Monday 18 November 2013

Barr. Timothy Tion discusses the NCC directive to cybercafe owners and cybercrime Part 1


Recently I was on “ICT WORLD”, a radio Benue program to discuss the Nigeria Communication Commission (NCC) directive to cybercafé operators which came into effect on the 1st of November, 2013 directing all cybercafé licencees and operators in the country to maintain an up to date data base of its subscribers/users detailing information such as; full names, names of corporate body (in the case of a corporate establishment), traceable physical address, full faced passport photograph, telephone numbers, permanent residential address(not P. O. Box), evidence of registration with Corporate Affairs Commission(CAC)(applicable to corporate bodies only) and other forms of identification including international passport, driver’s licence, national identity card, etc.
According to the NCC, this database is to aid law enforcement authorities in fighting the increasing rate of cybercrime committed through cybercafés across the country.
Here is the link to download the discussion. To download; click the "download" icon in green. Listen and let me get your feedback. Thank you.

UPDATE 22 DECEMBER 2020
The above link to the discussion is dead. Here is a new link to the discussion which is divided into parts 1 and 2. Listen to part 1 here and part 2 here

Friday 1 November 2013

PRIVACY, NIGERIA COMMUNICATIONS COMMISSION AND CYBERCAFES


On the 21st of October, 2013 Nigeria’s telecommunications regulator; the Nigeria Communications Commission (NCC), issued a public notice via its twitter handle; @NgComCommission, which came into effect on the 1st of November, 2013 directing all cybercafé licencees and operators in the country to maintain an up to date data base of its subscribers/users detailing information such as; full names, names of corporate body (in the case of a corporate establishment), traceable physical address, full faced passport photograph, telephone numbers, permanent residential address(not P. O. Box), evidence of registration with Corporate Affairs Commission(CAC)(applicable to corporate bodies only) and other forms of identification including international passport, driver’s licence, national identity card, etc.  According to the NCC, this database is to aid law enforcement authorities in fighting the increasing rate of cybercrime committed through cybercafés across the country.

It is not in doubt that cybercrime is rampant in Nigeria. A February 2010 report by the Internet Crime Complaint Centre named Nigeria the top African nation and third in the world (after USA and UK) in its global cybercrime ranking.  It has also been reported that Nigerian consumers lost a total of N1.246 trillion to cybercrime in 2012 and recently the Central Bank of Nigeria (CBN) reported that the Nigerian banking sector lost over 20billion through internet fraud. There is therefore every need to fight this cankerworm called cybercrime in Nigeria.However,the Government (NCC, law enforcement agents, etc.)must ensure that the fight against cybercrime is done within the limits of the law and must avoid infringing;without lawful justification, the constitutional right to privacy of millions of innocent Nigerians who use cyber cafes or do anything that may negatively impact on that right. It is yet to be proven by NCC that most of these crimes are committed using cybercafés. It is even debatable if these internet crimes are perpetrated using cybercafés considering the availability of faster internet on smartphones coupled with cheap internet plans been offered by the GSM service providers(for instance on 31 October 2013, Globacom slashed its blackberry internet subscription (BIS) tariffs by half.The Absolute Month platform which hitherto was N2,800 with 3GB data, now goes for N1, 000 with 3GB data) and the convenience of browsing the internet on smartphones, tablets and personal laptops which are increasingly becoming affordable.

Without conceding that cybercafés are used to commit most of the cybercrimes in Nigeria, let us assume that it is actually the case and NCC rightfully desires to step in to curb this monstrous menace of cybercrime by urging cybercafé lincencees and operators to keep an up to date data base of its subscribers/users (that is assuming the users in the case of non-corporate bodies; submit their actual data and not fictitious data). What then becomes of this huge data base of personal and sensitive information of individuals in the hands of cybercafé operators since there are no data protection laws regulating the use of such data in Nigeria? How long will such data be kept? What remedies are available for any person whose personal information has been misused? The data; for instance, phone numbers could be sold or leaked to companies who could use it to send spam or unsolicited/unwanted text messages(adverts) to people. Someone’s identity could also be stolen and used by criminals for e.g. the name, passport and phone number could be used to fabricate or produce a fake identity card and left at a crime scene. The Police on arrival at the crime scene could pick up the identity card and arrest the person whose name, picture and address appear on the card and interrogate or let’s say torture (because a times that is what their interrogation is all about) the person. In the long run it may be discovered that the identity card was fabricated and the person whose details appear on the card was not actually at the crime scene, however, such person may have suffered bodily injuries (sometimes severe) from the torture by the Police.

