Please note: this observatory is no longer updated.
EU surveillance of communications: data retention to be “compulsory” for 12-24 months – draft Framework Decision leaked to Statewatch: Special report
Europol document confirms that the EU plans a “common EU law enforcement viewpoint on data retention”: Report
EU surveillance of telecommunications: The vote in the European Parliament to accept data retention and surveillance by the law enforcement agencies: Report & Analysis
European Parliament caves in on data retention
– the PSE/socialist group have joined the EPP/conservative group and accepted the demands of EU governments and law enforcement agencies to place communications under surveillance: Report
Coalition asks European Parliament to vote against data retention: Report
European Parliament committee chair tries to reach a “deal” with the Council on the surveillance of communications: Report
Exclusive: EU governments are secretly drafting a binding Framework Decision to introduce the universal surveillance of telecommunications: Report
– European Parliament faces crucial vote on 15 May to reject the governments’ demands on the retention of data and access by the law enforcement agencies
EU surveillance of telecommunications: Mystery of the missing minutes which surface nearly a year late: Report
Surveillance of telecommunications in the EU: narrow vote in European Parliament on data retention: Report
European Parliament and EU governments on a collision course over the retention of data (telecommunications surveillance), text of Council’s position: Report (21.11.01)
EU Forum on cybercrime: Discussion Paper for Expert’s Meeting on Retention of Traffic Data, 6 November 2001. An informal Working Paper prepared by the Commission services: EU Forum on cybercrime
UK plans for the retention of data for 12 months: Report (19.11.01)
– UK to introduce data retention for 12 months under “voluntary code”
– Power to introduce mandatory retention available too
– UK derogates from 1997 EU Directive on privacy and pre-empts EU decision on data surveillance
Interception of telecommunications in the EU: Update (2.11.01)
– US calls for EU data protection to be ditched
– Council Legal Services says governments already have powers to combat terrorism
– European Parliament committee re-affirms its report on new directive
EU governments want the retention of all telecommunications data for general use by law enforcement agencies under terrorism plan: Report
– governments want to use new terrorism measures to put all communications under surveillance
– governments demanding that EU data protection and privacy laws be “revised” to allow for retention
– Statewatch report on “Data protection and data retention in the EU?”
EU: Data protection or data retention in the EU? Latest report with full-text documentation: Report
EU report shows UK, France and Belgium are planning for communications data to be retained for 12 months: Report
Special report: EU governments back plan to place all telecommunications under surveillance for law enforcement agencies: S.O.S.Europe
Report on US Carnivore system, What has happened to “ENFOPOL”? European Parliament inquiry: eufbi10
Key documents – full-text:
- ENFOPOL 19, 15 March 1999: Interception of telecommunications – Draft Council Resolution on new technologies
- ENFOPOL 98 REV 2, 3 December 1998: Interception of telecommunications – Draft Council Resolution on new technologies
- ENFOPOL 98 REV 1, 10 November 1998: Interception of telecommunications – Draft Council Resolution on new technologies
- ENFOPOL 98, 3 September 1998: Interception of telecommunications: Council Draft Resolution in relation to new technologies
- ENFOPOL 87, 3 July 1998: Draft Joint Action on the interception of telecommunications – Discussion paper
- The 1995 “Requirements”, 17 January 1995: Council Resolution on the lawful interception of telecommunications
Statewatch uses the term “the EU-FBI telecommunications surveillance system” to describe the creation of a system of “Requirements” (to be followed by network and service providers to allow interception by the “law enforcement community”) and legal powers being introduced within the EU through the Convention on Mutual Assistance in criminal matters (all EU member states are amending their national interception laws as a result, see for example, the Regulation of Investigatory Powers Bill (R.I.P. Bill) in the UK). Statewatch published a report on 10 February 1997 exposing the EU-FBI plan: EU-FBI surveillance system
Other commentators refer to the same development as “ENFOPOL”. This term is misleading and has led some to assume that “ENFOPOL” is a new organisation/agency, which it is not. The term “ENFOPOL” is simply the acronym used on all documents concerning police cooperation in the EU covering a whole range of issues. However, the EU-FBI system will introduce new practices and laws on interception. This confusion is compounded by the equally important debate on Echelon, which serves the “military-intelligence community”. See: EU-FBI background and origins
Coverage of the EU-FBI telecommunications surveillance system
“Negative press” slows down the revision of the “Requirements”, but the Convention on Mutual Assistance in criminal matters (which provides the legal framework for interception in EU member states) was adopted at the Justice and Home Affairs Council on 29 May 2000: “negative press”
EU-FBI telecommunications surveillance plan: Secret services and G8 intervene: Statewatch bulletin vol 9 no 6 (November-December 1999). Feature on EU internal security agencies intervening in the discussion on the Convention on Mutual Assistance in criminal matters and on a secret G8 group report saying that data protection in the EU may hinder law enforcement: eufbi08
EU-FBI telecommunications surveillance plan: Commission working party concerned: Statewatch bulletin vol 9 nos 3 & 4 (May-August 1999). Report by the European Commission’s working party on data protection: eufbi07
EU-FBI: EU-FBI telecommunications system moves two steps nearer: Statewatch bulletin vol 9 no 2 (March-April 1999). Feature on ENFOPOL 19, the Convention on Mutual Assistance in criminal matters, the debate in the European Parliament and Duncan Campbell’s STOA report: eufbi06
EU: Surveillance extended to Internet and satellite phones: Statewatch bulletin, vol 8 no 6 (November-December 1998). Extensive report on ENFOPOL 98 which was discussed at the EU’s Police Cooperation Working Party (Interception of telecommunications) on 3-4 September 1998: eufbi05
EU: Surveillance report: Statewatch bulletin, vol 8 no 1 (January-February 1998). Short report on the excellent report produced by the Omega Foundation for STOA: eufbi04
New Convention to legitimise surveillance – group of “20” implementing EU-FBI plan: Statewatch bulletin, July-October 1997, vol 7 nos 4 & 5. One of the first accounts of the planning in ILETS (International Law Enforcement Seminar) to make the system global through states signing up to a “Memorandum of Understanding”: eufbi03
EU: New Convention on mutual assistance in legal matters: Statewatch bulletin, July-October 1997, vol 7 nos 4 & 5. Soon after EU-FBI cooperation emerged the Justice and Home Affairs Council of the EU decided that new legal powers were needed if the system was to work. Work on this Convention as a means of legal cooperation had begun in 1996 – now it was turned into a Convention to cover police cooperation too including interception: eufbi02
EU & FBI launch global telecommunications surveillance system: “not a significant document” – UK Home Secretary: Statewatch bulletin, January-February 1997, vol 7 no 1. The first account of the EU-FBI cooperation which began in 1993: eufbi01
ENFOPOL 98 REV 2: Interception of telecommunications – Draft Council Resolution on new technologies
Introduction
The second revision of ENFOPOL 98 is shorter still and represents the basic needs of the “law enforcement community” to extend surveillance to the “new technologies”.
TEXT
EUROPEAN UNION, THE COUNCIL
3 December 1998
10951/2/98
REV 2
LIMITE
ENFOPOL 98
NOTE
from: Austrian Presidency
to: Police Cooperation Working Party
prev. docs: OJ C 329, 4.11.1996, p.1; 10102/98 ENFOPOL 87; 10951/98 ENFOPOL 98 REV 1
Subject: Interception of telecommunications – Draft Council Resolution on new technologies
Preliminary remark
Delegations will find attached the second revised draft version of the Council Resolution on Interception of Telecommunications in Relation to New Technologies.
