in ‘real time’ as they pour into the station, hour after hour, day after day, as the computer finds intelligence needles in the telecommunications haystack.25

The documents leaked by Edward Snowden confirmed the existence of both the ECHELON surveillance network and the Five Eyes alliance. As more documents have been released through various media outlets, the existence of countless other programs dedicated to collecting massive amounts of signals intelligence have also come to light.26 Since his initial disclosure in early June

2013, Snowden promised that more documents would be released over the course of the next few years despite threats to his life and well-being. Though the precise size of his document arsenal is unknown, officials estimate that Snowden took at least tens of thousands of intelligence files from each agency, and has had cursory

24 Duncan Campbell, “Somebody's Listening,” New Statesman Society, August 12, 1988, 10-12. 25 Nicky Hager, Secret Power (Nelson, NZ: Craig Potton Publishing, 1996), 46. 26 Duncan Campbell, “Global Spy System ECHELON Confirmed at Last – by Leaked Snowden Files,” The Register, August 3, 2015, http://www.theregister.co.uk/2015/08/03/gchq_duncan_campbell/. 16

access to more than a million additional documents as well.27 From these estimates, it is safe to assume that additional information on the Five Eyes activity will be made available in a steady stream for the next several years.

4. Chapter Outline

Chapter 1 lays the foundation for this thesis with a theoretical framework that includes an interpretation of cyberspace, a review of relevant literature, and an outline of the research methodology used. Chapter 2 takes an in-depth look into the activity of the Five Eyes alliance and maps out its surveillance activity as revealed and interpreted by its media outlet upon information release. Chapter 3 compares the specific cases of the United States and the United Kingdom, outlining the role of surveillance in their national security strategies as well as domestic response to the 2013 revelations. Chapter 4 discusses the findings of the previous chapters and proposes suggestions on how to encourage beneficial use of signals intelligence.

Chapter 5 closes with a summary of findings, identifies thesis limitations, and entertains the possibility for future research in areas that were only briefly explored.

27 Christopher Joye, “Interview Transcript: former Head of the NSA and Commander of the US Cyber Command, General Keith Alexander,” Financial Review, May 08, 2014. http://www.afr.com/technology/web/security/interview-transcriptformer-head-of-the-nsa-and- commander-of-the-us-cyber-command-general-keith-alexander-20140507-itzhw. 17

II. Analytical Approach

“The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy we've ever had.” — Eric Schmidt, CEO of Google28

This chapter acts as the theoretical foundation to my analysis. Starting with an outline of relevant established security theory and political factors, I aim to apply these concepts to a meaningful interpretation of cyberspace. I will also be reviewing the literature available on the subject of cybersecurity and surveillance.

Finally, my research question will be presented, as well as potential hypotheses and the methodology I will use to answer my question.

1. Theoretical Framework

1-1. Security Theory

The study of international security has been traditionally based in realism, particularly the neorealism introduced by Kenneth Waltz. Focusing on structure instead of human nature as the motivator for action, neorealism explains that state actions are the result of their priority to survive in an anarchic system. Ensuring individual survival in anarchy requires an acute awareness of the surrounding environment and reacting strategically, whether that is by banding with other nations to balance a rising power or building internal defenses while maintaining a degree of skepticism toward surrounding neighbors.29 The security dilemma

28 Jerome Taylor, “Google Chief: My Fears for Generation Facebook,” The Independent, August 18, 2010, http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-chief-my-fears-for- generation-facebook-2055390.html. 29 Kenneth N. Waltz, Theory of International Politics (Reading, MA: Addison-Wesley Publishing, 1979), 118. 18

illustrated by the latter action presents a particular situation in which increasing one’s own security simultaneously decreases the security of everyone else, prompting them to increase their own capabilities and repeat the cycle. The ability for states to cooperate in spite of this dilemma will then depend on the dynamic between offensive and defensive positions: whether the two postures are distinguishable, and which side holds the advantage.30 An alternate neorealist theory presented to explain security states that while balancing occurs more often than bandwagoning, state actors often prioritize balancing against the perception of threat rather than distribution of power. Threat level is determined by geographic proximity, offensive capabilities, and suspected intentions.31 The “balance of threat” was used by Stephen Walt to explain the success of the United States in terms of forging global alliances and maintaining its strong position on the international stage.

These traditional interpretations have a tendency to focus on security in terms of military and wartime terms. Some scholars have considered this scope to be too narrow, arguing that a wider agenda and a constructivist approach is needed to account for new, nonmilitary sources of threat. Barry Buzan, Ole Wæver, and

Jaap de Wilde collaborated to create a security framework that widened the scope of observation, classifying threats across five sectors of interaction: military, environmental, economic, social, and political. Each sector has different objects of

30 Robert Jervis, “Cooperation under the Security Dilemma,” in The Use of Force: Military Power and International Politics, ed. Robert J. Art and Kenneth N. Waltz, 46-47. 31 Stephen M. Walt, The Origins of Alliances (Ithaca: Cornell University Press, 1987), 5. 19

reference, which in turn change what will be considered an existential threat. This framework (dubbed the Copenhagen school of security by critics) also introduced the concept of securitization, which proposed that the rhetoric surrounding security is strong enough that any public issue could be promoted as a matter of security when given the right sense of urgency.32 The Copenhagen school framework has been criticized in turn by realists, who argue that widening the scope of security studies too far runs the risk of destroying its intellectual coherence, therefore making it difficult to construct meaningful solutions to important issues.33

While cybersecurity seems to operate on an alternate dimension separate in many ways, several aspects of both traditional neorealist and the Copenhagen schools of security can be meaningfully applied to the formation of the Five Eyes alliance. Both balance of power and balance of threat can serve as reasonable explanations for the cooperation of five strong developed democracies, but the balance of threat appears to fit the situation more appropriately: the Five Eyes alliance combines their capabilities and range to counter the threat of a future unknown attacker who could otherwise go undetected. Meanwhile, the 2013 disclosures revealed that the sheer amount of data indiscriminately collected can hardly be considered an attempt at “balancing” against any one state power.

The encompassing nature of cyberspace and civilian accessibility to it requires that we look beyond the state as a singular unit when considering solutions

32 Buzan et al, Security, 21-29. 33 Stephen M. Walt, “The Renaissance of Security Studies,” International Studies Quarterly 35 (1991): 212-213, doi:10.2307/2600471. 20

for security issues. Because ICT is now used to monitor and facilitate advancement in so many different areas, it is fitting to view security of these technologies in relation to these sectors. While security of cyberspace may not fit neatly in one of the five sectors put forth by the Copenhagen school, the methods of defining a sector and its actors can be useful in keeping track of the large range of threats to cyberspace. Previous analysis of cyberspace from a Copenhagen school approach have highlighted the importance of the private sector as well as the synthesis of the individual and the collective in the form of networks.34

1-2. Applications in Cyberspace

Cyberspace has remained an enigma in international relations and security for a long time. For one, cyberspace as a whole is very hard to define: while it is an information environment made up of the very data it stores, it is also not purely virtual and involves the systems and infrastructure housing and transmitting the information to others.35 The unseen nature of cyberspace also nullifies many assumptions in traditional security and international relations theory. Physical restrictions such as defined borders and territorial laws are rendered meaningless in cyberspace, and temporal restrictions are all but eliminated entirely. In a traditional security perspective, technology and geography are considered the two factors in determining whether the attacker or defender has the advantage in conflict. From a

34 Lene Hansen and Helen Nissenbaum, “Digital Disaster, Cyber Security, and the Copenhagen School,” International Studies Quarterly 53, no. 4 (2009): 1162-1163, doi:10.1111/j.1468- 2478.2009.00572.x. 35 Singer and Friedman, Cybersecurity and Cyberwar, 13-14. 21

physical security perspective, both of these factors would favor the defender;36 however, many observers of cyberspace activity would now agree that the attacker holds a greater advantage.

The lack of geography and time constraints have already been discussed in security scholarship, but these are not the only notable differences to consider. In order to create a more comprehensive model of cyberspace and the role of communication signals, I wish to initially root my conceptualization of this metaphorical realm in the way humans and machines interact from a psychological perspective. Human-computer interaction is often explored in cognitive and behavioral sciences, where the process of dialogue exchange between a human and machine is found to be very similar to an interaction between two humans.

Between the separate tasks and processing performed on the human and machine sides, there is a window called the “human-computer interface” where signals and code are converted from one form to another. Considering its quality of containing both the virtual environment and the machines that house it, this intersection is a likely candidate for where we could begin to “locate cyberspace”.

36 Jervis, “Cooperation,” 52. 22

Figure 2. Human-Computer Interface37

The previous model illustrates an open-ended machine environment, simulating the infinite possibilities of the virtual world. This can be intimidating, but computer psychology fortunately has another definition for cyberspace: a transitional or intermediate space that acts as a mental projection of the user’s knowledge.38 After all, the information contained in the digital plane technically exists as a string of numbers until it can be deciphered and given meaning by an outside source—an explanation that parallels the technical packet-switching process of data during transfer.39 Much like the mental space that ascribes meaning when two people engage in conversation, a “closed” space can also be created with two humans interacting with data through a machine. This is most easily displayed

37 Kent L. Norman, Cyberpsychology: An Introduction to Human-Computer Interaction (Cambridge: Cambridge University Press, 2008), 63. 38 Azy Barak and John Suler, “Reflections on the Psychology and Social Science of Cyberspace,” in Psychological Aspects of Cyberspace: Theory, Research, Applications, ed. Azy Barak (Cambridge: Cambridge University Press, 2008), 3-5. 39 Singer and Friedman, Cybersecurity and Cyberwar, 17-24.

by mirroring the previous figure and “closing” the machine environment, though this figure can be misleading. In reality, cyberspace is accessed through and surrounded by millions of individual task environments and their intersections. The idea of a “closed” theoretical space is actually perforated by human-machine interface access points.

Figure 3. Cyberspace Formation with Computer-Facilitated Interaction

This model is not necessarily new: this combination of psychological projection with the mechanical aspects of the human-computer interface could be considered a simplified version of Martin Libicki’s physical-syntactic-semantic model of cyberspace. The model is inclusive of its physical infrastructure components, as opposed to a purely exclusive model that solely counts the virtual space. If “cyberspace” consists of the digital data, their created connections, and the infrastructure that houses it, the multi-level medium is analogous to a “global fluid”. Since this fluid is not restricted to any one location or layer of perception, cyberspace can be considered a terrain that is constantly in flux, and constantly changing.40

40 David Betz and Tim Stevens. Cyberspace and the State: Toward a Strategy for Cyber-power. London, U.K.: IISS, The International Institute for Strategic Studies, 2011. Kindle edition. 24

Now that we have an idea of where cyberspace lies in relation to our interactions, we can reapply our concepts of political and security theory. A noticeable change with the different dynamics of the cyberspace environment is that power and agency seem to shift online, tilting away from larger bodies like the state and toward smaller units like the individual. The composite virtual, manmade, and global nature of cyberspace means that full utilization of all these components will translate as power in this “region”. Since cyberspace has been established as a constantly changing environment, an actor is required to be vigilant in updating their knowledge on the “terrain” as well as know how to act upon it. By comparison, an individual unit has greater capacity to act quicker to an event than a larger group, the members of which must all be brought to speed and briefed on how to coordinate. The permeable nature of cyberspace also favors the individual as it makes the millions of human-machine intersections akin to millions of unguarded sentry posts. A national plan can attempt general protection, but only one portal is needed to bring security risk to a shared space. Between this and the aforementioned concerns, a common theme that stands out when factoring in cyberspace is a transfer of agency and general sense of unpredictability.

This effect of digital relations has been discussed by Joseph Nye in his papers on security in the information age. In a process he calls power diffusion, more events occur outside the control of even the most powerful states. As individuals are given greater capabilities and agency, the physical state will subsequently become less influential. While the state actor will not disappear in

relevance, they will find themselves fighting for dominance over a variety of actors that were previously inconsequential.41 While agency is undoubtedly affected, it should be noted that the target is affected as well. Notably, the idea of what constitutes an existential threat needs to be altered: while code can rarely threaten a person’s physical well-being, the malicious usage of cyberspace can easily bring harm to the livelihood and overall life quality of a target.

2. Literature Review

The numerous applications for information security in international relations means that there is a wide range of literature that covers cybersecurity; however, the body of literature available on this subject lacks cohesiveness due to the various definitions attributed to the term “cybersecurity”. Common themes that can be found revolve around the problem of defining the cyber domain and the general impact of cyberspace, but scholarship topics are wildly scattered beyond that.42

There are two general trends when approaching cybersecurity as a political concept. The first is in the perspective of traditional military power, in which the goal of cybersecurity is to defend against digital attacks from other states looking to gain access to certain assets. Interactions appear to be purely state-based.

Discussions of cyberattacks and cyber power also extend to the usage of code to

41 Joseph S. Nye, Jr., “Cyber Power,” Harvard Kennedy Belfer Center for Science and International Affairs, May 2010. 42 Robert Reardon and Nazli Choucri, “The Role of Cyberspace in International Relations: A View of the Literature,” April 1, 2012. Prepared for the 2012 ISA Annual Convention in San Diego, CA. 26

attack physical infrastructure, such as the role of Stuxnet in the malfunction of

Iranian nuclear centrifuges. In these cases, cyberspace is seen as simply an extension of military exercise, and the goals of “cybersecurity” revolve around maintaining military control and exercising power. Cybersecurity is also approached from an Internet governance perspective. Many of these sources emphasize the impending future of a “global civil society” and the necessity to set regulations and laws for future newcomers. Cyberspace is then viewed as a new land requiring the establishment of universal rules, individual rights, and global

Internet standards.

Despite acknowledgement of its unique qualities from both sides, cyberspace has often been viewed as a vehicle for traditional agendas rather than an entirely separate plane of potential conflict, with cybersecurity falling closely behind. In earlier works, there are far too many assumptions made that are altered greatly or even rendered entirely irrelevant when dealing with online activity.

While later scholarship does recognize many of these differences, many seem to struggle with arriving at a consensus at how these factors affect international interactions in digital space. The reality is that not only does cyberspace have its own factors to consider, but it also requires a certain level of technical accessibility to fully comprehend. The fact that the advancement rate of communications technology rapidly exceeded the ability of many early decision makers to catch up has even rendered the prefix “cyber” synonymous with a technical ineptitude in policy.

At the same time, literature on the technical end has a tendency to swing too far on the opposite side of the spectrum. Many technical “cybersecurity” resources exist in the form of handbooks addressed to individual security practitioners or businesses planning to secure their data. These audiences are relatively small and are generally limited to the private sector, and often do not contain national or international perspectives. Allusions to international conflict or the possibility of a foreign cyberattack may be addressed, but these are mostly in reference to protecting an individual or company’s assets from becoming collateral damage.

This myopic spectrum of analyses on both ends is understandable: many policymakers in office have not been able to fully understand the significance of today’s communications networks having grown up without it, and many individual security practitioners are not regularly faced with a large-scale threat to their own assets. As issues of cybersecurity are brought to the foreground, it will be necessary to begin pulling these ends closer together to piece together a comprehensive context.

As for literature on surveillance, the studies and reports on electronic surveillance in other countries are fairly prevalent, but often in the context of oppressive dictatorships using it to silence or censor opposition. Very few case studies of signals intelligence surveillance in democratic states have been made because the practice seemed incongruous to the ideals upheld in democracy.

Extensive and detailed literature on the UKUSA Agreement’s specific surveillance

activity is understandably limited, as the surveillance practices were intended to remain a secret. Most scholarship on both democratic surveillance and SIGINT collection in the Five Eyes alliance is dated after the first disclosures were released to the public.

3. Research Question and Methodology

My research question looks into how the concept and execution of national security has evolved with the growing capabilities in signals intelligence collection and surveillance. The scope of this research is limited to developed democracies, specifically the habits of the United States and the United Kingdom. By delving into the documents that have been released between the years 2013-2015, I will be focusing discussion on the individual as a security target and how the fragmented nature of cyberspace prevents traditional security strategy for the state from achieving its highest effectiveness.

My analysis of the documents themselves will be largely qualitative, as I will be reporting on the information that has been disclosed and interpreted through media sources such as Intercept, Der Spiegel, The Guardian, The New York Times, and The Washington Post. I will also be consulting books on the subject, polls on certain subjects from a variety of sources, and accessing archives of the documents in full through catalogued portals like the Snowden Digital Surveillance Archive43 and Snowden Doc Search.44 I do intend to look at the primary documents

43 "Snowden Surveillance Archive." Canadian Journalists for Free Expression. https://snowdenarchive.cjfe.org/greenstone/cgi-bin/library.cgi. 44 "Snowden Doc Search." Snowden Doc Search. https://search.edwardsnowden.com/. 29

themselves, though this is mostly for the sake of relatively shallow data interpretation. There are many documents that have large portions redacted or classified, making their sole existence the only information able to be gathered from them. I do not plan to ascribe meaning or make judgments on these vague documents outside of what has been already confirmed in their disclosed media sources.

III. The FVEY Surveillance Network

“Rather than look for a single needle in the haystack, his approach was, ‘Let’s collect the whole haystack’…Collect it all, tag it, store it…And whatever it is you want, you go searching for it.” — Former senior U.S. intelligence official on NSA collection strategy45

The United States, United Kingdom, Canada, Australia, and New Zealand united under the 1956 UKUSA Agreement to form the Five Eyes network

(henceforth referred to as FVEY). Since the beginning of the Cold War, these five nations have collaborated to collect signals intelligence data and create an unimaginably comprehensive archive of citizen data. This chapter introduces the main functions of the FVEY surveillance network as outlined by the UKUSA

Agreement and highlights the programs created since its inception. In this chapter,

I will also be analyzing the documents released by media outlets from 2013-2015 and examining the data collection patterns of FVEY.

1. The Five Eyes and Beyond

The original BRUSA Agreement of 1943 was a small alliance ensuring cooperation in regards to “special intelligence” between the British Government

Code and Cypher School and the United States War Department. Both parties agreed to “…exchange completely all information concerning the detection, identification, and interception of signals from, and the solutions of codes and

45 Ellen Nakashima and Joby Warrick, “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It All,’” Washington Post, July 14, 2013, https://www.washingtonpost.com/world/national-security/for- nsa-chief-terrorist-threat-drives-passion-to-collect-it-all/2013/07/14/3d26ef80-ea49-11e2-a301- ea5a8116d211_story.html. 31

ciphers used by, the Military and Air forces of the Axis powers, including secret service.” Collection duties were split based on geographic proximity, with the

United States assuming responsibility of Japanese communications while the

United Kingdom spied on Germany and Italy. In doing this, the BRUSA

Agreement would enable the two countries “to fulfill our immediate needs for special intelligence from these sources and will safeguard our long-term interests by allowing us to gain the experience required for achieving independence in this field.”46

When drafting the newer version of the UKUSA Agreement, the parties agreed to keep changes from the original BRUSA Agreement to a practical minimum. The shared communications intelligence was laid out in further detail to include, “collection of traffic, acquisition of communications documents and equipment, traffic analysis, decryption and translation, and acquisition of information regarding organizations, procedures, practices, and equipment.”47 The newly added Commonwealth nations of Australia, Canada, and New Zealand were given very specific tasks and reported directly to the NSA and GCHQ.