These concerns and issues raised above could be addressed to a large extent with a data protection law. In recent times many subscribers of the GSM providers in Nigeria have been flooded with promotional or commercial messages. These messages sometimes are unwanted text messages including commercial messages otherwise known as spam which could be annoying and intrusive. In the United States, two laws– the Telephone Consumer Protection Act (TCPA) and the Controlling the Assault of Non- Solicited Pornography and Marketing (CAN- SPAM) Act – have been enacted to address spam. The TCPA and the Federal Communications Commission’s (FCC) rules ban many text messages sent to a mobile phone using an auto dialer(auto dialer; according to Wikipedia, is an electronic device or software that automatically dials telephone numbers. Once the call has been answered, the auto dialer either plays a recorded message or connects the call to a live person). These texts are banned unless (1) you previously gave consent to receive the message or (2) the message is sent for emergency purposes.In the UK, the Privacy and Electronic Communications Regulations 2003 cover the way organisations send direct marketing by electronic means, including by text message (SMS). Organisations cannot send you marketing text messages you didn’t agree to receive, unless: (a) the sender has obtained your details through a sale or negotiations for a sale; (b) the messages are about similar products or services offered by the sender; and (c) you were given an opportunity to refuse the texts when your details were collected and, if you did not refuse, you were given a simple way to opt out in all the text messages you received.

China too is not left out in the legislative efforts to curb spam and protect personal data thus on October 25, 2013, the Chinese Congress passed an amendment to the Peoples’ Republic of China Law on the Protection of Consumer Rights and Interests (the “Amendment”);to address growing problems related to the misuse of consumers’ personal information in contemporary China.The Amendment establishes strict rules on how business operators should collect and use personal information, and how offenders may be punished. The Amendment emphasizes that the personal information collected by a business operator and its staff must be kept strictly confidential. It also prohibits business operators from leaking, selling or illegally providing such information to others, and requires operators to adopt appropriate technical measures to safeguard the information. At the same time, business operators may not send commercial messages to a consumer unless the consumer has provided consent or requested the information.

Apart from those countries mentioned above, many other countries have a law or laws aimed at protecting personal information or data. In South Africa, the Protection of Personal Information Act has been passed by parliament and is awaiting assent by the President; and in Mauritius the Data Protection Act 2004 (the “MU DPA”) was enacted for the protection of the privacy rights of individuals in response to the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals. The MU DPA came into operation in February 2009. Data Protection Regulations were issued in 2009 by the Data Protection Office. It is also responsible for ensuring compliance with the Data Protection Act and bringing enforcement actions.

Furthermore, in the UK they have the Data Protection Act;while in Mexico they have the Federal Data Protection Act. Also, in Japan they have the Personal Data Protection Act while in Canada they have the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the United States they have a host of laws aimed at protecting personal information or data some of which include the Right to Financial Privacy Act of 1978whichrequires a  subpoena  or  search  warrant  for  law  enforcement  ocials  to  obtain nancial records, the Telephone Consumer Protection Act of 1991whichprovides certain remedies from repeat telephone calls by telemarketers; and the Driver’s Privacy Protection Act of 1994, which restricts the states from disclosing or selling personal information in their motor vehicle records.

It would therefore be of great help if NCC (as a regulator with so much of our data) and other stakeholders could push for data protection laws as is the case in other countries mentioned above.

Moreover, it is even doubtful if this directive by the NCC would be of much assistance in investigating cybercrime cases as by merely maintaining a database of subscribers/users one cannot tell which user browsed the internet for a fraudulent purpose.