Since the Council Resolution of 17 January 1995, telecommunications technology has made further rapid progress and new telecommunications technologies have since been discussed not only in the meetings of the Police Cooperation Working Party but also at meetings of ILETS and IUR (International User Requirements)/ST experts, which regarded adjustments of the requirements of the Council Resolution of 17 January 1995 as an urgent necessity.
The appropriate documents on the various fields concerned were drafted within the abovementioned institutions, and summarised in ENFOPOL 98 following the layout of the requirements and glossary as set out in the Council Resolution of 17 January 1995.
Since the wide range covered by ENFOPOL 98 was not conducive to ready comprehension, the existing requirements were compared with the old requirements at a drafting meeting (from 20 to 22 October 1998 in Vienna) attended by IUR experts from a number of Member States, which carefully verified the extent to which the new requirements were already contained in the text of the existing requirements. The result of this verification, continued and concluded at the meeting of IUR experts (27 to 28 October 1998 in Madrid), contained the revised version of ENFOPOL 98, which was submitted to the Police Cooperation Working Party on 5 November 1998.
On the basis of this outcome of the consultations, the latest revised version (REV 2) of ENFOPOL 98 is forwarded for information and approval after verification at the forthcoming meeting of the Police Cooperation Working Party under German chairmanship.
At a later stage the text of the Council Resolution of 17 January 1995, the text of a Council Resolution now to be adopted concerning details relating to new technologies, other Council Resolutions to be adopted, e.g. on user-related data falling partly outside the requirements for interception of telecommunications, and other areas and technical descriptions of the various technologies, could be published in a manual.
ANNEX
Draft
COUNCIL RESOLUTION
of ……….
on the lawful interception of telecommunications in relation to new technologies
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in particular Articles K.1 (9) and K.2(2) thereof,
Reaffirming the considerations put forward in the Council Resolution of 17 January 1995 on the lawful interception of telecommunications, and
Aware of the fact that the requirements of 17 January 1995, after careful verification of their continued validity, are to apply to both existing and new technologies, and that the requirements must consequently be clarified and supplemented to take account of the ongoing process of technical development,
HEREBY ADOPTS THIS RESOLUTION:
The Council notes that the requirements of law enforcement agencies with regard to network operators and service providers for the purposes of lawful interception of telecommunications, as described in the Council Resolution of 17 January 1995 (96/C 329/01) are applicable both to existing and new communications technologies, for example satellite communications and Internet communications.
The Council is however of the opinion that in view of ongoing progress in telecommunications technology, the requirements need to be clarified on a number of points. The Council considers that the explanations as annexed should be taken into account in the implementation of measures for lawful interception of telecommunications and requests Member States to call upon the Ministers responsible for telecommunications to support this view and to cooperate with the Ministers responsible for Justice and Home Affairs with the aim of implementing the clarified requirements and definitions in relation to network operators and service providers.
Annex to the ANNEX
EXPLANATIONS
of the requirements and definitions of concepts in the glossary of the Council Resolution of 17 January 1995, published together with its Annex in the Official Journal of the European Communities (OJ 96/C 329/01)
Part I: General explanations
The requirements of law enforcement agencies for lawful interception of telecommunications in relation to network operators and service providers, with glossary, of the Council Resolution of 17 January 1995 shall apply also to new technologies in existence, e.g. satellite and internet communications, and to future additional telecommunications technologies.
The technical terms used in the Council Resolution of 17 January 1995 on the basis of the then state of telecommunications technology are to be interpreted as applying to new telecommunications technologies already in existence and to future additional telecommunications technologies. In this context, a number or other electronic identifier in the 1995 requirements means e.g. in the case of the Internet, the static and dynamic IP address (electronic address assigned to a party connected to the Internet), account number and E-mail address.
Certain requirements, especially Nos 1, 1.4 – 1.4.6, 2 and 3.1, can be fulfilled in the case of the Internet for example by virtue of its design because the call content and the data relating to the call are never transmitted separately in any case.
Part II: Explanations of the Requirements
re 1.4.2. of the requirements
Called party number includes any identifier of the called party.
re 1.4.3. of the requirements
Calling party number includes any identifier of the calling party.
re 2. of the requirements
In the context of the provision of call associated data, “as soon as possible” means transmission of the data within a few seconds.
re 3.4. of the requirements
Fixed and switched connections include all types of switched connections including circuit-switched and packet-switched connections. IP connections are not included.
re 8. of the requirements
For international systems the maximum number of simultaneous interceptions needs to be derived from combining national requirements.
Part III: Explanatory Definitions in the Glossary
re CALL
A call includes any connection irrespective of the technology of the network, e.g. packet-switched data.
re INTERCEPTION INTERFACE
In newer telecommunications technologies the interception interface may be a virtual interface within the network.
ACCESS
To set up the technical capability for lawful interception of telecommunications exclusively for the law enforcement agencies.
Source: Statewatch
ENFOPOL 87: Draft Joint Action on the interception of telecommunications – Discussion paper
TEXT
EUROPEAN UNION, THE COUNCIL
3 July 1998
10102/98
ENFOPOL 87
NOTE
from: Presidency
to: Police Cooperation Working Party
No. prev. doc.: OJ C 329, 4.11.1996, p. 1
Subject: Draft Joint Action on the interception of telecommunications – Discussion paper
I. Structure
Article 1: Purpose
Article 2: Definitions
Article 3: Obligation to provide information
Article 4: Obligation to assist
Article 5 et seq.: Special provisions (e.g. for open networks, cryptography, etc.)
II. Proposed text
Article 1: Purpose
This Joint Action lays down the obligations of network operators and service providers in providing information and assistance, pursuant to national legal provisions on the interception of telecommunications.
Article 2: Definitions
For the purposes of this Joint Action, the following definitions apply:
1. Telecommunications:
Any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by wire, radio, electromagnetic, photoelectronic or photooptical closed or open systems.
2. Interception:
Access to the telecommunications traffic passing over a connection and delivery of call associated data to the law enforcement agencies.
3. Law enforcement agencies:
Courts and authorities legally empowered under national law to order (decide upon, authorise) and/or carry out the interception of telecommunications.
4. Lawful authorisation:
The court order/permission or other official warrant granted under national law to intercept specified telecommunications.
5. Network operator:
A network operator is the operator of a public infrastructure for the purpose of telecommunications between defined network termination points.
6. Service provider:
A natural or legal person providing a public telecommunications service and/or any kind of encryption. A telecommunications service consists of the transmission and routing of telecommunications. Cryptography is the encryption of telecommunications.
7. Interception order:
An order placed on a network operator/service provider for assisting a law enforcement agency (obligation to provide information and assistance).
8. Interception subject:
Person or persons identified in the lawful authorisation/order and his/their connection, the telecommunications over which are to be intercepted and monitored.
9. Call:
Any fixed or temporary connection capable of transferring information between two or more users of a telecommunications system.
10. Access:
The technical capability to interface with a communications facility, such as a communications line or switch, so that law enforcement agencies can acquire and monitor telecommunications and call associated data carried on the facility.
11. Call associated data:
Signalling information passing between a target service and the network or another user. Includes signalling information used to establish the call and to control its progress (e.g. call hold, call handover). Call associated data also includes information about the call that is available to the network operator/service provider.
