EU-FBI: EU-FBI telecommunications system moves two steps nearer


Statewatch bulletin vol 9 no 2 (March-April 1999)

The EU-FBI telecommunications surveillance system is developing apace through two separate, but intrinsically intertwined, initiatives (see Statewatch, vol 7 no 1 & 4 & 5; vol 8 nos 5 & 6). First, the Council has proposed a new draft Council Resolution to extend the 1995 "Requirements" Resolution to cover "new technologies" - the Internet and satellite-based telecommunications. Second, the Council is on the brink of agreeing a formula to provide a legal base for "remote" access to the Iridium satellite "ground station" in Italy - through new clauses in the draft Convention on Mutual Legal Assistance in criminal matters. This draft Convention will provide the legal framework for the interception of all forms of telecommunications in the EU required to put into effect the EU-FBI surveillance system. Both measures are expected to be agreed at the 27-28 May meeting of the Justice and Home Affairs Council.

Background

The 1995 Council Resolution on the lawful interception of telecommunications setting out the "Requirements" was slipped through the EU by what is known as "written procedure" on 17 January 1995. "Written procedure" is a decision-making process whereby a measure is sent out to EU member states for agreement between meetings of the Council of Ministers. In October 1994 the US Congress had adopted its version of the "Requirements" drawn up by the FBI. Not wishing to wait three months until the next meeting of the Justice and Home Affairs Council the German Presidency took the initiative to use "written procedure" (all Member States are obliged to reply though they may add statements to be included in the Council minutes). Using the "written procedure" process had another effect, the "Requirements" Resolution remained hidden from view until November 1996 when it was published in the EU's Official Journal. In the USA civil liberties groups have campaigned against the new surveillance powers since 1993, however the EU end of the EU-FBI axis only became apparent when Statewatch published its first report in February 1997.

The "new technologies"

In July 1998 the Austrian Presidency of the EU put forward a proposal for a "Draft Joint Action on the interception of telecommunications" which was discussed by the Police Cooperation Working Party (Experts' meeting - Interception of telecommunications) at its meeting on 3-4 September in Brussels. This draft Joint Action was intended to extend the 1995 "Requirements" to "new technologies" (the Internet and satellite-based telecommunications) and to place on network operators and service providers an obligation to provide information and assistance in the interception of telecommunications. The idea of a Joint Action was dropped by the end of July as a number of EU member states were not prepared, or ready, to adopt a binding commitment to place an "obligation" on network and service providers at national level.

However, the same meeting of the Police Cooperation Working Party was also considering reports drawn up by three "expert groups": the IUR (International User Requirements) and the STC (Standing Technical Committee) from their meeting in Rome on 14-16 July 1998 plus the conclusions of an earlier meeting of ILETS (International Law Enforcement Telecommunications Seminar). The role of these non-EU working groups is made explicit in ENFOPOL 98 which had "been drafted by the technical groups ILET, STC and IUR."

There were further meetings of IUR, 20-22 October in Vienna and 27-28 October in Madrid. By November 1998 meetings of ILETS, IUR and STC concluded that "adjustments" to the 1995 "Requirements" to cope with the "new technologies" was "an urgent necessity".

The key group is ILETS, revealed by Statewatch in February 1997 (vol 7 no 1) and pinned down by Duncan Campbell in an article in the Guardian's Online. ILETS was founded by the FBI in 1993 and is comprised of: the US, Canada, Norway, Australia, New Zealand and Hong Kong (it is not known if Hong Kong is still particitpating) plus the 15 EU states. Those attending these meetings are from the "law enforcement agencies".

The core of the ILETS group are the US, Canada, Australia, New Zealand and the UK - the UKUSA group, started in 1946, which runs up a global surveillance system to service the military and overseas intelligence agencies (ECHELON). There are thus two global systems: ECHELON serving the "military and intelligence community" (external, eg: GCHQ and MI6 in UK) and the EU-FBI telecommunications surveillance system to serve the "law enforcement community" (police, internal security, customs and immigration).