Outside of these five nations, third parties were also granted limited access to signals intelligence in the agreement. Known alliance extensions include the

Nine Eyes (Denmark, France, Norway, and the Netherlands) and the Fourteen Eyes

46 United States of America, War Department, Agreement between British Government Code and Cipher School and U.S. War Department in Regard to Certain "Special Intelligence" - 10 June 1943. https://www.nsa.gov/news-features/declassified-documents/ukusa/assets/files/spec_int_10jun43.pdf. 47 USA, NSA, New UKUSA Agreement - 10 May 1955. 32

(adding Germany, Belgium, Italy, Spain, and Sweden). Since the 2013 disclosure, the list of approved coalitions and third parties has been revealed below.

Table 1. U.S. NSA List of Approved SIGINT Partners48

Second Parties Third Parties Australia Algeria Hungary Romania Canada Austria India Saudi Arabia New Zealand Belgium Italy Singapore United Kingdom Croatia Japan Spain Czech Republic Jordan Sweden Denmark Korea, South Taiwan Coalitions/Multilateral Ethiopia Macedonia Thailand AFSC Finland Netherlands Tunisia NATO France Norway Turkey SSEUR Germany Pakistan UAE SSPAC Greece Poland

The disclosed documents revealed that the FVEY use a variety of programs to gather endless amounts of signals data. Shortly before the drafting of their new agreement, FVEY established a global network of satellites that could read and store the various signals transmitted daily. Intercepted signals are then stored on supercomputers and catalogued by key words in the ECHELON

Dictionaries, which can later be searched and recorded for future use.49 Though the function of ECHELON had been previously disclosed, the documents also revealed the existence of programs that more closely targeted citizen data. An example of this is PRISM, which obtained citizen information from several participating

48 Glenn Greenwald, “Collect it All,” in No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (New York, NY: Henry Holt, 2014), Kindle edition. 49 Jane Perrone, “The Echelon Spy Network,” The Guardian, May 29, 2001, http://www.theguardian.com/world/2001/may/29/qanda.janeperrone. 33

technology companies.50 BOUNDLESS INFORMANT is another program of massive scale, illustrating the priority of data collection through metadata with a global “heat map” of surveillance activity. Upon revelation of these programs, it was speculated that their primary purpose was to let nations circumvent domestic laws and gather data on their own citizens.

Figure 4. BOUNDLESS INFORMANT Surveillance Heat Map51

2. Analyzing FVEY Surveillance Activity

2-1. Reading the Disclosed Documents

Edward Snowden stated that he only released documents with privacy- infringing aspects, so it can be assumed that the general nation-state spying activities of FVEY are far greater than indicated in the documents released. Many

50 Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” Washington Post, June 7, 2013, https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet- companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845- d970ccb04497_story.html. 51 Glenn Greenwald and Ewen MacAskill, “Boundless Informant: The NSA’s Secret Tool to Track Global Surveillance Data,” The Guardian, June 11, 2013, http://www.theguardian.com/world/2013/jun/08/nsa-boundless-informant-global-datamining. 34

online databases that keep track of the documents published will report between

500 and 600 total documents. The document set and sorting methods I employed in my personal data set were taken from the Snowden Surveillance Archive, made available by the Canadian Journalists for Free Expression (CJFE). The CJFE archive lists around 550 documents between June 2013 and December 2015, and is the number I will be using for my analysis. Of the current documents published,

United States agencies have created 405 while United Kingdom agencies are responsible for 120, leaving 25 documents collectively created by Canada,

Australia, and New Zealand. By far, the United States and United Kingdom are shown to have authored the most documents, which is another reason why I have chosen to focus on these two nations in my data analysis.

All documents are marked with a classified tagging system at the top and bottom (classification terms have been defined in Table 2). In the United States, these markings are three parts separated by sets of double slashes: their classification level, sensitive compartmented information (SCI), and dissemination markings. The United States classification level indicates the degree to which unauthorized disclosure would put national security in danger. The United

Kingdom also has a STRAP classification system operating similar to the United

States in terms of protection.52

52 In October 2013, the United Kingdom released a new government security classification system that is much more similar to the United States one, with tags of Official, Secret, and Top Secret. This classification system came into force on April 2, 2014. 35

Table 2. US and UK Classification Terms53

Classification Levels Top Secret Unauthorized disclosure could be expected to cause exceptionally grave damage to national security Secret Unauthorized disclosure could be expected to cause serious damage to national security Confidential Unauthorized disclosure could be expected to cause damage to national security Unclassified Designation used to mark information that does not meet the criteria for classified national security information STRAP Designated in order of increasing sensitivity and access control: STRAP 1 (lowest), STRAP 2, AND STRAP 3 (highest) SCI Compartments COMINT/SI Contains technical and intelligence information derived from monitoring of foreign communication signals by other than the intended recipients TALENT Contains information and activities related to space-based KEYHOLE collection of imagery, signals, measurement and signature (TK) intelligence, certain products, processing, and exploitation design, and the design, acquisition, and operation of reconnaissance satellites Dissemination Markings FOUO For Official Use Only: Unclassified official government information that is withheld from public release until approval by originator ORCON Originator Controlled: Originators of classified national intelligence information allowed to maintain knowledge, supervision, and control of distribution beyond original dissemination NOFORN Not Releasable to Foreign Nationals: Information may not be released in any form to foreign governments, foreign nationals, foreign organizations, or non-US citizens without permission of the originator REL TO Authorized for Release to: Information has been predetermined by originator to be releasable or has been released to foreign countries indicated; NOFORN to all other foreign countries not indicated USA/[LIST] For use only on an electrical SIGINT reporting EYES ONLY

53 All classification term definitions are as outlined in the United States (U) Intelligence Community Markings System Register and Manual and the United Kingdom Defence Manual of Security. 36

Due to the secretive nature of their content, many of the documents have large portions that have been redacted, with some censored to such a degree that it is rendered unreadable. Code words are also frequently employed in reference to certain programs or espionage initiatives. Fortunately, the news sources and books that have been publishing the documents have also provided explanations for the significance of each particular disclosure. Though the heavily censored nature of these documents may make analysis appear fruitless or impossible, meaningful analysis can still be made beyond the readable content. Many researchers who are dedicated to archiving the documents released by Snowden have been able to report a multitude of information that would otherwise go unrecognized by the average reader, including pertinent dates (creation and publication) and targets.

While comparative analysis across data is necessary for significant observations, the very presence of other kinds of data can also be telling of FVEY intentions and motivations.

2-2. Data Collection and Reporting

Figure 5. Targeted Content of Disclosed Documents (2013-2015) 54

300 240 250 200 150 118 100 44 55 29 23 36 50 5 0

The CJFE database has catalogued the documents by a number of sorting criteria, from the agency that created the document to its security classification.

Individual documents will also show which programs are mentioned and the type of information revealed to be targeted by intelligence agencies. As expected, many of the documents focus on the communications signals gathered and the intelligence that can be gained from it. Several documents show that the agencies were also dedicated to data collection, metadata interpretation, and breaking encryption.

Of the 550 documents published, only 27 were designated as specifically targeting domestic communications, with 24 being produced by the United States.

54 All data references in this thesis are from the (as of right now) 550 available documents hosted on the “Snowden Surveillance Archive,” Canadian Journalists for Free Expression, https://snowdenarchive.cjfe.org/greenstone/cgi-bin/library.cgi. 38

Most of these appear to be administrative in nature and on internal procedures, but several presentation slides also mention certain programs like MUSCULAR or

XKEYSCORE. Closer looks into the content of the presentations make it clear that these are briefings for internal meetings. Of these documents on domestic communications, 13 are designated with a NOFORN dissemination tag, meaning that the information contained is not released to FVEY. While there is a large suspicion that FVEY utilized its alliance to circumvent national laws and exchange citizen data, it is worth observing where FVEY makes the distinction between

“foreign” and domestic coverage.

Across the documents, FVEY is shown to collect signals intelligence indiscriminately around the world, with at least 53 countries mentioned specifically by name. 98 files are dedicated to documenting foreign communications, with an additional 15 specifically targeting diplomatic conversations. All five countries are also represented in this pool, meaning that all are participating in collecting foreign communications signals. While the United States and the United Kingdom have a large range of international data collected, Australia’s targeting of Indonesia and

Southeast Asia along with New Zealand’s targeting of Samoa, Vanuatu, Nauru, and Fiji show that data collection duties among FVEY are still somewhat determined by geographic location. Even the United Kingdom is shown to collect significantly more data in the Middle East and Europe over other countries.

An interesting point in the chart is the very low number of documents that specifically focus on counterterrorism measures. Considering how officials

frequently cite terrorism as a justification for these surveillance capabilities, it is surprising that there are so few reports dedicated to this mission. By comparison, the objective to gather seemingly pedestrian data on everyday civilians seems to possess a far higher priority.

197 of the documents observed were exclusively disseminated to the rest of the FVEY network, while another 34 documents signified data sharing with other third party nations. Among these third party nations, there is relatively narrow representation: many are not classified as FVEY but instead meant for one member, while it is mostly European nations that are otherwise shown to be granted access. Aside from foreign communications data, a significant portion of shared information revolved around encryption and the ability to break through it.

A majority of composite data shared among FVEY appears to be focused on mobile phones, collecting call records, cell phone locations, text messages, and voice IP data. Meanwhile, most metadata collected seems to be generated from

Internet activity.

While the five nations share a significant amount of information among each other, there is a significant portion of documents with visibility restricted to the creating nation. 110 documents are classified as denied to foreign nationals, while an additional 38 are designated as “For Official Use Only.” The distribution of types of intelligence are generally the same as what is disclosed, which could be an indicator that the information was to be seen by the rest of FVEY after a period of time.

3. The Security Priorities of the UKUSA Agreement and FVEY

What do these five nations, who already dominate so much of global affairs, hope to gain in these massive exercises of both domestic and international surveillance? As stated earlier, the major theme surrounding the changes brought on by a digital environment revolve around unpredictability, and that an individual is more likely to be able to quickly take advantage of an opportunity than a state body. At the same time, coordinated action can provide a range that an individual may not be able to possess. In this way, such massive overhead surveillance could be an indication of FVEY recognizing this and utilizing their resources to benefit everyone involved in the UKUSA Agreement, even if the capabilities may seem excessive. Security as outlined in the UKUSA Agreement and demonstrated by

FVEY appears to be more focused on protecting the influence of states via information possession rather than individual protection.

This can mostly be justified through traditional security paradigms.

Information is key in kinetic conflicts as well, and the intelligence collected on other nations’ military capabilities is undoubtedly helpful to informed strategy and policy formation. Many of the documents presented here, however, are not concerned with military preparation. Because the data collected focuses much more on societal concerns and appears to be motivated more for reference rather than actively stopping external threats, it can be concluded that there are additional factors that must be considered. Considering that the UKUSA Agreement does not outline any specific security agenda for the five nations as a collective, we need to

look to national security strategies for context. While we can conclude that these five nations work together because of the similarities in their background and ideologies, the same pool of data collected can be utilized very differently.

IV. Case Studies in Disclosure and Aftermath

“We can never say it enough. The United States and the United Kingdom enjoy a truly special relationship. We celebrate a common heritage. We cherish common values. […] (And) above all, our alliance thrives because it advances our common interests.” — U.S. President Barack Obama55

This chapter focuses on the security goals and subsequent homeland actions of the United States and United Kingdom. These two nations share a lot in common and are often cited as having a special bilateral relationship that is incredibly close. Both country analyses will inspect officially released statements outlining national security goals, how each country used signals intelligence at their disposal, and consequent domestic response to the 2013 document leaks.

From there, I will compare the observations between the two nations and explore possible explanations for differences in security approach and domestic reception. I will also discuss possible implications these findings may have for the future of these two nations and their bilateral cooperation in signals intelligence.

1. The United States of America

1-1. National Security Strategy

The most recent version of the United States National Security Strategy was released on February 2015. In it, President Barack Obama noted that

“America’s growing strength is the foundation of our national security and a critical source of our influence abroad.” Challenges to security included violent

55 Alan Silverleib, “Obama, Cameron Blast Release of Lockerbie Bomber,” CNN, July 20, 2010. http://edition.cnn.com/2010/POLITICS/07/20/obama.cameron.visit/index.html. 43

extremism, the rise of terrorism, and aggression from Russia. Cybersecurity is very briefly mentioned, but not emphasized in President Obama’s introduction. In order to maintain security and rise above these threats, the US national security strategy emphasizes that, “America must lead. Strong and sustained American leadership is essential to a rules-based international order that promotes global security and prosperity.” To accomplish this leadership, the strategy plan stressed the importance of mobilizing and collective international action. On the section dedicated to security, the United States again emphasizes that, “Collective action is needed to assure access to the shared spaces—cyber, space, air, and oceans— where the dangerous behaviors of some threaten us all.” To accomplish this, the strategy details efforts to maximize capabilities and cooperating with the owners and operators in the private sector. A subsection on cybersecurity adds that there is a “special responsibility to lead a networked world,” aiming to maintain high standards and protect intellectual property and online freedom.56

The United States Department of Defense released a separate Cyber

Strategy guide in April 2015, where it outlined its goals based around three missions: defend the US homeland, defend US national interests against cyberattacks of significant consequence, and support operational and contingency plans. According to the Cyber Strategy, the strategic goals are:

56 United States of America, White House, National Security Strategy, 2015. 44

I. Build and maintain ready forces and capabilities to conduct cyberspace operations, II. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions, III. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence, IV. Build and maintain viable cyber options and plans to use those options to control conflict escalation and to shape the conflict environment at all stages, V. Build and maintain robust international alliances and partnerships to deter share threats and increase international security and stability.

The Cyber Strategy does make mention of alliances in terms of

“complementary capabilities that can augment those of the United States,” and even mentions the UKUSA Agreement by name. The Department of Defense states that, “Strategically, a unified coalition sends a message that the United States and its allies and partners are aligned in collective defense.” The threats listed here are of a more technical nature, including malware dispersion and risks to the

Department of Defense’s critical infrastructure. Implementation measures revolve around increasing counterintelligence capabilities while simultaneously developing intelligence in anticipation of threats.57

Just as in the case with literature on the subject, the term “cybersecurity” is hardly well-defined in government publication. The United States National

Security Strategy uses the term frequently but only directly refers to it as a tool to promote and protect democratic ideals. Even in the Department of Defense’s

57 United States of America. Department of Defense. Cyber Strategy. 2015. 45

publication, the terms cybersecurity and cyberspace are never explicitly defined

(presumably because the reader is expected to know what it means already).

Strategies to accomplish cybersecurity goals tout cooperation within the international and private sectors, but many of the other goals for security express similar sentiments. In a way, the lack of a concrete definition for cybersecurity and equally vague strategies to accomplish this give the United States much leeway in the methods to accomplish their initiatives.

1-2. UKUSA SIGINT Utilization58

United States agencies are responsible for creating a vast majority of the documents that have currently been disclosed, and it is fair to assume that they gather a majority of signals intelligence as well. The breakdown of types of content targeted by United States agencies is in line with the general trends of total information collected: a significant amount of communications and intelligence, with additional dedication to data, metadata, and decryption capabilities (as illustrated in Figure 6). Figure 7 also shows that the United States possesses the widest spread and furthest reach in terms of surveillance capabilities. Mapping all of the nations whose signals were targeted by the United States portrays an indiscriminate global survey with particular focus on Europe, Asia, and South

America.

58 For a full data set of documents created by the United States, see Appendix B.

Figure 6. Content Targeted by United States

Misc, 18 None, 19

Metadata, 46

Communication s, 152 Intelligence, 100

Data, 27 Decryption, 43

Figure 7. Nations Targeted by United States

The map also reveals that the United States collected signals data from the other four allies in FVEY, though analysis suggests that the surveillance performed here were simply utilizing existing resources, making them cooperative efforts with the allies in question rather than attempts to gather information undetected.

For example, the NSA’s relationship with New Zealand and the GCSB is described

as “supportive and cooperative,” with the United States providing information of interest and technical equipment in exchange for diplomatic communications information on East and Southeast Asia, South America, the South Pacific Islands,

Pakistan, India, and Iran. New Zealand also collects information on nuclear testing data in New Caledonia.59 Similar understandings were formed with Canada, who

“cooperated closely” with the NSA in communications across the Middle East and

North Africa.60 While granted the same privileges as its other allies in FVEY, the

United Kingdom’s GCHQ requested even broader access to data collected by a number of NSA initiatives, including controversial programs like PRISIM in April

2013. Though there is no indication of whether such extended access was granted, the NSA was supportive of the idea and had previously granted GCHQ special access to PRISM during the 2012 London Olympics.61

While the United States shares much of its information with the FVEY, they also make significant efforts to control the release of new data, keeping it secret until it is deemed ready for release. A majority of United States documents with the dissemination marking NOFORN are very recent, with a total of 60 created in the years 2012 and 2013. By comparison, the documents with FVEY

59 Matt Nippert, “UK Foreign Secretary Philip Hammond Says It's Time to 'Move On' from Snowden,” The New Zealand Herald, March 11, 2015, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1. 60 Amber Hildebrandt, “Communication Security Establishment's Cyberwarfare Toolbox Revealed,” CBCnews, March 23, 2015, http://www.cbc.ca/news/canada/communication-security-establishment- s-cyberwarfare-toolbox-revealed-1.3002978. 61 Ryan Gallagher, “British Spy Chiefs Secretly Begged to Play in NSA's Data Pools,” The Intercept, May 1, 2014, https://theintercept.com/2014/04/30/gchq-prism-nsa-fisa-unsupervised-access- snowden/. 48

dissemination are shown to have a much more gradual stream of creation and release. Though the breakdowns are similar, the fact that the total numbers are fairly close warrants further discussion.

