EU-FBI telecommunications surveillance system
THE BATTLE SHIFTS TO TRYING TO UNDERMINE EU PRIVACY



The debate over the surveillance of telecommunications in the EU has shifted from the "third pillar" (justice and home affairs/law enforcement agencies) to the "first pillar" (community law/industry). At issue is the length of time service and network providers have to keep data on all telecommunications (e-mails and internet usage). EU community law requires providers to retain data only for purposes of billing and then to erase it. The law enforcement agencies (police, customs, immigration and internal security services) want all communications to be kept for at least 7 years (see Statewatch vol 10 no 6).

The shift from the "third" to the "first" pillar

When ENFOPOL 98 was produced in September 1998 it was followed by extensive criticism in the media for wanting to extend the EU-FBI "Requirements" for the surveillance of telecommunications to e-mails and the internet. The final version of this document, ENFOPOL 19, was never adopted by the Council of the European Union (the governments) because of the "negative press" reaction (see Statewatch, vol 10 nos 2 & 3/4).

In the spring of 2000 the EU's Working Party on police cooperation decided that issues previously discussed under "interception of telecommunications" will now come under "advanced technologies". In July 2000 a document from the same working party entitled "Advanced technologies: relations between the first and third pillars" said there needed to be an "inter-pillar dialogue" over the "Information Society" (an over-arching EU term referring to e-mails and the internet).

From then the debate shifted with EU law enforcement agencies and EU working parties seeking to change, and if possible remove, the protection given to individuals under existing EU laws on data protection and privacy and proposed new Regulations on privacy and rules for the industry. Current, and planned, EU laws protecting individual rights are seen by the EU's law enforcement community as standing in their way.

The protection of privacy

The European Commission has put forward a proposal to update the 1997 Directive on the protection of privacy in the telecommunications sector (97/66/EC) which has only been in force for a couple of years. The proposed revision is primarily intended to update the 1997 Directive to allow for "new and foreseeable developments in electronic communications and services and technologies" (COM(2000)385 final).

It includes proposals to allow (Article 15) derogations (under Article 9) to restrict the scope of rights and obligations where national security, criminal investigations and "unauthorised use of electronic communications system(s)" are concerned.

As background to its proposal the Commission has put out a Communication on "Creating a Safer Information Society by improving the security of information infrastructures and combating computer-related crime". This report notes the ongoing work on the much-criticised draft Council of Europe Convention on cybercrime (see Statewatch, vol 10 no 6) and says that: "EU approximation could go further than the CoE Convention, which will represent a minimum of international approximation." (p15)

In a section on legal issues the report says that at present:

"Interceptions are illegal unless they are authorised by law when necessary in specific cases for limited purposes."(p16)

At present legislation in EU member states requires that interception by law enforcement agencies is authorised by a judicial order or by a senior Minister. This legislation, the report says, has to be in line with Community law and provide:

"safeguards for the protection of the individual's fundamental right of privacy, such as limiting the use of interception to investigations of serious crimes, requiring that interception in individual investigations should be necessary and proportionate, or ensuring that the individual is informed about the interception as soon as it will no longer hamper the investigation." (p16)

These protections are precisely what the law enforcement agencies want to overturn.

Moreover the report notes "with grave concern reports on alleged abuses of interception capabilities" in reference to the ECHELON inquiry set up by the European Parliament.

The report then deals with the "retention of traffic data". Under the 1995 and 1997 EC Directives traffic data must be erased unless it is needed for billing purposes. For flat-rate or free-of-charge access to telecommunications services the service providers are "in principle not allowed to preserve traffic data" (p18). Member states "may" adopt legislative measures to restrict the obligation to erase data where necessary for the prevention, investigation or prosecution of crime or the unauthorised use of the telecommunications system. But such measures have to be appropriate, necessary and proportionate as required by Community and international law. It concludes that:
This is particularly relevant for measures that would involve the routine retention of data on a large part of the population.

The European Parliament has generally taken a stance in favour of the "strong protection of personal data". In the context of combating child pornography on the internet the parliament favoured "a general obligation to preserve data for a period of three months".

Data protection supervisory authorities have taken the position that to protect privacy "traffic data should in principle not be kept only for law enforcement purposes". The Commission's Data Protection Working Party has issued a strong report on the question:

"Large-scale exploratory or general surveillance must be forbidden... the most effective means to reduce unacceptable risks to privacy while recognising the needs for effective law enforcement is that traffic data should in principle not be kept only for law enforcement purposes and that national laws should not oblige telecommunications operators, telecommunications services and Internet Service Providers to keep traffic data for a period of time longer than is necessary for billing purposes. (Recommendation 3/99, 7.9.99)

The Data Protection Working party also made recommendations on anonymity concluding that: "remaining anonymous is essential if the fundamental rights to privacy and freedom of expression are to be maintained in cyberspace". This, they say, should be balanced against proportionate restrictions in limited and specific circumstances.

