EU: Surveillance extended to Internet and satellite phones Statewatch home page
Statewatch bulletin, vol 8 no 6 (November-December 1998)
The EU is to extend the EU-FBI telecommunications surveillance plan to the Internet and to new generation satellite mobile phones (see Statewatch, vol 7 no 1 & 4 & 5; vol 8 no 5). At the same time EU Interior Ministers are seeking to resolve their differences over the legal powers they intend to give the "law enforcement agencies" to intercept all forms of telecommunications under the new Convention on Mutual Legal Assistance. In the US the same issues are being openly discussed - the Federal Communications Commission has deferred a decision on an FBI proposal to extend surveillance to the Internet. In October 1994 the US Congress passed an FBI-proposed law, the Communications Assistance for Law Enforcement Act. On 17 January 1995 the EU adopted a Resolution on the "Requirements" to be placed on network and service providers to carry out surveillance of all telecommunications. These "Requirements" were exactly the same as those drafted by the FBI. Now these "Requirements" are to be extended from covering traditional phone networks and GSM mobile phones to the Internet and to the new satellite-based mobile phones run by multinational companies like Iridium. Under the plan telecommunications network and service providers would have to give access to communications from "mobile satellite services" (provided by multinationals like Iridium via their "ground station" in Italy, see Statewatch, vol 8 no 5) and to e-mail sent and received via ISPs (internet service providers) in addition to phone calls and faxes sent through the traditional system (land and sea lines and microwave towers).
The new draft "Requirements" cover the "realtime" (as it is actually happening) surveillance of phone-calls and e-mails including where messages are redirected, voice-mail and conference calls. They even extend to passing over data when a connection has not been made for both outgoing and incoming calls/messages. All details concerning e-mails accounts have to be handed over by IP providers. "Realtime" is defined as routing the surveillance in "milliseconds".
In a parallel development the EU Justice and Home Affairs Council is discussing the draft Articles on the "interception of telecommunications" in a new Convention on Mutual Legal Assistance in Criminal Matters. This is intended to extend the application of a 1959 Council of Europe Convention with the same title.
The new "Requirements" and the new legal powers are being presented as being necessary to combat organised crime. However, the scope of the 1959 Council of Europe Convention simply covers any:
"offences the punishment of which falls within the competence of the judicial authorities of the requesting Party. Provisions is thus made for minor offences as well as for other, serious, offences.." (Explanatory report on the European Convention on mutual assistance in criminal matters, Council of Europe, 1969, p11)
The issue of police officers and/or judicial authorities being called on to give what will in effect be instantaneous authorisations for intercepts "within minutes" is not addressed by the draft EU Convention.
Nor is the issue of telecommunications surveillance by the security and intelligence services - the new legal powers are only intended to authorise interception for criminal investigations. To the embarrassment of EU Interior Ministers the UK has objected to the draft Convention because in the UK -unlike in other member states - there is a single law covering the Security Service's (MI5) surveillance in connection with national security and its role assisting the police on organised crime. Neither the first set of "Requirements" not the proposed revised set of "Requirements" require approval or reference to parliaments, national or European. The new draft Convention, when eventually signed by the 15 EU member states has to be ratified by national parliaments - but they are not allowed to change or amend anything, even a dot or comma.
The Justice and Home Affairs Council (JHA Council) of the European Union is to extend the EU-FBI telecommunications surveillance plan to the Internet and to new generation satellite mobile phones (see Statewatch, vol 7 no 1 & 4 & 5). At the same time EU Interior Ministers are seeking to resolve their differences over the legal powers they intend to give themselves to intercept all forms of telecommunications under the new Convention on Mutual Legal Assistance. In the US the same issues are being openly discussed - the Federal Communications Commission has deferred a decision on an FBI proposal to extend surveillance to the Internet.
The secret making of policy
Within the formal structures of the EU, under the Justice and Home Affairs Council, the work on the interception of telecommunications is carried out by the Police Cooperation Working Party (Interception of telecommunications). This Working Party in turn is represented on three non-EU "technical expert groups" - ILET (International Law Enforcement Telecommunications), STC (Standards Technical Committee) and the IUR (International User Requirements). The findings on these non-EU groups are in turn brought back within the EU structures through the Police Cooperation Working Party and presented to the K4 Committee, COREPER and the JHA Council as being:
"agreed by the law enforcement agencies as an expression of their joint requirements"
Meetings in Rome on 14, 15 and 16 July of the IUR and STC were reported back to the meeting of the EU's Police Cooperation Working Party on 3-4 September in Brussels. Further meetings of the IUR in Vienna on 20-22 October and in Madrid on 27-28 October led to a draft Resolution from the Austrian Presidency to the Police Cooperation Working Party, dated 4 November, on the "interception of telecommunications in relation to new technologies".