12. Interception interface:
The physical location in the network operator’s/service provider’s telecommunications facilities where access to the intercepted telecommunications or call associated data is provided. The interception interface is not necessarily a single, fixed point.
13. Quality of service:
The quality specification of a communications channel, system, virtual channel, computer-communications session, etc. Quality of service may be measured, for example, in terms of signal-to-noise ratio, bit error rate, message throughput rate or call blocking probability.
14. Reliability:
The probability that a system or service will perform in a satisfactory manner for a given period of time when used under specified operating conditions.
15. Roaming:
The ability of subscribers of mobile telecommunications services to place, maintain, and receive calls when they are located outside their designated home serving area.
16. Target service:
A service associated with an interception subject/monitored connection and usually specified in a lawful authorisation for interception.
ENFOPOL 98: Interception of telecommunications: Council Draft Resolution in relation to new technologies
TEXT
EUROPEAN UNION, THE COUNCIL
3 September 1998
10951/98
LIMITE
ENFOPOL 98
NOTE
from: Austrian Presidency
to: Police Cooperation Working Party
No. prev. doc.: OJ C 329, 4 November 1996, p.1, 10102/98 ENFOPOL 87
Subject: Interception of telecommunications Council Draft Resolution in relation to new technologies
Preliminary remark:
For the expert meeting of the Working Party “Police Co-operation” on 3/4 September 1998 the delegations will receive the draft of a Council Resolution on interception of telecommunications concerning explanatory memoranda, supplementary requirements and definitions in relation to new technologies, such as S-PCS, Internet, provision of subscriber related and call associated data, cryptography and security measures at network operators/service providers, the individual text passages having been drafted by the technical expert groups ILET, STC and IUR.
DRAFT
COUNCIL RESOLUTION
of 00.00.0000
on the Lawful Interception of Telecommunications
in relation to New Technologies
THE COUNCIL OF THE EUROPEAN UNION
(PREAMBLE)
HAS ADOPTED THIS RESOLUTION:
- The Council notes that due to the continuing evolution of telecommunications technology also the requirements of law enforcement agencies on network operators and service providers for the purposes of lawful interception of telecommunications, as described in the Council Resolution of 17 January 1995 (96 C 329/01), have changed.
- The Council considers that the requirements contained in the Council Resolution of 17 January 1995 are also suited to be applied analogously to new existing technologies, in particular satellite communications, Internet, cryptography, prepaid cards etc. as well as to new future technologies.
- The Council furthermore holds the opinion that the progress of the technical development in the field of telecommunications has necessitated supplementary requirements including those on security measures at network operators and service providers as well as supplementary definitions.
- The Council considers that the aforementioned explanatory memoranda and supplementary requirements as annexed should be also taken into account in the implementation of measures for lawful interception of telecommunications and requests Member States to call upon the Ministers responsible for telecommunications to support this view and to co-operate with the Ministers responsible for Justice and Home Affairs with the aim of implementing the supplementary requirements and definitions in relation to network operators and service providers.
ANNEX
REGARDING NEW TECHNOLOGIES
to the Council Resolution of 17 January 1995 on the lawful interception of telecommunications (96C 329/01) published in the Official Journal of the European Communities.
Part 1: Explanatory Memoranda
Introduction regarding S-PCS:
The purpose of this explanatory memorandum is to provide an assessment of applicability of law enforcement requirements to mobile satellite services (MSS). Specifically, for each of the requirements, an assessment of technical and jurisdiction issues is provided. The technical issues relate to capability and capacity of an intercept solution in an MSS network. The jurisdictional issues relate to the national policy issues that may impact the ability of law enforcement when dealing with a multinational MSS service provider.
These services are comprised of various operational architectures including voice, data and paging services. Operational scenarios include mobile-to-mobile (satellite); mobile-to-mobile (terrestrial); mobile (satellite or terrestrial)-to-public switch telephone network (PSTN); and PSTN-to-mobile (satellite or terrestrial). The interception of such satellite services is subject to the national laws of the requesting law enforcement agency as well as the gateway host country.
Introduction regarding the INTERNET:
The International Requirements for Interception were developed by law enforcement agencies to express their common requirements for the guidance of the telecommunications industry. These Requirements (Version 1.0) were adopted by the Council resolution of 17 January 1995 on the lawful interception of telecommunications and published in the Official Journal of the European Communities No. C329, 4 November 1996, p1. The governments of the United States of America, Canada and Australia have formally agreed to take the Requirements into account in national policies and to recommend that they be used as a basis for discussion with the telecommunications industry, standards bodies and others.
The Requirements document contains all of the requirements of the agencies but experience has shown that further explanation is needed in some cases and that their application to new and emerging technologies also needs to be clarified.
To ensure that the International Requirements for Interception continue to serve the purpose for which they were intended, Explanatory Memoranda expand and clarify the basic document in a manner agreed by the law enforcement agencies as expressing their common requirement.
Scope
General
This Explanatory Memorandum relates to the requirements of law enforcement agencies for the interception of public IP-based (Internet) services.
Applicable Services
Examples of Internet services to which this Memorandum applies include but are not limited to:
* Dial-in services
* Services connected by HFC cable
* Services supplied by satellite
* Directly connected services, e.g. LANs connected via a router
- Law enforcement agencies require access to the entire telecommunications transmitted, or caused to be transmitted, to and from the number or other identifier of the target service used by the interception subject. Law enforcement agencies also require access to the call-associated data that are generated to process the call (Requirements Item 1 – OJ 96/C 329/01)
Explanation with regard to S-PCS:
The terrestrial network architecture for an MSS network is very similar to that of cellular or PCS networks. The MSS networks employ similar concepts of mobility as in the IS-41 or GSM-based terrestrial wireless networks. Data services may have a different architecture without such components.
Terrestrial gateway stations are a common and easy location for intercept solutions for accessing telecommunications and call associated data, but mobile-to-mobile communications may allow mobiles to communicate with each other without inclusion of terrestrial gateway stations, thereby necessitating additional complexity to the intercept solution.
The number for target service used by the interception subject may be either part of existing country codes or a separate country code for an MSS provider.
Capacity in most MSS networks is limited to the amount of frequency bandwidth and/or satellite power available within the satellite constellation. The intercept requirement will impact MSS network capacity for mobile-to-mobile calls that would typically not require a link to a terrestrial gateway.
Most MSS providers are planning their network architecture based on technical and cost issues. The current proposed architectures accommodate some of these issues by serving multiple nations from a single terrestrial gateway. This raises several national policy and sovereignty issues for nations involved.
Accessing information for subscribers or from gateways associated with other nations may be subject to sovereignty issues regarding each involved nation.
Interception orders from one nation may have to be transferred to another nation for the service provider to activate intercepts.
Explanation with regard to the INTERNET:
The term “telecommunications” is defined in the glossary of the International Requirements. In the Internet context, telecommunications to and from the target service (see below) means all IP datagrams transmitted to and from the target host plus e-mail deposited in an e-mail server for later collection by the interception subject. It also includes telecommunications between the interception subject and the Internet Service provider for purpose such as changing password.
The identifier for an Internet service which is a target service will usually be the means by which the service is known to the service provider and used to authenticate (and possibly to bill) a person attempting to use the service and/or the means by which traffic is directed to the service. Examples of service identifiers are:
– IP address (for services with a fixed IP address)
– Account number
– Logon id/password
– PIN number
– E-Mail address
Call associated data refers to the signalling information contained within the IP datagrams and also where appropriate, to the calling line identifier of the telephone service used by the interception subject to connect to the Internet provider. Call associated data is discussed in more detail later in this Memorandum.