The new draft Resolution

The European Parliament was consulted (that is, its views are sought but they can be ignored) on the second revision of ENFOPOL 98, dated 3 December 1998. A later version of the same report, now renamed ENFOPOL 19, dated 15 March 1999 contains two significant differences to the version given to the European Parliament.

1) In the version discussed by the European Parliament the "General explanations" seek to amend the 1995 requirements to include identifier data on internet users by including:

"IP address (electronic address assigned to a party connected to the Internet), account number and E-mail address" (ENFOPOL 98 REV 2)

In the new version it says:

"IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address"

(ENFOPOL 19) (our emphasis)

An earlier document makes clear that the "account number" is not needed because this data comes with the "IP address".

2) The second difference is either sleight of hand or a deliberate mistake. In the section on the "Explanations of the Requirements" describing the changes to be made to the 1995 requirements it says that concerning access to "fixed and switch connections":

"IP connections are not included" (ENFOPOL 98 REV 2)

In the new version it says:

"IP connections are not excluded" (ENFOPOL 19) (our emphasis)

Moreover, the first revision of ENFOPOL 98 (ENFOPOL 98 REV 1, dated 10 November 1998), not considered by the European Parliament, also says "not excluded".

The general concerns over the contents of ENFOPOL 19 are: a) under the heading "Interception interface", the inclusion of: "In newer technologies the interception interface may be a virtual interface within the network". This would involve specialised software being installed at Internet Service Providers which would be remotely ("virtual") controlled by the law enforcement agencies. The effect would be to automate the transmission of messages etc.

b) many of the detailed requirements of the law enforcement agencies expressed through ILETS and the EU's Police Cooperation Working Party present in ENFOPOL 98 - but not in ENFOPOL 19 which is limited to amending the 1995 "Requirements" - are likely to be placed in an operational manual which will not be subject to public debate or parliamentary scrutiny.

EP discusses the EU-FBI surveillance system

As noted above the European Parliament was "consulted" on the proposal in ENFOPOL 98 REV 2. This is the first opportunity that the European Parliament had to formally comment on the EU-FBI telecommunications surveillance system.

The main committee considering the Council proposal was the Civil Liberties and Internal Affairs Committee and its report by Gerhard Schmid (PSE, Socialist group, rapporteur) "approves the Council proposal" and was adopted unanimously at its meeting on 20 April. It proposes minor amendments to the opening "Recitals" and suggest that the Council report back by July 2000 on how many EU states have effected the amended 1995 "Requirements" Resolution into national law.

The five-paragraph "Explanatory Statement" says that the "resolution is not binding" (which is correct) and that it is simply intended to make clear that the 1995 "Requirements" Resolution "apply to both existing and new communications technologies, e.g. satellite and Internet communications." The report simply concludes that: "It does not, therefore, affect the tension between fundamental rights and internal security." The "Opinion" of the Legal Affairs and Citizens' Rights Committee, attached to the main report, was adopted on 25 March by 7 votes to 4. Its conclusion was that the Committee: "rejects the Council proposal."

The report notes that the 1995 "Requirements" are not binding and that "national legislation applies". It goes on to say: "The Registrar's office of the European Court of Human Rights has told the rapporteur that the ECHR has not yet ruled on the violation of the secrecy of correspondence in respect of electronic mail."

Neither report used the wealth of information now available on the EU-FBI surveillance system (which is not mentioned). The report was adopted at the European Parliament plenary session on Thursday 6 May.

In this context it should be observed: a) that most national legislation does not cover the interception of the Internet and e-mails nor satellite telecommunications and that most EU countries are likely to have new measures before their parliaments over the next two years; b) although the amended 1995 "Requirements" Resolution is not legally binding on EU member states network operators and service providers will not be granted new/extended operating licences at national level unless they comply due to international agreements reached in non-EU bodies - the STC, IUR and ILETS.

