The investigators are inside the system they are investigating¶

The surveillance apparatus faces outward as well as inward. Anyone who interacts with the cloud provider’s infrastructure generates data. Clients generate data by using it. External parties generate data by probing it. Investigators generate data by investigating it. The apparatus does not distinguish between these in any way that limits what it collects.

This is not a secondary concern. It is the situation the MCLU is currently in.

What this investigation has generated¶

The MCLU has sent communications, received documents, submitted formal requests, and engaged with technical advisors, some of which passed through infrastructure connected to the cloud provider’s network. We did not know this when we began. We have since taken steps, while acknowledging that the past cannot be similarly addressed.

The MCLU has always assumed its work is observed. This is the rational baseline for any organisation in this city that pursues matters the powerful would prefer left alone. What is different here is the mechanism: not informants or opened correspondence, but commercial infrastructure we chose to use without understanding its data flows. Which is, as it happens, precisely the situation of every client we have been writing about.

What to do if you are investigating this¶

Be aware that you are probably being logged while doing so. Use channels that do not pass through infrastructure connected to the provider. The MCLU acknowledges the irony of publishing this guidance on a platform that may itself be observed. We have assessed the alternatives and concluded that saying something imperfectly is preferable to saying nothing correctly. We have a pamphlet. It now has a section on this specific problem. The section is short, because the honest answer is that you largely cannot investigate surveillance without being surveilled in the process, and the MCLU has always preferred accuracy to comfort.