GCHQ and the US National Security Agency (NSA) have access to intercepted emails sent and received by all members of the UK Parliament and peers, including correspondence with their constituents, a Computer Weekly investigation has established.

The intelligence agency in Cheltenham has been able to harvest traffic details of all parliamentary emails, including details of the sender, recipient and subject matter, for at least three years. As a result, details of private email correspondence between MPs and constituents are being collected by GCHQ as a matter of routine.

GCHQ documents classified above top secret, released by NSA whistleblower Edward Snowden, also reveal that the spy agency has the capability to scan the content of parliamentary emails for “keywords” through an established cyber defence network that is connected to commercial software used to filter spam emails from MPs’ inboxes.

Disclosures raise new questions over IP Bill

The disclosures, which come as the House of Commons prepares for the Third Reading of the government’s controversial Investigatory Powers Bill on Monday 6 June, raise new questions over the sweeping powers to be granted in the bill to police and the security services.

The controversial decision by Parliament to replace its internal email and desktop office software with Microsoft’s Office 365 service in 2014 means that parliamentary data and documents constantly pass in and out of the UK to Microsoft’s datacentres in Dublin and the Netherlands, across the backbone of the internet.

Because files and emails leave the UK’s borders in this way, they are automatically accessible to GCHQ’s bulk interception system, Tempora. According to previously published Snowden documents, Tempora uses “probes” on commercial optical fibre cables crossing the Irish Sea and English Channel to harvest data. Under existing law, GCHQ is permitted automatically to store datasets containing details of the senders, recipients and headings of all emails in and out of the UK, including internal UK-to-UK messages.

Forensic analysis shows 65% of Parliamentary emails routed overseas

Computer Weekly has carried out a forensic analysis of hundreds of emails sent to the magazine or the writers from parliamentary email addresses, using “header” information within the emails to trace the route of the emails.

The study showed that most of the mail messages (65%) were routed internationally, through Dublin and the Netherlands. About one-third were relayed by Microsoft’s new London datacentre. Cloud providers, such as Microsoft, use load-sharing procedures to distribute emails and data to more than one datacentre. Every message also contained references to having been passed through clusters of scanning computers connected to GCHQ and located in the UK, France and Germany.

The NSA’s Prism system offers access to all parliamentary documents and email through Microsoft Office 365 software, as a result of secret directives given to Microsoft under controversial US 2008 surveillance laws. The directives were implemented at the same time as Microsoft was selling its cloud system, Office 365, to the Houses of Parliament. Since concerns were raised about the NSA’s ability to access data stored by US technology companies, Microsoft has been rushing to build two new UK datacentres.
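The header-based route tracing described in the forensic analysis above can be reproduced on any received message. The following Python sketch is an added illustration, not Computer Weekly’s own tooling: it reads the Received lines of a constructed message and lists the countries the relays sit in. All hostnames, addresses and the `SITES` lookup are invented for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: every hostname, address and timestamp is invented.
SAMPLE = """\
Received: from mx2.reader.example (192.0.2.30) by inbox.reader.example
 with ESMTPS id r3; Mon, 6 Jun 2016 09:15:07 +0000
Received: from scan7.filter-de.example (198.51.100.20) by mx2.reader.example
 with ESMTPS id q2; Mon, 6 Jun 2016 09:15:05 +0000
Received: from out1.cloud-ie.example (203.0.113.10) by scan7.filter-de.example
 with ESMTPS id p1; Mon, 6 Jun 2016 09:15:02 +0000
Received: from client.office.example (192.0.2.5) by out1.cloud-ie.example
 with ESMTPSA id o0; Mon, 6 Jun 2016 09:15:00 +0000
From: sender@office.example
Subject: constructed test message

"""

# Hypothetical suffix-to-country map; a real one comes from provider records.
SITES = {".office.example": "GB", ".cloud-ie.example": "IE",
         ".filter-de.example": "DE", ".reader.example": "GB"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def trace_route(raw):
    """Return (from_host, by_host, timestamp) per hop, oldest hop first."""
    hops = []
    # Each relay prepends its own Received line, so reverse for send order.
    # Lines added before the first relay you trust can be forged.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        match = HOP.search(value)
        if match and ";" in value:
            stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            hops.append((match.group(1), match.group(2), stamp))
    return hops

def site_of(host):
    return next((c for s, c in SITES.items() if host.lower().endswith(s)), "??")

def countries(hops):
    """Countries the message passed through, consecutive repeats collapsed."""
    path = [site_of(hops[0][0])] if hops else []
    for _, by_host, _ in hops:
        if site_of(by_host) != path[-1]:
            path.append(site_of(by_host))
    return path

def left_country(hops, home="GB"):
    return any(c != home for c in countries(hops))
```

Run over a mailbox export, the share of messages for which `left_country` is true gives the kind of percentage the study reports.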

Wilson Doctrine does not protect MPs

MPs’ communications have been partially protected from interception for over 40 years under the “Wilson Doctrine”, introduced by the former prime minister Harold Wilson in 1968. But this offered no protection to communications that leave the UK’s borders, which are subject to automatic bulk collection by GCHQ.

“The House of Commons administration has serious questions to answer,” according to former Home Office minister and Conservative MP David Davis. “On whose authority was ‘consent’ granted to view members’ emails? How did they manage to obtain that consent from every one of the 650 members whose constituents’ confidentiality is affected?

“The government too has questions to answer as to why it did not explain this when asked on many occasions about the effect of the Wilson Doctrine,” he added. “The government should also make it clear to parliament the extent to which scanning of all mail by a US-controlled company has made Parliamentary communications vulnerable to agencies of a foreign power, namely the American NSA.”

How Parliament’s emails are under scrutiny

GCHQ’s Tempora system collects internet communications from optical fibre cables and automatically stores metadata, including sender, recipient and subject line, from MPs’ emails as they pass from the UK to Microsoft’s datacentres in Dublin and Holland, through tapped internet cables.

The US National Security Agency (NSA) and FBI have automatic access, using the Prism system, to documents saved by MPs on Office 365 OneDrive and held in Microsoft datacentres used by Parliament.

GCHQ has direct access to scan parliamentary email through a secret cyber-defence network, known as Haruspex, for “national security” purposes.

Labour deputy leader Tom Watson MP told Computer Weekly: “This will shock many of my parliamentary colleagues and provides a further illustration of why it is right for the government to give additional protections in law to MPs, lawyers and journalists. Theresa May has the opportunity to do this during the passage of the IP Bill in Parliament.”

“There is no doubt that MPs, by virtue of their work, are more likely to be targeted by the UK’s enemies. It is understandable that our security services want to take steps to protect them, but any and all measures they introduce must be based on consent,” he added.

SNP spokesperson Gavin Newlands MP said: “The SNP share the concerns that have been expressed over the partial removal of protection offered to privileged correspondence. It is of the utmost importance to any modern democracy that parliamentarians are able to communicate with constituents and advisers in complete confidence.”

The MP's comments came as the home secretary, Theresa May, made last-minute concessions on the Investigatory Powers Bill to strengthen the Wilson Doctrine. Under revisions announced on 1 June, the prime minister must in future give explicit approval for law enforcement agencies to hack into MPs’ computers and phones or to access their communications data.

Secret cyber defence system has links to MessageLabs

Computer Weekly’s investigation also confirmed that MPs’ incoming and outgoing emails are automatically scanned through a network run by MessageLabs, a subsidiary of another US corporation, Symantec, which has been contracted by Parliament to provide services including spam filtering and malware detection.

MessageLabs provides GCHQ with direct access to parliamentary emails, through a secret cyber security network called Haruspex, according to GCHQ’s “Cyber Defence Operations” legal policy instructions disclosed by Edward Snowden. The scanning system has been in operation for at least a decade.

The documents reveal that Haruspex has been extended beyond “the detection, analysis and prevention of network-based attacks” against government computer systems, to allow it to be used to report other activities, provided they are in the interests of “national security” – a concept the government has refused to define. Members of the Scottish National Party and Labour Party, who have scrutinised the Investigatory Powers Bill, have criticised the government for misusing “national security” to justify surveillance operations against trade unionists and critics of the police.

The MessageLabs scanning system, used on all emails to and from Parliament, can be programmed to detect keywords as well as to look for malicious attachments or spam. MPs and peers have not been told about the MessageLabs system, nor specifically asked for permission for their emails to be scanned in this way.

Computer Weekly put a series of questions to Symantec, the US corporation that supplies the MessageLabs service, about the role of MessageLabs in Parliament and its links to Haruspex. A spokesperson said: “Symantec has legal non-disclosure agreements with all of our customers and, as a result, cannot discuss specific cases.”

Parliament’s move to Office 365

In May 2013, Parliament began the path to an updated IT system that ultimately left MPs’ emails and documents exposed to greater risks of surveillance from the UK and US intelligence services. Joan Miller, then the director of Parliamentary ICT (PICT), told the House of Lords management board: “Office 365 had a slightly higher risk relating to data sovereignty, but Microsoft’s and the House’s lawyers…felt that the chance of the risk materialising was low.”

Less than a month later the Guardian revealed the Snowden document leak and the existence of the NSA’s Prism programme, which requires US companies, including Microsoft, to build systems to allow the NSA and the FBI to access, on-demand, their customers’ messages and files, including documents held in cloud datacentres. Within a week, Miller told Parliament’s management board that “PICT had reviewed its advice on data sovereignty and cloud computing following news stories about PRISM and was content that the risk was unchanged.”

Low risk not no risk

“We didn’t think there was no risk, we thought it was a low risk [in 2013],” she told Computer Weekly. Asked if “UK parliamentary data may end up being requisitioned by the NSA”, she said: “We did consider that, yes.”

Miller, who retired as director of parliamentary IT in 2014, told Computer Weekly that Microsoft claimed to have doubts over the legality of the secret orders issued by the US government to obtain data under Prism and would be prepared to challenge it in court.