The "remote approach"

Alongside the plans on the EU-FBI telecommunications surveillance system within the EU are the parallel discussions taking place over the provisions on interception to be included in the draft Convention on Mutual Legal Assistance in criminal matters which will give EU states the legal powers to carry out cross-border interceptions.

Statewatch vol 8 no 5 reported how the EU was planning to take advantage of the offer by Iridium of "remote" access to telecommunications passing through its global network, which is: "from a technical point of view, a convenient option". It transpires that it is also "convenient" from a legal/political point of view as well.

Two questions have been taxing the EU working parties, first, to what extent should the EU member state in which Iridium's ground station is located - Italy - have any involvement or responsibility for "remote interception" and second, should the draft Convention expressly provide for the "remote approach". The answer to the second question is yes, provisions should cover the "remote approach" both to cover Iridium and future network providers.

The first question divided the EU member states. 13 member states think the "remote approach" does not infringe the rights of the "host" member state. Italy, the "host", takes a different point of view and Germany thinks the draft Convention should expressly refer to the "remote approach" being applied "for the purpose of criminal investigation". The majority of EU member states take the view that the "host" state does not have a substantial role and it does not have legal responsibility for the interception of telecommunications made via the "ground station".

The crux of the discussion is set out in a Note from the Italian delegation at the end of February. Two options were on the table. First, the "centralised" option, based on present practice, would involve each interception to be authorised through "International Letters of Request". For the "host", Italy, this means single authorisations being granted by the Italian authorities "following Letters of Request from member states". The "centralised" option meant pursuing the present system where each, single, interception has to be authorised by the competent authorities. This was seen as too slow and cumbersome and it was "impossible" for the EU member states to reach agreement on a text. Instead they have opted for, in the words of the Italian delegation's report, the "remote approach" which would mean:

"a single, general, "order", given by Italy to its ground station to adjust its structures in order to allow the autonomous activation of interception by the national service providers and the automatic transmission thereto of the conversations intercepted."

This "general" order granted to member states would cover both communications between satellite handsets (air/air), which the "ground station" would, in technical jargon, "hock into" then "duplicate" and between satellite handsets and fixed terminals, or GSM, mobile phones (air/ground), when the "ground station" would simply "listen to.. the communication already in transit within its own structure."

The Italian concerns are that the interception is on "Italian territory", that the "remote approach" means limiting Italian sovereignty, and that by issuing a "single order" which will once and for all replace all single authorisations granted by the competent Italian authorities it will need to be given some "guarantees". Under its constitution its President, the President of the Council of Ministers and members of the Italian parliament cannot be the "object of investigations" except under very specific conditions. As for "national security" there were responsibilities to parliament if part of its sovereignty were to be relinquished "without having guaranteed the fundamental interests of the State". The response, two weeks later, of the majority group of 13 EU member states was not sympathetic:

"The member state hosting the ground station cannot export its constitutional principles to other member states."

To which the Italian delegation responded by saying they should be entitled to make: "a declaration.. specifying certain limits for interception via the ground station by remote control which other member states must respect."

The issues raised by Italy's constitutional objections are wider than their position makes apparent. It is proposed to move from the current system whereby every interception request to Italy from another EU member state requires a Letter of Request and an order from the Italian authorities to a system which through one general order automatic authorisation will be granted to all interceptions without any review as to their legitimacy or legality (either before of after the event) under Italian law. It is therefore possible that 14 EU member states will each be granted a single, general, order to use the "remote" interception facility made available by Iridium from Italy and that the same may happen with the Globalstar "ground station" located in France (which is going online soon).

Iridium sales failure

Iridium, of "Iridium is God manifesting himself through us" fame, lost $440 million in the last quarter of 1998. This follows substantial problems with the production of handsets and has led to a substantial shortfall in Iridium subscriptions. The company had expected to have 40,000 subscribers by the end of 1998, in the event they only had 3,000 and most of these were to the US government and military. Iridium hopes to have 500,000 plus subscribers by the end of 1999.