Wednesday 17 July 2013

BREAKING THE LAW AND GETTING AWAY WITH IT


Fellow Nigerians it is not only in our country that the rich, powerful or influential get away with breaking the law. Even in the United States it seems that the rich, powerful and influential can get away with breaking the law.
James Clapper, the Director of the National Intelligence lied to the US Congress when he was asked: “Does the National Security Agency collect any type of data at all on millions or hundreds of millions of Americans?” clapper replied “No, sir.” However, the leaks by Edward Snowden have shown that he lied and not only does the NSA spy on American citizens; it also spies on the rest of world. Lying to Congress is a felony under American law yet as I write he has not been charged knowingly lying to Congress unlike Roger Clemens who was charged with the same offence in 2010.

RIGHT TO PRIVACY IN THE INFORMATION AGE: MYTH OR REALITY

Introduction
We live in a world today where vast Information and Communications Technology (ICT) infrastructures and extensive flows of information have become natural and unquestioned features of modern life. For instance in when I sat for the Senior School Certificate Examination (SSCE), I registered for the examination via a non-electronic method. Nowadays, candidates for that examination register for it online, in much the same way as candidates for the Universities Matriculation Examinations (UME) and several other examinations. The tremendous growth of online services—everything from social media to ecommerce—has come to define our day-to-day lives in ways we could never have imagined a decade ago. This increasingly pervasive, unpredictable, and rapidly changing interaction between ICT and society poses a great threat to the right to privacy; especially informational privacy. The revelations that the US National Security Agency (NSA), Britain’s Government Communications Headquarters (GCHQ) and other government agencies are spying on or in the case of Nigeria; trying to acquire surveillance equipment to spy on their citizens’ internet communications and the rapid digitization of our routine activities, has brought to the front burner the question whether the right to privacy in the information age is a myth or reality. This article will examine the right to privacy in the information age. It will briefly examine certain laws or instruments providing for the right to privacy and how the right is been threatened or eroded in the information age and it would conclude on whether this right still exists.
Definition of terms:
<!--[if !supportLists]-->1.           <!--[endif]-->Information age: According to the online Free Dictionary, the information age is:
The period beginning around 1970 and noted for the abundant publication, consumption, and manipulation of information, especially by computers and computer networks.
<!--[if !supportLists]-->2.           <!--[endif]-->Privacy: Privacy  is  the  ability  of  an  individual or    group  to  seclude  themselves or information   about   themselves   and thereby reveal themselves selectively. According to a privacy think tank; Privacy International:
Privacy is the right to control who knows what about you, and under what conditions. The right to share different things with your family, your friends and your colleagues. The right to know that your personal emails, medical records and bank details are safe and secure. Privacy is essential to human dignity and autonomy in all societies.

Frank La Rue (Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression) in his report to the 23rd session of the Human Rights Council also defined privacy as:
…the presumption that individuals should have an area of autonomous  development,  interaction  and  liberty,  a  “private  sphere”  with  or  without interaction  with  others,  free  from  State  intervention  and  from  excessive  unsolicited intervention  by  other  uninvited  individuals. The  right  to  privacy  is  also  the  ability  of individuals  to  determine  who  holds  information  about  them  and  how  is  that  information used.
The law recognizes two types of privacy, namely; informational and physical privacy. Informational privacy basically relates to an individual’s right to control his or her personal information held by others while physical privacy according to the online encyclopedia; Wikipedia: can be referred to as the right to prevent intrusions into ones physical space or solitude. I am more concerned with informational privacy in this article.