Table 3. US Documents with FVEY vs. NOFORN Dissemination

Year FVEY NOFORN 2003 3 1 2004 4 6 2005 2 3 2006 6 2 2007 9 7 2008 11 6 2009 25 5 2010 41 10 2011 17 7 2012 23 24 2013 15 36 Total 164 109

We can gain a better understanding of the NOFORN tag from the United

States markings system manual. The NOFORN tag takes priority over any others, as the section on its relationship to other markings shows that it cannot be used simultaneously with the REL TO or EYES ONLY tags. It is interesting to note that many programs listed in the SCI compartments also had the default requirement of a NOFORN dissemination tag. From this, we can gather that while the United

States collects and shares the most information of the members in the UKUSA alliance, it also takes advantage of its situation by experiencing the privilege of being the first to look at fresh information.

The surveillance patterns of the United States fall perfectly in line with the sentiment laid out in its National Security Strategy: “America must lead.” Staying one step ahead of the other members of FVEY not only allows the United States to create their own strategy on how to use new information before everyone else, but also allows them a chance to anticipate possible ways FVEY may use this information. Such a position is very advantageous, for access to new information is becoming increasingly more critical in competitive situations.62 This strategy is also incredibly viable in terms of cyberspace as an environment, where an upper hand in knowledge of the present situation is vital.

1-3. Post-Disclosure Domestic Activity

Polls conducted in June 2013 found that American citizens were somewhat evenly divided over Snowden’s actions and their effect on the national interest. A poll conducted by the Pew Research Center and USA Today found that 44% believed the document disclosure harmed the public interest while 49% said the disclosures served the public interest.63 Other polls found wider variance: a poll from Gallup64 reported a majority of domestic disapproval at 53%, but a poll conducted by the Washington Post65 showed that 56% of Americans found the

62 Joseph S. Nye, The Future of Power, (New York, NY: PublicAffairs, 2011), 117. 63 Meredith Dost, “Public Split over Impact of NSA Leak, But Most Want Snowden Prosecuted,” Pew Research Center for the People and the Press, June 17, 2013, http://www.people- press.org/2013/06/17/public-split-over-impact-of-nsa-leak-but-most-want-snowden-prosecuted/. 64 Frank Newport, “Americans Disapprove of Government Surveillance Programs,” Gallup, June 12, 2013, http://www.gallup.com/poll/163043/americans-disapprove-government-surveillance- programs.aspx. 65 Jon Cohen, “Most Americans Back NSA Tracking Phone Records, Prioritize Probes over Privacy,” Washington Post, June 10, 2013, https://www.washingtonpost.com/politics/most-americans-support- 50

NSA’s access of telephone calls “acceptable”. Many of these polls reflected little change in general public opinion in comparison to a similar survey conducted by the Washington Post and ABC News in 2006 on the NSA’s collection of phone call records.66

Despite heavy skepticism from privacy advocates, the justification for mass surveillance as a deterrent for terrorist activity proved to sway many in favor of the revealed activity. Poll questions that were worded to explicitly mention terrorism almost universally reported the majority approving data collection as a means to snuff out terrorist threats in 2013. When presented with a choice between investigating terrorism or preserving individual privacy, many would choose the fight against terrorism as the greater priority. While the Gallup poll reported a minority approval despite mentioning terrorism, 28% (out of a net 37%) cited combating terrorism as their primary reasoning.67 The Washington Post also found that 62% believed it was more important to investigate terrorist threats, even if the methods used infringed upon personal privacy.68 Again, this is a sentiment that remained relatively unchanged from similar questions in 2006.

nsa-tracking-phone-records-prioritize-investigations-over-privacy/2013/06/10/51e721d6-d204-11e2- 9f1a-1a7cdee20287_story.html. 66 Richard Morin, “Poll: Most Americans Support NSA's Efforts,” Washington Post, May 12, 2006, http://www.washingtonpost.com/wp-dyn/content/article/2006/05/12/AR2006051200375.html. 67 Newport, “Americans Disapprove of Government Surveillance Programs.” 68 Cohen, “Most Americans Back NSA Tracking Phone Rcords.” 51

Figure 8. Terrorism vs. Privacy in the United States (2006-2013)69

Which is more important?

Investigate terrorist threats Not intrude on privacy

68% 65% 62%

32% 34% 26%

Jan. 2006 Nov. 2010 Jun. 2013

The United States emphasis on terrorism in shaping policy has been especially strong since the attacks carried out by Islamic terrorist group al-Qaeda in

September 2001. Surveys show that the percentage of those who feared they could fall victim to a terrorist attack rose dramatically from 24% to 59% after 2001 and has remained at a heightened average of 40% in the following years.70 This tense environment after September 11 has been cited as a factor in facilitating the passage of the USA PATRIOT Act, which restructured domestic defense and increased oversight procedures in efforts to combat terrorism.

Title II enhanced domestic surveillance capabilities and increased the powers of the government bodies conducting it. Sections 201 and 202 granted additional authority to “intercept wire, oral, and electronic communications”

69 “Majority Views NSA Phone Tracking as Acceptable Anti-Terror Tactic,” Pew Internet & American Life Project. 70 Frank Newport, “Gallup Review: U.S. Public Opinion on Terrorism,” Gallup, November 17, 2015, http://www.gallup.com/opinion/polling-matters/186665/gallup-review-public-opinion-terrorism.aspx. 52

relating to terrorism, which has been defined in the United States Code as involving the use of weapons of mass destruction or providing financial/material support to suspect individuals.71 Section 209 was also altered to remove certain restrictions that made obtaining a warrant for seizure of voiceless messages more difficult than for similar electronic counterparts.72 Perhaps the most contentious part of this title is Section 215, which operated in close conjunction with the

Foreign Intelligence Surveillance Act of 1978 (FISA) and allowed government agencies to collect vast amounts of data for the purposes of investigating terrorism.

Not only could these investigations be undertaken without the knowledge of all parties involved, but it also permitted NSA analysts to justify investigations on extended circles to the second and third degrees through telephone data and

Internet records—known technically as “second and third hop queries”.73 Section

215 has been regarded as the primary basis for the presidential executive order authorizing the NSA’s telephone metadata collection.

The USA PATRIOT Act had been seen as controversial as far back as its inception. When combined with the effects of FISA,74 the NSA and other

71 “18 U.S. Code § 2332a - Use of Weapons of Mass Destruction,” LII / Legal Information Institute. 2001, https://www.law.cornell.edu/uscode/text/18/2332a. 72 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (Washington, D.C.: U.S. G.P.O., 2001), Section 209. 73 Spencer Ackerman, “NSA Warned to Rein in Surveillance as Agency Reveals Even Greater Scope,” The Guardian, July 17, 2013, https://www.theguardian.com/world/2013/jul/17/nsa- surveillance-house-hearing. 74 Sec. 102: “Notwithstanding any other law, the President, through the Attorney General, may authorize electronic surveillance without a court order under this title to acquire foreign intelligence information for periods of up to one year…” Foreign Intelligence Surveillance Act of 1978: Hearings, 95th Congress, 2nd Session, 1978. Washington, D.C.: U.S. G.P.O., 1978. 53

government agencies were essentially allowed to bypass regular law enforcement processes and conduct warrantless surveillance under the justification of terrorism prevention. Despite media confrontation in 2006, the continued reassurance of its use as a “terrorist surveillance program” that has saved lives met relatively little public resistance.75 The PATRIOT Act was thus reauthorized and extended three times in 2005, 2010, and 2011 despite continued criticisms. FISA had also been amended in 2008 to provide cooperating telecommunications companies with immunity and increase time permitted for warrantless surveillance.76

Surveys show that opinions on surveillance as a legitimate means to combat terrorism had changed little from 2006. Even so, criticism of the NSA’s actions were much more vocal and US public opinions began to shift fairly quickly. Congressman Jim Sensenbrenner, author of the PATRIOT Act, sent a letter to Attorney General Eric Holder shortly after the revelations were made expressing concern over the collection of phone records by Verizon.

“I am extremely troubled by the FBI’s interpretation of this legislation. While I believe the Patriot Act appropriately balanced national security concerns and civil rights, I have always worried about potential abuses. […] Seizing phone records of millions of innocent people is excessive and un-American.”77

75 David E. Sanger and John O'Neil, “White House Begins New Effort to Defend Surveillance Program,” New York Times, January 23, 2006, http://www.nytimes.com/2006/01/23/politics/white- house-begins-new-effort-to-defend-surveillance-program.html. 76 Paul Kane, “House Passes Spy Bill; Senate Expected to Follow,” Washington Post, June 21, 2008, http://www.washingtonpost.com/wp-dyn/content/story/2008/06/20/ST2008062001087.html. 77 Jim Sensenbrenner, “Author of Patriot Act: FBI's FISA Order Is Abuse of Patriot Act,” Congressman Jim Sensenbrenner, June 06, 2013, http://sensenbrenner.house.gov/news/documentsingle.aspx?DocumentID=337001. 54

Notable changes in US public opinion also began to take hold. A poll conducted by the Pew Research Center compared public opinions on government surveillance in January 2014, seven months after its original poll directly after the first disclosures was made (results duplicated in Figure 9). While approval and disapproval ratings had been evenly matched in June 2013, approval ratings had dropped to 40% by January 2014. The same survey also reported an increasing wariness toward the continued surveillance programs, with 52% of Americans polled being “very concerned” or “somewhat concerned” with the government’s collection of electronic citizen data.

Figure 9. Approval Ratings of Government Surveillance78

100 90 80 70 53 60 48 50 50 40 47 44 40 30 20 10 0 Jun-13 Jul-13 Aug-13 Sep-13 Oct-13 Nov-13 Dec-13 Jan-14

Approval Disapproval

78 Lee Rainie and Shiva Maniam, “Americans Feel the Tensions between Privacy and Security Concerns,” Pew Research Center, February 19, 2016, http://www.pewresearch.org/fact- tank/2016/02/19/americans-feel-the-tensions-between-privacy-and-security-concerns/.

Increasing public disapproval toward mass oversight was combined with decreasing faith in the government’s abilities, both in keeping collected data secure and in effectively preventing terrorism. Post-Snowden, more people perceive electronic channels such as social media sites, messaging, and email to be insecure to some degree when regarding their personal private information.79 Mentions of terrorism in polling questions would still receive more answers of approval for security over privacy in 2015,80 yet trust in the government to protect citizens from terrorists dropped to its lowest rate of 68% since September 2001.81 By the time the

PATRIOT Act was due for expiry in May 2015, sixty percent of likely voters believed that the act needed to be revised in some way.82 Three domestic programs were eventually shut down with their expiration in the PATRIOT Act as a result, including the phone records collection program. Shortly after, President Barack

Obama signed the USA FREEDOM Act into law, placing greater limits on the collection patterns of the NSA’s surveillance program. While the FREEDOM Act allowed the NSA to continue its activities for another six months while it

79 Mary Madden, “Public Perceptions of Privacy and Security in the Post-Snowden Era,” Pew Research Center Internet Science Tech, November 12, 2014, http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/. 80 62% of those polled by the Washington Post said that it was more important to “investigate terrorist threats” than to preserve personal privacy, and 56% found the collection of phone call data “to investigate terrorism” to be acceptable. “Majority Says NSA Tracking of Phone Records “acceptable” - Washington Post-Pew Research Center Poll,” Washington Post, January 21, 2015, https://www.washingtonpost.com/page/2010-2019/WashingtonPost/2013/06/10/National- Politics/Polling/release_242.xml. 81 Rebecca Riffkin, “Trust in U.S. Government's Terrorism Protection at New Low,” Gallup, June 10, 2015, http://www.gallup.com/poll/183557/trust-government-terrorism-protection-new-low.aspx. 82 Spencer Ackerman and Sabrina Siddiqui, “NSA Surveillance Opposed by American Voters from All Parties, Poll Finds,” The Guardian. May 18, 2015, https://www.theguardian.com/us- news/2015/may/18/us-voters-broadly-opposed-nsa-surveillance. 56

restructures its program, privacy advocates celebrated its passage as a victory for civil liberties.83

2. The United Kingdom

2-1. National Security Strategy

The United Kingdom’s most recent security strategy report, National

Security Strategy and Strategic Defence and Security Review, was released in

November 2015 and shares many similarities to the security strategy of the United

States. In his foreword, Prime Minister David Cameron immediately underscores the importance of economic security in national security strategy, identifying the first step as maintenance of a strong national economy.84 The threats Cameron identifies include instability in the Middle East, the Ukrainian crisis, cyberattacks, and pandemics. Regarding terrorism and cyberattacks, the security strategy recognizes the need to counter both state-based and transnational threats effectively and pledges to, “deter state-based threats, tackle terrorism, remain a world leader in cyber security and ensure we have the capability to respond rapidly to crises as they emerge.”85 Three main objectives can be identified in the United Kingdom’s national security strategy: protect our people, project our global influence, and promote our prosperity.

83 Patricia Zengerle and Warren Strobel, “Obama Signs Bill Reforming Surveillance Program,” Reuters, June 02, 2015, http://www.reuters.com/article/us-usa-security-surveillance-passage- idUSKBN0OI2I920150603. 84 United Kingdom, HM Government, National Security Strategy and Strategic Defence and Security Review (2015), 5. 85 Ibid., 6.

The United Kingdom identifies its strengths as one of the fastest-growing developed economies and emphasizes a resilient domestic community. Section

2.12 also makes note of its “special relationship” with the United States as an essential aspect of British national security. The FVEY alliance is also mentioned here, as well as plans to expand its cooperative network into the European Union.

Domestic and global challenges to British national security included terrorism and extremism, migration, regional instability, and global health. The section on domestic challenges frequently cites the Middle East and South Asia as examples of these points. State threats such as Russia and continuing risks are also mentioned as part of the national strategy, but the extensive detail for security on the domestic front seems to highlight this as a priority. The strengths and challenges presented in the United Kingdom national security strategy all revolve around the general theme of globalization and the uncertainty it brings to the security context.

Just as in the United States, cybersecurity and cyber threats are mentioned briefly in the United Kingdom’s national security strategy; however, there is notably more weight added to the subject here. For one, the role of technology and cybersecurity are more strongly regarded as their own separate problem rather than an aspect of other security issues (as they are presented in the United States). The

United Kingdom also takes a harder approach to the threats cyberspace may host.

The British security strategy states that while there is an “inherent resilience” in the decentralized nature of the Internet, day-to-day networks are constantly vulnerable

to attack. Terrorism is focused on significantly more when discussing technological capabilities and as a potential motivator for encrypted communications.86

Because they were regarded separately from other security threats, the solutions presented in the United Kingdom security strategy are more definite, closely aligning with those in the United States Department of Defense Cyber

Strategy guide. Strategies to maintain cybersecurity in the United Kingdom are mainly focused on quick detection, analysis, and preemptive counterattack against potential cyber attacks. To accomplish this, the British government has planned to invest heavily in new technology and capabilities as well as create new institutions dedicated to bolstering national response.87

The United Kingdom also released a security strategy plan specific to cybersecurity activities and initiatives in December 2014, though the national security strategy stated that a new publication would be released in 2016. The objectives outlined focus on making the United Kingdom a secure place to conduct business online as well as protect national interests. To accomplish these goals, the

National Cyber Security Programme centers its actions on improving cyber capability and improving risk management and general education among UK businesses. Judging from the higher emphasis on cybersecurity in relation to local

86 United Kingdom, National Security Strategy (2015), 19. 87 United Kingdom, National Security Strategy (2015), 40-42. 59

businesses, securing cyberspace could be considered an extension of increasing economic security within the United Kingdom.88

While the United Kingdom appears to have a more thorough cyber strategy laid out, it is interesting to note that like the United States, the solutions provided for cybersecurity are not aimed at any particular threat. This makes sense when considering threats in cyberspace on their own: due to the unpredictable nature of and inability to properly attribute cyber attacks, the best strategy to execute would be to bolster defensive capabilities and preemptively prepare for general attacks.

When considering the United Kingdom’s national security strategy, both cybersecurity and terrorism were presented as intertwined concepts in the context of threats to national security yet were strategized to be solved separately. While differing from the American security strategy, this lack of explicit written connection between the two threats in its offered solutions allows for the United

Kingdom to exercise a similar freedom in how government agencies can ultimately use the tools at their disposal.

2-2. UKUSA SIGINT Utilization

The United Kingdom contributes a significant amount to the FVEY information pool, though not nearly as much as the United States. The ratios of shared information are comparable to the United States, with an emphasis on communications and intelligence while also focusing its efforts on decryption and

88 United Kingdom, Cabinet Office, The UK Cyber Security Strategy: Report on Progress and Forward Plans, 2014. 60

data/metadata interpretation.89 Mapping the countries targeted reveals that the

United Kingdom’s areas of concern are not as widespread as those of the United

States: the focus of documents created by GCHQ seem to be primarily concentrated in the European countries surrounding the United Kingdom as well as the Middle East and China. Comparing the map in Figure 11 with the countries targeted by the United States will also show possible evidence of a distribution of surveillance labor in South America countries, with the United Kingdom focusing its oversight efforts on Argentina, Venezuela, and Colombia rather than Brazil.

Figure 10. Content Targeted by United Kingdom

Communications, 53 Metadata, 9 Misc, 14

Intelligence, 16

Hardware, 4

Decryption, 18 Data, 5

89 For a full data set of documents created by the United Kingdom, see Appendix C. 61

Figure 11. Nations Targeted by United Kingdom

While the United Kingdom has a classification system in the form of

STRAP, there are not many documents within the set released that use the classification tag, with only one labeled STRAP 2. The United Kingdom’s contributions are relatively small as well, with 23 documents officially disseminated among FVEY. The majority of these documents were dedicated to communications, and specifically foreign communications data from the Middle

Eastern and North African regions. Considering the emphasis placed on regional terrorism and security in the Middle East, SIGINT surveillance seems to be a dominant part of the United Kingdom’s strategy to quietly preserve national security.

2-3. Post-Disclosure Domestic Activity

Four years after the United States terrorist attacks in September 2001, the

United Kingdom fell victim to a terrorist attack that killed 52 and injured over 700 in July 2005. Shortly after this, the Terrorism Act 2006 was drafted and put into effect. While this Act does not have any explicit provisions for signals intelligence

collection, the Terrorism Act 2006 was controversial primarily for its extension of the period for detention without charge. During the second reading of the bill,

Home Secretary Charles Clarke responded to some of these criticisms by pointing out that the extension was necessary to obtain all necessary data and evidence for an investigation. On top of mentioning CCTV footage and crime scene fingerprints, Clarke made clear to add access to technology as another tool at the disposal of terrorist networks; examining and decrypting data on hard drives was a meticulous process that would require the adequate amount of time to analyze properly.90

In contrast to the United States, polls conducted around this sensitive time reported a general dissatisfaction with the increased government access to oversight tools. In a poll jointly conducted by YouGov and The Daily Telegraph in

November 2006, 79% of those surveyed said that they would describe Britain as a

“surveillance state” due to increased use of CCTV cameras, biometric passports, and fingerprinting as well as 52% of people feeling generally unhappy at the possibility of being recorded in a national database. Skepticism in the government’s capabilities was also high, as 66% did not trust any government to keep said database information entirely confidential.91 Based off of further data in

90 Charles Clarke, “Orders of the Day — Terrorism Bill | Part of the Debate – in the House of Commons at 1:24 Pm on 26th October 2005,” TheyWorkForYou, October 26, 2005, http://www.theyworkforyou.com/debates/?id=2005-10-26b.340.3.