1.1. Law enforcement agencies require access to all interception subjects operating temporarily or permanently within a telecommunications system (Requirements Item 1.1. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Separated or partitioned gateways may physically or logically separate subscriber profile data and channel resources by service provider or nation, thereby creating a barrier to law enforcement access to a subscriber’s or user’s profile data, call associated data and telecommunications.
The definition of a “telecommunication system” may have a major impact for an MSS provider. For some MSS providers, the system covers the entire globe. A telecommunications system’s access by Law enforcement may need to be limited to a nation. If the MSS is an international service provider, international law may become applicable making acquisition of a subscriber’s or user’s communications possible.
Explanation with regard to the INTERNET:
An interception subject is considered to be operating permanently within a network if the host has a permanent physical connection to the Internet Service provider. This is analogous to a wireline telephone service.
Access is also required when an interception subject has personal or terminal mobility as is the case for dial-in access. This is analogous to a roaming mobile telephone service. Access is required whenever the interception subject is connected to the Internet.
It should be noted that national laws may restrict the conditions under which an interception order is valid. In some cases for example, it may not be lawful to intercept a service if the interception subject or the point-of-presence is outside the jurisdiction of the interception order.
1.2. Law enforcement agencies require access in cases where the interception subject may be using features to divert calls to other telecommunications services or terminal equipment, including calls that traverse more than one network operator/service provider before completing (Requirements Item 1.2. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Any impacts associated with supplementary services used within cellular, PCS, and wireline networks such as advanced calling features, voice mail, etc. also will be relevant to MSS due to similarities in terrestrial infrastructure.
There is a distinction between inter-network and intra-network traffic.
Explanation with regard to the INTERNET:
In the circuit-switched environment, this requirement relates to call directed towards the target service. In the Internet environment it relates to sessions that are not initiated by the target service (usually e-mail directed towards the target service). In these cases, access is required to all telecommunications, even when they are diverted to another destination as, for example, when e-mail is redirected.
1.3 Law enforcement agencies require that the telecommunications to and from a target service be provided to the exclusion of any telecommunications that do not fall within the scope of the interception authorization (Requirements Item 1.3 – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
Explanation with regard to the INTERNET:
For both circuit-switched and packet-switched services, this requirement means that law enforcement agencies require the network operator/service provider to extract interception product from a composite or multiplexed stream before providing it to the law enforcement agency.
1.4 Law enforcement agencies require access to call associated data such as (Requirements Item 1.4 – OJ 96/C 329/01):
1.4.1 Signalling of access ready status (Requirements Item 1.4.1. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Physically separated or logically partitioned gateways may separate subscriber profile data by service provider or nation, which may be different from the service provider or nation served with a request for an intercept from law enforcement. This separation may create an obstacle to Law enforcement’s access to a subscriber’s or user’s profile data.
Law enforcement requires this data during the initial and all subsequent registrations of the mobile to the network.
Explanation with regard to the INTERNET:
Requirement 1.4.1. describes the signalling information required by law enforcement agencies in regard to circuit-switched services.
In the Internet context, this specific requirement is irrelevant as the signalling information is contained within the header of the IP datagrams.
1.4.2 Called party number for outgoing connections even if there is no successful connection established (Requirements Item 1.4.2. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
If a mobile is in a nation temporarily, this information may not be available for unsuccessful connections.
Physically separated or logically partitioned gateways may separate subscriber profile data by service provider or nation, which may be different from the service provider or nation served with a request for an intercept from law enforcement. This separation may create an obstacle to Law enforcement’s access to a subscriber’s call associated data.
It is essential that this information be available to law enforcement.
Explanation with regard to the INTERNET:
Requirement 1.4.2. describes the signalling information required by law enforcement agencies in regard to circuit-switched services.
In the Internet context, this specific requirement is irrelevant as the signalling information is contained within the header of the IP datagrams.
1.4.3. Calling party number for incoming connections even if there is no successful connection established (Requirements Item 1.4.3. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
MSSs with intersatellite links can minimize connection charges by routing calls through the intersatellite links to the nearest MSS gateway instead of to the specific intercept-provisioned MSS gateway (if different) for mobile originated calls. For MSSs with gateways serving large areas, least cost routing to a gateway redundant to the subscriber’s intercept-provisioned gateway may circumvent intercepts for both internationally and nationally originated calls.
It is essential that this information is available to law enforcement regardless of what gateway is being utilized by the subscriber’s or user’s service.
Explanation with regard to the INTERNET:
Requirement 1.4.3. describes the signalling information required by law enforcement agencies in regard to circuit-switched services.
In the Internet context, this specific requirement is irrelevant as the signalling information is contained within the header of the IP datagrams.
1.4.4. All signals emitted by the target, including post-connection dialled signals emitted to activate features such as conference calling and call transfer (Requirements Item 1.4.4. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
This includes call origination signalling and post-cut through signalling.
Explanation with regard to the INTERNET:
Requirement 1.4.4. describes the signalling information required by law enforcement agencies in regard to circuit-switched services.
In the Internet context, this specific requirement is irrelevant as the signalling information is contained within the header of the IP datagrams.
1.4.5. Beginning, end and duration of the connection (Requirements Item 1.4.5. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
Explanation with regard to the INTERNET:
Requirement 1.4.5. describes the signalling information required by law enforcement agencies in regard to circuit-switched services.
In the Internet context, this specific requirement is irrelevant as the signalling information is contained within the header of the IP datagrams.
1.4.6. Actual destination and intermediate directory numbers if call has been diverted (Requirements Item 1.4.6. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
For calls forwarded over a satellite channel, pared down satellite signalling (due to scarcity of satellite resource) compared to wireline signalling may present a limit to the depth of call associated data that is available for law enforcement.
Protocol translation between national networks may introduce a loss of information.
Explanation with regard to the INTERNET:
Requirement 1.4.6. describes the signalling information required by law enforcement agencies in regard to circuit-switched services.
In the Internet context, this specific requirement is irrelevant as the signalling information is contained within the header of the IP datagrams.
1.5. Law enforcement agencies require information on the most accurate geographical location known to the network for mobile subscribers (Requirements Item 1.5. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
The distance of satellites from earth introduces a high level of granularity for subscriber location compared to terrestrial wireless systems ranging from hundreds of metres to many kilometres.
Because the location capability is not precise, an MSS may be unable to correctly associate an intercept subject that is within several kilometres from different national borders with the correct nation.
Explanation with regard to the INTERNET:
For dial-in services, law enforcement agencies require the calling line identifier where this is available to the service provider.
1.6. Law enforcement agencies require data on the specific services used by the interception subject and the technical parameters for those types of communication (Requirements Item 1.6. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
For an intercept subject roaming from one nation to another, only a portion of the subscriber profile will be available at the roaming gateway. Law enforcement would need a means of acquiring the remaining information from the home gateway that is in another nation.
Explanation with regard to the INTERNET:
For an Internet service, this includes the means of connection (dial-in, LAN, satellite, cable etc.), the transmission speed in each direction and information relating to e-mail servers used by the interception subject.
2. Law enforcement agencies require a real-time, full-time monitoring capability for the interception of telecommunications. Call associated data should also be provided in real-time. If call associated data cannot be made available in real time, law enforcement agencies require the data to be available as soon as possible upon call termination (Requirements Item 2. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
The global topology of MSS may add more delay to the delivery of call associated data than terrestrial cellular-type wireless services.
