EU-FBI telecommunications surveillance plan: Secret services and G8 intervene
Statewatch bulletin vol 9 no 6 (November-December 1999)
The EU-FBI telecommunications surveillance plan has been held up since early summer over the revised set of "Requirements" to be laid on internet and service providers (ENFOPOL 19) and the draft Convention on Mutual Assistance in criminal matters - now held up for nearly two years due to the inclusion of provisions on interception and the inability of EU member states to reach agreement (see Statewatch vol 7 no 1, 4 & 5; vol 8 nos 5 & 6; vol 9 no 2).
The intervention of new players is partly responsible for the hold-up. First, the internal security services of EU member states have directly intervened because they considered the restrictions of their "freedom" to conduct surveillance could be limited by the draft provisions in the draft Convention. The potential role of the internal security services (like MI5) cropped up earlier in the discussion over the provisions in the draft Convention because the UK is the only EU member state to formally give, by law, a role to MI5 to assist the police in their crime role. The other EU member states have no problems as they maintain the draft Convention only covers "crime" and policing - which has always begged the question that if this Convention is not to cover surveillance by internal security services what does? The answer is nothing covers or limits or makes accountable their surveillance of telecommunications. The Justice and Home Affairs Council on 2 December agreed that the draft Convention, while placing a general obligation on the "intercepting" member state to inform the member state in which the interception is carried out, this will only apply to "criminal" proceedings and investigations - and not to "interceptions undertaken for national security purposes". The effect is that the surveillance of telecommunications by internal security agencies is left untouched by the draft Convention but allows them to take advantage of access to telecommunications being opened by the "Requirements" to be laid on internet and service providers under the EU-FBI plan.
The EU-FBI telecommunications surveillance plan is intended to serve the "law enforcement community" as distinct from the "military-intelligence community" (which uses ECHELON). The latter covers intelligences agencies like NSA and the CIA in the US and MI6 (the overseas Secret Intelligence Service) in the UK. This leave internal security agencies primarily dependent on the EU-FBI plan for its surveillance work. So, although EU member states have to at least create the appearance of control and accountability and even data protection for policing activities these provisions could limit, or lead to the exposure of, internal security service surveillance. This is especially the case when the line between traditional "internal security" and "combatting crime" is increasingly blurred in fields like computer crime, environmental and political protests, and "illegal immigration".
While the draft Convention on Mutual Assistance in criminal matters sets out powers of surveillance and interception within the EU the "Requirements", which will also apply within the EU, are subject to international agreement through a series of hidden working parties.
These secret working groups include: i) the EU Police
Cooperation Working Group (Telecommunications) and its Technical Questions Sub-Group; ii) IUR, the International Users Requirements group; iii) STC, Standards Technical Committee; and ILETS, International Law Enforcement Telecommunications Seminar. ILETS is a key group comprising the Cold War UKUSA countries -the US, Canada, Australia, New Zealand and UK - plus Hong Kong and Norway and 14 EU member states (15 minus the UK which was a founding member). Aside from strictly technical questions membership of these groups overlap so that EU member representatives on the Police Cooperation Working Group may also be on ILETS. The drafts of the original IUR 95 "Requirements" adopted by the EU in January 1995 and the proposed revisions in 1998 (to include internet service providers and satellite phones) in ENFOPOL 98 (and its two revised versions) came from this group into the EU policymaking process.
The "Lyon Group"
While ILETS works on technical matters (and their policy implications) a much more high-powered driving force on the global interception of telecommunications is the "Lyon Group" and especially its "High-tech Crime Subgroup of G8 Senior Experts' Group on Transnational Organised Crime."
The G8 Senior Experts' Group on Transnational Organised Crime came out of the G8 Prime Ministers meeting on 27 June 1996 in Lyon, France. The first "G" Prime Ministers' Summit was held in Rambouillet, France in 1975 comprised of US, France, UK, Germany, Italy and Japan. Canada joined in 1976 (making G7) and in 1977, at the London Summit, the European Community joined its membership. The European Community's delegation is made up of a EU Presidency representative (currently Finland), the head of the European Commission (Romano Prodi, who previously attended as part of the Italian delegation) plus the Commissioner for external affairs (Chris Patten). Since 1994 Russia attended its meetings and became a full member at the Birmingham Summit in 1998, making up G8.
All "Summit" meetings, such as EU Summits and G8 Summits try to sort out outstanding differences between members but the real work is done beforehand by officials and "experts" - and much of the latter's work goes through "on the nod" into the final conclusions. G8 Summits (and other meetings) are prepared by high-ranking officials known as "sherpas" and "sous-sherpas". National "sherpas" are each supported by two "sous sherpas" (one covering foreign affairs and finance, the other "political" matters including justice and home affairs).
