PRISM: A Technical Analysis

As a libertarian I am automatically suspicious that government agencies may be spying on us all the time, though the story about PRISM in this week has aroused my technical curiousity.

The article in the Guardian appears to rely on a single Powerpoint file of dubious provenance. It was provided by a chap who hides his head and keyboard under a blanket when logging in so his password cannot be seen, despite him alleging that he’s aware of a program that can read most emails and messages on the planet. He is now ‘in hiding’ in a Hong Kong hotel room.

Whilst the Director of National Intelligence, James Clapper, has admitted that there is collection of data on non-US citizens under Section 702 of FISA, he said that the reports in the Guardian and Washington Post “contain numerous inaccuracies“. Also, several of the companies whose data is allegedly being accessed have already denied this.

I am not disputing that a collection programme exists, only that the scope of it portrayed in those newspapers is highly unlikely. I am still uncertain whether Clapper or Obama were referring to the Verizon court order, uncovered the previous day, in their limited admissions.

[Please note that many of the included calculations are rough and ready – I’ve a day job and am blogging this in my lunchtime! If someone wants to pay me to undertake a more accurate assessment then I’m happy to elaborate.]

Information On Slides Released So Far

One slide lists the following providers: Microsoft, Google, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL and Apple.

Courses and Types of data available from PRISM

Slide from Guardian showing sources and types of data available from PRISM

The same slide then asserts “What Will You Receive in Collection (Surveillance and Stored Comms)?” and then lists the following: E-mail, Chat (video, voice), Videos, Photos, Stored Data, VoIP, File transfers, Video Conferencing, Notifications of target activity – logins, etc., Online Social Networking details and Special Requests (sic).

Now firstly, let’s analyse what is meant by both Surveillance and Stored Comms. Surveillance means to watch someone, taking note of their activities, such as when they send a message and to whom. Many online are correctly referring to this as metadata, that is data that refers to other data. Interestingly my reading of the situation is that collection and analysis of this metadata many not need a warrant under US (and other countries’ legislation), whereas looking at what’s in the message definitely does. If the PRISM system was just collecting metadata then the collection requirements would be considerably less, though still enormous based on the providers and services listed above.

Secondly, let’s consider Stored Comms. This means storing the actual communication. With an email this can be as small as a few thousand bytes, instant messaging would be even less. Picture data would be huge, and videos would be even larger. Videoconferencing would be enormous – around 1MB of data per minute at least, increasing up to 11MB per minute for HD quality videoconferencing.

Let’s take a couple of examples. Firstly Facebook.

Facebook users are adding 350 million new picture files a day and Facebook already holds over 240 billion pictures (2012 figures). To support this growth Facebook engineers have to deploy (install) 7 Petabytes of new storage per month. That’s 7,000 Terabytes; or 7,000,000 Gigabytes; or 7,000,000,000 Megabytes. A conservative estimate of cost is around $3m per month for purchasing additional storage alone. If hosted on Amazon’s Glacier storage (the lowest price, slowest recovery storage) it would cost $20m a year just for Facebook photos alone!

A second example is Skype.

Skype: Skype does not record calls so for VoIP calls to be recorded the NSA would need to record every single conversation in real-time. Architecturally this is impossible as many calls do not route through Skype equipment, but are still connected peer-to-peer, despite changes to the Skype architecture listed in the blog above. A quick conservative estimate of Skype voice data is at least 147 Terabytes a month alone (based on June 2012 data from the Skype blog above), without any other transferred files or chat.

Other services to consider briefly:

  • Apple: iCloud storage of all iPhones, iPods and iPads with automatic backups enabled.
  • Microsoft: Hotmail (360 million users in July 2011) plus, one assumes, all cloud hosted email via Office 365 (over a million users).
  • Google: All Google search data (100 Billion per month), plus Gmail (425 million active users a month).
  • Yahoo!: Email and searches.
  • YouTube: Videos – one estimate here is 22.7 Terabytes per day.

The cumulative data requirements could easily be estimated from their press releases and blogs, sadly I don’t have time to do this.

Put The Captured Data In The Cloud?

Using commercial cloud providers has been suggested as to how the NSA can store all this data – because “it’s cheap”. No it isn’t. The storage costs would be phenomenal, plus the processing costs. Any data I/O to remote datacentres is even more costly. If the NSA were to do this they would have to host it in the data source companies’ datacentres or its own military-grade secure facility, connected by dark fibre to each datacentre of each data source.

Technical Flaw – Telecoms

One of the slide graphics released suggests that there is a system called ‘Upstream’ that allows access to telecoms data “from fiber cables and infrastructure as the data flows past“.

Slide from Guardian showing 'Upstream' data collection

Slide from Guardian showing ‘Upstream’ data collection

Whilst gathering data from optical fibre cables is technically possibly, it would be very difficult physically and would be noticeable to the telecoms provider due to drops in signal strength. A fibre contains many channels (or wavelengths) of light, each of which will also have many channels of data multiplexed into it. Therefore this single statement alone damages the technical credibility of the presentation. Also there are too many cables coming in and out of the US for them to tap into all the actual fibres. (I was involved in the project to build just one of the existing transatlantic cables a decade ago, so have experience in this area).

If they were just connecting to telecoms ‘infrastructure’ (switches, multiplexers, etc.) then it would be more believable, although this is still pretty much impossible as the data volumes are enormous and much data is encrypted.

To tap into an interactive conversation, as per the Bourne films, whether over chat, voice or video would not be possible in real-time without knowing a considerable number of parameters, many unknown even to the network provider. Recording the data for later reference (with or without court order) would still require phenomenal amounts of storage. Cisco’s latest Visual Networking Index estimates global IP Internet traffic last year was 43,570 Petabytes per month (43,570,000 Terabytes, 43,500,000,000 Gigabytes): this equates to 16,700 Gigabytes of IP traffic a second. This would require 20 x 900 Terabyte hard drives a second to store this, costing approximately $6,000 a second!

Conclusion

While I don’t think the scope of data collection from servers as envisaged by the Guardian is impossible, I do think it’s highly improbable and would cost many $Billions per annum (just look up the IT storage costs of the companies above for an indication). If PRISM does exist it is likely to only capture metadata, that is data about conversations. This would still be a considerable amount of data and would require costs orders of magnitude above the $20m cited in the other slide below.

Guardian slide on PRISM sources

Guardian slide on PRISM sources

My personal instinct is that this Powerpoint is a fraud, for whatever reason. Whether the PRISM data collection programme exists is another question. If it does I don’t think the above released information would accurately reflect its capabilities nor its effectiveness. At best, it enables the NSA to search many metadata databases, though the legality of this, as either participant could be a US Citizen, is also dubious.

I still don’t trust any government with access to my data, but I’m not convinced any government, especially the US Government, has this capability. Yet.

Footnotes

The copyright of this article remains with the author. It can be used only if attributed to The New Liberty blog.

P.S. To the NSA, if you ever want to build something like PRISM properly then give me a call, I’m sure you know my number and my billing rates!

UK Uncut, Corporation Tax And The Politics Of Envy

Introduction

On Saturday 8th of December the activist organisation UK Uncut held demonstrations at “more than 40” Starbucks Coffee branches across the UK (44 apparently). UK Uncut have a history of activism against companies it considers to be ‘tax avoiders’. Previous “targets” have included Vodafone, Tesco, Barclays and Boots. UK Uncut has boasted that its goal is to protect the taxpayer-funded public services from cuts that the coalition government have said are necessary to reduce the public deficit. UK Uncut instead states that the shortfall can be met solely by clamping down on ‘tax avoidance’ by large companies.

This article is not going to debate the cuts, nor government claims they are necessary.

The Financial Aspects Of Starbucks ‘Tax Avoidance’

From UKUncut’s downloadable flyer:

“What’s wrong with Starbucks? Plenty. UK Uncut are targeting Starbucks over their tax avoidance, in the last three years they’ve paid no corporation tax at all, despite making sales of £1.2bn.”

Interestingly over four years the Guardian Media Group made comparable revenue (sales) and ‘paid no corporation tax at all’. In fact  the group’s revenue from the four tax years 2009-2012 was £1.1bn. It made a cumulative £237.6m loss over this period and received total tax ‘credits’ of £30.4m (made up of refunds in three of the four years). This is a perfectly legal within UK tax law and would have been approved by Her Majesty’s Revenue and Customs (HMRC).

The flyer continues with this brilliant line: “Because of the way they’ve managed to shift money around inside their global corporate empire…” Empire? Who are they subjegating? Which countries did they invade? Can anyone hear Darth Vader’s theme tune now?

Next they say: “Starbucks has managed to pay no taxes by shifting money around between Starbucks companies in different countries, so that its accounts show it made a loss in the UK. As corporation tax is paid on profits, by recording no profits they weren’t due to pay any tax.”

Firstly: “shifting money around”, that is paying another part of the business for goods or services, in this case coffee beans and brand licensing (intellectual property). I would argue that without the coffee beans or the brand it wouldn’t be Starbucks.

Secondly: “its accounts show that it made a loss”. Correct, it made a loss. “…by recording no profits” – because there were none – “they weren’t due to pay any tax.” Correct – next statement of fact please?

So how do the international business experts at UK Uncut propose to deal with this? “The government can clamp down on tax avoidance by changing the UK’s tax rules to stop companies funnelling millions of pounds of profits out of the UK.” Well, sort of. While the UK government can enact legislation concerning corporation tax profits made here, there exist various tax treaties between countries, including the prevention of ‘double taxation’, that is tax charges being levied on the same profits in two countries of operation.

UK Uncut make this solution sound simple; it’s not. Even Paul Lewis, a financial journalist who frequently reports these tax arrangements on Twitter, has said: “The problem about legislating to stop these cunning cross border tax evoidance (sic) schemes is that it involves multinational agreement.”

Corporation Tax Is Confusing

Even worse, UK Uncut admits it has no idea how much tax is ‘the appropriate amount’. Danni Wright, representative of UK Uncut interviewed by the BBC, was unclear on how much tax Starbucks should be paying.

Interviewer: “How much tax do you think Starbucks ought to be paying? I asked your colleague this earlier and she couldn’t tell me. What, what figure do you think they should be paying?”

Danni: “They should be paying, um, you know, the, the appropriate amount. Part of the problem with the tax…”

Interviewer: “Well they’re paying the appropriate amount within the law, they would argue.”

Danni: “Well that’s the problem, you know, it’s about greater transparency of the tax system, stronger regulation and clearer signs from the government as to what the correct amount it.”

So the accusations are based on the fact that Starbucks pays the legally required and approved amount of tax as agreed between itself, its accountants and HMRC, the UK Government’s tax collector; but UK Uncut believes they should pay more. The Guardian, which has paid less tax than Starbucks on comparable revenues, also pays the legally required and approved amount of tax. So why the different approaches to these two ‘tax-avoiding’ companies, as UK Uncut would claim?

The Politics Of Envy

So why target Starbucks, a successful American-owned multinational brand? Is it possibly related to the brand’s inclusion in Naomi Klein’s book on anti-globalisation, No Logo, which criticises Starbucks for aggressive invasion (sic) of a region?

Google, Amazon, Apple and Microsoft, have also come in for criticism for the way they conduct their UK tax affairs, although strangely little has been said about these yet by UK Uncut; maybe they would struggle to survive without these, or is that criticism unfair? (Or should that be UK Unfair?)

Other targets have included the banks that were bailed out by the previous Labour government to the tune of £65bn, Lloyds Banking Group and Royal Bank of Scotland, and, strangely, banks that were not: Barclays and HSBC. The issue UK Uncut appears to have with these banks is that they pay their staff bonuses.

So it’s not just ‘tax avoidance’ – it’s wealth creation in general that upsets these activists. Whether its creators meant it to or not, UK Uncut has become a vehicle for the usual band of ‘anti-globalisation’ (i.e. anti-capitalists), such as Socialist Worker – as can be seen clearly here in this video; watch out for the prominent ‘Tax the rich’ signs at 00:10.

Conclusion

This group no longer has credibility, if it ever did, and its actions at Starbucks are reprehensible. The intimidation of customers and staff (often immigrant baristas) can be seen in this video; chants including “Starbucks: Pay your tax or we will shut you down” demonstrate their attempts at bullying the staff and customers into taking their business and labour elsewhere. It is often wrong on the facts of what has been paid and conversely it demonstrates no concept of what it thinks should be paid. It targets popular businesses but ignores others with similar tax profiles, such as the Guardian (with its similarly dubious approach to reporting corporation tax cases), demonstrating its inherent political bias.

So in summary: a movement that uses implied force, targets a foreign-owned business, but not a comparable organisation that aligns with its politics. Isn’t this how the brownshirts began their brand of revolution?

UK Uncut insists that Starbucks should pay some indeterminate higher amount of tax, not decided by tax legislation enacted by parliament, or enforced with the rule of law, but instead decided and coerced by the baying mob. Witness the politics of envy in action.

Lies, Damned Lies and Dodgy Statistics – The Guardian’s approach to financial reporting

Introduction

Before we begin let me make a few statements:

  1. Firstly, I love the Guardian. Its style, commentators and quality of journalism are nearly unsurpassed in the UK’s daily newsprint media. Only the FT is better in my opinion;
  2. Secondly, I cannot abide the misuse of statistics or data, whether unintentional, through ignorance, or intentionally through malice;
  3. Lastly, I have no time for the Conservative Party[1], nor any political party, and am always dubious of political donations, whether from company or union.