Call content shall be delivered to law enforcement in real-time. Call associated data should be made available within milliseconds of post call event rather than post call completion. 100 milliseconds – 500 milliseconds is the desirable target. It is imperative that the call associated data be available within this short time frame to allow for correlation of call event with call details.
Explanation with regard to the INTERNET:
In the Internet context, reference to call associated data is not applicable.
3. Law enforcement agencies require network operators/service providers to provide one or several interfaces from which the intercepted communications can be transmitted to the law enforcement monitoring facility. These interfaces have to be commonly agreed on by the interception authorities and the network operators/service providers. Other issues associated with these interfaces will be handled according to accepted practices in individual countries (Requirements Item 3. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
The intercept may be provisioned on an MSS gateway located in any number of nations; various types of transmission facilities or signalling protocols could be used for transfer of intercepted telecommunications and call associated data to law enforcement.
During such transmission or transfer, the intercepted data cannot be altered or corrupted in any way.
There must be co-ordination between the network operator(s) and service provider(s) and between the network operator(s) and service provider(s) and law enforcement.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
Explanation with regard to the PROVISION OF SUBSCRIBER RELATED DATA AND CALL ASSOCIATED DATA
This requirement includes provision of commonly agreed interfaces that will allow transmission of subscriber details.
3.1 Law enforcement agencies require network operators/service providers to provide call associated data and call content from the target service in a way that allows for the accurate correlation of call associated data with call content (Requirements Item 3.1. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Law enforcement needs to know from where this information is originating.
Explanation with regard to the INTERNET:
This requirement is not applicable.
3.2. Law enforcement agencies require that the format for transmitting the intercepted communications to the monitoring facility be a generally available format. This format will be agreed upon on an individual country basis (Requirements Item 3.2. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
The format utilised must not be a “proprietary” format, but should be a readily available and “reasonable” format.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
3.3. If network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair (Requirements Item 3.3. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
This requirement includes call detail information as well as call content data.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services. Note that where a target modifies the traffic by encoding or encryption or by applying any other process, it is the responsibility of the intercepting agency to extract intelligence from the received product.
3.4. Law enforcement agencies require network operators/service providers to be able to transmit the intercepted communications to the law enforcement monitoring facility via fixed or switched connections (Requirements Item 3.4. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
3.5. Law enforcement agencies require that the transmission of the intercepted communications to the monitoring facility meet applicable security requirements (Requirements Item 3.5. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement. Reference is made to the International User Requirements (IUR) – Security document for additional details.
The definition of “applicable security requirements” may have a major impact on multinational MSS providers.
Security issues for international information exchange may face sovereignty issues.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
4. Law enforcement agencies require interceptions to be implemented so that neither the interception target nor any other unauthorized person is aware of any changes made to fulfil the interception order. In particular, the operation of the target service must appear unchanged to the interception subject (Requirements Item 4. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There can be no degradation of voice quality of the target’s service due to the interception. This includes, but is not limited to, things such as: delay of call setup; delay of voice transmission; delay or inability to initiate features; denial of service; degraded voice quality, and “anomalous” indications displayed on the target’s mobile.
The need for international Law enforcement co-operation may increase significantly the number of “authorized” personnel with access to an intercept order.
The definition of “unauthorized person” may have severe impact on the intercept administration for an MSS provider. For a gateway serving multiple nations, foreign citizens may have access to interception orders.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
5. Law enforcement agencies require the interception to be designed and implemented to preclude unauthorized or improper use and to safeguard the information related to the interception (Requirements Item 5. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
The need for international Law enforcement co-operation may increase significantly the number of “authorized” personnel with access to an intercept order.
The definition of “unauthorized person” may have severe impact on the intercept administration for an MSS provider. For a gateway serving multiple nations, foreign citizens may have access to interception orders.
Unauthorized personnel cannot have access to the “product” of the intercept or audit information or other intercept related data.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
5.1. Law enforcement agencies require network operators/service providers to protect information on which and how many interceptions are being or have been performed, and not disclose information on how interceptions are carried out (Requirements Item 5.1. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
This requirement includes target identification information.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
Explanation with regard to the PROVISION OF SUBSCRIBER RELATED DATA AND CALL ASSOCIATED DATA:
This requirement includes a requirement to protect all information associated with requests for subscriber details.
5.2. Law enforcement agencies require network operators/service providers to ensure that intercepted communications are only transmitted to the monitoring agency specified in the interception authorization (Requirements Item 5.2. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
5.3. According to national regulations, network operators/service providers could be obliged to maintain an adequately protected record of activations of interceptions (Requirements Item 5.3. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
6. Based on a lawful enquiry and before implementation of the interception, law enforcement agencies require: (1) the interception subject’s identity, service number or other distinctive identifier, (2) information on the services and features of the telecommunications system used by the interception subject and delivered by network operators/service providers, and (3) information on the technical parameters of the transmission to the law enforcement monitoring facility (Requirements Item 6. – OJ 96/C 329/01).
Explanation with regard to S-PCS:
This includes the terrestrial telecommunications service provider(s), if any, to whom the subscriber or user has access.
The information needed by law enforcement to provision an intercept may reside on gateways owned and operated by a foreign organization or company.
This information may also reside with the service provider providing the targeted service.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
7. During the interception, law enforcement agencies may require information and/or assistance from the network operators/service providers to ensure that the communications acquired at the interception interface are those communications associated with the target service. The type of information and/or assistance required will vary according to the accepted practices in individual countries (Requirements Item 7. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
There should be no impacts or issues specific to an MSS provider. Every MSS should be able to meet this requirement.
If a country requires that a person from a network operator/service provider be present in a court to verify, this may be an issue for multinational MSS providers.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
Explanation with regard to the PROVISION OF SUBSCRIBER RELATED DATA AND CALL ASSOCIATED DATA:
With the introduction of such telecommunication network functionality as number portability, this requirement is extended to include the requirement for the network operator/service provider to notify the intercepting agency if the target service is “ported” to another network operator/service provider while an interception order is in force.
8. Law enforcement agencies require network operators/service providers to make provisions for implementing a number of simultaneous intercepts. Multiple interceptions may be required for a single target service to allow monitoring by more than one law enforcement agency. In this case, network operators/service providers should take precautions to safeguard the identities of the monitoring agencies and ensure the confidentiality of the investigations. The maximum number of simultaneous interceptions for a given subscriber population will be in accordance with national requirements (Requirements Item 8. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Because a given MSS gateway may serve satellite coverage to multiple nations, capacity for intercepts should include requirements of each nation served.
The maximum number of simultaneous interceptions for a given subscriber may need to abide by capacity requirements of multiple nations. Multiple countries may have interceptions for the same mobile subscriber being served out of one gateway.
National requirements are defined as multiple countries requirements.
“Flagged” numbers must be such as to accommodate all the capacity needs of the national law enforcement agencies requirements.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
9. Law enforcement agencies require network operators/service providers to implement interceptions as quickly as possible (in urgent cases within a few hours or minutes). The response requirements of law enforcement agencies will vary by country and by the type of target service to be intercepted (Requirements Item 9. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Language, time differences and technical interfaces may significantly increase the sophistication, and therefore the time, required to provision intercepts in a gateway serving multiple countries.
