Out-Law News

Mobile SIM card encryption codes 'accessed by UK and US intelligence agencies'


UK and US intelligence agencies hacked into the computer systems of a major mobile SIM card manufacturer and stole encryption keys, according to new documents leaked by a whistleblower to a media organisation.

The Intercept has reported that Netherlands-based SIM card manufacturer Gemalto was targeted in a joint operation by the UK's lead surveillance body GCHQ and the US' National Security Agency (NSA). The publication said secret documents from 2010 leaked by former NSA employee Edward Snowden revealed the breach of Gemalto's security.

GCHQ has said its surveillance activities are "carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate", according to a report by the BBC.

Paul Beverly, a Gemalto executive vice president, said he was disturbed and concerned about the claims in the Intercept's report. He said that to the best of his knowledge neither the NSA nor GCHQ had ever asked the company for access to the encryption keys for SIMs it had manufactured, according to the Intercept report.

"The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years," Beverly said, according to the Intercept report. "What I want to understand is what sort of ramifications it has, or could have, on any of our customers."

The existing UK legal framework on the interception of communications, the retention of communications data and powers of access to that data is largely set out under the Regulation of Investigatory Powers Act (RIPA) and the Data Retention and Investigatory Powers (DRIP) Act.

RIPA provides law enforcement bodies in the UK with a right to intercept communications under certain circumstances. The Act requires the bodies to obtain the UK home secretary's authorisation to intercept the communications before they can do so, and the home secretary must, before authorising a warrant, assess whether the request to intercept communications is necessary and proportionate in order to protect the UK's national security interests, prevent and detect terrorism and serious crime or to safeguard the UK's economic well-being.

The home secretary must consider certain factors relating to the necessity and proportionality of any interception before authorising it, including "whether the information which it is thought necessary to obtain under the warrant could reasonably be obtained by other means".

However, RIPA provides for two different types of warrants to be issued, one which applies when the law enforcement agencies wish to intercept 'internal communications' and one which applies when they wish to intercept 'external communications'. An external communication is defined under the Act as "a communication sent or received outside the British Islands".

When seeking to intercept internal communications, the bodies must specify either the identity of the subject of the interception or the single set of premises where they wish to intercept communications, together with a number of other details. These warrants are known as 'section 8(1)' warrants.

However, warrants for intercepting external communications (section 8(4) warrants) do not have to specify the intended target of the interception and can be issued if the home secretary believes the surveillance to be necessary. A number of additional safeguards apply in the case of these "certified warrants".

In accordance with section 16 of RIPA, intercepted external communications may only be read, looked at or listened to if the home secretary has deemed it necessary and, generally, if the information is "referable to an individual who is known to be for the time being in the British Islands; and has as its purpose, or one of its purposes, the identification of material contained in communications sent by him, or intended for him". However, other limited conditions also apply to enable the contents of communications to be read, looked at or listened to.