Legal framework
The human right to privacy is recognized at the international level by instruments such as the United Nations Universal Declaration of Human Rights. Article 12 of the Declaration states that:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, or to attacks upon his honour and reputation.  Everyone has the right to the protection of the law against such interference or attacks.
In Europe Article 8 of the European Convention on Human Rights (ECHR) protects the right to privacy in Article 8.
In the US, privacy is protected by their constitution and through a plethora of privacy legislation dealing with specific types of personal information.  For example the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §§ 1221 note, 1232g — protects the privacy of school records. Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401–3422 — requires a  subpoena  or  search  warrant  for  law  enforcement  ocials  to  obtain nancial records. Health Insurance Portability and Accountability Act of 1996 — gives the Department of Health and Human Services (HHS) the authority to promulgate regulations governing the privacy of medical records. There are also several ways the US constitution protects privacy; for example the First Amendment right to speak anonymously, the First Amendment freedom of association, which protects privacy of one’s associations, the Fourth Amendment’s protection against unreasonable searches and seizures and the Fifth Amendment’s privilege against self-incrimination.
Section 37 of the 1999 Constitution of the Federal Republic as amended provides that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is guaranteed and protected.
The   right   to   privacy   was affirmed   in   the   case   of   Medical and Dental Practitioners Disciplinary Tribunal Vs.   Dr.   John Emewulu Nicholas Okonkwo (2001) 7 NWLR Pt.  711 p. 206 @ 244 Para E.
There are other statutory examples which seem to safeguard the right to privacy.  For  example  section  182  of  the  Evidence  Act, 2011 protects the confidentiality of communication during marriage by providing that no husband or wife shall be compelled to disclose any communication made to him  or  her  during  marriage  by  any  person  to  whom  he  or  she  is  or  has  been married; nor shall he or she be permitted to disclose any such communication, unless the person who made it, or that person's representative consents, except in suits  between  married  persons,  or  proceedings  in  which  one  married  person  is prosecuted for certain specified offenses.
There  are  limits  imposed  by  law on  a  person’s  rights  to  privacy. Examples  are  laws  dealing  with taxation  which  provide  for  certain specific     disclosures     by     the  individual. See also section 45 of the Nigerian constitution.
The right to privacy may also be trammeled where the trammeling activity, including communications surveillance, is justified by a prescribed law, necessary to achieve a legitimate aim, and is proportionate to the aim pursued.