Sovereignty issues may cause further delays if co-operation of law enforcement from different countries is required.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
Explanation with regard to the PROVISION OF SUBSCRIBER RELATED DATA AND CALL ASSOCIATED DATA:
This requirement includes providing access to subscriber data needed to obtain and implement the warrant as quickly as possible.
10. For the duration of the interception, law enforcement agencies require that the reliability of the services supporting the interception at least equals the reliability of the target services provided to the interception subject. Law enforcement agencies require the quality of service of the intercepted transmissions forwarded to the monitoring facility to comply with the performance standards of the network operators/service providers (Requirements Item 10. – OJ 96/C 329/01)
Explanation with regard to S-PCS:
Performance standards must be of an acceptable level and are subject to the standards of the original call.
Explanation with regard to the INTERNET:
This requirement applies unchanged to Internet services.
Part 2: Supplementary Requirements
- REQUIREMENTS RELATING TO THE PROVISION OF SUBSCRIBER RELATED DATA AND CALL ASSOCIATED DATA
General
This Explanatory Memorandum relates to the requirements of law enforcement agencies for information about:
- the identity of subscribers;
- the services, equipment and features used by subscribers, and;
- the use made by subscribers of telecommunications services (billing records, Internet footprints, etc.).
Applicable services
Law enforcement agencies require access to information about subscribers to all telecommunications services including, but not limited to, the following:
- circuit switched telephony services, e.g. PSTN, ISDN;
- terrestrial mobile services, e.g. GSM, AMPS, D-AMPS, CDMA, DCS-1800;
- satellite-based mobile services, e.g. IRIDIUM, Globalstar, ICO;
- Trunked mobile services, e.g. TETRA;
- Internet services both dial-in and fixed based;
- calling card services both pre-paid and account based;
- call-back services;
- long distance and international services;
- paging services;
- data services, e.g. X.25, X.400, ATM, frame relay, and;
- voice mail services.
Law enforcement agencies also require the means to access information about subscribers in other countries in situations where those subscribers may be operating within the agency’s jurisdiction. Examples of these situations include, but are not limited to the following:
- Internationally roaming mobile subscribers;
- Subscribers to S-PCS services such as Iridium, and;
- Subscribers to international carriers where the subscriber database is in another country.
Requirements
On the basis of the Council Resolution of 17 January 1995, the existing requirements as specified in item 6 shall be supplemented with items 6.1 to 6.7.
6. Based on a lawful enquiry and before implementation of the interception, law enforcement agencies require: (1) the interception subject’s identity, service number or other distinctive identifier, (2) information on the services and features of the telecommunications system used by the interception subject and delivered by network operators/service providers, and (3) information on the technical parameters of the transmission to the law enforcement monitoring facility (Requirements Item 6. – OJ 96/C 329/01).
SUPPLEMENTARY REQUIREMENTS WITH REGARD TO ITEM 6
6.1. Law enforcement agencies require access to information kept by the providers of telecommunications networks, telecommunications services and Internet services on the subject’s identity. Examples of this information include, but are not limited to, the following:
- the full name and address of the interception subject, including postal code;
- the full name and address, including postal code, of the party which pays the bill for the services provided to the interception subject;
- sufficient credit card details to identify the account if the interception subject pays by credit card, and
- the directory name and address as shown in the directory.
6.2. Law enforcement agencies require the means to access information on the numbering plans or identification numbers for telecommunications services to help identify an interception subject’s provider. Typical service plans that may require identification are, but are not limited to, the following:
- ISDN-services;
- packet switched services and circuit switched services;
- for telex services;
- Internet domain names;
6.3. Law enforcement agencies require access to information kept by the providers of telecommunications networks, telecommunications services and Internet services on the interception subject’s service number or other distinctive identifier. Examples of this information may include, but are not limited to the following:
- Types of services and features used by the interception subject;
- Wire line directory numbers;
- Technical identifiers and codes of the telecommunications equipment such as the MSISDN, IMSI and IMEI GSM identifiers, which are supplied by the provider to the interception subject;
- The means by which a provider identifies a subscriber of Internet on cable TV;
- User identifier or code given by a caller and used by an Internet provider to authenticate and bill the user;
- Cable or channel identifiers for fixed point services;
- IP address for users of fixed Internet services;
- Associated directory number on a voice mail service;
- E-mail address;
- The PIN or code given by the caller and used by the provider to authenticate and bill a user of calling card services, and;
- The means by which an international or long distance service provider authenticates a caller.
6.4. Law enforcement agencies require access to information kept by the providers of telecommunications networks, telecommunications services and Internet services on the interception subject’s optional services and features. Examples of this information may include, but are not limited to the following:
- For wireline PSTNs these features include call diversion, call waiting, call completion, pre-selection of a long distance carrier, Voice mail and abbreviated dialling;
- For GSM mobile these features include additional MSISDN for FAX and data, Voice mail, SMS, special roaming approval and high speed data, and;
- For Internet services these may include both the e-mail and e-mail redirection.
This requirement is also applicable for those services which incorporate the use of prepaid card technology.
6.5. Law enforcement agencies require access to traffic and billing records of an interception subject.
6.6. Law enforcement agencies require the providers of telecommunications networks, telecommunications services and Internet services to keep an up-to-date register of Individual Mobile Equipment Identity codes of mobile communications equipment which is sold by these providers to their clients.
6.7. Law enforcement agencies require all subscriber information to be obtained from a search commencing with:
- the service number or other distinctive identifier, or
- any of the elements of the subscriber’s identity as outlined in the sections above, such as name or address or credit card service.
- REQUIREMENTS RELATING TO THE SECURITY MEASURES AT NETWORK OPERATORS/SERVICE PROVIDERS
Introduction
The requirements relating to security measures are specified for network operators/service providers to comply with. These requirements are laid down in order to safeguard the interests of the services authorized by law to carry out telecommunications interceptions (Law Enforcement Agencies).
These requirements can be seen as a further elaboration on the requirements of the Council Resolution of 17 January 1995 (items 3.5, 5., 5.1, 5.2, 5.3), (OJ 96/C 329/01).
Compliance with the requirements will ensure the following:
- protecting the interests of those affected by an intercept from disclosure of their telecommunications to parties other than the intercepting agency;
- preventing that the telecommunication access of intercepting agencies is blocked, and
- preventing and also tracing the abuse of the technical telecommunications intercept facilities used by network operators/service providers.
SUPPLEMENTARY REQUIREMENTS:
11. Law enforcement agencies require that the network operator/service provider implements security procedures on its site. These procedures have to be agreed with the Law enforcement agencies.
11.1. The network operator/service provider shall co-operate with regular security reviews by the Law enforcement agencies.
11.2. Interception orders and interception data shall be classified in accordance with the appropriate national security level. Law enforcement agencies require that the network operator/service provider will ensure the confidentiality of all interception orders and interception data.
11.3. Interception orders must be destroyed by the network operator/service provider within a certain period, as required by national legislation and procedures.
11.4. Law enforcement agencies require that in case of violation of the integrity and/or the confidentiality of the interception order or interception data, the network operator/service provider shall take all necessary action to prevent dissemination of the information. It will notify the host nation’s responsible agency as soon as possible about the violation. Furthermore the Law enforcement agencies require the network operator/service provider to take all due action to prevent such an event from occurring in future.
12. Law enforcement agencies require that all people who handle or control interception orders or who are involved in the interception process, have had a security check, as required by national authorities.