Figures like these go some way to explain why Iridium is so anxious to please EU member states by facilitating the interception of telecommunications from its ground station in Italy. Commentators say that Iridium has to make major inroads into the "wireless" market in the EU because the US is dominated by a solid single "wired" network created by AT&T. This may explain why it has met all the costs of ensuring that its Italian ground station can provide a "remote" interception service for law enforcement agencies.

STOA report

A special report just completed for the Science and Technology Options Assessment Panel of the European Parliament (STOA) by Duncan Campbell entitled: Interception capabilities 2000 observes that:

"It should be noted that technically, legally and organisationally, law enforcement requirements for communications interception differ fundamentally from communications intelligence [eg: ECHELON]. Law enforcement agencies (LEA) will normally wish to intercept a specific line or group of lines, and must normally justify their requests to a judicial or adminsitrative authority before proceeding. In contrast, Comint [communications intelligence] agencies conduct broad international communications "trawling" activities, and operate under general warrants. Such operations do not require or even suppose that the parties they intercept are criminals. Such distinctions are vital to civil liberty, but risk being eroded if the boundaries between law enforcement and communications intelligence become blurred in future."

The "law enforcement agencies" in the EU are to be issued with general warrants to intercept the new generation of satellittee communications services offered by Iridium in Italy and Globalstar in France. In addition, the provisions of the amended 1995 "Requirements" Resolution, when combined with the EU legal framework in the draft Convention on Mutual Assistance in criminal matters, provide for real-time (as a communication is happening) interception which will require instanteous authorisation by a police officer or official. Moreover, police analysis software, such as the Harlequin system, is already widely used in the EU to "map" a target's business, political and friendship networks from data provided by telecommunications operators. The EU-FBI telecommunications surveillance system may not yet have the ability to "trawl" the ether but it will certainly be able to cast a very wide net.

Sources: Report on the draft Council Resolution on the lawful interception of telecommunications in relation to new technologies, Committee on Civil Liberties and Internal Affairs, Rapporteur: Gerhard Schmid, and Opinion from the Legal Affairs and Citizens' Rights Committee, PE 229.986.fin, 20.4.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union - Interception of telecommunications, Presidency to COREPER/Council, ref: 11173/98, Limite, JUSTPEN 87, 15.9.98; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union - Interception of subjects on national territory using national service providers ("remote approach"), Presidency to Working Party on Mutual Assistance in Criminal Matters, ref: 7196/99, Limite, JUSTPEN 22, 7.4.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union -application of the remote approach regarding interception of satellite telecommunications, Italian delegation to Working Party on Mutual Assistance in Criminal Matters, ref: 6284/99, Limite, JUSTPEN 9, 25.2.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union - application of the remote approach regarding interception of satellite telecommunications, Working Party on Mutual Legal Assistance in Criminal Matters, ref: 6195/99, Limite, JUSTPEN 7, 19.2.99 and COREPER to Council, ref: 6195/1/99, Limite, JUSTPEN 7 REV 1, 9.3.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union, Working Party on Mutual Assistance in Criminal Matters to COREPER/COUNCIL, ref: 13144/98, Limite, JUSTPEN 108, 19.11.98; Interception of telecommunications -Draft Council Resolution on new technologies, Presidency to Police Cooperation Working Party, ref: 6715/99, Limite, ENFOPOL 19, 15.3.99; Interception of telecommunications - Council Draft Resolution in relation to new technologies, Presidency to Police Cooperation Working Party, ref: 10951/98, Limite, ENFOPOL 98, 3.9.98 and ref: 10951/1/98, Limite, ENFOPOL 98 REV 1, 10.11.98 and ref: 10951/2/98, Limite, ENFOPOL 98 REV 2, 3.12.98; PC Magazine, May 1999; Duncan Campbell, "Intercepting the Internet", Guardian Online and on the telepolis site: http://www.heise.de/tp/english/special/enfo/6397/1.html;Interception Capabilities 2000, report by Duncan Campbell for the Science and Technology Options Assessment Panel of the European Parliament, 6.5.99.

Source: Statewatch bulletin