In July 2013, GCHQ, Britain’s equivalent of the U.S. National Security Agency,forced journalists at the London headquarters of The Guardian to completely obliterate the memory of the computers on which they kept copies of top-secret documents provided to them by former NSA contractor and whistleblower Edward Snowden.
However, in its attempt to destroy information, GCHQ also revealed intriguing details about what it did and why.
Two technologists, Mustafa Al-Bassam and Richard Tynan, visited Guardianheadquarters last year to examine the remnants of the devices. Al-Bassam is an ex-hacker who two years ago pleaded guilty to joining attacks on Sony, Nintendo, and other companies, and now studies computer science at King’s College; Tynan is a technologist at Privacy International with a PhD in computer science. The pair concluded, first, that GCHQ wanted The Guardian to completely destroy every possible bit of information the news outlet might retain; and second, that GCHQ’s instructions may have inadvertently revealed all the locations in your computer where information may be covertly stored.
Editors of The Guardian chose to destroy the files and the devices they lived on after the British government threatened to sue them and halt further reporting on the issue, including stories on how GCHQ utilized data collected by the NSA on communications from many major Internet companies.
Footage of Guardian editors physically destroying their MacBooks and USB drives, taken by Guardian executive Sheila Fitzsimons, wasn’t released until months later, in January 2014. The GCHQ agents who supervised the destruction of the devices also insisted on recording it all on their own iPhones.
The Guardian’s video reveals editors using angle-grinders, revolving drills, masks that GCHQ ordered them to buy, and a “degausser,” an expensive piece of equipment provided by GCHQ, which destroys magnetic fields and thereby erases data. The procedure eliminated practically every chip in the device, leaving almost no recognizable piece of machinery behind. The whole process lasted over three hours.
But while Paul Johnson, The Guardian’s deputy editor, chalked the exercise up to “purely a symbolic act” of power on the part of the British government — given that copies of the Snowden files still existed in New York — there may be more to it.
At a speech given at the Chaos Communication Camp technology conference a few weeks ago in Germany, Al-Bassam and Tynan explored the details surrounding GCHQ’s decisions about how to destroy the devices, and hypothesized about what the government’s intentions might have been beyond intimidation.
“Normally people just destroy the hard drive,” said Al-Bassam. But GCHQ took it several steps further. The spy agency instructed Guardian editors to destroy parts of multiple MacBook Airs’ track pad controllers, power controllers, keyboards, CPUs, inverting converters, USB drives, and more.
According to “Joint Services Publication 440,” a 2001 British government document released by WikiLeaks, the U.K. Ministry of Defense mandates total destruction of top-secret information in order to protect it from “FISs [foreign intelligence services], extremist groups, investigative journalists, and criminals.”
However, when Al-Bassam and Tynan sent an email asking the British government for the “HMG (Her Majesty’s Government) Information Assurance Note 5,” the government-wide document that contains the U.K.’s “sanitization” policies — i.e., the specific steps necessary to destroy top-secret data — the government denied their request. The sanitization policies of the other members of the so-called “Five Eyes” intelligence alliance — the U.S., New Zealand, Canada and Australia — are public, and appeared to have very similar requirements to the techniques used to destroy The Guardian’s computers.
But in allowing The Guardian’s editors to destroy the devices themselves, and hold onto the remaining shards of computer dust, the British government essentially revealed those policies — by making it possible for people like Al-Bassam and Tynan to analyze just why they might have destroyed each part in such a specific way.
What Al-Bassam and Tynan theorized was that the government may have targeted parts of the Apple devices that it “doesn’t trust”: pieces that can retain bits of electronic information even after the hard drive is obliterated.
The track pad controller, they said, can hold up to 2 megabits of memory. All the different “chips” in your computer — from the part that controls the device’s power to the chips in the keyboard — also have the capacity to store information, like passwords and keys to other data, which can be uploaded through firmware updates. According to the public documents from other members of Five Eyes, it is incredibly difficult to completely sanitize a device of all its content. New Zealand’s data deletion policies state that USB memory is only destroyed when the dust is just a few millimeters in length. “This wasn’t a random thing,” said Tynan, pointing to a slide displaying a photo of a completely destroyed pile of USB chip shards.
These hidden memory storage locations could theoretically be taken advantage of, Tynan and Al-Bassam said, by a computer’s owner, hackers, or even the government itself, either during its design phase or after the computer is purchased. The Russian cybersecurity firm Kaspersky Lab has presented evidence that an organization it calls “Equation Group,” which is reportedly linked to the NSA, has developed ways to “create an invisible, persistent area hidden inside [a computer’s] hard drive” that would be virtually undetectable by the computer’s owner. This area could be used “to save exfiltrated information which can be later retrieved by the attackers.”
Other technologists and computer experts agreed with Al-Bassam and Tynan that significant data could theoretically be stored on a computer’s various chips. “It’s actually possible to store quite a bit of data in a small space — look at Micro SD cards!” wrote Dan Kaminsky, a computer security specialist, in an e-mail to The Intercept. “But generally these other data stores are small. [They] can certainly store cryptographic keys pretty much anywhere though; those things are minuscule.”
Steve Burgess, a computer forensics and data recovery expert, echoed Kaminsky’s technical points: “Certainly data could be stored on any kind of flash memory or SSD (if there was one), or on the computer’s BIOS, and of course on the hard disk’s rotating media — and its own on-board flash storage.”
But in terms of GCHQ’s intentions, Kaminsky thinks the answer lies somewhere between a power play and protocol based on real concern on the part of the agency. “I think GCHQ was doing half theater and half genuine threat response here. The likelihood that The Guardian had anything hidden in the trackpad was low, but from GCHQ’s perspective they’d hide something in the trackpad so why wouldn’t anyone else?”
To Tynan and Al-Bassam, the methods GCHQ used revealed just how little control we have over our data, and how difficult it is to permanently delete it when necessary. When the pair asked various companies, including Dell and HP, how different parts of the devices are designed to store information and which chips “could potentially betray us,” none were willing to reveal any specifics publicly, they said. When a member of the audience asked Tynan what laptop he’d recommend for journalists and activists who rely on privacy and control of their data, he didn’t have an answer.
“From a privacy perspective, we need to empower users with knowledge about what their devices do,” Tynan concluded.