12.1. A list with the names and job descriptions of these persons has to be handed over to the Law enforcement agencies.
13. Law enforcement agencies require the network operator/service provider to take all necessary organisational and technical measures in order to protect all technical interfaces used to route intercepted telecommunications and all administration components serving to implement or change interceptions, from abuse.
13.1. The network operator/service provider has to assure that the integrity and the confidentiality of the interception data during transmission is safeguarded to the level required by the Law enforcement agencies. Therefore all communication lines used for interception purposes are to be protected.
13.2. Law enforcement agencies require that information with regard to the actual interceptions implemented in a particular telecommunication system, shall not be made available to unauthorised persons.
14. Law enforcement agencies require that the sites containing interception orders and data shall be restricted areas with a controlled access. The network operator/service provider has to notify the Law enforcement agencies about the location of the sites and the implemented security measures, and has to hand over a list of the employees who have authorised access to these sites.
14.1. Law enforcement agencies require the network operator/service provider to store the interception order as specified by national security standards. The network operator/service provider is not allowed to store the call content.
- REQUIREMENTS RELATING TO SERVICE PROVIDERS WITH REGARD TO CRYPTOGRAPHY
15. Based on a lawful enquiry and given a target identifier or other information about the target or encrypted data with related information, law enforcement agencies require:
- full details of the target including service number;
- information that will fully identify the cryptographic services used by the target; and
- the technical parameters of the method used to implement the cryptographic service.
- Law enforcement agencies require access to the decrypted message as quickly as possible (in urgent cases within a few hours or minutes). The law enforcement agencies will specify how they wish to achieve this result; either through the provision of cryptographic key material and all necessary information to decrypt the data or exceptionally by provision of the data as plaintext. Access to the decrypted message must be available for those encryption systems that allow for both national and international operation.
16.1. The handover of cryptographic key material should be immediate. The computational and operational process a law enforcement authority needs to undertake to decrypt the data, including any reconstruction or rebuilding of keys, should involve minimal time and resources to ensure an efficient, economic and timely operation.
16.2. The provision of data as plaintext should take place as soon as possible; in urgent cases within a few hours or minutes.
- Law enforcement agencies require the decryption process to be designed and implemented to preclude unauthorised or improper use and to safeguard the information relating to the operation.
17.1. Where cryptographic key material is being provided, it must be delivered, either in electronic format or another agreed format, using a secure means of transmission. This must be protected to ensure the authenticity, integrity and confidentiality of such material, and that it is provided in a non-repudiational manner.
17.2. The cryptographic key material or plaintext data must only be transmitted to the agency specified in the authorization.
17.3. Law enforcement agencies require providers of cryptographic services not to disclose to the target or any third party:
- that there has been an authorization;
- the target of the authorization;
- that cryptographic key material or plaintext data has been supplied; and
- any information on how the operation has been carried out.
- Subject to national regulations, providers could be obliged to maintain an adequately protected record of provision of key material and data but which can only be made available to authorised personnel.
Part 3: Additional Definitions Supplementing the Glossary contained in the Council Resolution of 17 January 1995
ACCESS (Glossary OJ 96/C 329/019)
The technical capability to interface with a communications facility, such as a communications line or switch, so that a law enforcement agency can acquire and monitor communications and call associated data carried on the facility.
AUTHENTICITY (New)
Establishing the validity of a claimed identity of a user, device or another entity in an information or communications system.
AVAILABILITY (New)
The property that data, information and information and communications systems are accessible and usable on a timely basis in the required manner.
CALL (Glossary OJ 96/C 329/019)
Any connection (fixed or temporary) capable of transferring information between two or more users of a telecommunications system.
CALL ASSOCIATED DATA (Glossary OJ 96/C 329/019)
Signalling information passing between a target service and the network or another user. Includes signalling information used to establish the call and to control its progress (e.g. call hold, call handover). Call associated data also includes information about the call that is available to the network operator/service provider (e.g. duration of connection).
CONFIDENTIALITY (New)
The property that data or information is not made available or disclosed to unauthorised individuals, entities or processes.
CRYPTOGRAPHY (New)
The discipline which embodies principles, means and methods for transformation of data in order to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation and/or prevent its unauthorised use.
CRYPTOGRAPHIC KEY (New)
Parameter used with a cryptographic algorithm to transform, validate, authenticate, encrypt or decrypt data.
CRYPTOGRAPHIC SERVICES (New)
The facilities which provide cryptographic.
DATA (New)
The representation of information in a manner suitable for communication, interpretation, storage, or processing.
DECRYPTION (New)
The inverse function of encryption.
ENCRYPTION (New)
The transformation of data by the use of cryptography to produce unintelligible data (encrypted data) to ensure its confidentiality.
HOST (New)
Any (end-user) computer system that connects to a network.
INTEGRITY (New)
The property that data or information has not been modified or altered in an unauthorized manner.
INTERCEPTION DATA (New)
It means call content, call associated data and subscriber related data.
INTERCEPTION (Glossary OJ 96/C 329/019)
As used here, the statutory based action of providing access and delivery of a subject’s telecommunication and call associated data to law enforcement agencies.
INTERCEPTION INTERFACE (Glossary OJ 96/C 329/019)
The physical location within the network operators/service providers telecommunications facilities where access to the intercepted communications or call associated data is provided. The interception interface is not necessarily a single, fixed point.
INTERCEPTION ORDER (Glossary OJ 96/C 329/019)
An order placed on a network operator/service provider for assisting a law enforcement agency with a lawfully authorised telecommunications interception.
INTERCEPTION SUBJECT (Glossary OJ 96/C 329/019)
Person or persons identified in the lawful authorisation and whose incoming and outgoing communications are to be intercepted and monitored.
INTERNET (New)
The collection of networks and gateways that use the TCP/IP protocol suite and function as a single, co-operative virtual network. The Internet provides universal connectivity and three levels of network services: applications level services like electronic mail that build on the first two.
INTERNET PROTOCOL / IP (New)
(Internet Protocol). The TCP/IP standard protocol that defines the IP datagram as the unit of information passed across an internet and provides the basis for connectionless, best-effort packet delivery service. IP includes the ICMP (Internet control and error message protocol) as an integral part. The entire protocol suite is often referred to as TCP/IP because TCP and IP are the two most fundamental protocols.
IP ADDRESS / Internet-Address (New)
The 32-bit address assigned to hosts that want to participate in a TCP/IP internet.
IP DATAGRAM (New)
The basic unit of information passed across a TCP/IP internet. It contains a source and destination address along with data.
IUR (New)
International User Requirements
LAW ENFORCEMENT AGENCY (Glossary OJ 96/C 329/019)
A service authorised by law to carry out telecommunications interceptions.
LAW ENFORCEMENT AGENCY with regard to cryptography (New)
An organisation authorised by lawful authorization, based on national law, to receive cryptographic key material and all necessary information to decrypt the data or the plaintext data.
LAW ENFORCEMENT MONITORING FACILITY (Glossary OJ 96/C 329/019)
A law enforcement facility designated as the transmission destination for the intercepted communications and call associated data for a particular interception subject. The site where monitoring/recording equipment is located.
LAWFUL ACCESS (Glossary OJ 96/C 329/019)
Access by third party individuals or entities, including governments, to plaintext, or cryptographic keys, of encrypted data, in accordance with law.
LAWFUL AUTHORISATION (Glossary OJ 96/C 329/019)
Permission granted to a law enforcement agency under certain conditions to intercept specified telecommunications. Typically this refers to an order or warrant issued by a legally authorised body.