The effect will be to extend the Requirements to be placed on network and service providers adopted by the EU as the Resolution of 17 January 1995 (see Statewatch, vol 7 no 1). Under the plan telecommunications network and service providers would have to give access to communications from "mobile satellite services" (provided by multinationals like Iridium via their "ground station" in Italy, (see Statewatch, vol 8 no 5) and to e-mail sent and received via ISPs (internet service providers) in addition to phone calls and faxes sent through the traditional system (land and sea lines and microwave towers).
The EU's plans for the surveillance of all forms of telecommunications is being determined by non-EU bodies - ILETS, STC and IUR - on which the major players are: the EU (represented by the Police Cooperation Working Party and other experts), the USA (the FBI), Canada and Australia (New Zealand and Norway are also involved). The stakes for these governments are enormous. Just as important as the "law enforcement agencies" being able to set down the "Requirements" for intercepting every form of communication are the commercial profits to be made out of "agreed" standards, equipment and service provision. Once adopted, EU-US standards, are set to become "global". For example, Iridium, the first multinational to open a "ground station" in Italy to serve the EU with a global earth-satellite, "mobile satellite service" (MSS, or "Satellite Personal Communications System, SPCS) is using Motorola and Kyocera to make Iridium handsets. The initiative for creating Iridium came from Motorola. Moreover, the EU market is critical to Iridium's initial success because AT & T dominates the US with traditional land bases systems.
Spelling out "law enforcement" demands
Underneath the draft Resolution amending the 17 January 1995 EU Council Resolution is a detailed report ("Interception of telecommunications: recommendation for a Council Resolution in respect of new technology") explaining the need for "supplementary requirements and supplementary definitions in respect of new technologies including SPCS, the Internet..." This report was discussed at the Police Cooperation Working Party in Brussels on 3-4 September.
The report opens with the statement that the Resolution of 17 January 1995 - which was never even discussed by the JHA Council but adopted by "written procedure" (signed by the Brussels-based Permanent Representatives of each EU member state) - has to be changed to be:
"suitable for new technologies, especially satellite communication, Internet, cryptography, pre-paid cards etc"
Throughout the report distinguishes between the new "international requirements for surveillance.. developed by the law enforcement agencies" for: i) SPCS ("Satellite Personal Communications Systems") and ii) the Internet.
Introducing the "law enforcement agencies" needs for SPCS the report says:
"Operational scenarios comprise the following connections: mobile to mobile (via satellite), mobile to mobile (terrestrial), mobile (via satellite or terrestrial) to the public switched telephone network (PSTN) and PSTN to mobile (via satellite or terrestrial). Interception of such satellite based services is subject to the national laws of the requesting law enforcement agency as well as those of the state providing the gateway."
The report's introduction on the Internet is altogether simpler: "This explanatory memorandum refers to requirements of law enforcement agencies to the interception of ISP-based Internet services."
The report then looks at each of the already agreed "Requirements" and proposes new ones.
First, under "Requirement 1" the "law enforcement agencies require access to the entire telecommunications transmitted..". Traditional means of communications are simple and provide the "locations" of the two parties but this is not so for calls between two mobile phones (SPCS). However, a solution is provided by "a single terrestrial gateway [which] serves many countries from one site" (such as the Iridium ground station in Italy covering the whole EU). For the Internet access is required to:
"ISP address, customer's account number, logon-ID/password, PIN number, E-mail address."
Second, is the "Requirement" that "law enforcement agencies require a real-time, fulltime monitoring capability" as well as "call associated data". "Real-time" is defined: "100 milliseconds to 500 milliseconds are desirable".
Third, network operators and service providers are required to provide "one or several interfaces" for the new Iridium-style SPCS mobile phones and, of course, Iridium by offering the use of its facilities meets this need - "Interception can be planned as a MSS-gateway which serves several countries.." Equally, "Several countries can carry out interceptions of the same mobile subscriber who is served by a gateway."
Fourth, the need for immediate interception, "in urgent cases within a few hours or minutes" where "questions of sovereignty can cause further delays if cooperation of law enforcement agencies from different countries is required".
The "Supplementary requirements" state that network and service providers have to hand over full details of any customer:
"the complete name and complete address of the monitored person... the person who pays the bill for the services available to the monitored person.. sufficient credit card details to identify the customer account..."
Together with details of all the services used by the "customer", for example, conferencing, voice-mail, ISDN, telex, internet domain names, "roaming" permissions (for mobile phone users).
Network and service providers will have to provide their own secure means of ensuring the "security" of the intercepts. One reason given for this "security" is the comforting thought that the rights of the individual are to be protected:
"Protection of the interests of an interception subject from revelation of its telecommunications to other parties that the intercepting authority".
On the other hand, another "requirement" is that "neither the interception target nor any other unauthorised person is aware of.. the interception order."
The MLA "debate"
The draft Convention of Mutual Legal Assistance in Criminal Matters is still under discussion in the Justice and Home Affairs Council. The "outstanding" issues are whether or not data protection provisions should be included (only Italy, Austria, Belgium and the Commission are in favour), the role of the Court of Justice, its jurisdiction (the usual dispute between the UK and Spain over the status of Gibraltar) and the Articles on the interception of telecommunications.