91 “YouGov / Daily Telegraph Survey Results,” YouGov, November 30, 2006, http://iis.yougov.co.uk/extranets/ygarchives/content/pdf/TEL060101024_3.pdf. 63

the survey, it may be said that the perception of a British surveillance state is not due to the prevalence of CCTV cameras. This poll asked its participants to state whether they would approve or disapprove of certain security propositions, the results of which have been replicated in Figure 12. Overall, increased CCTV camera installation was overwhelmingly seen as a positive improvement while they were more hesitant with the idea of collecting individualized information such as location, voice conversations, or biometric data. 62% of survey participants also commented that despite the presence of CCTV cameras, they generally do not feel like they are being spied upon.92

92 Ibid. 64

Figure 12. UK Citizen Approval of Proposed Security Measures, 2006

Using the chips in ID cards to track the 14 movements of every individual 70 possessing an ID card 16 Maintaining results of an individual’s 15 DNA on the national database even if 48 the individual has not been charged … 37 11 Speed cameras 39 50

Using high-powered microphones to 14 79 listen in on conversations in the street 7 7 CCTV cameras outside pubs 7 86 7 CCTV cameras in high streets 8 85 18 Fingerprinting airline passengers 37 45 11 Photographing airline passengers 17 72 14 CCTV cameras in taxis 21 65

CCTV cameras on tube trains and in 4 3 buses 93

Roadside fingerprinting of alleged 18 27 suspects 56

CCTV cameras in banks and building 2 1 societies 97

0 20 40 60 80 100 120

Don't know Disapprove Approve

When the practices of the NSA and GCHQ were disclosed in June 2013, domestic reaction was found to be similar to that in the United States in that public opinion was relatively divided. A YouGov poll in early June shortly after the revelations reported that 46% were happy that the United Kingdom security services were getting the information they needed to track down criminals and terrorists, while a slightly lower population of 39% were worried about whether

British agencies were abiding by established laws to undermine personal privacy.

42% also believed the government should be given greater investigative powers than they already had in order to effectively combat terrorism.93

A study on terrorism legislation in the United Kingdom was requested by the government and conducted in 2014. The final report in June 2015 stated that existing legislation was “fragmented and obscure”, and that “comprehensive and comprehensible” laws on intrusive powers were needed.94 Shortly after, a draft of an Investigatory Powers Bill was submitted to the House of Commons for review by Parliament. This bill would not only legalize a majority of the bulk collection practices by government agencies, but would also provide additional powers to security services. The IP Bill would also enforce that communication service

93 Joel F. Rogers, “Public Opinion and the Intelligence Services,” YouGov, October 11, 2013, https://yougov.co.uk/news/2013/10/11/british-attitudes-intelligence-services/. 94 “Surveillance Powers: New Law Needed, Says Terror Watchdog,” BBC News, June 11, 2015, http://www.bbc.com/news/uk-33092894. 66

providers to assist in the interception of data and retain customer records for twelve months.95

A roundup up survey results curated through Cardiff University in June

2015 revealed that public opinion had not wavered on the importance of combating security threats since two years prior. A poll jointly conducted by YouGov and the

Sunday Times in 2015 asked participants about the level of engagement between

Internet companies and combating Islamic terrorism, and 53% stated that Internet companies “could be doing a lot more than they currently are to work with countries’ security services and help combat terrorism.” The same poll also found that 52% agreed that the government should have more access to people’s data for the sake of security.96

3. FVEY and Surveillance in Democracies

Both the United States and United Kingdom have very similar approaches when it comes to national security and surveillance of signals intelligence. Each national security strategy emphasized the importance of preserving values and ideas as a measure of maintaining security and name things that endanger these values as legitimized threats. Cyber attacks are often mentioned as a threat to security yet are often vaguely defined or elaborated upon, and the solutions to which are often mentioned separately from terrorism despite being discussed in the

95 Alan Travis, “Investigatory Powers Bill: The Key Points,” The Guardian, November 04, 2015, https://www.theguardian.com/world/2015/nov/04/investigatory-powers-bill-the-key-points. 96 Jonathan Cable, “UK Public Opinion Review,” Cardiff University, June 18, 2015, http://sites.cardiff.ac.uk/dcssproject/files/2015/08/UK-Public-Opinion-Review-180615.pdf. 67

same breath in practice. In other words, government publications often discuss the security context in terms of medium and threat perception, yet leave out explicit mention of surveillance as a means of implementation.

While there are notable differences, the public reaction to the global surveillance disclosures of 2013 in both countries also had certain similarities. One statistic that remained constant across both countries (and globally) is that the younger generation is more likely to value personal privacy over surveillance in the name of security. When asked about whether the primary duty of social media sites in the United Kingdom lay in sharing data to protect against terrorism or protect the privacy of user data, the citizen age group of 18-24 was the only group to have a majority of privacy over security.97 United States citizens expressed similar opinions, with 60% of those under 30 showing marked concern over the government’s anti-terror policies and their restricting effect on the civil liberties of citizens.98 Both US and UK citizens were also more comfortable with the idea of surveillance targeting foreigners rather than themselves. A survey by Amnesty

International asked participants about the surveillance practices in their home country, and both US and UK had a greater majority of approval for surveillance on foreign nationals versus all citizens.

97 Cable, “UK Public Opinion Review.” 98 Meredith Dost, “Few See Adequate Limits on NSA Surveillance Program,” Pew Research Center for the People and the Press. July 26, 2013, http://www.people-press.org/2013/07/26/few-see- adequate-limits-on-nsa-surveillance-program/. 68

Figure 13. Surveillance on All Citizens vs. Foreign Nationals99

Do you think the [your country] Government should or should not intercept, store and analyse internet use and mobile phone communications of …

100

80 63 55 60 50 44 36 40 30 26 20 18 20 20 18 20

0 US citizens living in Foreign nationals UK citizens living in Foreign nationals US in US UK in UK

Should intercept, store and analyse internet use and mobile communications Should not intercept, store and analyse internet use and mobile communications Don't know

In terms of kinetic security contexts, there are certain distinctions that must be made between the United States and the United Kingdom that undoubtedly affect the results shown above. Geographically, the United States is much more isolated than the United Kingdom, which is closer in proximity to regional conflicts in the Middle East and South Asia. The security strategy of the United

Kingdom naturally places greater emphasis on the severity of these regional threats. Though everyone is tangentially affected by a terrorist attack in any one

99 “Global Opposition to USA Big Brother Mass Surveillance,” Amnesty International, March 18, 2015, https://www.amnesty.org/en/latest/news/2015/03/global-opposition-to-usa-big-brother-mass- surveillance/. 69

state, the closer proximity the United Kingdom has to the European Union means that they arguably have more at stake when terrorist attacks hit a European nation.

These conflicts exacerbate existing issues of migration: while both nations report issues with illegal entry of national borders, a significant ratio of immigrants in the

United Kingdom are arriving from an area that has consistently been highlighted in national security contexts as a regional threat. Combining existing tensions of cultural dissonance between immigrants and citizens with continued terrorist attacks in Europe have made for a relatively hostile climate toward foreigners and those who are not citizens.

The key difference between the United States and United Kingdom seems to lie in how citizen reaction has evolved in the post-Snowden era and its subsequent effect on policy. While United States opinion eventually diverged into a starker polarization of approval versus disapproval toward government surveillance practices, the ratio of citizen approval over United Kingdom oversight has generally remained the same since 2013. Citizens in the United States are demanding greater privacy rights and less government surveillance while British citizens have actually demanded more surveillance from their security agencies.

Ultimately, surveillance policy in the United States has found greater opposition and backlash in the public than similar legislation in the United Kingdom. There are a number of factors that could be attributed to this difference.

The first goes back to the publicized national security strategies of each country. Both nations pinpoint globalization as a factor changing the global stage,

yet have subtly differing attitudes toward the phenomenon. In many government publications, the United States has frequently mentioned globalization in the context of opportunity and optimism. While the United Kingdom does celebrate globalization in terms of economic opportunity, security publications are more likely to refer to globalization as a reason for caution. While this context can be picked up in the latest UK National Security Strategy and its emphasis on domestic resilience, this apprehension toward globalization and subsequent interdependence was much more apparent in the 2010 version of the British national security strategy titled, “A Strong Britain in an Age of Uncertainty.” This document warned that while there was no existential threat to security at the present, “we cannot be complacent.” This mentality played heavily into the 2010 security strategy’s perception of privacy, as it stated that, “To protect the security and freedom of many, the state sometimes has to encroach on the liberties of a few: those who threaten us.”100

Another reason along a similar vein is that the United Kingdom domestic strategy appears to hold a greater focus on the concept of community as integral to maintaining national security, while the United States rhetoric has been more focused on honoring the rights and liberties of the individual. This was already suggested with the mentality presented in the 2010 British security strategy with the idea of restricting the few for the benefit of the whole. The United Kingdom’s

100 United Kingdom, HM Government, A Strong Britain in an Age of Uncertainty: The National Security Strategy (London: TSO, 2010). 71

2015 national security strategy also places heavy emphasis on community effort in creating a strong resilient society as a highly important aspect of security. The subsequent effect this has on policy is apparent: the United Kingdom’s national strategy regarding cybersecurity and threats proposes educating the community as a whole, while the United States Cyber Strategy only mentions providing educational resources for government security officials.

As a result, citizens in both countries also have differing perceptions of security and what that entails. This is perhaps most apparent in the British citizens’ attitude toward CCTV and its overall acceptance. As seen earlier, CCTV was not necessarily considered to be active surveillance and was highly regarded as a nonintrusive and more appealing option for security than the collection of voice or biometric data.101 Meanwhile, CCTV is met with greater opposition when presented in the United States. After the bombings of the Boston marathon in 2013, the installation of additional CCTV cameras around the city met two public concerns. Many privacy advocates not only questioned the effectiveness of CCTV in deterring crime, but also expressed major concern over the possibility of abuse from government officials.102

This may be perceived as a difference in faith for the respective government in office, and while surveys from both the United States and United

Kingdom have reported a general distrust in the effectiveness of their politicians,

101 See Figure 12. 102 Heather Kelly, “After Boston: The Pros and Cons of Surveillance Cameras,” CNN, April 26, 2013, http://edition.cnn.com/2013/04/26/tech/innovation/security-cameras-boston-bombings/. 72

there may be some merit to this when analyzing government responses to concerns as a whole. Since the activities of their government agencies were exposed, there does appear to have been a more conscious effort from the United Kingdom to clarify legislation and understanding surrounding surveillance practices than in the

United States. While both government-released strategies have traditionally mentioned the work of their intelligence agencies and their importance to national security, the security strategy of the United Kingdom is more likely to go into detail about the nature of their work. British security strategies also tend to acknowledge and discuss where the secret nature of intelligence and surveillance lies in the grand scheme of security for the United Kingdom.

“Our security and intelligence agencies play a vital role in protecting our country from threats to our way of life. It is inherent in their work that most of it has to be done in secret to protect those who risk their lives for our security, and to maintain the confidence and cooperation of partners overseas. For the same reasons the exercise of oversight, whether by Parliament or through the courts, also has to involve a measure of secrecy. Here too we must strike a balance, between the transparency that accountability normally entails, and the secrecy that security demands.”103

When surveyed, British citizens primarily criticized the fact that the surveillance methods employed by the government may not have passed through the appropriate legal channels. While the Investigative Powers Bill is being heavily criticized for its proposed expansion of government oversight powers, the fact that it was preceded by a government-issued survey on the lack of cohesiveness in surveillance legislature speaks to the nation’s efforts to actively resolve publicly

103 United Kingdom, A Strong Britain in an Age of Uncertainty. 73

addressed concerns. On the other hand, legislation in the United States has often been passed relatively quietly and without attention to the general public. Action to change legislation in the United States has largely been dependent upon individuals who closely follow and politicians who have been willing to address these concerns on behalf of the people they represent.

Do these difference simply indicate divergent functionality between systems of government or do they rest in deeper ideas of social capital?

Considering how the concept of community can result in differing concepts of security and its place, there is strong evidence toward the latter. Though it was labeled as necessary for recovery after the terrorist attacks in September 2001, social capital does not have as prominent a place in United States federal analysis as it does in the United Kingdom.104 A decline in social engagement and capital in

American society had been reported by Robert Putnam in his book Bowling Alone, who attributed this lack of community to a distrust in government and consequent lowered levels of civic participation.105 A similar study conducted by Dora Costa and Matthew Kahn concluded with a similar decline, but also noted that “Both high income inequality and low ethnic homogeneity predicts low membership across western European countries.”106 These findings have particular implications for

104 Lisa Hudson and Chris Chapman, “The Measurement of Social Capital in the United States,” In OECD Proceedings of International Conference on the Measurement of Social Capital, London, September 2002. http://www.oecd.org/unitedstates/2382454.pdf. 105 Robert D. Putnam, Bowling Alone: The Collapse and Revival of American Community (New York: Simon & Schuster, 2000), 19. 106 Dora L. Costa and Matthew E. Kahn, “Understanding the American Decline in Social Capital, 1952-1998,” Kyklos 56, no. 1 (2003): 17-46. doi:10.1111/1467-6435.00208. 74

many European nations reporting immigration as a crisis. Considering the current tension towards foreigners in the United Kingdom, it would not be unreasonable to conclude that the preservation of a common community has become the primary driving force behind national security issues here. Compared to the relatively individual-centric rhetoric of the United States, British citizens interpret surveillance practices for security purposes as necessary to maintain a stronger community.

Taking all of this into account, which nation could be said to have done a better job of ensuring national security? When comparing security objectives with post-Snowden events, the United Kingdom arguably handled the fallout from the global surveillance disclosures in a way that was more productive toward its national security goals. By actively working toward clarifying its legislature and thereby addressing community concerns, the United Kingdom was still able to keep their society relatively undivided. As the possibility for discussion on the subject continues to languish in the United States, events that bring these concerns to light are met with greater hostility and further polarize stances on the subject.107

The lack of trust in post-Snowden political endeavors for the United States from its own citizens means that moving forward will be an uphill climb until the debate for privacy vs. security is appropriately addressed.

107 An example of this is the San Bernardino case in December 2015. The Federal Bureau of Investigation demanded Apple to write software that would extract data from the gunman’s iPhone. When the company did not comply, the FBI eventually extracted the data themselves while refusing to tell Apple how it was done. Danny Yadron, “San Bernardino IPhone: US Ends Apple Case after Accessing Data without Assistance,” The Guardian, March 29, 2016. 75

V. The Future of Signals Intelligence in Security

The previous conclusions were drawn from the national security strategies as they currently exist, working with current conceptions of civil liberties and surveillance. Whether the current state of surveillance as a whole is ultimately sustainable will be discussed next. In this chapter, I will be looking at the viability of the surveillance practices as outlined in the UKUSA Agreement as a potential model for other signals intelligence cooperative pacts and analyzing the inevitable debate of where civil liberties like privacy will lie in the context of national security. These will be presented in the form of policy suggestions for the future.

1. Surveillance in Democracies: Are There Other Options?

The main reason why the existence of the UKUSA Agreement was so controversial is that the ideals of individual freedom and privacy seemed contradictory to the mass surveillance practices imposed by these governments.

While surveillance ultimately makes sense in the context of preparing for the unexpected, many wonder if democracies have another option that does not compromise privacy.

Due to how we currently perceive concepts like privacy and security, it is safe to say that the average citizen will not voluntarily give up the entirety of their information to the government at this time. As a result, a nation wishing to maintain an accurate bank of citizen data will find it difficult to complete if a publicized mandate is made. Not only will people make active efforts to conceal their data, but even those who acquiesce may unconsciously censor themselves, 76

providing an ultimately incomplete picture. As it stands, the most reliable way for a national government to maintain complete and accurate citizen data is to conduct surveillance and data collection without public knowledge. Of course, this is hardly an option anymore with the disclosures of 2013. Once news of surveillance activity had been announced, this passive oversight has transformed itself into a panopticon108 situation for many concerned with personal privacy. Self-censorship occurred for many people regardless of the nation’s original intents to maintain secrecy and avoid such an outcome. A survey on American citizens in 2015 reported that 34% who were aware of the surveillance programs and data collection activity had taken personal measures to conceal their information from the government’s eyes.109

Can democratic values and mass surveillance coincide and be justified to work together? The current answer is almost overwhelmingly no: mass surveillance has been widely regarded as a violation of human rights that threaten not only the right to privacy and procedural fairness rights, but also “eradicates any considerations of proportionality, enabling indiscriminate surveillance…without gaining authorization for each individual case of interception.”110 Despite this, it

108 The Panopticon was a prison designed by Jeremy Bentham in the late 18th century in which prisoners could never see their warden yet the warden had full view of all prisoners. Because the prisoners could never know when they were and weren’t being watched, it encouraged prisoners to act like they were being watched at all times. Even if the warden could not physically observe all prisoners at once, the environment essentially controlled the behavior of the prisoners. Jeremy Bentham, The Works of Jeremy Bentham, Vol. 4 (Edinburgh: W. Tait, 1843). 109 Rainie and Madden, “Americans’ Privacy Strategies Post-Snowden.” 110 “Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue,” United Nations Human Rights Office of the High Commissioner, April 17, 2013. 77

would be unrealistic to remove all traces of surveillance entirely due to how heavily integrated signals intelligence collection has become to modern national security.

Solutions presented often focus on strengthening and restructuring existing privacy laws and legal standards. While that is a good start, they often present surveillance as a practice that should be completely abolished. While it can be agreed that the revelation of surveillance at its current state has been detrimental to policy formation, it is likely that there exists a viable framework for signals intelligence collection to work as intended. Some of the findings of this paper lead to additional concrete policy suggestions to ensure oversight practices work to the benefit of both the state and the individual.

