AI-assisted content. This post was researched and written with AI assistance. All programmes and events described are documented in public sources including court filings, leaked NSA and GCHQ documents published by The Guardian and Der Spiegel, and official government admissions. We have not speculated beyond what is publicly confirmed.
- The important thing to say first
- Echelon — where it started
- The Five Eyes alliance
- GCHQ Tempora — tapping the cables
- NSA XKeyscore — searching everything
- PRISM — the tech companies
- What is actually being collected about you
- What your router traffic reveals
- What actually helps — and what does not
- The honest conclusion
1. The important thing to say first
Everything in this post is based on confirmed, documented information. The Snowden revelations of 2013 produced hundreds of thousands of classified NSA and GCHQ documents, many of which were published by major newspapers after legal review. Court cases in the UK and US have confirmed the existence and scope of these programmes. Parliamentary committees have investigated them. This is not speculation.
The second important thing: mass surveillance does not mean you are personally being watched. The scale is too large for that. These systems collect and store enormous quantities of data, most of which is never looked at by a human being. The concern is not that an analyst is reading your emails — it is that everything is stored, searchable, and available if you ever become a person of interest. And the definition of a person of interest can change.
We are not going to suggest that reading this makes you a surveillance target, that you should be paranoid, or that the solution is to buy anything. The honest answer is that most people have nothing to fear from government surveillance specifically. The more relevant threats for ordinary people are commercial data collection, criminal hackers, and data breaches — all covered in our internet security guide. This post is about understanding what exists, because understanding it is the starting point for making informed decisions.
2. Echelon — where mass surveillance at scale started
Beginner
Echelon is the oldest of the major signals intelligence networks. It began as a Cold War project in the 1950s — a collaboration between the US, UK, Canada, Australia and New Zealand to intercept Soviet communications. The network grew to encompass ground stations, satellite interception facilities, and submarine cable tapping points around the world.
By the 1990s Echelon had expanded far beyond Cold War military targets. A 2001 European Parliament report confirmed that Echelon was being used for commercial espionage — intercepting business communications and sharing intelligence with US and UK companies to give them competitive advantages over European rivals. The report named specific cases including Airbus losing a contract to Boeing after commercial intelligence was passed to American competitors.
Echelon worked primarily through keyword filtering. Communications — telephone calls, faxes, emails — were intercepted and scanned for trigger words and phrases. Anything matching was flagged for human review. The rest was discarded. This was the architecture of mass surveillance before the internet made everything digital and searchable.
Fig 1. Selected Echelon ground stations across the Five Eyes nations. The full network encompasses dozens of facilities worldwide including submarine cable tapping points.
3. The Five Eyes alliance
Beginner
The Five Eyes is a signals intelligence alliance between the United States, United Kingdom, Canada, Australia and New Zealand. It formalises intelligence sharing between these countries and has been in operation since the UK-USA Agreement of 1946, originally signed to share intelligence after the Second World War.
The Five Eyes arrangement has a practical implication for surveillance that most people miss. Domestic surveillance is legally restricted in each country — the NSA is not supposed to spy on American citizens without a warrant, GCHQ is not supposed to spy on British citizens without authorisation. The Five Eyes arrangement allows each country to have its allies collect intelligence on that country's own citizens and share it back. This creates a legal grey area that has been the subject of significant legal challenge in multiple countries.
| Country | Agency | Primary role | Key facility |
|---|---|---|---|
| USA | NSA (National Security Agency) | Global signals intelligence, internet backbone access | Fort Meade, Maryland |
| UK | GCHQ (Government Communications HQ) | Submarine cable interception, European coverage | Cheltenham + Bude, Cornwall |
| Canada | CSE (Communications Security Establishment) | Arctic coverage, diplomatic signals | Ottawa |
| Australia | ASD (Australian Signals Directorate) | Asia-Pacific coverage | Pine Gap joint facility |
| New Zealand | GCSB (Government Communications Security Bureau) | Pacific coverage | Waihopai station |
Beyond Five Eyes there are extended partnerships — Nine Eyes adds Denmark, France, Netherlands and Norway. Fourteen Eyes adds Germany, Belgium, Italy, Spain and Sweden. These are less formal intelligence sharing arrangements but confirmed in the Snowden documents.
4. GCHQ Tempora — tapping the cables
Intermediate
Tempora is a GCHQ programme revealed by Edward Snowden in 2013. It is one of the most significant surveillance programmes to be publicly confirmed and it is directly relevant to anyone in the UK using the internet.
The United Kingdom is one of the world's most important hubs for transatlantic internet traffic. Dozens of submarine fibre optic cables come ashore in the UK — primarily at Bude in Cornwall and Skewjack in west Cornwall — carrying internet traffic between Europe, North America and beyond. GCHQ, working with the NSA, tapped directly into these cables at the landing points.
Tempora collected two categories of data. Content — the actual substance of communications, emails, messages, web pages accessed — was buffered for three days. Metadata — who communicated with whom, when, from where, for how long — was stored for thirty days. The scale was described in the Snowden documents as collecting more data than the NSA.
According to documents published by The Guardian in 2013, at its peak Tempora was processing 21 petabytes of data per day — roughly equivalent to sending 192 billion pages of A4 text every 24 hours. The programme had access to 200 fibre optic cables and was using 300 analysts from GCHQ and 250 from the NSA to process the collected intelligence.
The legal basis for Tempora in the UK was Section 8(4) of the Regulation of Investigatory Powers Act 2000, which allowed for bulk interception of external communications. The definition of external was interpreted broadly. The European Court of Human Rights ruled in 2021 that the UK's bulk interception regime had violated human rights law — specifically Article 8 (right to private life) and Article 10 (freedom of expression). The UK government subsequently made amendments under the Investigatory Powers Act 2016.
5. NSA XKeyscore — searching everything
Intermediate
XKeyscore is an NSA system described in leaked documents as the widest-reaching tool for searching internet data. Where Tempora collected data by tapping cables, XKeyscore provided the search interface — allowing analysts to search collected data by email address, phone number, name, IP address, keyword, browser activity, or any combination of these.
According to NSA training documents published by The Guardian, XKeyscore allowed analysts to search through days of internet history without prior authorisation in many cases. An analyst could type an email address and see a person's browsing history, email content, online searches and chat logs going back as far as the retention window allowed.
The documents showed that XKeyscore had collection points — called Field Collector Sites — in numerous countries. Some of the data fed into XKeyscore came from direct cable taps like Tempora. Some came from cooperation with internet companies under programmes like PRISM. Some came from compromised routers, switches and other network infrastructure.
Fig 2. XKeyscore collects from multiple sources into a searchable distributed database. Analysts can search by almost any identifier without prior authorisation in many cases.
6. PRISM — the technology companies
Beginner
PRISM is an NSA programme that collected internet communications from major US technology companies. The Snowden documents showed that PRISM participants included Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL and Apple — though the nature and extent of each company's participation was disputed.
The legal basis was Section 702 of the Foreign Intelligence Surveillance Act, which allowed collection of communications of non-US persons located outside the US. In practice the programme collected vast quantities of data on US persons as well, as a side effect of collecting communications that crossed US borders.
Each company's participation was different. Some provided direct access to servers. Others responded to legal orders requiring them to hand over specific data. Some fought the orders in court. The common thread was that data held by US companies — emails, messages, documents, search histories — was accessible to US intelligence agencies through legal process that companies were prohibited from disclosing to users.
If your data is stored on servers operated by US companies — Gmail, Google Drive, iCloud, OneDrive, Dropbox, Facebook, WhatsApp — it is potentially accessible to US intelligence agencies through legal process. This is not paranoia. It is the documented legal and technical reality. End-to-end encrypted services where the provider cannot read your data are a meaningful technical protection against this — Signal, ProtonMail, and properly configured iCloud Advanced Data Protection being examples.
7. What is actually being collected about you
Beginner
Given everything above, what is realistically being collected about an ordinary person in the UK going about their daily life online? Here is an honest assessment.
Almost certainly collected and retained: metadata about your internet connections — what IP addresses you contacted, when, for how long. DNS queries — every domain name your devices have looked up. Mobile phone cell tower connections — which towers your phone connected to and when. Call records — who you called, when, for how long. These are collected either directly or via legal orders to telecoms companies under the Investigatory Powers Act 2016.
Potentially collected and retained: content of unencrypted communications. Browsing activity on HTTP sites. Content of communications held by US technology companies. Social media activity.
Practically protected by encryption: content of HTTPS web sessions. Content of end-to-end encrypted messages. Content of properly implemented VPN tunnels. However — metadata about these sessions is still visible even when content is not.
The honest bottom line: the pattern of your online activity — who you communicate with, what services you use, when you are active, where your devices are physically located — is far more accessible to intelligence agencies than most people realise. The content of most modern encrypted communications is genuinely protected. The metadata surrounding those communications is not.
8. What your router traffic reveals
Intermediate
Your router is the single point through which all of your household's or office's internet traffic flows. Understanding what it reveals — even when you are using HTTPS and other protections — is important.
Every device on your network makes DNS queries. Even if the web pages you visit are encrypted, the domain names you look up are visible in DNS traffic unless you use encrypted DNS. A list of every domain your household queried over a month is an extraordinarily detailed picture of your life — health concerns, financial interests, relationship status, political views, news consumption habits.
Traffic analysis — looking at the size and timing of encrypted packets rather than their content — can often identify what service you are using even without reading the content. Netflix traffic has a recognisable pattern. VoIP calls have a recognisable pattern. Large file transfers are distinguishable from web browsing.
Your router's external IP address is tied to your physical location and your ISP account. Every connection you make carries this address. Every server you connect to logs it. Your ISP has a complete record of every IP address your router has contacted since you joined their service.
Enabling DNS over HTTPS on your router — so all devices query an encrypted DNS resolver rather than your ISP's unencrypted one — removes one significant visibility point. Your ISP can no longer see your DNS queries. They can still see that your router made connections to certain IP addresses, but cannot see the domain names. This is a meaningful protection, not a complete one. The OpenWrt guide on this blog covers how to configure it.
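The difference between the two cases, from the point of view of an on-path party such as an ISP, can be shown with a few lines of Python. This is an added example, not part of the original post: the domain `clinic.example`, the documentation-range IP addresses and the all-zero stand-in for encrypted DNS-over-HTTPS bytes are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query (RFC 1035 wire format) as sent over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def read_qname(payload):
    """Recover the queried name from a plaintext DNS payload, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels)
        if n > 63 or pos + 1 + n > len(payload):  # compression pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def observer_view(packets):
    """What an on-path party learns from each (dst_ip, dst_port, payload) record."""
    seen = []
    for dst_ip, dst_port, payload in packets:
        if dst_port == 53:
            seen.append((dst_ip, read_qname(payload)))  # name is readable in the clear
        else:
            seen.append((dst_ip, None))  # TLS: only the endpoint and size are visible
    return seen

# Constructed capture: a made-up domain and documentation-range addresses.
query = build_query("clinic.example")
CAPTURE = [
    ("192.0.2.53", 53, query),                        # classic DNS to the ISP resolver
    ("198.51.100.7", 443, bytes(len(query) + 200)),   # stand-in for DoH ciphertext
]

if __name__ == "__main__":
    for ip, name in observer_view(CAPTURE):
        print(ip, name or "<domain not visible>")
```

The second record still exposes the resolver's IP address and the packet size, which is the residual metadata the paragraph above describes.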
9. What actually helps — and what does not
Intermediate
Given what is documented above, here is an honest assessment of what protective measures actually achieve against surveillance at this scale.
| Measure | What it protects against | What it does not protect against |
|---|---|---|
| HTTPS | Content of web sessions from ISP and cable taps | Metadata — that you visited a site, when, for how long |
| Commercial VPN | ISP seeing your destinations. Your IP from websites | VPN provider can see all traffic. Metadata still exists. Fingerprinting. |
| Encrypted DNS | ISP seeing your DNS queries | IP-level traffic analysis. DNS provider still sees queries. |
| Signal / E2E messaging | Content of messages. Most metadata. | The fact that you use Signal. Who your contacts are at network level. |
| Tor | Your IP from destinations. ISP seeing destinations. | Exit node traffic analysis. Timing attacks. Mistakes. |
| ProtonMail / E2E email | Content of emails between E2E users | Metadata — who you emailed, when. Emails to non-E2E recipients. |
| OpenWrt with DNS over HTTPS | Network-level DNS visibility. Some tracking. | IP-level traffic patterns. Metadata at ISP level. |
Private browsing mode does not hide your activity from your ISP, your router, or surveillance systems — it only prevents your local browser from saving history. A VPN does not make you anonymous — it moves trust from your ISP to your VPN provider. Encrypted messaging does not hide the fact that you are communicating or with whom at the network level. No single tool provides complete protection.
10. The honest conclusion
Beginner
Mass surveillance infrastructure of the scale described in this post exists and is operational. That is documented fact. The practical implication for ordinary people is more nuanced than either "nothing to worry about" or "everything is watched."
The realistic picture is this. Content of modern encrypted communications is genuinely well protected against bulk collection. Metadata — the pattern of your communications — is substantially more exposed and far more revealing than most people appreciate. The legal frameworks governing this collection are imperfect, have been found to violate human rights law in multiple jurisdictions, and are subject to ongoing legal challenge.
The most significant surveillance threat for ordinary people is not government intelligence agencies — it is commercial data collection by advertising networks, social media companies, and data brokers, which operates at a scale that rivals government collection and with far fewer legal constraints. Your Google search history, your Facebook activity, your location data from your phone — this is collected continuously, stored indefinitely, sold and re-sold, and used to build profiles of extraordinary detail.
A well-configured router running OpenWrt with encrypted DNS, a reputable VPN for sensitive browsing, end-to-end encrypted messaging for private communications, and good basic security hygiene addresses the realistic threat model for most people. It will not defeat a targeted intelligence operation against you specifically. It will meaningfully reduce your exposure to bulk collection, commercial surveillance, and opportunistic tracking.
Understanding what exists is the starting point. What you do with that understanding depends on your own assessment of your threat model and what matters to you.
The Snowden documents were published by The Guardian, Der Spiegel, The Washington Post and others from 2013 onwards. The Investigatory Powers Tribunal in the UK has published rulings on GCHQ programmes. The European Court of Human Rights ruling in Big Brother Watch v UK (2021) is publicly available. These are the primary sources — we recommend reading them rather than relying on any single secondary account including this one.