Alongside G8 is "P8" ("Political 8") which deals amongst other matters with terrorism, crime and illegal migration which since the Lyon decision has led to the creation of a series of other groups and meetings (such as the G8 Justice and Interior Ministers who last met in Moscow on 19-20 October 1999).
Sub-Group on High-Tec Crime
The "problems" for the G8/P8 states were broadly defined at the 1998 Birmingham Summit under the UK Presidency as:
"The main obstacle facing a G8 achievement of any goals set out in Birmingham appears to be the barrier of red tape obstructing law enforcement agencies from cooperating across national jurisdictions. The G8 will need to address the inconsistencies between justice systems from one member country to another if the problem of international crime is to be dealt with effectively."
The key phrases here are "red tape" (procedures, control and accountability) and "inconsistencies between justice systems" (data protection and legal restrictions). In this context the Minutes of the G8 Subgroup on High-Tec Crime held in Paris on 18-21 May 1999 sets out a whole agenda influencing the EU-FBI plan.
The first issue the Minutes cover is the "Preservation of Traffic data" covering "historical traffic data" and the "collection of future data". The Minutes state that:
"Delegations agreed that privacy legislation (e.g. implementing the 1995 and 1997 EU Data Protection Directives), national laws implementing the Directives, and market forces are among the significant obstacles to law enforcement's ability to obtain historical data for use in criminal investigations. (Disclosure of that traffic to foreign investigators is also complicated by these and other impediments). Privacy directives, to the extent they require the deletion of connection information, can effectively erase the trail of connections that might otherwise identify the source of criminal activity."
It goes say that a further impediment is "anonymous free Internet services.. contribute to the absence of useful traffic data." Two solutions are suggested for this "problem". The meeting of G8 Justice and Interior Ministers in Moscow on 19-20 October adopted "Principles on Transborder access to stored computer data" defined simply as covering "law enforcement agents employed by law enforcement agencies.. investigating criminal matters". The "Principles" say "each State" will ensure that data is preserved, "particularly data held by third parties such as service providers" for the purpose of seeking:
"access, search, copying, seizure or disclosure, and ensure that preservation is possible even if necessary only to assist another State."
The second "problem" with "historical data" is that there is no obligation for service and internet providers to keep data of their users messages etc. The 1997 EU Directive on Telecommunications Sector Data Protection allows service providers to keep traffic data for billing disputes but this is rarely used as users are not billed by individual connection. Some countries allow traffic data to be preserved to guard against subscriber fraud but the Minutes observe there are no provisions for "infrastructure protection" or "other suspected illegal activity". The Sub-Group's view is that G8 should prepare "G8 Recommendations on Data Preservation" and that at national level the EU Directive should "either mandate or allow ISPs to retain particularly critical categories of traffic data for minimum time periods."
As to "future traffic data" ("real-time connection information", as it is happening) a number of delegations reported that national laws "imposed heightened limitations" on the "ability of law enforcement" to obtain future traffic data and "share it with foreign law enforcement". Several countries treated "future traffic data" as "interception" which "involves more stringent prerequisites and may only be available for certain offences". Moreover, although national laws may permit the "capture of future traffic data for domestic purposes, its laws may not permit it to do so solely for the benefit of a foreign state". The Sub-Groups solutions to this "problem" include treating "future traffic data" on the same basis as "historical data" to avoid being defined as interception and amending Mutual Legal Assistance Agreements (MLAA's) and national laws to allow interception on behalf of foreign states and agencies.
It also suggests that "important investigative techniques" could be used: "for the benefit of a foreign government and in the absence of a criminal offence or serious criminal offence, in the conduit country". This perhaps fits in with the "hypothetical intrusion exercise" the Sub-Groups agencies are testing their investigative techniques on - this suggests an interventionist, pro-active approach which could "interfere" with telecommunications.
The "Principles on Transborder Access", agreed in Moscow, also covered instances where there was a formal request for access to data (under MLAA's) and "Transborder access to stored data not requiring legal assistance" - this latter aspect covers accessing "publicly available (open source) data" and: "accessing, searching, copying, or seizing data stored in a computer system located in another State, if acting in accordance with the lawful and voluntary consent of a person who has the lawful authority to disclose to it that data." In effect, US or UK security agencies could gain access to data where authorised to do so by a US or UK multinational operating in the surveilled country.
The G8 states have set up a 24-hour "point-of-contact network" that also acts as a "warning system" which "could be used proactively". All EU and Council of Europe states have been invited to join the network, with Spain and Denmark responding first.