EU Working Party on police cooperation

The key player in this debate is the Council's Working Party on police cooperation made up of police and interior ministry officials from all the EU member states. Many of these same officials also go to G8 meetings on interception and others to the ILETS meetings (the International Law Enforcement Telecommunications Seminar, see Statewatch, vol 7 no 1 & 4 & 5; vol 8 no 5 & 6; vol 9 no 6), including some from the working party's technical sub-committee.

A report from this working party in November last year shows that six countries oppose ("expressed misgivings") the wording in Article 6 of the draft Directive on personal data and the protection of privacy (COM(2000)385). The wording is that all traffic data:

"must be erased or made anonymous upon completion of the transmission."

The six governments are Belgium, Germany, France, Netherlands, Spain and the UK.

Their reasoning is that it would not allow the "investigation services" to identify "perpetrators of serious offences involving the use of telecommunications networks" and then cite "child pornography and incitement to racial hatred" - which are specific offences but which do not justify total surveillance.

The draft Directive does, in Article 15, allow governments to adopt strong powers where they are necessary to "safeguard" national security, the investigation of criminal offences or the unauthorised use of telecommunications. The EU's law enforcement agencies do not like this provision as it would have to be specific and limited in scope:
It is impossible for investigation services to know in advance which traffic data will prove useful in a criminal investigation.

And it goes on to say,

"The only effective national legislative measure would therefore be to prohibit the erasure and anonymity of traffic data. However, such a measure would probably not be considered proportionate, as it would call into question the very aim of the draft Directive."

The report tries to use an economic argument to support its case. Telecommunications equipment is "standardised and produced by only a few market leaders" who would apply the general rule to erase traffic data. This would leave each EU member state having to adopt the so-called "safeguard clause" in Article 15 by way of exception and thus have to "re-jig standard equipment, entailing considerable extra expense". The report, however, does not state the obvious problem for law enforcement agencies - namely that surveillance will only work if all EU states have to apply the same rules of surveillance, that is to give access to every communication. If some states only get limited access to communications in specific cases EU-wide (and Europe-wide) then the surveillance breaks down.

The working party is also concerned about another proposed Directive from the Commission on setting a common framework for the authorisation of telecommunications networks. This is intended to simplify and encourage the "Information Society" for commerce. The proposed Directive would do away with individual licences. The report comments:

"The Working Party does not see how any Member State could then safeguard public policy and security interests (cf.Article 15). By taking no account of the storage of data on communications by operators/service providers, definition of storage time and making such data rapidly available to investigation services, that proposal would in general be likely to jeopardise State prerogatives such as crisis management, judicial interceptions etc."

The report then gives examples of what data the law enforcement agencies need: i) positioning; ii) inverse tracing; iii) number of caller and recipient - important for knowledge of environment eg: "relationships, ongoing conflicts or disputes, professional activities" is "paramount"; iv) prepaid cards, SIM cards; v) connection data; vi) navigation data and vii) positioning in stand-by mode:

"the real-time location (in stand-by mode or in the context of interception) must continue to be included on one of the files in mobile phone chip cards because of the importance of the situations - criminal investigations or rescue operations - in which they are utilised."

A number of examples follow of the use of such data. What is striking is that in some instances the examples used are about specific investigations - which are quite possible under existing rules.

It is also noticeable that the report uses examples, like child pornography and racial hatred and rescue operations, which would command wide support to try and justify the wholesale, indiscriminate monitoring of all communications by everyone about everything. Their rationale is:

"to ensure that a fair balance is struck between respect for privacy and freedoms and the right to security and protection from crimes committed using technological means."

The "fair balance" for the law enforcement agencies and this working party means putting their interests above those of the citizen.

It is possible to argue that the law enforcement agencies should be able to intercept communications for a specific investigation concerning serious crimes which is authorised by a judicial authority on each and every occasion - and the subject of the interception being informed of the fact. Such a system, which is subject to judicial and parliamentary accountability and review, could properly be used for investigating offences.

Sources: Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions: Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, COM (2000) 890 Final; Relations between the first and third pillars on advanced technologies - Proposal for a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, submitted by the Commission, 12855/1/00 Rev 1, ENFOPOL 71, 27.11.00.

This report first appeared in Statewatch bulletin, vol 11 no 1 (January-Feruary 2001)



Statewatch News online

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.