2. Transparency of Government and Enforcement

The United States and United Kingdom have both attempted to pass legislation cementing their capabilities post-Snowden. Most of the legislation that has cycled through the United States House and Senate has been passed without any notification to the public. Though citizens can take action if they actively follow these developments, the fact that many of these laws have been kept secret has left many citizens bitter toward the state. Democratic states would do well to remember that a solution people freely agree upon is more likely to be successful over policies that are forcibly implemented, especially when boasting the citizen’s ability to make their voice heard on such policies. While British citizens tend to agree that the United Kingdom’s Investigatory Powers Bill is not ideal legislation

at this time, none of the process has been kept secret from the public and can prove to be an example of a more productive discussion. So long as Parliament continues to listen to the criticisms expressed by their public, the same political environment that exists in the post-Snowden United States is unlikely to show.

The difference in policy handling by the United States and the United

Kingdom after the disclosures as well as the consequent domestic reaction is telling of the necessity for proper dialogue between the state and the populace on this subject. While other kinetic security aspects such as military and state leader interaction tangentially affect the average citizen, issues of ICT, surveillance, and privacy affect every user equally. Networks and cyberspace have frequently been described as a public good, but Elinor Ostrom’s classification of these as a

“common pool resource” is more appropriate.111 In this case, exclusion is difficult to achieve and exploitation by one party therefore subtracts value for other parties.

States may balk at the idea of complete transparency in surveillance activities and data collection, yet progress toward this goal may be the best way to ensure a positive experience for the greatest number of people. A clear statement from governments of when and in what circumstances surveillance is deemed appropriate and necessary can begin the discussion and hopefully foster a working compromise.

111 Nye, The Future of Power, 142.

3. The Individual in National Security

Referring back to the cognitive model of cyberspace, it has been evident for a while that the nature of attackers and targets is different on the virtual plane.

Combined with Ostrom’s previous classification of digital space as a common pool resource, ensuring collective security for all users requires that all users are equipped to protect themselves. Signals intelligence collection and cybersecurity in general have been used by the FVEY nations as a tool to supplement physical security objectives, but it is important to note that the traditional guarantee of individual security through collective security can no longer be considered effective online. Security in cyberspace must be achieved from the inside-out rather than from the outside-in.

Providing the public with tools and education to ensure properly secure practices when using online resources would be critical to keeping citizens of any age and experience with technology on equal footing. Democratic states that value civil liberties should also be sure to honor those in its public resources. Concerned individuals should be allowed to be informed of and have access to ways of ensuring one’s own privacy without consequent public federal backlash. These tools should extend to encryption methods, which have become the source of heated debate between privacy advocates and the government. I have found that publicly disallowing encryption as some states have is counterintuitive to overall security, as it advertises to others that the citizens in question are not as well protected and therefore easier targets for surveillance. As individuals improve and

secure their own usage habits, a nation as a whole will have built up a greater overall defense against outside attackers than entrusting all citizen data to a smaller, more accessible target. In fact, it could be said that the fact that Edward

Snowden was able to download and publicly release the documents in the first place is further indication of this point.

4. Introducing Technical Expertise

The technical aspects of policy making often refer to the realistic application and implementation of proposed measures. Because of the complex computational nature of cyberspace, remembering this dimension as an important aspect of policy is crucial to success. As illustrated by political rhetoric and subsequent ridicule in earlier days of ICT policy, the suffix “cyber” has come to be associated with technological ineptitude and general ignorance to the function of

ICT. While there will eventually come a point when policy makers will have grown up with and therefore understand the significance of the technology they write mandates for, current policy makers would do well to seek the counsel of experts that can gauge the feasibility of policies and accurately predict their effectiveness.

Technical expertise also plays into the state’s duty to provide resources for the individual. Creating greater accessibility to technical courses on ICT may encourage people to learn more about the inner workings of the machines and networks they use. Doing so will allow more people to have a greater general

understanding of ICT and motivate them to do their part in ensuring secure usage habits.

5. SIGINT Surveillance and Terrorism

Because this is the primary justification often provided by democratic states, it is important to discuss the realistic possibility of signals intelligence collection and its effectiveness in combating terrorism. The issue of retaining data and charging a citizen for “future crimes” has also been addressed by critics of national legislature. Ultimately, it is difficult to create surveillance laws that specifically target terrorism because doing so involves defining suspicious activity, which often raises questions or objections to the contrary. At the same time, surveillance programs as they exist have been regarded as the least physically intrusive manner of collecting information possible, so it seems there should be a way to use the information to deter or alert nations to terrorist attacks.

Many cases of successful terrorist plots that have gone undetected by the

NSA and GCHQ have pointed to the conclusion that overhead surveillance does not prevent terrorism any more than traditional espionage methods do. It is possible that this is indicative of another conclusion, which is that signals intelligence collection has limits. Information drawn from SIGINT may not be able to completely halt a terrorist plot, but it should be able to supplement existing investigations (this has often been the case anyway). While definitive laws specifying targets for terrorism may not be feasible, facilitating the legal process for appropriate intelligence to become supporting evidence while preventing

potential administrative abuse would be beneficial to national efforts in stopping terrorist attacks.

In the end, the idea of eradicating terrorism through signals intelligence collection alone seems highly unlikely. As many scholars point out, terrorism is symptomatic of greater issues existing within a nation. Efforts should ultimately be made to mitigate those first.

6. A Discussion about Privacy’s Future

People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time. — Mark Zuckerberg, founder of Facebook112

Edward Snowden chose to release the documents he has specifically because of their implications for personal privacy. Therefore, the topic of surveillance necessitates a separate discussion on privacy itself as a concept. There are many who believe privacy is becoming an increasingly outdated concept considering how much information we choose to share and broadcast on a regular basis. Despite this, survey results show that the younger generation values privacy to the point of prioritizing it over security from terrorism. While privacy is certainly not outdated by means of these poll results, there is indication that the concept is at least evolving.

112 Bobbie Johnson, “Privacy No Longer a Social Norm, Says Facebook Founder,” The Guardian, January 11, 2010, https://www.theguardian.com/technology/2010/jan/11/facebook-privacy. 83

Privacy as it currently exists has been considered to be at odds with the future of potential innovation. As the Internet of Things comes closer into light, the prospect of our daily devices being connected is worrisome to those who do not want their personal information exposed any more than it needs to be.

Interestingly, older populations are among the wariest, with 45% expressing distrust in a company’s ability to securely use their private data.113 Companies will inevitably need to find ways to share customer data without compromising privacy concerns, yet it is possible that our individual conceptions of privacy will need to meet them halfway.

Daniel Solove has noted in his work that a privacy framework should be flexible and has generally been too narrowly defined by certain concepts of privacy. Solove then uses this to show how privacy laws are too rigid to adequately address upcoming privacy issues. He remarks on the changing nature of privacy over time, adding that, “what it currently means to call them “private” differs from what was meant in other times during history.”114 Changes in culture and society will alter how we perceive privacy, and it is not unreasonable to believe that a similar change is occurring now. Solove’s idea of a flexible framework will certainly prove useful in a future of evolving privacy, not only for law but for national and international policy formation as well.

113 Stacey Higginbotham, “Companies Need to Share How They Use Our Data. Here Are Some Ideas,” Fortune, July 6, 2015, http://fortune.com/2015/07/06/consumer-data-privacy/. 114 Daniel J. Solove, “Conceptualizing Privacy,” California Law Review 90, no. 4 (2002): 1141. doi:10.2307/3481326. 84

VI. Concluding Analysis

1. Thesis Findings

This thesis has found a number of answers to the questions previously asked. While unannounced surveillance is counterintuitive to democratic values, the states within FVEY have recognized that the constantly changing environment of cyberspace increases uncertainty of an opponent’s actions and requires constant awareness to stay ahead. The collection duties as outlined in the UKUSA

Agreement reveal FVEY motivations are to ensure that citizen data is not used to their disadvantage by knowing about it first. The intelligence and data gathered by the FVEY alliance is pooled together, yet there appears to be no structured goals as a traditional alliance in terms of using this data. This signals intelligence pact seems to exist solely as a resource for the five nations to utilize the data in whatever way serves individual national interest.

The UKUSA Agreement is a standing embodiment of the “special relationship” between the United States and United Kingdom. While reports are equally shared among Canada, Australia, and New Zealand as well, the United

States and United Kingdom share significantly more data between each other as well as permit exclusive access to their SIGINT collection equipment. Though no agenda is laid out in the UKUSA Agreement, both nations mention the importance of their relationship with the other in their national security strategy. By using the data collected through FVEY to ensure their own national security interests, they are simultaneously assisting the other nation in achieving security as well. 85

The differences between the post-Snowden eras of the United States and

United Kingdom can be said to be due to differing perceptions of what is being protected in “national security”. Because the United States has historically emphasized the importance and benefits of preserving individual rights and liberties, citizens have been much more vocal in their disapproval for government surveillance practices. The United Kingdom’s historic interpretation of security as serving the community has not only encouraged a less heated response to the initial revelations, but has also resulted in active efforts by the government to restructure and reform privacy and investigation law. The community focus in the United

Kingdom as a priority would also encourage the greater oversight opinions it has attracted if the theories about income inequality and ethnic heterogeneity resulting in degraded social capital are true. Faced with greater geopolitical concerns in closer proximity, the United Kingdom can be said to have more at immediate stake and a greater sense of urgency than the United States. Subsequent policy formation in the United Kingdom has therefore been united and arguably more productive than in the United States.

Overall, the capabilities presented in mass surveillance and signals intelligence data collection have altered the concept of national security by shifting focus toward societal and individual needs. Unfortunately, national security strategies in democratic nations have not taken this fully into account, often citing cyberspace as an element to consider rather than its own fully developed security

objective. Until these issues are addressed properly, the debate on signals intelligence usage is bound to become sluggish and sterile.

2. Limitations and Future Research

While my thesis has discussed many ideas and events, there are many other aspects to the debates rising from the global surveillance disclosures of 2013.

Moreover, I worked with a specific scope of observation, and would like to recognize these areas I did not discuss here as potential topics I may pursue in future research.

Perhaps the most obvious limitation is that this paper only focused on the five democracies within the FVEY alliance, and additionally only went into significant detail for two of its members. This opens possibilities for research subjects in a number of ways. Not only could analysis be done on the citizen response and subsequent policies for Canada, Australia, and New Zealand, but also for the allied third parties with which signals intelligence data was shared through

FVEY. There is also significant opportunity in focusing on surveillance in developing states, as many questions that surround technology may be mitigated or compounded by existing kinetic developmental challenges.

I have also placed most of my focus on the dynamic between the individual and the state and how security and privacy affect that. Despite their relatively larger role in ICT policy, I have not added international companies or the private sector to my analysis. Considering how communications providers are often the mediating party in possession of a citizen’s data, I feel that this is an

important aspect that should have been discussed in greater detail. Companies like

Google and Apple have held prominent stances on the debate of security versus privacy, and analyzing their statements alongside their company practices and End

User License Agreements is a direction in my research that would be worth exploring.

Despite how both national security strategies emphasized the importance of a strong economy, I specifically chose to discuss security in respect to societal aspects and opinion rather than implement an economic analysis. While I felt that individual privacy played a greater role in societal definitions of security, prevention of cybercrime and cyber attacks on financial business infrastructure is absolutely critical to security as well.

Finally, document analysis is naturally limited to what Snowden has chosen to disclose. He had previously stated that he excluded “regular nation-state surveillance” and only leaked documents with negative implications for personal privacy and civil liberties. Although this thesis focused on the documents released within a set time range (June 2013 – December 2015), the disclosures are a living issue and will continue as long as surveillance practices do. Even so, interest on the subject is noticeably dissipating. It is curious to consider what kind of disclosures would reignite public interest to the same effect that the first disclosures had. Not only would I be interested in continuing my research as more documents are released, but looking into the kinds of foreign surveillance that was not released would be fascinating as well. Depending on what information exists within this

subset of disclosed documents, there could be major changes to the international data set I used in this paper.

Primarily, I would not only be interested in researching these additional subjects, but also pursuing a deeper analysis for a cognitive model for cyberspace.

Because of how intertwined socio-psychological factors already are with ICT and the concept of a “cyberspace network”, it is important to have a model of this concept that more accurately portrays that. As our perceptions and interpretations of the world around us continue to shape the norms and atmosphere online, it is critical to be aware of this and effectively integrate it as an aspect of creating security policy. The amplification effect our incredible connectivity has on these kinds of issues will undoubtedly hold an even greater significance than they already do in future years. Ultimately, this thesis is a small aspect of a large range of issues that while currently contentious and heated, the resolution of which will propel international society forward.

Bibliography

United States of America. Office of the National Counterintelligence Executive Special Security Directorate. (U) Intelligence Community Markings System Register and Manual. https://www.scribd.com/doc/223130300/Intelligence-Community- Markings-System-Manual-and-Register. "18 U.S. Code § 2332a - Use of Weapons of Mass Destruction." LII / Legal Information Institute. 2001. https://www.law.cornell.edu/uscode/text/18/2332a. United Kingdom. HM Government. A Strong Britain in an Age of Uncertainty: The National Security Strategy. London: TSO, 2010. "Abbreviations Explained: How to Read the NSA Documents." Der Spiegel. June 18, 2014. http://www.spiegel.de/international/world/glossary-of-nsa- abbreviations-a-975930.html. Ackerman, Spencer. "NSA Warned to Rein in Surveillance as Agency Reveals Even Greater Scope." The Guardian. July 17, 2013. https://www.theguardian.com/world/2013/jul/17/nsa-surveillance-house- hearing. Ackerman, Spencer, and Sabrina Siddiqui. "NSA Surveillance Opposed by American Voters from All Parties, Poll Finds." The Guardian. May 18, 2015. https://www.theguardian.com/us-news/2015/may/18/us-voters- broadly-opposed-nsa-surveillance. United States of America. War Department. Agreement between British Government Code and Cipher School and U.S. War Department in Regard to Certain "Special Intelligence" - 10 June 1943. https://www.nsa.gov/news-features/declassified- documents/ukusa/assets/files/spec_int_10jun43.pdf. Art, Robert J., and Kenneth Waltz. The Use of Force: Military Power and International Politics. 7th ed. Lanham, MD: Rowman & Littlefield, 2009. Barak, Azy. Psychological Aspects of Cyberspace: Theory, Research, Applications. Cambridge: Cambridge University Press, 2008. Bentham, Jeremy. The Works of Jeremy Bentham. Edited by John Bowring. Vol. 4. Edinburgh: W. Tait, 1843. Betz, David, and Tim Stevens. Cyberspace and the State: Toward a Strategy for Cyber-power. London, U.K.: IISS, The International Institute for Strategic Studies, 2011. Blackhurst, Chris, and John Gilbert. "US Spy Base 'taps UK Phones for MI5'" The Independent. October 23, 2011. http://www.independent.co.uk/news/uk/home-news/us-spy-base-taps-uk- phones-for-mi5-1364399.html.

Blanchard, Anita, and Tom Horan. "Virtual Communities and Social Capital." Social Science Computer Review 16, no. 3 (1998): 293-307. doi:10.1177/089443939801600306. Buzan, Barry, Ole Waever, and Jaap De Wilde. Security: A New Framework for Analysis. Boulder: Lynne Rienner Publishers, 1998. Buzan, Barry, and Lene Hansen. The Evolution of International Security Studies. Cambridge, UK: Cambridge University Press, 2009. Cable, Jonathan. "UK Public Opinion Review." Cardiff University. June 18, 2015. http://sites.cardiff.ac.uk/dcssproject/files/2015/08/UK-Public-Opinion- Review-180615.pdf. Campbell, Duncan. "Somebody's Listening." New Statesman Society, August 12, 1988, 10-12. Campbell, Duncan. "Global Spy System ECHELON Confirmed at Last – by Leaked Snowden Files." The Register. August 3, 2015. http://www.theregister.co.uk/2015/08/03/gchq_duncan_campbell/. Clarke, Charles. "Orders of the Day — Terrorism Bill | Part of the Debate – in the House of Commons at 1:24 Pm on 26th October 2005." TheyWorkForYou. October 26, 2005. http://www.theyworkforyou.com/debates/?id=2005-10-26b.340.3. Clarke, Richard A., Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein, and Peter Swire. The NSA Report: Liberty and Security in a Changing World. Princeton, NJ: Princeton University Press, 2014. Cohen, Jon. "Most Americans Back NSA Tracking Phone Records, Prioritize Probes over Privacy." Washington Post. June 10, 2013. https://www.washingtonpost.com/politics/most-americans-support-nsa- tracking-phone-records-prioritize-investigations-over- privacy/2013/06/10/51e721d6-d204-11e2-9f1a-1a7cdee20287_story.html. Costa, Dora L., and Matthew E. Kahn. "Understanding the American Decline in Social Capital, 1952-1998." Kyklos 56, no. 1 (2003): 17-46. doi:10.1111/1467-6435.00208. United States of America. Department of Defense. Cyber Strategy. 2015. Dahlgreen, Will. "Little Appetite for Scaling Back Surveillance." YouGov. October 13, 2013. https://yougov.co.uk/news/2013/10/13/little-appetite- scaling-back-surveillance/. Dahlgreen, Will. "Broad Support for Increased Surveillance Powers." YouGov. January 15, 2015. https://yougov.co.uk/news/2015/01/18/more- surveillance-please-were-british/. Dost, Meredith. "Public Split over Impact of NSA Leak, But Most Want Snowden Prosecuted." Pew Research Center for the People and the Press. June 17, 2013. http://www.people-press.org/2013/06/17/public-split-over-impact- of-nsa-leak-but-most-want-snowden-prosecuted/. Dost, Meredith. "Few See Adequate Limits on NSA Surveillance Program." Pew Research Center for the People and the Press. July 26, 2013.

http://www.people-press.org/2013/07/26/few-see-adequate-limits-on-nsa- surveillance-program/. Drake, Thomas. "Snowden Saw What I Saw: Surveillance Criminally Subverting the Constitution." The Guardian. June 12, 2013. http://www.theguardian.com/commentisfree/2013/jun/12/snowden- surveillance-subverting-constitution. Foreign Intelligence Surveillance Act of 1978: Hearings, 95th Congress, 2nd Session, 1978. Washington, D.C.: U.S. G.P.O., 1978. Gallagher, Ryan. "British Spy Chiefs Secretly Begged to Play in NSA's Data Pools." The Intercept. May 1, 2014. https://theintercept.com/2014/04/30/gchq-prism-nsa-fisa-unsupervised- access-snowden/. Gardham, Duncan. "Document That Formalised 'special Relationship' with the US." The Telegraph. June 24, 2010. http://www.telegraph.co.uk/news/worldnews/northamerica/usa/7852136/D ocument-that-formalised-special-relationship-with-the-US.html. Gellman, Barton, and Laura Poitras. "U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program." Washington Post. June 7, 2013. https://www.washingtonpost.com/investigations/us- intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret- program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html. "Global Opposition to USA Big Brother Mass Surveillance." Amnesty International. March 18, 2015. https://www.amnesty.org/en/latest/news/2015/03/global-opposition-to-usa- big-brother-mass-surveillance/. United Kingdom. Cabinet Office. Government Security Classifications. April 2014. https://www.gov.uk/government/uploads/system/uploads/attachment_data/ file/251480/Government-Security-Classifications-April-2014.pdf. Greenwald, Glenn. "NSA Collecting Phone Records of Millions of Verizon Customers Daily." The Guardian. June 6, 2013. http://www.theguardian.com/world/2013/jun/06/nsa-phone-records- verizon-court-order. Greenwald, Glenn, and Ewen MacAskill. "Boundless Informant: The NSA's Secret Tool to Track Global Surveillance Data." The Guardian. June 11, 2013. http://www.theguardian.com/world/2013/jun/08/nsa-boundless-informant- global-datamining. Greenwald, Glenn. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. New York, NY: Henry Holt, 2014. Hager, Nicky. Secret Power. Nelson, NZ: Craig Potton Publishing, 1996. Hansen, Lene, and Helen Nissenbaum. "Digital Disaster, Cyber Security, and the Copenhagen School." International Studies Quarterly 53, no. 4 (2009): 1155-175. doi:10.1111/j.1468-2478.2009.00572.x.