The Irish government has told the EU that it is currently unable to cooperate fully in assisting other states on the interception of telecommunications. Under present legislation "interception cannot be ordered to assist in the investigation of a criminal offence in a foreign jurisdiction." If, however, a foreign law enforcement agency is "cooperating in a joint investigation" with the Garda Siochana then it is up to the GS Commissioner to decide whether to make an application for "interception authorisation".
The EU Directive on Data Protection does not cover justice and home affairs issues and only recently have the Council (EU governments) been considering whether or not to include such provisions in a series of measures - some adopted, some planned such as Europol, the Customs Information System or Eurodac. One of the reports on this internal discussion says:
"if the objective of the Horizontal Working Party on Data Processing were primarily to look for "the lowest common denominator" in physical data protection under the Third Pillar, how would it be possible to disregard Council of Europe Convention No 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data?"".
In its 31st report the UK's House of Commons' European Scrutiny Committee has said that it is: "somewhat surprised that the UK does not impose restrictions on the use of information it supplies to other EU member states". This arose in reaction to the Home Office's comments on a German proposal for data protection to be inserted in the draft Convention on Mutual Assistance in Criminal Matters. The proposal would allow intercepted data supplied to another state "not only to be used for the purpose for which it has been communicated but also for other purposes", including unrelated criminal investigations and prosecutions. The Home Office comments:
"This proposal may be controversial since some Member States provide information on condition that it is used only for the purposes specified in the request, or for other purposes with the prior consent of the requested state. The UK does not impose this condition."
The UK therefore supports the German proposal because "it would avoid the need for prior consent from the requested state before making use of information in other criminal investigations."
ECHELON and Italy
On 3 March 1999, the Rome attorney's office opened a preliminary investigation into ECHELON to find out whether this surveillance activity violates the Italian penal code. Stefano Rodota, the Italian ombudsman for the protection of personal data, welcomed the initiative because "it can contribute to offer public opinion with precise information to base its judgements on." He added that research into the technical aspects of the ECHELON network is crucial in order to develop legal and technological measures which, he feels, must be established at a supranational level, due to ECHELON's characteristics. He was critical of the refusal by countries involved in the ECHELON network to respond to allegations, in spite of an explicit request from the European Parliament. Rodota said it was not a simple question of national sovereignty "through this surveillance, one effectively enters the physical borders of a country. What suffers is the freedom of every citizen, whose physical movements and communications are controlled, step after step." Furthermore, he reasons, if it is used to discover commercial information, as has been alleged, such a network becomes invaluable.
"Echelon - Dichiarazione del Prof. Rodota all'Agenzia Agi su avvio indagine Procura di Roma", 3.3.99.
ECHELON and Denmark
"We know that we don't know anything apart from what has been reported in the press". This is in essence the response of Danish ministers when asked about possible Danish involvement in the in international surveillance system ECHELON. The latest attempt to get information about ECHELON was during a debate in the Danish Parliament 9 December. Three Ministers - Justice, Defence and research - were asked to answer the following question from the MP's, Mr Keld Albrechtsen (the Red-Green Alliance/Enhedslisten) and Mr Knud Erik Hansen (Peoples Socialist Party/SF): "What can the ministers say about the parliamentary control of ECHELON and other surveillance systems abroad and at home.. and what are Government intentions to strengthen parliamentary control?" The Minister of Defence, Mr Hans Haekkerup, said: "Neither the Ministry of Defence nor the military intelligence participates or contributes to ECHELON. But during the debate he repeated what he had already said to the parliament's Europe Committee in September: Denmark has established co-operation agreements with a number of countries leading to information being exchanged. The interception of communications by the military intelligence service is only related to Danish security interest abroad. But he also admitted that Denmark receives information's from foreign intelligence services and that he did not know if they had been intercepted according to legal guarantees for the individual. The debate ended with a majority of the parties -"the unified listening parties" as they were called during the debate - in parliament rejecting the proposal from Enhedslisten and SF. The Danish debate about ECHELON has now been going on for nearly three years and took off again when British journalist Duncan Campbell spoke at a meeting in Copenhagen in September about the report "Interception Capabilities 2000".
Sources: P8 - Senior Experts Group Recommendations: "To combat Transnational Organised Crime" (Paris, 12 April 1996); Summit Performance Assessments by Issue: G8 1998 Birmingham: Crime; Evaluation Report on Ireland on Mutual Legal Assistance and Urgent Requests, ref 9079/99, CRIMORG 70, 18.8.99; Protection of personal data in the Third Pillar of the European Union: Proposals on determining the remit of the Horizontal Working Party on Data Processing, ref 7718/99, JAI 36, 26.4.99; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union - data protection, from the German delegation, ref 11084/99, COPEN 37, 17.9.99; Select Committee on European Scrutiny, 31st report, 19.11.99.
Source: Statewatch bulletin