From maths to computer science, GCHQ has its tentacles in Bristol University.
A GCHQ document leaked last year by Edward Snowden did the rounds in a few publications and niche blogs before dropping off the radar – castigated to the annals of Google – or so some at the University of Bristol had hoped.
The document, authored in 2011, shed light on the top secret work conducted at the Heilbronn Institute for Mathematical Research (HIMR), a national mathematics centre based at the University of Bristol, in collaboration with the Government Communications Headquarters (GCHQ).
As the centre’s online description makes clear, it’s no state secret that HIMR is funded by and works closely with GCHQ. “Each member of the Institute spends half their time pursuing research directed by the Government Communications Headquarters, and the other half doing personal academic research.”
But as one might expect, the nitty gritty of HIMR’s collaboration with GCHQ is somewhat more difficult to decipher, making this leak all the more interesting. While the institute holds public speaker events, staff and researchers are gagged by the Official Secrets Act from disclosing the classified matters they work on.
The HIMR penned document, titled “Data Mining Research Problem Book”, and marked “top secret strap 1”, detailed key techniques used by GCHQ to sift through the gigantic volumes of data it hoovers up from the Internet and telephone networks. The guide was designed to assist the Five Eyes (FVEY) network- the surveillance agencies of Australia, New Zealand, UK, Canada and the US.
It was never intended for public eyes and for good reason, because it shines a revealing light on the extent of GCHQ’s blanket surveillance and HIMR’s complicity in advising them how to analyse it. The book candidly states, “we pull everything we see” – when it comes to metadata, data that describes and gives information about other data, i.e the senders and recipients of text messages/ emails and phone calls, rather than the contents.
By displaying patterns, metadata can actually be more revealing than the content itself. As presented in the document, analysis of such networks can provide a comprehensive picture of a target, revealing who is communicating with who and when, of power structures and relationships. It is this emphasis on network analysis, as Cory Doctorow for BoingBoing magazine highlights, that is particularly interesting.
There’s one specific section that should give researchers pause for thought when considering the ethical implications of university collaboration with the surveillance agency. The book clearly states that the right to privacy can also be violated for the “economic well-being (emphasis added) of the country…” GCHQ typically defends its surveillance on grounds of national security, a wide criterion in itself. But with the addition of ‘economic well-being’, many more people, groups, institutions and nation-states, could – and have – become potential surveillance targets. Think trade unionists, consumer boycotts, environmental activists and many more. This undoubtedly raises a whole raft of concerning legal and ethical questions.
An ongoing partnership
Judging by the contents of the document, it appears that HIMR’s contribution to meta-data analysis wasn’t intended to be a one off; whether further research in this area was actually conducted isn’t clear. But as spelt out in the introduction, “the idea to more permanently expand HIMR research beyond pure maths and into data mining was born.” Data mining, the process of identifying patterns and information in these large data sets, is vital for being able to make sense of the mass communications and online data being swept up by GCHQ and its international counterparts. As far as back as 2011, HIMR was clearly not just engaged in theoretical mathematical research, but in active computer science collaboration with GCHQ on controversial programs.
The Cable asked the HIMR what measures it had in place, if any, to ensure that research and work conducted by its staff and researchers in partnership with GCHQ and industry partners, was not used in a manner that may undermine or breach human rights. HIMR refused the Cable’s request for comment, referring us to the university press office, which subsequently directed us to GCHQ. We didn’t bother contacting them.
Beyond the Heilbronn Institute, the Department of Computer Science, in particular the Cryptography Research Group, has links to GCHQ, or more specifically the National Cyber Security Centre.
Back in 2012, Bristol University was awarded the status of Academic Centre of Excellence in Cyber Security Research by GCHQ. There are now 13 Universities in the UK that have been recognised as ACEs-CSR. The National Cyber Security Centre, a new arm of GCHQ dedicated to defensive cyber security has now taken responsibility for the ACE-CSR program.
A 2012 Bristol university press release which announced the status explained, “the University will work more closely with the Government Communications Headquarters (GCHQ), the UK cyber community and industry. A Bristol University ACE-CSR PowerPoint presentation from the same year, also refers to a “roughly £5 million research portfolio” from various funding streams, including DARPA, an agency of the U.S. Department of Defense responsible for developing technologies for military use.
The Cryptography Group works on defensive cyber security research, and is a key part of the ACE-CSR. However, Nigel Smart, professor of Cryptology at Bristol University, told the Cable “we do not work on projects for GCHQ” adding, “there are no academics who do active research with GCHQ. We have some students who are sponsored by GCHQ.”
The Cryptography Group’s Industrial Advisory Board, which according to its website discusses the research portfolio and directions of the group, also includes an anonymous GCHQ representative. Speaking on the condition of anonymity, one person told the Cable that “some researchers from the Cryptography Group visit GCHQ on away days from time to time.”
“Personally I wouldn’t touch this sort of deal with the proverbial barge-pole” says Ross Anderson, Professor of Security Engineering at the Computer Laboratory, University of Cambridge. The university was recognised as an ACE-CSR in 2013, but its application was initially rejected on the grounds of Anderson’s refusal to participate says the professor. “The spooks’ selection committee complained that this showed Cambridge wasn’t a coherent group. Someone then took them aside and explained that a university isn’t like a regiment; you don’t have a chain of command.”
“My counterpart at Bristol, Nigel Smart did sign up for an ACE/CSR” says Anderson, “but to his credit protested strongly when the Snowden revelations showed that GCHQ had been messing around for years with security standards, helping the NSA to make them weaker.” Smart co-signed an open letter in 2013 calling on all “relevant parties to reveal what systems have been weakened so that they can be repaired.” The fact that GCHQ had been weakening cryptographic standards and installing back doors – a defect or hidden feature which enables unauthorised access – was obvious says Anderson, even before the NSA leaks.
That GCHQ is a major employer of mathematicians in the UK and has its tentacles in academia, similarly to other controversial industries, is old news to those in the world of mathematics. Indeed, the National Security Agency (NSA) – GCHQ’s US counterpart – is reported to be the largest employer of mathematicians in the world.
Tom Leinster, a mathematician based at the University of Edinburgh, told the Cable that many in the field are “highly uncomfortable with some of GCHQ’s activities.” Adding that “Heads of department should understand that cooperation with Heilbronn/GCHQ is a controversial choice, and encourage open discussion.”
There are undoubtedly those within the academic community who don’t find surveillance problematic, or have chosen to engage with GCHQ (or the NCSC) in specific areas, such as cyber-defence, on the basis that they are contributing to greater security. But can the definition between offensive and defensive security research be so simply drawn? Clearly in order to attack or intercept, weaknesses must be identified.
“GCHQ’s attempts to capture and control university research on security are annoying, but largely ineffective”. Anderson instead refers to a much wider problem, whereby ministers try to control the research budget for short-term political benefit, with research money ending up being used as an industrial subsidy and/ or wasted on ineffective projects.
Regardless of the effectiveness of these initiatives, there are serious ethical and legal questions, which should inform academic partnerships. “In fields such as medicine and psychology, ethical approval is a routine part of any project” says Leinster. While the HIMR in 2011 stated that GCHQ complies with UK law, a recent ruling by the European Court of Human Rights concluded that GCHQ’s indiscriminate retention of everyone’s metadata is unlawful.
Statements like ‘we pull everything we see” – as stated in the HIMR document, should not only concern those interested in the protection of civil liberties, but also our universities which are adverse to public relations damage. Ethical considerations, says Leinster, should be applied by mathematics and computer science departments “before they approve collaborations with a powerful and secretive organization such as GCHQ.”
For insightful analyses into the specifics of the HIMR “Data Mining Research Problem Book”, read these articles by BoingBoing, Arts Technia and George Danezis.