Erosion of the Right to Privacy
Technological innovation and the proliferation of cellphones, tablets, and other basic tools of modern life, has given governments and companies the ability to extract, analyze, and indefinitely archive every single oral communication, text, key stroke, search term, website visit, and any other digital transaction that we make. Despite the widespread recognition of the obligation to protect privacy, governments especially of the western world have been carrying on surveillance activities which severely undermine the right to privacy. The leaks by Edward Snowden, a former contractor for the CIA, which exposed US spy programmes clearly shows that the right to privacy of internet users is seriously been threatened by the US which has prided herself as the defender of civil liberties. President Obama, a lawyer specializing in US constitutional law, was also critical about the restrictions on civil rights and liberties (e.g. The Patriot Act) enacted in connection with President George W. Bush's "War on Terror." However, since becoming the president, he has not reversed those restrictions he complained of during the Bush administration. President Obama in his forward to the White House privacy report stated that:
Americans have always cherished our privacy. From the birth of our republic, we assured ourselves protection against unlawful intrusion into our homes and our personal papers. At the same time, we set up a postal system to enable citizens all over the new nation to engage in commerce and political discourse. Soon after, Congress made it a crime to invade the privacy of the mails. Citizens who feel protected from misuse of their personal information feel free to engage in commerce, to participate in the political process, or to seek needed health care. This is why the Supreme Court has protected anonymous political speech, the same right exercised by the pamphleteers of the early Republic and today‘s bloggers.
In spite of this forward by President Obama which seemed as if he had interest in protecting the privacy of Americans his administration still went ahead to eavesdrop on or spy on internet communications of millions of Americans and foreigners alike through spying programs like Prism which allows the NSA to tap directly into the servers of nine internet firms including Facebook, Google, Microsoft and Yahoo to track online communication. The leaks also show that Britain's electronic eavesdropping agency GCHQ has also been gathering information on the online activities of internet users via Prism.  
In defending the NSA surveillance Obama said that the government is only looking at phone numbers and durations of calls, however, by knowing who an individual speaks to, when, and for how long, intelligence agencies can build up a detailed picture of that person, their social network, and more. Combine  that information with other data sets being collected, like credit card bills, and you could even deduce when a woman is pregnant before her own family knows, thereby violating her privacy (i.e. the right to control who knows about her pregnancy and under what conditions.)
The right to privacy is also been eroded or undermined by for-profit companies like Google and Facebook which collect our personal data and use them to make profit through targeted adverts. (Targeted advertisements are advertisements that take the data you provide to offer adverts specific to you.) For instance if on your Facebook profile you state that you like jazz music Facebook uses that data or information to provide you with jazz related adverts or if you log onto Facebook and your IP address (a unique series of numbers assigned to every computer or device connected to the internet) shows you are from Nigeria you will be targeted with adverts from Nigerian companies/websites or Nigerian products/services.
As the number of people who use smartphones/tablets increases so does our right to privacy diminishes or dies away. Smartphones have applications that make it easy for privacy to be breached. For example functions like geotagging, which when turned on can show the geographical location at which pictures have been taken thereby revealing your location which you would probably have preferred not to disclose.
Certain smartphone apps (applications) that we install on our phones are known to secretly upload phone contacts (address book) to servers/computers without users’ permission and this resulted in a class-action lawsuit against Facebook, Apple, Twitter and 15 other companies in 2012 for invasion of privacy.
Daniel J. Solove, a leading privacy law expert in his book; “The Digital Person: Technology and Privacy in The Information Age” on pages 23 to 25 details how browsing the web impacts on your privacy. Permit me to quote extensively from his book. He explains thus:
Currently, there are two basic ways that websites collect personal information.  First, many websites directly solicit data from their users.  Numerous websites  require  users  to  register  and  log  in,  and registration  often  involves  answering  a  questionnaire.  Online merchants amass data from their business transactions with consumers.
For  example,  I  shop  on  Amazon.com(since this article is targeted mainly to a Nigerian audience I prefer replacing Amazon.com with konga.com or jumia.com.ng which are two of the leading Nigerian online shops used by many Nigerians; in order to make this explanation more clearer),  which  keeps  track  of  my  purchases in books, videos, music, and other items. I can view its records of every item I’ve ever ordered... When I click on this option, I get an alphabetized list of everything I bought  and  the  date  I  bought  it.  Amazon.com uses its extensive records to recommend new books and videos. With a click, I can see dozens  of  books  that  Amazon.com  thinks  I’ll  be  interested  in.  It is eerily good, and it can pick out books for me better than my relatives can. It has me pegged.
Websites can also secretly track a customer’s websurng. When a person explores a website, the website can record data about her ISP(internet service provider), computer  hardware  and  software,  the  website  she  linked  from,  and exactly what parts of the website she explored and for how long. This information is referred to as “clickstream data” because it is a trail of how a user navigates throughout the web by clicking on various links. It enables the website to calculate how many times it has been visited and what parts are most popular. With a way to connect this information to particular web users, marketers can open a window into people’s minds. This is a unique vision, for while marketers can measure the size of audiences for other media such as television, radio, books, and magazines, they have little ability to measure attention span. Due to the interactive nature of the Internet, marketers can learn how we respond to what we hear and see.  A website collects information about the way a user interacts with the site and stores the information in its database.  This information will enable the website to learn about the interests of a user so it can better target advertisements to the user. For example, Amazon.com can keep track of every book or item that a customer browses but does not purchase.
To connect this information with particular users, a company can either require a user to log in or it can secretly tag a user to recognize her when she returns.  This latter form of identification occurs through what is called a “cookie.” A cookie is a small text le of codes that is deployed into the user’s computer when she downloads a web page. Websites place a unique identification code into the cookie, and the cookie is saved on the user’s hard drive. When the user visits the site again, the site looks for its cookie, recognizes the user, and locates the information it collected about the user’s previous surng activity in its database. Basically, a cookie works as a form of high-tech cattle-branding.
Cookies have certain limits. First, they often are not tagged to particular individuals—just too particular computers.  However, if the website requires a user to log in or asks for a name, then the cookies will often contain data identifying the individual.  Second,  typically, websites  can  only  decipher  the  cookies  that  they  placed  on  a  user’s computer; they cannot use cookies stored by a dierent website.
To get around these limitations, companies have devised strategies of information sharing with other websites. One of the most popular information sharing techniques is performed by a firm called DoubleClick. When a person visits a website, it often takes a quick detour to DoubleClick. DoubleClick accesses its cookie on the person’s computer and looks up its prole about the person. Based on the prole, DoubleClick  determines  what  advertisements  that  person  will  be most responsive to, and these ads are then downloaded with the website  the  person  is  accessing.  All this occurs in milliseconds, without the user’s knowledge. Numerous websites subscribe to DoubleClick. This means that if I click on the same website as you at the very same time,  we will  receive  dierent  advertisements  calculated  by  DoubleClick  to  match  our  interests.  People may not know it, but DoubleClick cookies probably reside on their computer. As of the end of 1999, DoubleClick had amassed millions of customer proles.
Another information collection device, known as a “web bug,” is embedded into a web page or even an email message. The web bug is a hidden snippet of code that can gather data about a person. For example, a company can send a spam email with a web bug that will report back when the message is opened. The bug can also record when the message is forwarded to others. Web bugs also can collect information about people as they explore a website. Some of the nastier versions of web bugs can even access a person’s computer les.
Companies also use what has become known as “spyware,” which is software that is often deceptively and secretly installed into people’s computers. Spyware can gather information about every move one makes when surng the Internet. This data is then used by spyware    companies    to    target    pop-up    ads    and    other    forms    of advertising.
Flowing from the above it can be deduced that we have lost our right to privately make purchases or to make certain purchases unnoticed, our right to read a book privately as some books are published only in e-book format and some newspapers only exist online thereby forcing one to read them online where one’s clicks and page views are tracked and companies are doing everything in their power to associate those clicks and page views with one’s names, addresses, demographic information, and other personal information.