It should be remembered that the primary purpose of this new Convention is to "supplement the provisions and facilitate the application" of the 1959 Council of Europe Convention on Mutual Legal Assistance in Criminal Matters. The Schengen Agreement (1985 and 1990) and the Benelux Treaty (1972) have been added. The 1959 Council of Europe Convention is not limited to "serious crime" or "organised crime", it simply concerns any punishable offence however minor. New powers contained in this new EU Convention on mutual assistance are, therefore, applicable also to any punishable offence (see Statewatch, vol 7 no 4 & 5). The draft Convention thus places no limits on the use of the proposed new powers of intercepting telecommunications - this is solely regulated by each member states' national law.
In the latest draft of the new Convention the Articles on the "Interception of telecommunications" are in Title III, Articles 11-14 and represent the third substantial revision. The major areas of "discussion" in the secret conclaves of the EU member states are as follows.
The issue starts with the question as to whether "where a Member State intercepts or intends to intercept a target present in another Member State.. and does not need any assistance from that Member State" it should tell the other Member State. As presently drafted Article 13 provides that: the "intercepting Member State" will inform the "visited Member State", that the "visited Member State" may "require that the interception not be carried out or be interrupted", and that the "visited Member State may lay down conditions on the use of material already intercepted". This issue particularly arises if the Iridium's EU ground station in Italy is able to provide access to call contents (for SPCS mobile phones) in different countries instantaneously.
Due to the different legal powers to authorise interception in EU states a discussion has emerged over the role of security and intelligence agencies. Fourteen EU member states believe that the new Convention only refers to "criminal investigations" and therefore excludes interceptions by security and intelligence agencies. In these countries interception by these agencies takes place either through administrative authorisation (for example, from an Interior Minister) or through a judicial warrant. In the UK the Security Service (MI5) is issued with warrants by the Home Secretary for both matters of national security and for criminal investigations (where they are working on serious organised crime). As presently drafted the UK would be obliged to inform other EU states when MI5 is intercepting communications in another member state.
What has been highlighted by this discussion between EU member states is that there is no existing or proposed regulation of the interception of telecommunications when carried by security and intelligence agencies. It also demonstrates that there is not a simple distinction between "criminal investigations" and "national security". One of the questions asked in the latest draft is whether there should be an obligation by a member state to inform other member states where "it would be likely to prejudice its security, ordre public or other essential interests?"
Another issue is whether other EU member states should be informed when the surveillance (of GSM mobile phone networks) is for less than 24 hours and may involve, in border areas, several EU member states.
The member states are also divided over whether the "visited Member State" should have the power to "require the interception not to be carried out or to be interrupted" and the power to "impose restrictions on the use of the already intercepted material".
At the JHA Council on 3-4 December the Ministers were asked to consider the following question:
"Which of the following reasons should be regarded as a basis for requiring interception not to be carried out or to be interrupted:
- national law of the visited Member State?
- fundamental principles of national law of the visited Member State, and/or ordre public?"
A new Article (no 14a) has now been included "to ensure an appropriate legal basis for the purpose of agreements on the use of the service provider solution [Iridium] regarding satellite telecommunications". The new Article states, in full:
"Nothing in this Title shall preclude any bilateral or multilateral arrangements between Member States for the purpose of facilitating the exploitation of present and future technical possibilities regarding the interception of telecommunications".
A proposal which, potentially, could drive a "coach and horses" through any provisions in the new Convention. The so-called "service provider" for the interception of telecommunications carried out through Iridium's EU ground station in Italy would mean that if a "target" moved from one country to another the surveillance would simply be "switched" from one country to another.
There is no provision in this new Convention for it to only come into effect when all 15 EU member states have ratified it. Under Article 18.4 it can come into effect between any two or more member states who declare that it should do so.
In the USA
In the US the Federal Communications Commission has invited public comments on FBI-proposed requirements that would enable law enforcement agencies to be given the location of people using cellular phones without a warrant and has deferred a decision on another request to place the Internet under surveillance.
The new powers to intercept telecommunications is by no means limited to any common perception of "serious crime". By including the interception Articles in a new Convention on Mutual Legal Assistance in Criminal Matters the limits are simply those set out in the 1959 European Convention on Mutual Assistance in Criminal Matters which refers to any punishable offence however minor. Once in place to "combat organised crime" these powers can be infinitely extended to all forms of offence including public order or "national security".
Sources: Council Resolution of 17 January 1996 on the lawful interception of telecommunications; Interception of telecommunications: recommendation for a Council Resolution in respect of new technology, ENFOPOL 98, 10951/98, 3.11.98 and ENFOPOL 98 REV 1, 10951/1/98, 4.11.98; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, JUSTPEN 108, 13144/98, Limité, 19.11.98; PC Magazine, January 1999.
Source: Statewatch bulletin