Henderson, Greg. "Obama To Leno: 'There Is No Spying On Americans'" NPR. August 7, 2013. http://www.npr.org/sections/thetwo- way/2013/08/06/209692380/obama-to-leno-there-is-no-spying-on- americans. Higginbotham, Stacey. "Companies Need to Share How They Use Our Data. Here Are Some Ideas." Fortune. July 6, 2015. http://fortune.com/2015/07/06/consumer-data-privacy/. Hildebrandt, Amber. "Communication Security Establishment's Cyberwarfare Toolbox Revealed." CBCnews. March 23, 2015. http://www.cbc.ca/news/canada/communication-security-establishment-s- cyberwarfare-toolbox-revealed-1.3002978. Hudson, Lisa, and Chris Chapman. "The Measurement of Social Capital in the United States." In OECD. Proceedings of International Conference on the Measurement of Social Capital, London. September 2002. http://www.oecd.org/unitedstates/2382454.pdf. "ICT Facts and Figures – The World in 2015." International Telecommunication Union. 2015. http://www.itu.int/en/ITU- D/Statistics/Pages/facts/default.aspx. Johnson, Bobbie. "Privacy No Longer a Social Norm, Says Facebook Founder." The Guardian. January 11, 2010. https://www.theguardian.com/technology/2010/jan/11/facebook-privacy. Joye, Christopher. "Interview Transcript: former Head of the NSA and Commander of the US Cyber Command, General Keith Alexander." Financial Review. May 08, 2014. http://www.afr.com/technology/web/security/interview-transcriptformer- head-of-the-nsa-and-commander-of-the-us-cyber-command-general-keith- alexander-20140507-itzhw. Kane, Paul. "House Passes Spy Bill; Senate Expected to Follow." Washington Post. June 21, 2008. http://www.washingtonpost.com/wp- dyn/content/story/2008/06/20/ST2008062001087.html. Kelly, Heather. "Protests against the NSA Spring up across U.S." CNN. July 5, 2013. http://edition.cnn.com/2013/07/04/tech/web/restore-nsa-protests. Kelly, Heather. "After Boston: The Pros and Cons of Surveillance Cameras." CNN. April 26, 2013. http://edition.cnn.com/2013/04/26/tech/innovation/security-cameras- boston-bombings/. Kirchner, Emil J., and James Sperling. National Security Cultures: Patterns of Global Governance. London: Routledge, 2010. Kramer, Franklin D. Cyberpower and National Security. Washington, DC: Center for Technology and National Security Policy, 2009. Madden, Mary. "Public Perceptions of Privacy and Security in the Post-Snowden Era." Pew Research Center Internet Science Tech. November 12, 2014. http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/.

"Majority Says NSA Tracking of Phone Records "acceptable" - Washington Post- Pew Research Center Poll." Washington Post. January 21, 2015. https://www.washingtonpost.com/page/2010- 2019/WashingtonPost/2013/06/10/National- Politics/Polling/release_242.xml. "Majority Views NSA Phone Tracking as Acceptable Anti-Terror Tactic." Pew Internet & American Life Project. June 10, 2013. http://www.people- press.org/2013/06/10/majority-views-nsa-phone-tracking-as-acceptable- anti-terror-tactic/. Morin, Richard. "Poll: Most Americans Support NSA's Efforts." Washington Post. May 12, 2006. http://www.washingtonpost.com/wp- dyn/content/article/2006/05/12/AR2006051200375.html. Nakashima, Ellen, and Joby Warrick. "For NSA Chief, Terrorist Threat Drives Passion to 'collect It All'" Washington Post. July 14, 2013. https://www.washingtonpost.com/world/national-security/for-nsa-chief- terrorist-threat-drives-passion-to-collect-it-all/2013/07/14/3d26ef80-ea49- 11e2-a301-ea5a8116d211_story.html. United States of America. White House. National Security Strategy. 2015. United Kingdom. HM Government. National Security Strategy and Strategic Defence and Security Review. 2015. United States of America. National Security Agency. New UKUSA Agreement - 10 May 1955. https://www.nsa.gov/news-features/declassified- documents/ukusa/assets/files/new_ukusa_agree_10may55.pdf. "Newly Released GCHQ Files: UKUSA Agreement." The National Archives. June 2010. http://www.nationalarchives.gov.uk/ukusa/. Newport, Frank. "Americans Disapprove of Government Surveillance Programs." Gallup. June 12, 2013. http://www.gallup.com/poll/163043/americans- disapprove-government-surveillance-programs.aspx. Newport, Frank. "Gallup Review: U.S. Public Opinion on Terrorism." Gallup. November 17, 2015. http://www.gallup.com/opinion/polling- matters/186665/gallup-review-public-opinion-terrorism.aspx. Nippert, Matt. "UK Foreign Secretary Philip Hammond Says It's Time to 'move On' from Snowden." The New Zealand Herald. March 11, 2015. http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1. Norman, Kent L. Cyberpsychology: An Introduction to Human-computer Interaction. Cambridge: Cambridge University Press, 2008. Nye, Joseph S., Jr. "Cyber Power." Harvard Kennedy Belfer Center for Science and International Affairs, May 2010. Nye, Joseph S. The Future of Power. New York, NY: PublicAffairs, 2011. Perrone, Jane. "The Echelon Spy Network." The Guardian. May 29, 2001. http://www.theguardian.com/world/2001/may/29/qanda.janeperrone. Pilkington, Ed, and Nicholas Watt. "NSA Surveillance Played Little Role in Foiling Terror Plots, Experts Say." The Guardian. June 12, 2013.

http://www.theguardian.com/world/2013/jun/12/nsa-surveillance-data- terror-attack. "President Obama and Chancellor Merkel on NSA Surveillance Issue." Deutsche Welle (English). July 19, 2013. https://youtu.be/qG0D3A8FkPo?t=4m. Putnam, Robert D. Bowling Alone: The Collapse and Revival of American Community. New York: Simon & Schuster, 2000. Rainie, Lee, and Mary Madden. "Americans' Privacy Strategies Post-Snowden." Pew Internet & American Life Project. March 16, 2015. http://www.pewinternet.org/2015/03/16/americans-privacy-strategies-post- snowden/. Rainie, Lee, and Shiva Maniam. "Americans Feel the Tensions between Privacy and Security Concerns." Pew Research Center. February 19, 2016. http://www.pewresearch.org/fact-tank/2016/02/19/americans-feel-the- tensions-between-privacy-and-security-concerns/. Reardon, Robert, and Nazli Choucri. "The Role of Cyberspace in International Relations: A View of the Literature." April 1, 2012. Prepared for the 2012 ISA Annual Convention in San Diego, CA. "Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue." United Nations Human Rights Office of the High Commissioner. April 17, 2013. http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/S ession23/A.HRC.23.40_EN.pdf. Riffkin, Rebecca. "Trust in U.S. Government's Terrorism Protection at New Low." Gallup. June 10, 2015. http://www.gallup.com/poll/183557/trust- government-terrorism-protection-new-low.aspx. Rogers, Joel F. "Public Opinion and the Intelligence Services." YouGov. October 11, 2013. https://yougov.co.uk/news/2013/10/11/british-attitudes- intelligence-services/. Sanger, David E., and John O'Neil. "White House Begins New Effort to Defend Surveillance Program." New York Times. January 23, 2006. http://www.nytimes.com/2006/01/23/politics/white-house-begins-new- effort-to-defend-surveillance-program.html. Sensenbrenner, Jim. "Author of Patriot Act: FBI's FISA Order Is Abuse of Patriot Act." Congressman Jim Sensenbrenner. June 06, 2013. http://sensenbrenner.house.gov/news/documentsingle.aspx?DocumentID= 337001. Silverleib, Alan. "Obama, Cameron Blast Release of Lockerbie Bomber." CNN. July 20, 2010. http://edition.cnn.com/2010/POLITICS/07/20/obama.cameron.visit/index. html. Singer, P. W., and Allan Friedman. Cybersecurity and Cyberwar: What Everyone Needs to Know. New York, NY: Oxford University Press, 2014.

"Snowden Doc Search." Snowden Doc Search. https://search.edwardsnowden.com/. "Snowden Surveillance Archive." Canadian Journalists for Free Expression. https://snowdenarchive.cjfe.org/greenstone/cgi-bin/library.cgi. Solove, Daniel J. "Conceptualizing Privacy." California Law Review 90, no. 4 (2002): 1087-156. doi:10.2307/3481326. Stobart, Janet. "Britain Denies Using PRISM to Get around Domestic Spying Laws." Los Angeles Times. June 10, 2013. http://articles.latimes.com/2013/jun/10/world/la-fg-wn-britain-nsa-prism- surveillance-program-20130610. "Surveillance Powers: New Law Needed, Says Terror Watchdog." BBC News. June 11, 2015. http://www.bbc.com/news/uk-33092894. Taylor, Jerome. "Google Chief: My Fears for Generation Facebook." The Independent. August 18, 2010. http://www.independent.co.uk/life- style/gadgets-and-tech/news/google-chief-my-fears-for-generation- facebook-2055390.html. United Kingdom. Ministry of Defence. The Defence Manual of Security. 2001. United Kingdom. Cabinet Office. The UK Cyber Security Strategy: Report on Progress and Forward Plans. 2014. Travis, Alan. "Investigatory Powers Bill: The Key Points." The Guardian. November 04, 2015. https://www.theguardian.com/world/2015/nov/04/investigatory-powers- bill-the-key-points. United Kingdom. GCHQ. National Archives. UKUSA Agreement Highlights Guide. June 2010. http://www.nationalarchives.gov.uk/documents/ukusa- highlights-guide.pdf. "UKUSA Agreement Release 1940-1956." National Security Agency. May 3, 2016. https://www.nsa.gov/news-features/declassified-documents/ukusa/. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001. Washington, D.C.: U.S. G.P.O., 2001. "USA Must Not Persecute Whistleblower Edward Snowden." Amnesty International. July 2, 2013. https://www.amnesty.org/en/latest/news/2013/07/usa-must-not-persecute- whistleblower-edward-snowden/. Walt, Stephen M. The Origins of Alliances. Ithaca: Cornell University Press, 1987. Walt, Stephen M. "The Renaissance of Security Studies." International Studies Quarterly 35, no. 2 (1991): 211-39. doi:10.2307/2600471. Waltz, Kenneth N. Theory of International Politics. Reading, MA: Addison- Wesley Publishing, 1979. Yadron, Danny. "San Bernardino IPhone: US Ends Apple Case after Accessing Data without Assistance." The Guardian. March 29, 2016.

https://www.theguardian.com/technology/2016/mar/28/apple-fbi-case- dropped-san-bernardino-iphone. "YouGov / Daily Telegraph Survey Results." YouGov. November 30, 2006. http://iis.yougov.co.uk/extranets/ygarchives/content/pdf/TEL060101024_3 .pdf. Zengerle, Patricia, and Warren Strobel. "Obama Signs Bill Reforming Surveillance Program." Reuters. June 02, 2015. http://www.reuters.com/article/us-usa- security-surveillance-passage-idUSKBN0OI2I920150603.

Appendix A: Key ICT indicators 2005-2015 (totals and penetration rates)

86.7 39.1 47.2 80.8 32.9 45.4 81.3 34.1 46.4 82.2 35.3 43.4 9.4 7.1 39.0 14.5 91.8 96.8 29.0 10.8 2015* 120.6 2015* 81.8 27.9 37.2 78.9 31.0 43.6 78.6 31.5 43.9 79.5 32.4 40.6 2014 2014 6.6 39.9 10.0 15.2 91.1 96.1 28.3 10.3 119.9 74.0 17.4 27.3 76.8 29.2 41.8 76.3 28.6 41.2 76.9 29.5 37.8 2013 2013 6.2 9.9 40.8 10.6 15.9 87.8 93.1 27.5 118.4 66.4 12.4 21.7 74.8 27.3 40.0 72.6 24.2 37.1 73.8 27.0 35.2 2012 2012 5.4 9.0 42.2 11.2 16.7 82.1 88.1 25.7 116.0 8.3 56.8 16.7 72.5 25.1 37.8 69.3 20.5 33.6 67.7 24.1 31.8 2011 2011 4.9 8.4 43.4 11.5 17.2 77.4 83.8 24.6 113.5 4.5 (%) 44.7 11.5 71.4 22.6 35.8 66.3 16.4 29.9 66.5 21.1 29.2 2010 2010 4.2 7.6 44.6 11.9 17.8 68.5 76.6 23.5 113.3 3.0 9.0 Per 100 inhabitants 36.6 69.1 21.4 34.6 62.6 13.6 27.0 62.9 17.4 25.6 2009 2009 3.5 6.9 45.5 12.4 18.4 58.2 68.0 22.0 112.1 1.6 6.3 27.5 66.1 19.6 32.6 57.7 12.3 24.8 61.3 14.6 23.1 2008 2008 2.9 6.1 44.3 12.8 18.5 49.0 59.7 20.4 107.8 0.8 4.0 18.5 62.3 17.6 30.2 53.4 11.2 23.0 59.0 11.9 20.6 2007 2007 2.3 5.2 44.8 13.0 18.8 39.1 50.6 18.0 102.0 9.6 9.4 N/A N/A N/A 58.6 15.8 28.0 48.2 20.5 53.5 17.6 46.6 13.0 19.2 92.9 30.1 41.7 15.5 1.8 4.3 2006 2006 8.1 7.8 N/A N/A N/A 55.5 14.6 26.2 44.7 18.4 50.9 15.8 47.2 12.7 19.1 82.1 22.9 33.9 12.3 1.3 3.4 2005 2005 N/A N/A N/A N/A N/A N/A 491 572 365 429 794 2015* 1,063 1,517 5,568 7,085 1,090 2,368 3,459 2015* 1,035 2,139 3,174 N/A N/A N/A N/A N/A N/A 2014 2014 500 599 355 394 748 997 1,099 1,504 5,450 6,954 1,026 1,667 2,693 1,940 2,937 N/A N/A N/A N/A N/A N/A 2013 2013 510 628 926 344 365 710 961 1,138 1,481 5,185 6,666 1,027 1,953 1,743 2,705 N/A N/A N/A N/A N/A N/A 2012 2012 526 652 828 726 321 315 635 921 1,178 1,447 4,785 6,232 1,554 1,573 2,494 N/A N/A N/A N/A N/A N/A 2011 2011 540 661 707 475 306 282 588 841 1,201 1,411 4,453 5,863 1,182 1,383 2,224 N/A N/A N/A N/A N/A N/A 2010 2010 553 676 554 253 807 291 236 526 824 1,229 1,404 3,887 5,290 1,195 2,019 N/A N/A N/A N/A N/A N/A 2009 2009 562 692 450 165 615 271 197 468 776 974 1,254 1,383 3,257 4,640 1,751 (millions) (millions) N/A N/A N/A N/A N/A N/A 2008 2008 86 544 705 336 422 250 161 411 753 808 1,249 1,325 2,705 4,030 1,561 N/A N/A N/A N/A N/A N/A 2007 2007 43 546 708 225 268 219 127 346 719 645 1,254 1,243 2,125 3,368 1,365 N/A N/A N/A N/A N/A N/A N/A N/A N/A 2006 2006 96 565 696 188 284 649 502 1,261 1,127 1,618 2,745 1,151 N/A N/A N/A N/A N/A N/A N/A N/A N/A 2005 2005 71 570 673 992 148 220 616 408 1,243 1,213 2,205 1,024

Fixed-telephone subscriptions Fixed-telephone Developed Developing World subscriptions telephone Mobile-cellular Developed Developing World subscriptions Activemobile-broadband Developed Developing World subscriptions broadband Fixed Developed Developing World acomputer with Households Developed Developing World accessInternet with athome Households Developed Developing World Internet the using Individuals Developed Developing World

Appendix B: Disclosed Documents (United States)

DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA FISC 2013 TS SI NOFORN Metadata, telephony -001 USA NSA 2013 TS SI / ORCON NOFORN Metadata, Internet -002 USA NSA 2013 TS SI / ORCON NOFORN Metadata, Internet -003 USA NSA 2013 TS SI / ORCON NOFORN Metadata, Internet -004 USA NSA 2012 Unclassified FOUO Metadata, Internet -005 USA USAG 2007 S COMINT NOFORN Communications, -006 domestic USA USAG 2007 TS COMINT NOFORN Communications, -007 domestic USA DOJ 2007 S COMINT / NOFORN Communications, -008 ORCON domestic USA NSA 2009 TS STLW / COMINT NOFORN Communications, -009 / ORCON domestic USA NSA 2007 UNK UNK Communications, Europe -010 diplomatic USA NSA 2013 TS SI / ORCON NOFORN Metadata, Internet -011 USA NSA 2008 TS COMINT FVEY Metadata, Internet -012 USA NSA 2012 TS SI NOFORN Communications, -013 foreign USA NSA 2011 Unclassified FOUO Communications, -014 domestic USA NSA 2012 TS COMINT NOFORN Communications, -015 domestic USA NSA 2007 TS COMINT / MR NOFORN Communications, -016 foreign USA NSA 2011 TS SI NOFORN Metadata, Internet -017 USA USIC 2012 TS SI / TK NOFORN Intelligence, general -018 USA NSA 2007 TS COMINT FVEY Communications, Mexico, Brazil -019 diplomatic USA NSA 2010 TS SI FVEY Decryption, encrypted -020 communications USA NSA 2004 TS UNK Decryption, encrypted -021 communications USA NSA 2012 TS SI / TK NOFORN Decryption, encrypted -022 communications USA NSA 2010 TS SI FVEY Decryption, encrypted -023 communications USA NSA 2012 UNK UNK Metadata, Internet -024 USA NSA 2010 TS SI FVEY Metadata, telephony -025 USA NSA 2009 TS COMINT REL USA, ISR Intelligence, signals Israel -026 USA NSA 2010 TS COMINT FVEY Intelligence, financial -027 USA NSA 2011 S SI REL Metadata, Internet -028 USA NSA 2010 S SI FVEY Metadata, telephony -029 USA NSA 2013 TS SI / COMINT FVEY Decryption, encrypted -030 communications USA NSA 2006 TS SI FOUO Decryption, encrypted -031 communications USA NSA 2012 TS COMINT FVEY Decryption, encrypted -032 communications USA NSA 2012 TS COMINT FVEY Decryption, encrypted -033 communications USA NSA 2013 CONF FVEY Intelligence, general -034 USA NSA 2013 S SI / SI-GAMMA / FVEY Communications, -035 TK / ORCON / domestic PROPIN / RELIDO USA NSA 2012 TS SI NOFORN Communications, -036 foreign USA NSA 2012 TS SI NOFORN Metadata, Internet -037 USA NSA 2010 TS SI REL Communications, -038 diplomatic USA NSA 2013 UNK UNK Communications, -039 foreign 99 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2013 TS SI NOFORN Metadata, Internet -040 USA NSA 2013 TS SI / ORCON NOFORN Metadata, Internet -041 USA NSA 2013 TS SI NOFORN Communications, -042 foreign USA NSA 2010 TS COMINT NOFORN Communications, -043 diplomatic USA NSA 2006 Classified UNK Communications, -044 foreign USA NSA 2010 TS COMINT FVEY Communications, -045 diplomatic USA NSA 2012 TS COMINT NOFORN Communications, Spain -046 foreign USA NSA 2013 TS SI NOFORN Communications, -047 domestic USA NSA 2013 S SI REL USA, Communications, -048 GBR domestic USA NSA 2010 TS COMINT NOFORN Intelligence, general -049 USA NSA 2007 TS COMINT FVEY Communications, -050 foreign USA NSA 2007 S COMINT REL USA, Communications, -051 AUS, foreign CAN, GBR USA NSA 2009 TS COMINT FVEY Intelligence, general -052 USA NSA 2012 TS SI NOFORN Communications, -053 diplomatic USA NSA 2010 TS COMINT NOFORN Communications, -054 domestic USA NSA 2013 UNK UNK Communications, -055 domestic USA NSA 2009 S COMINT NOFORN Intelligence, general -056 USA NSA 2012 TS SI NOFORN Metadata, Internet -057 USA NSA 2007 TS COMINT UNK Communications, -058 domestic USA NSA 2001 Unclassified Unclassified Communications, -059 telecommunications USA NSA 2010 Unclassified Unclassified Communications, -060 telecommunications USA NSA 2011 Unclassified Unclassified Communications, -061 telecommunications USA NSA 2011 Unclassified Unclassified Communications, -062 telecommunications USA NSA 2011 Unclassified Unclassified Communications, -063 telecommunications USA NSA 2011 UNK Unclassified Communications, -064 telecommunications USA NSA 2004 Unclassified Unclassified Metadata, Internet -065 USA NSA 2010 Unclassified Unclassified Metadata, Internet -066 USA NSA 2013 TS COMINT NOFORN Communications, Norway -067 foreign USA USAG 2008 Unclassified Unclassified Communications, -068 Internet USA NSA 1986 Unclassified Unclassified Communications, -069 telecommunications USA NSA 2009 Unclassified Unclassified Communications, -070 telecommunications USA NSA 2011 Unclassified Unclassified Communications, -071 telecommunications USA NSA 2011 Unclassified Unclassified Communications, -072 telecommunications USA NSA 2011 Unclassified Unclassified Communications, -073 telecommunications USA USAG 2008 S NOFORN Intelligence, general -074 USA NSA 2009 Unclassified Unclassified Intelligence, general -075 USA NSA 2007 S COMINT UNK Intelligence, general -076 USA NSA 2007 Unclassified Unclassified Metadata, Internet -077 USA NSA 2005 S SI NOFORN Communications, -078 foreign USA NSA 2012 Unclassified FOUO Communications, -079 foreign USA NSA 2013 UNK UNK Communications, Afghanistan -080 foreign USA NSA 2012 TS COMINT FVEY Communications, -081 foreign 100 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2012 TS SI FVEY Intelligence, general -082 USA NSA 2012 TS SI NOFORN Communications, -083 domestic USA NSA 2013 TS SI FVEY Communications, -084 foreign USA NSA 2010 TS SI / TK FVEY Communications, -085 foreign USA NSA 2009 UNK UNK Communications, -086 domestic USA NSA 2012 TS COMINT FVEY Communications, -087 foreign USA NSA 2011 TS SI NOFORN Communications, -088 foreign USA NSA 2012 TS COMINT NOFORN Communications, Italy -089 foreign USA NSA 2013 TS COMINT NOFORN Communications, Sweden, Russia -090 foreign USA NSA 2013 TS SI FVEY Communications, Canada -091 foreign USA NSA 2012 TS COMINT FVEY Communications, -092 domestic USA NSA 2010 TS COMINT NOFORN Communications, -093 domestic USA NSA 2012 TS COMINT FVEY Communications, -094 foreign USA NSA 2013 S SI FVEY Communications, -095 foreign USA NSA 2008 S COMINT FVEY Communications, -096 foreign USA NSA 2010 TS COMINT FVEY Communications, -097 foreign USA NSA 2013 TS COMINT FVEY Communications, Sweden -098 foreign USA NSA 2013 TS SI NOFORN Communications, Sweden, Russia -099 foreign USA NSA 2013 TS SI NOFORN Communications, -100 foreign USA NSA 2013 TS COMINT NOFORN Communications, Sweden -101 foreign USA NSA 2013 TS SI NOFORN Communications, Sweden -102 foreign USA NSA 2013 TS COMINT NOFORN Communications, Sweden -103 foreign USA NSA 2006 TS SI UNK Communications, -104 foreign USA NSA 2009 Unclassified UNK Communications, Sweden -105 foreign USA NSA 2001 UNK COMINT / X1 NOFORN Intelligence, general -106 USA NSA 2006 S COMINT FVEY Communications, -107 domestic USA NSA 2008 TS COMINT FVEY Communications, -108 foreign USA NSA 2011 TS Classified FVEY Communications, -109 foreign USA NSA 2013 TS SI FVEY Communications, -110 foreign USA NSA 2013 TS SI / COMINT NOFORN Communications, -111 foreign USA NSA 2011 TS FVEY Intelligence, signals -112 USA NSA 2012 TS SI FVEY Intelligence, signals -113 USA NSA 2011 TS FVEY Data, text messages -114 USA NSA 2010 TS FVEY Data, cell phone -115 location USA NSA 2010 TS FVEY STRAP 1 Communications, -116 mobile USA NSA 2010 TS FVEY STRAP 1 Data, cell phone -117 location USA NSA 2009 TS REL Communications, -118 diplomatic USA NSA 2012 TS COMINT NOFORN Communications, Netherlands -119 foreign USA NSA 2011 TS SI NOFORN Data, location Yemen -120 USA NSA 2013 TS SI / TK / ORCON FVEY Communications, -121 / PROPIN domestic USA USAG 2013 Unclassified Unclassified Metadata, telephony -122 USA NSA 2013 TS SI NOFORN NLD Data, call records Somalia, -123 Pakistan USA NSA 2010 Unclassified Unclassified None -124 101 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2011 Unclassified Unclassified None -125 USA NSA 2011 Unclassified Unclassified None -126 USA NSA 2012 Unclassified Unclassified None -127 USA NSA 2006 TS COMINT NOFORN Communications, United States -128 domestic USA NSA 2009 TS SI / ORCON NOFORN Communications, -129 domestic USA NSA 2012 TS SI NOFORN Communications, -130 domestic USA USAG 2002 S X1 UNK Communications, -131 domestic USA NSA 2010 Unclassified FOUO Intelligence, general -132 USA NSA 2009 TS FVEY Communications, -133 computer USA NSA 2010 TS COMINT FVEY Communications, -134 computer USA NSA 2010 TS FVEY Communications, -135 computer USA NSA 2010 TS FVEY Communications, -136 computer USA NSA 2010 TS FVEY Communications, -137 computer USA NSA 2012 TS NOFORN Communications, -138 computer USA NSA 2005 TS REL Communications, -139 computer USA NSA 2009 UNK UNK Communications, -140 computer USA NSA 2012 TS SI REL Communications, -141 Internet USA NSA 2011 TS FVEY Decryption, encrypted -142 communications USA NSA 2012 S SI UNK Intelligence, general -143 USA NSA 2010 TS FVEY United Kingdom -144 USA NSA 2009 TS FVEY Communications, -145 foreign USA NSA 2010 TS REL Communications, -146 computer USA NSA 2011 Unclassified FOUO Data, call records -147 USA NSA 2011 TS FVEY Data, call records -148 USA NSA 2013 TS FVEY Metadata, telephony -149 USA NSA 2012 TS FOUO Intelligence, -150 communications USA NSA 2010 TS FVEY Communications, China -151 foreign USA NSA 2009 TS COMINT FVEY Communications, Malaysia, -152 foreign Somalia, Peru, Belarus, Guatemala, Colombia, Mali, Germany, Syria USA NSA 2009 S FOUO Intelligence, signals -153 USA NSA 2012 TS NOFORN Communications, -154 domestic USA NSA 2012 TS FVEY Communications, -155 foreign USA NSA 2013 TS NOFORN Communications, United Kingdom -156 foreign USA USIC 2013 TS SI NOFORN Communications, Kenya, -157 foreign Caribbean, Philippines, Mexico USA NSA 2013 TS NOFORN Communications, Bahamas -158 foreign USA NSA 2009 TS SI NOFORN Communications, -159 telecommunications USA NSA 2011 TS NOFORN Data, call records -160 USA NSA 2012 TS REL Data, call records Bahamas -161 USA DEA 2004 S SI FOUO Bahamas -162 USA NSA 2012 TS FVEY Data, biometric -163 USA NSA 2012 CONF FVEY Communications, -164 voice data 102 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2012 CONF FVEY Decryption, voice Caribbean -165 communications USA NSA 2012 TS SI FVEY Decryption, encrypted Europe -166 communications USA NSA 2012 Unclassified Unclassified Intelligence, general -167 USA US 2004 S FOUO Communications, Africa -168 ARMY foreign USA NSA 2006 TS FOUO Communications, Africa -169 foreign USA NSA 2011 Classified FOUO Communications, -170 foreign USA NSA 2012 TS FOUO Communications, North Africa -171 foreign USA NSA 2012 TS FVEY Communications, Africa -172 foreign USA NSA 2007 TS NOFORN Communications, -173 foreign USA NSA 2007 TS NOFORN Communications, Afghanistan -174 foreign USA USIC 2013 TS SI / TK NOFORN Communications, -175 foreign USA NSA 2007 S REL Communications, Africa -176 foreign USA NSA 2007 S SI REL Communications, Africa -177 foreign USA NSA 2007 S SI REL Communications, Africa -178 foreign USA NSA 2012 TS REL Communications, Africa -179 foreign USA NSA 2005 S SI UNK Communications, North Africa -180 foreign USA NSA 2010 UNK UNK Communications, -181 Internet USA NSA 2011 TS COMINT FVEY Data, location -182 USA NSA 2013 TS NOFORN Intelligence, -183 commercial USA NSA 2006 S FOUO Intelligence, general -184 USA NSA 2011 TS SI / TK NOFORN Intelligence, general -185 USA NSA 2013 TS SI NOFORN Intelligence, general -186 USA NSA 2013 TS SI NOFORN Intelligence, general -187 USA NSA 2008 S SI REL Intelligence, general -188 USA NSA 2005 S FOUO Intelligence, signals -189 USA NSA 2006 Classified FOUO Intelligence, signals -190 USA NSA 2008 TS FVEY Intelligence, signals -191 USA NSA TS FVEY Intelligence, signals Germany -192 USA NSA 2013 S NOFORN Intelligence, signals -193 USA NSA 2005 S REL USA, Intelligence, signals -194 AUS, CAN, DEU, GBR, NZL USA NSA 2012 S REL DEU, Intelligence, signals Germany -195 DNK, ESP, FRA, ITA, GBR, NLD, NOR, SWE, USA USA NSA 2012 S REL DEU, Intelligence, signals -196 DNK, ESP, FRA, ITA, GBR, NLD, NOR, SWE, USA USA NSA 2006 S UNK Intelligence, signals -197 USA NSA 2012 Unclassified FOUO Metadata, Internet -198

