This GCHQ document from March 2010 presents a checklist of factors analysts should consider before going ahead with an operation to infiltrate a communications network, by physical or other means. Among the concerns raised is the risk that British actions may enable US authorities to conduct operations “which we would not consider permissible”: see the Boing Boing article Doxxing Sherlock, 2 February 2016.
This undated page from GCHQ’s internal GCWiki shows that the agency’s usual retention periods for metadata and content can be extended for cyber defence purposes: see the Intercept article Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities, 25 September 2015.
This undated presentation from NSA’s UK-based Menwith Hill station describes the various uses of open source intelligence (OSINT) in computer network operations, including the monitoring of hacker forums and spotting opportunities for so-called “Fourth Party Collection”: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.
This 61-page NSA presentation from May 2010 provides analysts with a guide to tracking individuals within XKeyScore using the system’s fingerprint capability: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.
These undated slides from GCHQ’s National Defence Intelligence and Security Team claim that the agency collects “around 100,000,000 malware events per day”: see the Intercept article Popular Security Software Came Under Relentless NSA and GCHQ Attacks, 22 June 2015.
This page from GCHQ’s internal GCWiki, last updated on 6 February 2012, describes progress on LOVELY HORSE, a tool that automates the monitoring of open-source information related to information security: see the Intercept article Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise, 4 February 2015.