Conclusion
Considering the extent to which the right to privacy (and please do remember I am more concerned in this article with the right to informational privacy) is been eroded as has been earlier explained above, it may not be out of place to conclude that the right to privacy in the information age is a myth. However, the extent to which this is correct depends on where you live in the world. People living in countries with less internet penetration rates (penetration is the rate of a country's population which are internet users) may not have lost their right to privacy as much as people in countries with high internet penetration rates.
The conclusion that the right to privacy in the information age is a myth is somewhat buttressed by Glenn Greenwald, a former constitutional lawyer and now columnist on civil liberties and US national security issues for the Guardian and also author of the book: “With Liberty And Justice For Some: How The Law Is Used To Destroy Equality And Protect The Powerful.” Greenwald while commenting on the NSA’s mass and indiscriminate bulk collection of the internet communications of millions of citizens of Brazil said thus:
That the US government - in complete secrecy - is constructing a ubiquitous spying apparatus aimed not only at its own citizens, but all of the world's citizens, has profound consequences. It erodes, if not eliminates, the ability to use the internet with any remnant of privacy or personal security.
The conclusion is further buttressed by the documentary: “‘Terms and Conditions May Apply” which exposes what corporations and governments learn about people through internet and cell phone usage, and what can be done about it, if anything. In reviewing the documentary Lloyd Grove of dailybeast.com, hit the nail on the head thus: 
With the Facebooks and the AT&Ts of the world hungry to know you better for the bottom line's sake, and with the government empowered to ask them to pass along what they know without the bother of a Fourth Amendment search- and- seizure test, the goose of privacy has been cooked, sauced and served.
Privacy is a very important right which enables us to exercise and enjoy other rights like freedom of expression which is guaranteed under section 39 of the 1999 constitution of Nigeria as amended. It empowers us to feel that we can speak freely, associate freely, and access information freely.
It is therefore sad that this right appears to be dead as even the tools which exist to ensure privacy online are not user-friendly or common place compared to the ones which do not protect our privacy as explained by Timothy B. Lee in the article: NSA Proof Encryption Exists. Why Nobody Doesn’t Anyone Use It? Tor Browser is good for protecting privacy but can only be used effectively by those who are highly skilled computer users.
You may be wondering why it is sad but the right to privacy also includes  the  ability  of individuals  to  determine  who  holds  information  about  them  and  how  is  that  information used. However, once your personal information is collected by the numerous websites you visit on the internet, you may lose control over how and what they can do with that information.  You therefore lose your right to privacy. Remember also that privacy is  the  ability  of  an  individual or    group  to  seclude  themselves or information   about   themselves   and thereby reveal themselves selectively. On the internet it is very difficult to seclude information about yourself and reveal it selectively.
There are certain programmes like Adblock Plus, Ghostery (which blocks the invisible tracking cookies and plug-ins on many web sites, showing it all to you, and then giving you the choice whether you want to block them one-by-one, or all together so you'll never worry about them again. The best part about Ghostery is that it's not just limited to social networks, but will also catch and show you ad-networks and web publishers as well) and Do Not Track. These will only protect your personal information from been tracked, collected and analyzed for advertisement purposes but not against secret, overly broad and unlawful surveillance or monitoring by NSA or GCHQ.