British spies are allowed to intercept Google and Facebook traffic, official says

It is the first time a U.K. official has commented on the government's "vague surveillance legal framework", Privacy International said

British spies are authorized to spy on British citizens' Internet communications transiting through servers outside the U.K., a civil rights group has discovered.

Privacy International uncovered the information as part of a lawsuit it filed against the U.K. government over its alleged involvement in mass surveillance programs. It filed the suit with the U.K.'s Investigatory Powers Tribunal, a court that can investigate complaints about any alleged conduct by or on behalf of the intelligence services.

On Tuesday the group published a witness statement from Charles Farr, director general of the Office for Security and Counter Terrorism at the U.K.'s Home Office, who is among the government officials and other witnesses who have made depositions in the case. His statement was published ahead of a hearing by the tribunal scheduled to take place between July 14 and 18.

Farr, one of the U.K.'s most senior security officials, said British spies have the right to intercept Internet communications even if they are from British citizens because the services often use Web servers located outside the U.K. Many messages "such as a Google search, a search of YouTube for a video, a 'tweet' on Twitter, or the posting of a message on Facebook," could be qualified as external by the intelligence services, he said.

Under British laws, the country's intelligence services require a special warrant to monitor communications of British residents located within the U.K., which can only be granted if there is reason to suspect the person is involved in unlawful activity. However, only a general warrant is required for external communications, sent or received outside of the U.K., the Isle of Man, or the Channel Islands, collectively known as the British Islands.

"A Google search by an individual located in the U.K. may well involve a communication from the searcher's computer to a Google web server, which is received outside the British Islands; and a communication from Google to the searcher's computer, which is sent outside the British Islands. In such a case, the search would correspondingly involve two 'external communications'," Farr said.

In the case of Twitter and Facebook the recipient of the communication is the platform itself since the message is not meant for a particular person but broadcast to a group, Farr said. "Thus a user located in the British Islands posting a message on Facebook will communicate with a Facebook web server, located in a Facebook data center. If the Facebook data center is outside the British Islands, then the message will be an 'external communication'," he said.

The matter is somewhat different for emails. An email sent from London to someone in Birmingham would qualify as an internal communication, Farr said. However, when the sender uses a webmail service such as Gmail or Yahoo, the email could be routed through servers outside of the U.K.

If this is the case, the message would still qualify as an internal one. However, it could still be intercepted since there is no way of filtering out the internal conversations from the external ones beforehand, Farr said. Such a selection would have to happen after the emails are intercepted.

Privacy International said the government is conducting mass surveillance by intercepting and scanning through communications in order to work out whether they are internal or external.

"Classifying communications as 'external' allows the Government to search through, read, listen to and look at each of them," the campaign group said. "They consider that such interception 'has less importance' than whether a person actually reads the communication, which is where the Government believes 'the substantive interference with privacy arises,'" the group said, adding that even when privacy violations happen, the government doesn't see it as an "active intrusion" because the analyst reading or listening to an individual's communication will inevitably forget about it anyway.

The group and its fellow plaintiffs called for an end to this "wholesale violation" of Britons' right to privacy.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags Privacy InternationalGooglesecuritylegalgovernmentU.K. Home OfficeprivacyFacebook

More about FacebookGoogleIDGPrivacy InternationalYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts