Tempora

Audio readout of this entry.

Background and context

The institutional context within which Tempora emerged was the post-2000 GCHQ recognition that shifting global internet-traffic-routing patterns positioned the UK telecommunications infrastructure as the principal European hub for transatlantic and adjacent internet traffic. The institutional development of GCHQ's Mastering the Internet (MTI) programme — initiated in approximately 2007 and budgeted at over £1 billion for bulk-internet-collection capability — and the paired Global Telecoms Exploitation (GTE) programme produced the foundation from which Tempora emerged.

The UK statutory framework within which Tempora operated was the Regulation of Investigatory Powers Act of 2000 (RIPA). RIPA, as interpreted by GCHQ and as implemented through Section 8(4) certificates issued by the Foreign Secretary, authorised the bulk interception of "external communications" — defined as communications with at least one party located outside the United Kingdom — without the individual-warrant requirement that Section 8(1) RIPA collection required. The operational consequence was that Tempora operated under a blanket Section 8(4) certificate framework rather than under individual warrants.

The contested institutional question across the Tempora period was the interpretation of "external communications" under RIPA. The GCHQ position was that bulk internet traffic transiting UK-territory infrastructure constituted external communications under Section 8(4) even where the targeted communications involved two UK-domestic parties — on the institutional ground that the routing pattern of internet traffic could not be individually determined at the moment of interception. The subsequent Investigatory Powers Tribunal judgments and European Court of Human Rights judgments contested that interpretation.⁴⁵

Cable-landing-station architecture

The operational pattern is the institutional cooperation between GCHQ and the UK telecommunications carriers to access the transatlantic and adjacent submarine fibre-optic cables landing at UK shore-stations. The principal documented landing infrastructure includes:

• Bude (Cornwall) — the principal UK-territory transatlantic cable-landing-station, hosting major transatlantic cables including TAT-14 and FA-1 South. The GCHQ facility at Bude performs the principal Tempora collection role.
• Goonhilly (Cornwall) — the secondary UK-territory cable-landing-station, hosting subsidiary transatlantic cables.
• Adjacent UK-territory landing-stations — additional supporting infrastructure across the UK coast.

The documented carrier-cooperation pattern comprises seven principal partner-codename arrangements: REMEDY (British Telecom), GERONTIC (Vodafone Cable, acquired post-2012 by Vodafone), DACRON (Verizon Business), PINNAGE (Global Crossing, acquired by Level 3 in 2011), LITTLE (Level 3), VITREOUS (Viatel), and STREETCAR (Interoute). The operational substance is that the partners provided GCHQ with the technical capability to access the passing internet-and-telephone traffic at the cable-landing-station infrastructure and at the subsequent backbone-routing infrastructure.

Buffer capacity and operational throughput

The documented Tempora operational throughput across 2010–13 was substantial. The programme processed traffic at approximately 10 gigabits per second per probe across more than 200 probes, with aggregate throughput reaching approximately 21 petabytes per day; content was buffered for approximately three days, with metadata retained for approximately thirty days. The operational consequence was that the larger portion of internet traffic transiting UK-territory infrastructure was not retained: the Tempora architecture required operational filtering for targeted communications, with only matched communications retained.

The operational filtering pattern involved approximately 40,000 selectors — specific email addresses, telephone numbers, communications identifiers, and content-pattern signatures against which the passing traffic was matched. Matched communications were forwarded to the paired XKEYSCORE search-and-analysis platform (documented in the technology-section entry on XKEYSCORE) for subsequent analysis.¹

Five Eyes institutional integration

The collected Tempora product was shared with the Five Eyes partner services under the UKUSA framework. The consequence is that NSA, CSE, ASD, and GCSB had institutional access to Tempora-collected material — augmenting NSA's PRISM and Upstream collection with traffic that transited UK-territory infrastructure. The paired pattern — GCHQ Tempora collection shared with NSA, NSA PRISM and Upstream collection shared with GCHQ — was the operational core of the post-2008 Five Eyes collaboration on internet collection.

Disclosure

The institutional disclosure of Tempora proceeded across the June 2013 Guardian reporting and the subsequent institutional record.

The 21 June 2013 Guardian report by Ewen MacAskill, Julian Borger, Nick Hopkins, Nick Davies, and James Ball — published as GCHQ taps fibre-optic cables for secret access to world's communications — disclosed the operational architecture. The report documented the institutional facts: the per-probe and aggregate throughput figures, the approximately 40,000 selectors, the paired-tap pattern across approximately 200 probes and internet links, and the blanket Section 8(4) RIPA certificate framework under which the programme operated. The disclosure was the principal institutional disclosure of UK SIGINT operational architecture in the post-2013 published record.

The UK government's response across the post-2013 period was a pattern of neither-confirm-nor-deny on specific operational details combined with institutional defence of the RIPA framework as the lawful authority for the operational pattern. The Foreign Secretary, the Director of GCHQ, and the Intelligence and Security Committee of Parliament defended the programme as essential to UK national-security purposes.¹⁷⁸

Investigatory Powers Tribunal proceedings

The UK Investigatory Powers Tribunal — the specialised tribunal that adjudicates complaints against UK intelligence services — conducted multiple proceedings on the Tempora pattern across the post-2013 period. The principal proceedings included Liberty v. GCHQ across 2014–16, Privacy International v. GCHQ, and adjacent institutional proceedings.

The judgments held that Tempora was lawful under the RIPA framework as it existed prior to the disclosure but that the prior institutional secrecy of the intelligence-sharing arrangements with the United States had rendered aspects of the prior pattern unlawful under the European Convention on Human Rights — establishing the institutional principle that a bulk-interception programme's lawfulness depends in part on the public availability of its surrounding oversight regime.³

European Court of Human Rights judgments

The European Court of Human Rights' judgments in Big Brother Watch and Others v. United Kingdom (the Chamber judgment of 13 September 2018 and the Grand Chamber judgment of 25 May 2021) held that aspects of the UK bulk-interception regime — the Tempora pattern as it operated under RIPA — did not satisfy the Article 8 (Right to Respect for Private and Family Life) and Article 10 (Freedom of Expression) standards of the European Convention.

The principal deficiencies the court identified were the insufficient end-to-end safeguards in the operational selection of bearers; the insufficient safeguards on the examination of related communications; and the insufficient safeguards on intelligence-sharing with foreign services. The judgments did not invalidate bulk interception as such; they specified the safeguards a compliant regime must contain.²

The Investigatory Powers Act 2016

The UK statutory response to the post-Tempora environment was the Investigatory Powers Act 2016, passed in November 2016 as the institutional successor to RIPA. The Act codified the previously existing bulk-collection pattern within a more elaborate oversight framework, including judicial-commissioner review of bulk-collection warrants, enhanced notification-and-consultation procedures, and explicit statutory authorisation for operational categories that RIPA had implicitly authorised.

The pattern of UK bulk-collection across the post-2016 period continues under the Investigatory Powers Act framework. The Anderson Review of June 2015 — A Question of Trust: Report of the Investigatory Powers Review by the Independent Reviewer of Terrorism Legislation David Anderson — and the March 2015 Intelligence and Security Committee of Parliament report Privacy and Security: A modern and transparent legal framework were the principal pre-2016-Act institutional reviews shaping the Act's drafting.⁴⁵⁶

Legacy and implications

The institutional consequences of Tempora across the post-2013 period have been substantial.

The operational consequence has been the continuing UK bulk-collection pattern — under the Investigatory Powers Act framework rather than RIPA, but with operational substance continuous with Tempora. The institutional pattern of UK bulk-collection at the UK-territory cable-landing-station infrastructure remains the operational core of UK SIGINT collection.

The political consequence has been substantial reform of the UK intelligence-services oversight framework. The judicial-commissioner pattern, the enhanced position of the Intelligence and Security Committee of Parliament, and the developed academic-and-policy commentary on UK SIGINT governance are the institutional products of the post-Tempora reform process.

The international consequence has been substantial European institutional engagement with UK SIGINT practice — through the European Court of Human Rights judgments, the related Court of Justice of the European Union judgments on EU-UK data-sharing arrangements, and the developing question of how the post-Brexit UK position interacts with the European data-protection framework.

Related agencies

• Government Communications Headquarters — the principal institutional operator of Tempora
• National Security Agency — the paired Five Eyes institutional partner that shares Tempora-collected material under the UKUSA framework

Sources and further reading

1. Ewen MacAskill, Julian Borger, Nick Hopkins, Nick Davies, and James Ball, GCHQ taps fibre-optic cables for secret access to world's communications, The Guardian, 21 June 2013 — the principal initial Tempora disclosure.
2. Big Brother Watch and Others v. United Kingdom, European Court of Human Rights, applications 58170/13, 62322/14, and 24960/15, judgments of 13 September 2018 (Chamber) and 25 May 2021 (Grand Chamber) — the principal European judicial response.
3. Liberty (The National Council for Civil Liberties) v. The Government Communications Headquarters and Others, UK Investigatory Powers Tribunal, IPT/13/77/H, judgment of 5 December 2014 — the principal UK judicial proceeding on Tempora.
4. Investigatory Powers Act 2016 (UK Public General Acts) — the successor statutory framework.
5. Anderson Review, A Question of Trust: Report of the Investigatory Powers Review, June 2015 — the principal pre-2016-Act institutional review by the Independent Reviewer of Terrorism Legislation David Anderson.
6. Intelligence and Security Committee of Parliament, Privacy and Security: A modern and transparent legal framework, March 2015 — the principal post-Snowden ISC institutional review.
7. Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, Metropolitan Books, 2014 — chapters on the GCHQ Tempora pattern.
8. Luke Harding, The Snowden Files: The Inside Story of the World's Most Wanted Man, Vintage, 2014 — Guardian-perspective book-length reconstruction including Tempora content.
9. Ian Cobain, The History Thieves: Secrets, Lies and the Shaping of a Modern Nation, Portobello Books, 2016 — post-2013 reconstruction of UK SIGINT institutional history.
10. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 — chapters on the Tempora-PRISM-Upstream institutional integration.