It has long been accepted that the individual Five Eyes spy agencies share tasks to avoid complications with their own national laws. For example, when a New Zealand judge declared the surveillance of Kim Dotcom to have been illegal, it was considered that the New Zealand spy agency (GCSB) had simply made an error of judgement – it had undertaken the surveillance itself rather than relying on the NSA. Both agencies are forbidden by law to spy on their own citizens; but both can spy on foreigners. Had the NSA conducted the surveillance on Dotcom for GCSB, no laws would have been broken. The error of judgement was that the New Zealand agency believed that as a resident rather than a naturalized citizen, Dotcom was a foreigner and an acceptable target.
Since then this has become explicitly accepted. Snowden revelations, says the UK's 4 News, show "how, by targeting each other's citizens, Britain and the USA could get around legal strictures on targeting their own."
But this is targeted surveillance, where an individual of specific interest is monitored. Targeted surveillance is generally legal and acceptable under judicial oversight. What is less acceptable and of dubious legality is the dragnet surveillance of everybody of the type undertaken by GCHQ and NSA and as revealed in the Edward Snowden leaks. However, it has been believed that there were still some restraints: for example, no agency would conduct dragnet surveillance on the citizens of another Five Eyes country.
Now new Snowden documents revealed by the Guardian and Channel 4 News show that this isn't necessarily so, at least for the NSA and UK citizens (there is no current information on the Canadian, Australian and New Zealand agencies). A by-product of monitoring an individual is the collection of a large amount of material on other people. This is classified as 'incidental' data. Since under the original UK/US agreement that forms the basis of the Five Eyes the agencies agreed not to spy on each other, this incidental surveillance of innocent people was simply deleted, or 'minimized'. But, says 4 News, "drawing on documents released by the whistleblower Edward Snowden... we can reveal exactly when and how that agreement was unpicked."
A secret draft NSA directive dated 2005 "reveals," says the Guardian, "the NSA prepared policies enabling its staff to spy on Five-Eyes citizens, even where the partner country has refused permission to do so." The draft is written with each paragraph given an individual security label. One marked NF (not for foreign eyes) states, "under certain circumstances, it may be advisable and allowable to target second party persons and second party communications systems unilaterally, when it is in the best interests of the US and necessary for US national security."
"The paragraph the UK intelligence partners got to see," notes 4 News, "says America is going to target British citizens 'with the full knowledge and co-operation of GCHQ.'"
It is not known whether this draft memo was ever made official policy. Nevertheless, it shows that the NSA was prepared to spy on UK citizens against the wishes and without the knowledge of GCHQ at least as early as 2005
But by 2007 this had all changed – the NSA got approval from GCHQ to spy on Brits; or more specifically, NSA analysts were allowed to 'unminimize' incidental data on British citizens without telling GCHQ. This new agreement between GCHQ and NSA was distributed to all NSA analysts. It is not known, despite requests by both the Guardian and 4 News to GCHQ and British politicians in office at the time, whether it came with political backing.
It is, says the Guardian, "the first explicit confirmation that UK citizens have been caught up in US mass surveillance programs."