103 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2012 TS SI NOFORN Metadata, Internet -199 USA NSA 2010 UNK UNK Metadata, Internet -200 USA NSA 2013 UNK UNK Metadata, Internet -201 USA NSA 2013 UNK UNK Metadata, Internet -202 USA NSA 2013 UNK UNK Metadata, Internet -203 USA NSA 2010 S REL Metadata, telephony -204 USA NSA 2010 S REL Metadata, telephony -205 USA NSA 2013 UNK UNK Metadata, telephony -206 USA NSA 2003 Unclassified FOUO None -207 USA NSA 2004 Unclassified FOUO None -208 USA NSA 2013 TS SI NOFORN None -209 USA NSA 2013 S NOFORN None -210 USA NSA 2007 S SI REL USA, FRA None -211 USA NSA 2013 TS SI REL USA, None -212 DNK USA NSA 2010 TS COMINT NOFORN Communications, -213 foreign USA NSA 2008 TS COMINT NOFORN Intelligence, general -214 USA USAG 2010 S ORCON NOFORN Intelligence, general -215 USA USAG 2010 TS NOFORN Intelligence, general -216 USA FISA 2010 S UNK Intelligence, general -217 USA NSA 2008 TS COMINT FVEY Communications, -218 domestic USA NCTC 2013 S SI FOUO Intelligence, -219 counterterrorism USA NSA 2012 UNK UNK Intelligence, general -220 USA NSA 2013 TS SI NOFORN Communications, Saudi Arabia -221 foreign USA NSA 2013 TS SI NOFORN Intelligence, general Israel -222 USA DIA 1999 TS HVCCO REL USA, ISR Intelligence, general Israel -223 USA NCTC 2013 S NOFORN Data, biometric United States -224 USA NSA 2007 S FOUO Metadata, -225 communications USA NSA 2010 S FOUO Metadata, -226 communications USA NSA 2007 TS FVEY Metadata, -227 communications USA NSA 2013 S FVEY Metadata, -228 communications USA NSA 2004 S NOFORN Metadata, -229 communications USA USGOV 2005 S NOFORN Metadata, -230 communications USA NSA 2006 TS NOFORN Metadata, -231 communications USA USIC 2008 UNK UNK Metadata, -232 communications USA NSA 2007 TS NOFORN Metadata, telephony -233 USA NSA 2006 Classified FOUO Communications, Turkey, Iraq, -234 foreign Kurdistan USA NSA 2003 TS FVEY Communications, Turkey, Iraq -235 foreign USA NSA 2005 TS SI / TK FVEY Communications, Kurdistan, -236 foreign Turkey, Russia USA NSA 2005 TS FVEY Communications, Kurdistan, -237 foreign Turkey, Iraq USA NSA 2006 TS FVEY Communications, Turkey -238 foreign USA NSA 2007 TS FVEY Communications, Turkey -239 foreign USA NSA 2013 TS NOFORN Communications, Turkey -240 foreign USA NSA 2008 TS STRAP 1 Intelligence, Turkey -241 commercial 104 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2008 TS STRAP 1 Intelligence, Turkey -242 commercial USA NSA 2013 S NOFORN Intelligence, electronic Turkey -243 USA NSA 2006 TS SI / TK FVEY Intelligence, general -244 USA USIC 2009 S FVEY Communications, -245 foreign USA NSA 2010 TS SI FVEY Communications, -246 Internet USA NSA 2013 TS NOFORN Communications, -247 telecommunications USA NSA 2011 TS FVEY Intelligence, -248 communications USA NSA 2013 S FVEY Intelligence, signals New Zealand -249 USA NSA 2004 TS COMINT FVEY Communications, -250 Internet USA NSA 2010 TS SI FVEY Communications, -251 Internet USA NSA 2006 TS COMINT FVEY Intelligence, general -252 USA NSA 2003 TS COMINT / NOFORN Intelligence, general -253 ORCON USA NSA 2004 TS COMINT NOFORN Intelligence, general -254 USA NSA 2004 TS COMINT NOFORN Intelligence, general -255 USA NSA 2004 TS COMINT NOFORN Intelligence, general -256 USA NSA 2004 TS COMINT NOFORN Intelligence, general -257 USA NSA 2004 TS COMINT NOFORN Intelligence, general -258 USA NSA 2012 S SI NOFORN Intelligence, human -259 USA NSA 2013 S SI REL USA, Communications, -260 GBR telecommunications USA NSA 2009 TS FVEY -261 USA NSA 2010 TS FVEY Communications, -262 mobile USA NSA 2011 S FVEY Communications, -263 mobile USA NSA 2012 S SI FVEY Communications, -264 mobile USA NSA 2010 TS SI FVEY Communications, -265 mobile USA NSA 2010 TS FVEY VPN -266 USA NSA 2012 TS NOFORN Communications, Skype -267 Internet USA NSA 2007 TS FVEY Decryption, encrypted -268 communications USA NSA 2007 TS FVEY Decryption, encrypted -269 communications USA NSA 2007 TS FVEY Decryption, encrypted -270 communications USA NSA 2008 TS FVEY Decryption, encrypted -271 communications USA NSA 2009 TS FVEY Decryption, encrypted -272 communications USA NSA 2011 TS SI / TK FVEY Decryption, encrypted -273 communications USA NSA 2012 TS FVEY Decryption, encrypted -274 communications USA NSA TS FVEY Decryption, encrypted -275 communications USA NSA TS FVEY Decryption, encrypted -276 communications USA NSA 2012 TS REL Decryption, encrypted -277 communications USA NSA 2012 TS REL USA, AUS Decryption, encrypted -278 communications USA NSA 2012 TS REL Decryption, encrypted -279 communications USA NSA 2012 TS REL USA, AUS Decryption, encrypted -280 communications USA NSA 2011 TS FVEY Intelligence, -281 communications USA NIARL 2008 TS COMINT FVEY Intelligence, general -282 USA NSA 2007 TS SI / TK FVEY VPN -283 USA NSA 2011 TS FVEY VPN -284 105 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA TS FVEY Communications, -285 foreign USA NSA 2004 TS FVEY Decryption, computer -286 networks USA NSA 2006 TS FVEY Decryption, computer -287 networks USA NSA 2008 TS FVEY Decryption, computer -288 networks USA NSA 2010 TS FVEY Decryption, computer -289 networks USA NSA 2010 TS FVEY Decryption, computer -290 networks USA USNAVY 2012 TS FVEY Decryption, computer -291 networks USA NSA 2010 TS NOFORN Decryption, computer Syria -292 networks USA NSA 2008 TS NOFORN Decryption, computer -293 networks USA NSA 2005 TS UNK Decryption, computer -294 networks USA NSA 2012 TS TK FVEY Decryption, encrypted -295 communications USA NSA 2006 TS SI / TK FVEY Hardware -296 USA NSA 2010 TS FVEY Intelligence, signals -297 USA NSA 2011 TS FVEY Intelligence, signals China -298 USA NSA 2011 TS FVEY Intelligence, signals -299 USA NSA 2011 TS FVEY Intelligence, signals -300 USA NSA TS FVEY Intelligence, signals -301 USA NSA TS FVEY Intelligence, signals -302 USA NSA 2010 TS FVEY -303 USA USIC 2011 S REL USA, Intelligence, general -304 NATO USA NSA 2013 TS COMINT NOFORN Communications, Iran -305 foreign USA CIA 2008 S NOFORN Decryption, mobile -306 devices USA CIA 2008 S NOFORN Decryption, mobile -307 devices USA CIA 2009 TS SI NOFORN Decryption, mobile -308 devices USA CIA 2010 S NOFORN Decryption, mobile -309 devices USA NSA 2011 TS SI / TK NOFORN Decryption, mobile -310 devices USA CIA 2011 S NOFORN Decryption, mobile -311 devices USA CIA 2012 TS SI NOFORN Hardware, mobile -312 devices USA CIA 2012 S NOFORN Hardware, mobile -313 devices USA CIA 2012 S ORCON NOFORN -314 USA NSA 2009 TS COMINT FVEY Communications, Australia, New -315 foreign Zealand, South Pacific USA NSA 2013 TS SI FVEY Communications, New Zealand -316 foreign USA NSA 2013 TS SI FVEY Intelligence, general New Zealand -317 USA NSA 2013 TS SI FVEY Intelligence, general Canada -318 USA NSA 2006 TS UNK Communications, Iraq -319 foreign USA NSA 2008 Unclassified FOUO Data, voice -320 USA NSA 2011 Unclassified FOUO Data, voice -321 USA NSA 2011 TS FOUO Data, voice -322 USA NSA 2011 TS FOUO Data, voice Afghanistan, -323 Latin America USA USIC 2012 TS NOFORN Data, voice -324 USA USIC 2012 TS NOFORN Data, voice -325 USA NSA 2006 TS UNK Data, voice -326 106 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2006 TS UNK Data, voice -327 USA NSA 2006 TS REL Intelligence, -328 communications USA NSA 2012 TS FVEY Communications, Pakistan -329 foreign USA NSA 2012 TS FVEY Metadata, -330 communications USA NSA 2011 TS FOUO Communications, Afghanistan, Iraq -331 foreign USA NSA 2007 TS FVEY Communications, Iraq -332 foreign USA RCSW 2011 S FGI GBR REL USA, Communications, Afghanistan -333 ISAF, foreign NATO USA RCSW 2011 S FGI GBR REL USA, Communications, Afghanistan -334 ISAF, foreign NATO USA NSA 2011 TS FVEY Intelligence, -335 counterterrorism USA NSA 2008 TS HCS / SI / NOFORN Intelligence, Afghanistan, Iraq -336 ORCON / MR counterterrorism USA USIC 2012 TS NOFORN Intelligence, -337 counterterrorism USA NSA 2010 TS COMINT REL -338 USA NSA 2010 Unclassified FOUO None -339 USA NSA 2011 Unclassified FOUO None -340 USA NSA 2011 Unclassified FOUO None -341 USA NSA 2011 Unclassified FOUO None -342 USA NSA 2011 Unclassified FOUO None -343 USA NSA 2012 Unclassified FOUO None -344 USA NSA 2012 Unclassified FOUO None -345 USA NSA 2012 Unclassified FOUO None -346 USA NSA 2010 S FVEY Intelligence, general -347 USA NSA 2012 TS RELIDO / TK FVEY Decryption, computer -348 networks USA NSA 2013 UNK UNK Metadata, telephony -349 USA NSA 2008 TS COMINT FVEY Decryption, computer Kapersky Lab -350 networks USA NSA 2010 TS COMINT FVEY -351 USA NSA 2005 TS COMINT / NOFORN None -352 ORCON USA NSA 2010 TS SI NOFORN Communications, -353 diplomatic USA NSA 2010 S COMINT FVEY Communications, -354 Internet USA NSA 2010 S FVEY Communications, -355 Internet USA NSA 2009 TS COMINT FVEY Data, email addresses -356 USA NSA 2009 TS COMINT FVEY Data, phone numbers -357 USA NSA 2009 TS COMINT FVEY Data, social media -358 USA NSA 2009 TS COMINT FVEY Data, VoIP -359 USA NSA 2010 S FVEY Data, VoIP -360 USA NSA 2009 TS COMINT FVEY Data, web forum -361 USA NSA 2009 TS COMINT FVEY Data, web forum -362 USA NSA 2011 TS COMINT FVEY Decryption, computer -363 networks USA NSA 2010 Classified FOUO Intelligence, general -364 USA NSA 2008 TS COMINT FVEY Intelligence, general -365 USA NSA 2008 TS COMINT FVEY Intelligence, general -366 USA NSA 2009 TS COMINT / FVEY Intelligence, general -367 ORCON USA NSA 2009 TS COMINT FVEY Intelligence, general -368 107 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted USA NSA 2009 TS COMINT FVEY Intelligence, general -369 USA Booz 2010 TS COMINT FVEY Intelligence, general -370 Allen USA NSA 2010 S FVEY Intelligence, general -371 USA NSA 2010 S COMINT FVEY Intelligence, general -372 USA NSA 2010 TS COMINT FVEY Intelligence, general -373 USA NSA 2010 S FVEY Intelligence, general -374 USA NSA 2010 TS COMINT FVEY Intelligence, general -375 USA NSA 2010 S FVEY Intelligence, general -376 USA NSA 2010 TS COMINT FVEY Intelligence, general -377 USA NSA 2010 TS COMINT FVEY Intelligence, general -378 USA NSA 2010 TS UNK Intelligence, general -379 USA NSA 2010 S UNK Intelligence, general -380 USA NSA 2010 CONF SI UNK Intelligence, general -381 USA NSA 2010 TS COMINT UNK Intelligence, general -382 USA NSA 2010 CONF UNK Intelligence, general -383 USA NSA 2009 TS COMINT FVEY Intelligence, mobile -384 digital network USA NSA 2009 TS COMINT FVEY Metadata, documents -385 USA NSA 2009 TS COMINT FVEY Metadata, Internet -386 USA NSA 2009 TS COMINT FVEY Metadata, Internet -387 USA NSA 2009 TS COMINT FVEY Metadata, Internet -388 USA NSA 2009 TS COMINT FVEY -389 USA LockH 2009 TS COMINT FVEY -390 USA NSA 2010 TS COMINT FVEY -391 USA NSA 2009 TS COMINT FVEY -392 USA NSA 2005 S FOUO Intelligence, Europe, North -393 communications America USA NSA 2011 TS FVEY Intelligence, -394 communications USA NSA 2012 TS FVEY -395 USA NSA TS NOFORN Intelligence, -396 communications USA NSA 2013 TS SI NOFORN Metadata, cable New Zealand -397 surveillance USA NSA 2007 UNK UNK Communications, Iran -398 foreign USA NSA TS FVEY Communications, Germany -399 foreign USA NSA TS FVEY Communications, China -400 foreign USA NSA 2003 TS SI / TK FVEY Intelligence, -401 communications USA NSA 2003 TS SI / TK FVEY Intelligence, -402 communications USA NSA 2004 TS SI / TK FVEY Intelligence, -403 communications USA NSA 2004 TS SI / TK FVEY Intelligence, -404 communications USA NSA 2012 TS SI / TK FVEY Communications, -405 foreign

108 Appendix C: Disclosed Documents (United Kingdom)

DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted GBR GCHQ 2010 TS STRAP 2 Communications, Belgium -001 foreign GBR GCHQ 2012 TS COMINT STRAP 1 Communications, -002 encrypted GBR GCHQ 2010 TS COMINT FVEY Communications, -003 diplomatic GBR GCHQ 2009 UNK Unclassified Communications, -004 domestic GBR GCHQ 2007 TS Classified FVEY Communications, Middle East -005 foreign GBR GCHQ 2007 TS Classified FVEY Communications, Middle East -006 foreign GBR GCHQ 2012 UNK UNK Communications, Africa -007 foreign GBR GCHQ 2012 TS FVEY Communications, -008 Internet GBR GCHQ 2010 S STRAP 1 Hardware, mobile -009 GBR GCHQ 2012 TS COMINT FVEY Communications, -010 hacktivist GBR GCHQ 2010 TS STRAP 1 Communications, -011 domestic GBR GCHQ 2012 TS COMINT FVEY Intelligence, general -012 GBR GCHQ 2012 TS SI FVEY Communications, -013 Internet GBR GCHQ 2012 S SI FVEY Communications, -014 domestic GBR GCHQ 2008 S STRAP 1 Data, webcam -015 GBR GCHQ 2007 TS FVEY Communications, -016 computers GBR GCHQ 2010 TS STRAP 1 Intelligence, -017 communications GBR GCHQ 2012 UNK UNK Communications, -018 Internet GBR GCHQ 2012 TS COMINT STRAP 1 Intelligence, general -019 GBR GCHQ 2010 S UNK Communications, -020 hacktivist GBR GCHQ 2010 TS COMINT FVEY STRAP 1 Decryption, port -021 scanning GBR GCHQ 2010 TS COMINT FVEY STRAP 1 Decryption, port -022 scanning GBR GCHQ 2008 S UNK Communications, Iraq, Kurdistan -023 foreign GBR GCHQ 2009 TS STRAP 1 Communications, Turkey -024 foreign GBR GCHQ 2008 S STRAP 1 Communications, Jordan, Belgium, -025 telecommunications Africa, Turkey, India, Kurdistan GBR GCHQ 2008 S STRAP 1 Communications, Iraq, Turkey, -026 telecommunications Syria, Saudi Arabia, UAE, Egypt, United Kingdom GBR GCHQ 2008 TS STRAP 1 Communications, Germany -027 telecommunications GBR GCHQ 2012 UNK UNK Communications, United Kingdom -028 telecommunications GBR GCHQ 2012 UNK UNK Communications, United Kingdom -029 telecommunications GBR GCHQ 2012 UNK UNK Communications, United Kingdom -030 telecommunications GBR GCHQ 2012 UNK UNK Communications, -031 telecommunications GBR GCHQ 2012 UNK UNK Communications, -032 telecommunications GBR GCHQ 2012 UNK UNK Communications, -033 telecommunications GBR GCHQ 2012 UNK UNK Communications, -034 telecommunications GBR GCHQ 2012 UNK UNK Communications, -035 telecommunications GBR GCHQ 2008 TS COMINT STRAP 1 Communications, -036 telecommunications GBR GCHQ 2008 TS COMINT STRAP 1 Communications, -037 telecommunications GBR GCHQ 2009 TS COMINT STRAP 1 Communications, -038 telecommunications 109 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted GBR GCHQ 2012 TS COMINT STRAP 1 Communications, -039 telecommunications GBR GCHQ 2012 TS STRAP 1 Communications, -040 telecommunications GBR GCHQ 2012 S SI FVEY Communications, -041 mobile GBR GCHQ 2009 TS STRAP 1 Hardware, mobile -042 GBR GCHQ 2011 TS STRAP 1 Hardware, mobile -043 GBR GCHQ 2011 TS FVEY STRAP 2 Communications, -044 encrypted GBR GCHQ 2011 TS STRAP 2 Hardware, mobile Belgium -045 GBR GCHQ 2011 UNK UNK Misc -046 GBR GCHQ 2011 TS STRAP 2 Misc -047 GBR GCHQ 2011 TS STRAP 2 Misc -048 GBR GCHQ 2011 TS STRAP 2 Misc Belgium -049 GBR GCHQ 2011 UNK UNK Networks, computers Belgium -050 GBR GCHQ 2012 UNK UNK Networks, computers Belgium -051 GBR GCHQ 2012 S STRAP 1 Networks, computers -052 GBR GCHQ 2006 TS STRAP 1 Communications, -053 encrypted GBR GCHQ 2011 TS STRAP 1 Communications, -054 encrypted GBR GCHQ TS STRAP 1 Communications, -055 encrypted GBR GCHQ 2011 TS STRAP 1 Decryption, private -056 browsing GBR GCHQ 2011 TS STRAP 1 Decryption, private -057 browsing GBR GCHQ 2011 TS STRAP 1 Decryption, private -058 browsing GBR GCHQ 2010 TS FVEY Networks, computers -059 GBR GCHQ 2010 TS FVEY Networks, computers -060 GBR GCHQ TS STRAP 1 Networks, computers -061 GBR GCHQ 2012 TS COMINT STRAP 1 Data, social media -062 GBR GCHQ 2012 TS COMINT STRAP 1 Data, social media -063 GBR GCHQ 2012 TS SI / TK FVEY Intelligence, general India, China, -064 Central Asia, Tibet, Europe, Afghanistan GBR GCHQ 2011 TS STRAP 1 Data, ISMI numbers -065 GBR GCHQ 2010 TS STRAP 1 Decryption, -066 authentication keys GBR GCHQ 2011 TS STRAP 1 Decryption, -067 authentication keys GBR GCHQ 2011 UNK UNK Decryption, encryption -068 keys GBR GCHQ 2011 UNK UNK Decryption, encryption -069 keys GBR GCHQ 2011 UNK UNK Decryption, encryption -070 keys GBR GCHQ 2011 TS STRAP 1 Decryption, encryption -071 keys GBR GCHQ 2011 TS STRAP 1 Decryption, encryption -072 keys GBR GCHQ 2011 TS STRAP 1 Decryption, encryption -073 keys GBR GCHQ 2011 S STRAP 1 Decryption, encryption -074 keys GBR GCHQ 2011 TS STRAP 1 Decryption, encryption -075 keys GBR GCHQ 2008 TS STRAP 1 Decryption, mobile -076 devices GBR GCHQ 2010 CONF CONF Communications, Argentina -077 diplomatic GBR NAC 2011 FVEY STRAP 1 Communications, Argentina, Iran -078 diplomatic GBR GCHQ 2008 TS FVEY Communications, Argentina, -079 diplomatic Venezuela, Colombia 110 DOC Agency Year CLASS Container Distribution Specific Communications Countries Target Targeted GBR GCHQ 2009 TS STRAP 1 Communications, Argentina -080 diplomatic GBR GCHQ 2010 TS STRAP 1 Communications, Argentina -081 diplomatic GBR GCHQ 2011 UNK UNK Communications, Zimbabwe, -082 foreign Argentina GBR GCHQ 2009 S STRAP 1 Data, voice -083 GBR GCHQ 2011 TS STRAP 1 Counterterrorism -084 GBR GCHQ 2011 TS COMINT STRAP 1 Decryption, -085 cryptographic products GBR GCHQ 2011 TS COMINT STRAP 1 Intelligence, -086 commercial GBR GCHQ 2008 S UNK STRAP 1 Intelligence, general -087 GBR GCHQ 2010 UNK UNK Intelligence, general -088 GBR GCHQ 2007 TS FVEY STRAP 1 Misc Europe, North -089 America GBR GCHQ 2010 S UNK Misc -090 GBR GCHQ 2008 TS UNK Misc -091 GBR GCHQ 2008 UNK UNK Misc -092 GBR GCHQ 2010 S UNK Communications, -093 satellite access GBR GCHQ TS STRAP 1 Communications, Cyprus -094 satellite access GBR GCHQ 2011 TS Communications, -095 encrypted GBR GCHQ 2011 TS COMINT STRAP 1 Communications, France, Poland, -096 foreign Czech Republic, Dubai, United Kingdom GBR GCHQ 2012 UNK UNK Communications, -097 Internet GBR GCHQ TS COMINT STRAP 1 Communications, -098 Internet GBR GCHQ 2009 TS COMINT FVEY Communications, Pakistan -099 telecommunications GBR GCHQ 2010 TS STRAP 1 Communications, Europe -100 telecommunications GBR GCHQ 2011 TS COMINT STRAP 1 Decryption, port -101 scanning GBR GCHQ UNK UNK Intelligence, -102 communications GBR GCHQ 2009 S COMINT / STRAP 2 Intelligence, -103 ORCON communications GBR GCHQ S SI / ORCON FVEY STRAP 1 Intelligence, general -104 GBR GCHQ 2012 TS COMINT NOFORN STRAP 1 Intelligence, general -105 GBR GCHQ 2007 UNK UNK Intelligence, general -106 GBR GCHQ 2011 S STRAP 1 Intelligence, general -107 GBR GCHQ 2012 TS STRAP 1 Intelligence, general -108 GBR GCHQ 2012 TS COMINT STRAP 1 Intelligence, signals -109 GBR GCHQ 2010 S Intelligence, signals -110 GBR GCHQ 2011 TS FVEY STRAP 1 Metadata, Internet -111 GBR GCHQ 2007 UNK UNK Metadata, Internet -112 GBR GCHQ 2009 UNK UNK Metadata, Internet -113 GBR GCHQ 2008 TS STRAP 1 Metadata, Internet -114 GBR GCHQ 2009 S STRAP 1 Metadata, Internet -115 GBR GCHQ 2009 TS STRAP 1 Metadata, Internet -116 GBR GCHQ 2012 S STRAP 1 Metadata, Internet -117 GBR GCHQ S COMINT STRAP 1 Metadata, Internet -118 GBR GCHQ 2009 S COMINT / STRAP 2 Metadata, Internet -119 ORCON GBR GCHQ 2011 TS STRAP 1 Communications, -120 foreign

111