The article

On Tuesday the fifth of June, 2012 The Guardian published a piece on page 7 about Lycamobile and their donation to the Conservative party. This was written by Rajeev Syal and Solomon Hughes.

In it they referred to the donations of “more than £300,000 over the last nine months”. I cannot and do not disagree with this data, as I have no independent way to verify it; the data is purported to come from the electoral commission. However the first line of the article stated that the company “has paid no corporation tax for three years”. It then later in the article states that the company “did not pay any tax between 2008 and 2010, despite generating a turnover of between £47m and £88m”. Before I start any analysis just a basic understanding of the way company accounting works suggests that this is in fact two financial years, 2008-2009 and 2009-2010 (their financial year runs from 1st March to 28th February the following year; so this is not actually ‘three years’. Also, confusingly, why is there such a variance in the revenue figures of £47m and £88m – that’s quite an error margin!

Corporate Taxation 101

Now let us start with some basics for those not initiated in corporate taxation; if you are then please skip this paragraph. Revenue is the money the company earns due to its principal business activities. Then a company has costs, or outgoings. These costs are paid for from the revenue or from savings (capital carried over from previous years or other investments, such as share capital or loans). If the costs cannot be met by revenue or savings and investments then the company is insolvent and can be declared bankrupt. If the outgoings are less than the revenue then the difference is called a profit (the opposite case is called a loss). These profits are subject in most countries to some form of taxation on profits. In the UK this is called Corporation Tax (or CT). If a loss is made then no tax is due. Losses can be carried over to subsequent years when profits are made to balance them out. This is logical, otherwise a company gets taxed on the upside, when it is profitable, but has no help on the downside.

The Guardian’s analysis

Now let us go back to the Guardian’s first sentence: “A mobile phone company that has paid no corporation tax for three years”. Can you see where this may be going yet? So having checked the published company accounts from Companies House I can clarify this misstatement as containing a number of errors:

  1. The figures are in fact for two financial years: 2008-2009 and 2009-2010 (24 months), as I suspected. Reporting this as “for three years” is factually incorrect and either professionally negligent or deliberately misleading.
  2. The revenue figures quoted are £47m for 2008-2009 (actually £47.9m, conventionally rounded to £48m) and £83.9m (not £88m) for 2009-2010 respectively. To report this as “between £47m and £88m” is semantically incorrect as well as professionally incompetent.
  3. The company made a loss in both 2008-2009 (-£10.9m) and 2009-2010 (-£8.3m). Therefore no UK Corporation Tax should be due on earnings in these years. However £8,465 was paid in CT in 2008-2009, possibly due to its minimal profits carried over from the previous year of £40,863. Therefore the statement “paid no corporation tax” is also untrue and either professionally negligent or deliberately misleading.

Interestingly the company did make a profit in 2010-2011 of £4.6m from revenues of £116.8m. And paid no Corporation Tax! This is because it was able to completely legally offset this profit against its loss of £8.3m the previous financial year. Some of those with a socialist leaning may not like this ability to offset losses against profits, but it has been around for a long time. I am surprised the Guardian didn’t lead with the more sensational, but at least factually correct, headline that ‘the company made £249m in revenue over three years (correct as 2008-2011) and has paid minimal corporation tax‘(£8,465). In reality across four years it has made a £14.6m loss and has paid 8,465 Corporation Tax on that, which seems pretty fair. Even if it hadn’t made its enormous political donations of £300,000 to the Conservative Party, alleged by the Guardian, this would not have reduced those losses.

The Company’s market

It could be implied from the article that the company should somehow be more profitable; to the innumerate that this could all appear to be some elaborate tax-dodge. However Lycamobile, which started in late 2006, operates as what is called a ‘virtual network mobile operator’; that is it has no physical mobile telephony infrastructure itself, only usually having the billing platforms that are traditionally associated with the real mobile provider (of which we only have 4 now in the UK[2]). Frequently the virtual network operator is supplied all the necessary IT and network infrastructure by the actual network services provider company, who ‘white-labels’ its service to them. Virgin Mobile is a well-known operator in this market place. This type of company makes an extremely low profit margin as it is typically taking a few pence per transaction and relies on huge volumes to drive revenues sufficient to overcome its fixed costs and therefore make a passable operating profit.

History repeating itself?

Sadly for verity, the Guardian has form with this type of financial legerdemain. On Saturday the 18th of February 2011 the Guardian published a front page article entitled: “Barclays bank forced to admit it paid just £113m in corporation tax in 2009”. This article, by Jill Treanor, rather luckily coincided with a time of UKUncut protests, and as such caused a firestorm on Twitter over that weekend. The article suggested that Barclays had earned £11.6bn of profits in 2009 (their tax year is also the calendar year) and only paid £113m Corporation Tax. A quick reference to the accounts shows firstly that £6.8bn was a one-off profit due to the sale of Barclays Global Investors (BGI) to Blackrock, which is treated differently for tax reasons (possibly under legislation introduced by Gordon Brown, though I am happy to be corrected on this, if wrong). In that year Barclays incurred a £43m tax liability on the disposal of BGI. Excluding the one-off disposals this leaves the profit from operations of £4,559m (notice that £4,559m plus £6,777m do not make £11.6bn, but £11.3bn – the Guardian appears as bad at basic maths as its reputation is for spelling). On this £4,559m operating profit it paid £1,047m in tax, an effective rate of 23.0%. The Guardian claimed that Barclays only paid £113m in Corporation Tax: It did; Corporation Tax is the UK’s name for its tax on company profits, but a tax on profits isn’t unique to the UK. Companies usually pay their tax on profits in the country in which those profits are earned. This is common and obvious: why would a government let a company trading locally repatriate all of its profits to pay tax in a lower tax regime, unless forced to by tax treaties[3]? So Barclays paid overall 23.0% tax on its operating profits, although only 10.8% of this was to the UK tax authorities. Is that a bad thing? For the UK, possibly yes. For the other countries in which Barclays operates, employs people, offers their services and pays tax: no, it’s a good thing. If people want to be jingoistic, racist or just ‘patriotic’ and believe that UK-based companies should only pay a tax on profits in the UK, then let them have their outdated attitudes. However we should recognise that we inhabit a global market, and so many UK brands and companies are no longer owned by UK companies: Santander owns a whole swathe of former UK banks and building societies; Telefonica owns O2; etcetera. To believe that a UK company is UK only and should only pay tax here is a ridiculous view in this day. In addition to the payment of tax in the locale that the profits are earned in there is another mitigating factor already covered: the carrying over and offsetting of losses in previous years. Barclays was one of many UK banks that suffered due to the nearly global collapse of the banking markets in the sub-prime crisis of 2008, the preceding year to that targeted by the Guardian’s article. There were undoubtedly considerable losses: its value on the balance sheet fell by £673bn in 2008 and £111bn in the following year. As a comparison Guardian Media Group earned £591m in revenue across the two comparable financial years covering 2008-2010 and paid ‘no Corporation Tax’ by their definition (actually receiving a £30m tax credit, equating to 5.1% tax refund). This was because they made a loss of £267.7m.

Conclusion

At a time when journalism as a profession is under detailed scrutiny from both the Leveson Enquiry and the Select Committee for Culture, Media and Sport, I would expect the Guardian to ensure an article that is couched in such accusatory terms (“Tory donor firm paid no corporation tax”) is at least technically correct. On the financial aspects it is not; it could be considered professionally negligent of Syal and Hughes at best, or deliberately misleading by its enemies. It highlights a potential lack of governance controls at the paper, which Alan Rusbridger and the rest of the Guardian Media Group board should be concerned with, for the attention that sloppy reporting like this may bring in the current climate. Also if Lycamobile was an exchange-listed company there could be a significant impact on its share price and trading volumes following publication of an article such as this, potentially resulting in investigations from the Financial Services Agency or other exchange-based authorities.

For the sake of the Guardian, a newspaper I love, I would hope this is just basic negligence on a long bank holiday weekend. They should be concerned, as it wouldn’t take much scrutiny from Jay and Leveson, with their power to access emails and texts, to get to the cause of such sloppy reporting and identify governance failures. Guardian: I expect better.


[1] Declaration: I was a member of Essex University’s Conservative and Unionist Association, affiliated to the Federation of Conservative Students, in 1987-1989. I resigned on principles of libertarianism.

[2] Telefonica O2, Everything Everywhere (the merged Orange and T-Mobile), 3 and Vodafone.

[3] The Republic of Ireland is a useful example: at 12.5% its corporation tax rate is one of the lowest of major countries in the EU and so many companies, especially from the UK, have relocated their head offices there to take advantage.