NETWORK OPERATOR/SERVICE PROVIDER (Glossary OJ 96/C 329/019)
Network operator = the operator of a public telecommunications infrastructure which permits the conveyance of signals between defined network termination points by wire, by microwave, by optical means or by other electromagnetic means; and
Service provider = the natural or legal person providing (a) public telecommunications service(s) whose provision consists wholly or partly in the transmission and routing of signals on a telecommunication.
PLAINTEXT (New)
Intelligible data.
QUALITY OF SERVICE (Glossary OJ 96/C 329/019)
The quality specification of a communications channel, system, virtual channel, computer-communications session, etc. Quality of service may be measured, for example, in terms of signal-to-noise ratio, bit error rate, message throughput rate or call blocking probability.
RELIABILITY (Glossary OJ 96/C 329/019)
The probability that a system or service will perform in a satisfactory manner for a given period of time when used under specified operating conditions.
ROAMING (Glossary OJ 96/C 329/019)
The ability of subscribers of mobile telecommunications services to place, maintain, and receive calls when they are located outside their designated home serving area.
SESSION (New)
The term “session” is used in this document to describe a related set of transactions between the same two parties e.g. a series of requests for file transfer from the same source, and the subsequent transfer, would be regarded as a single “session”. A customer connection to the Internet through a dial-in service may conduct several “sessions” in serial or parallel before disconnecting.
TARGET SERVICE (Glossary OJ 96/C 329/019)
A service associated with an interception subject and usually specified in a lawful authorisation for interception.
TCP (New)
(Transmission Control Protocol). The TCP/IP standard transport level protocol that provides the reliable, full duplex, stream service on which many application protocols depend.
TELECOMMUNICATION (Glossary OJ 96/C 329/019)
Any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system.
ENFOPOL 19: Interception of telecommunications – Draft Council Resolution on new technologies
This is partly due to the complex discussions – including the role of internal security agencies – on the interception of telecommunications provisions in the Convention on Mutual Assistance in criminal matters. The delay in adoption is also partly due to acknowledged “negative” media coverage (which tended to confuse Echelon with the EU-FBI system but nonetheless raised the issue of the surveillance of telecommunications).
The legal powers for the interception of telecommunications EU-wide are set out in the Convention on Mutual Assistance in criminal matters which was signed by the EU member states at the meeting of the Justice and Home Affairs Council on 29 May 2000. It now has to be ratified by the national parliaments of all 15 EU states – in the UK this is a mere formality as under the “Ponsonby rules” (dating from 1924) it is simply “laid before” parliament and agreed unless there are very substantial objections.
The delay in adopting the revised “Requirements” has not stopped EU member states, like the UK, amending their interception of telecommunications laws to include the “Requirements”.
TEXT
EUROPEAN UNION, THE COUNCIL
15 March 1999
6715/99
LIMITE
ENFOPOL 19
NOTE
from: Presidency
to: Police Cooperation Working Party
No. prev. doc.: 10951/2/98 ENFOPOL 98 REV 2 + COR 1
Subject: Interception of telecommunications – Draft Council Resolution on new technologies
Delegations will find attached the text of the above Council Resolution as it stands following the meeting of the Police Cooperation Working Party on 11 March 1999.
Draft COUNCIL RESOLUTION of … on the lawful interception of telecommunications in relation to new technologies
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in particular Articles K.1(9) and K.2(2) thereof,
Reaffirming the considerations put forward in the Council Resolution of 17 January 1995 on the lawful interception of telecommunications,
Whereas the requirements listed in the Annex to that Resolution constitute an important summary of the needs of the competent agencies as regards the technical and organisational implementation of lawful interception measures,
Aware of the fact that the requirements of 17 January 1995, after careful verification of their continued validity, are to apply to both existing and new technologies, and that the requirements must consequently be clarified and supplemented to take account of the ongoing process of technical development,
HEREBY ADOPTS THIS RESOLUTION:
The Council notes that the requirements of law enforcement agencies with regard to network operators and service providers for the purposes of lawful interception of telecommunications, as described in the Annex to the Council Resolution of 17 January 1995 (96/C329/01) are applicable both to existing and new communications technologies, for example satellite telecommunications and Internet telecommunications.
The Council is, however, of the opinion that in view of ongoing progress in telecommunications technology, the requirements listed in the Annex to the Resolution of 17 January 1995 need to be clarified on a number of points.
The Council considers that the explanations as annexed should be taken into account in the implementation of measures for lawful interception of telecommunications and requests Member States to call upon the Ministers responsible for telecommunications to support this view and to cooperate with the Ministers responsible for Justice and Home Affairs with the aim of implementing the clarified requirements and definitions in relation to network operators and service providers.
ANNEX
EXPLANATIONS of the requirements and definitions of concepts in the glossary of the Council Resolution of 17 January 1995, published together with its Annex in the Official Journal of the European Communities (OJ 96/C329/01);
Part I: General explanations
The requirements of law enforcement agencies for lawful interception of telecommunications in relation to network operators and service providers, with glossary, of the Council Resolution of 17 January 1995 shall apply also to new technologies in existence, e.g. satellite and internet communications, and to future additional telecommunications technologies.
The technical terms used in the Council Resolution of 17 January 1995 on the basis of the then state of telecommunications technology are to be interpreted as applying to new telecommunications technologies already in existence and to future additional telecommunications technologies. In this context, a number or other electronic identifier in the 1995 requirements means e.g. in the case of the Internet, the static and dynamic IP-address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address. Certain requirements, especially Nos 1, 1.4 – 1.4.6, 2 and 3.1, can be fulfilled in the case of the Internet for example by virtue of its design because the call content and the data relating to the call are never transmitted separately in any case.
Part II: Explanations of the Requirements
re 1.4.2. of the requirements
Called party number includes any telecommunications identifier of the called party.
re 1.4.3. of the requirements
Calling party number includes any telecommunications identifier of the calling party.
re 2. of the requirements
In the context of the provision of call associated data, “as soon as possible” means transmission of the data within a few seconds.
re 3.4. of the requirements
Fixed and switched connections include all types of switched connections including circuit-switched and packet-switched connections. IP connections are not excluded.
re 8. of the requirements
For international systems the maximum number of simultaneous interceptions needs to be derived from combining national requirements.
Part III: Explanatory Definitions in the Glossary
re CALL
A call includes any connection irrespective of the technology of the network, e.g. packet-switched data.
re INTERCEPTION INTERFACE
In newer telecommunications technologies the interception interface may be a virtual interface within the network.
re ACCESS
To set up the technical capability for lawful interception of telecommunications exclusively for the law enforcement agencies.
ENFOPOL 98 REV 1: Interception of telecommunications – Draft Council Resolution on new technologies
TEXT
EUROPEAN UNION, THE COUNCIL
10 November 1998
10951/1/98
REV 1
LIMITE
ENFOPOL 98
NOTE
from: Austrian Presidency
to: Police Cooperation Working Party
No. prev. doc.: OJ C 329, 4.11.96, p.1; 10102/98 ENFOPOL 87; 10951/98 ENFOPOL 98
Subject: Interception of telecommunications – Draft Council Resolution on new technologies
Preliminary remark
The delegations will find attached the revised draft version of the Council Resolution on Interception of Telecommunications in Relation to New Technologies.
This version was compiled at two IUR Expert Meetings (20 – 22 October 1998 in Vienna and 27 – 28 October in Madrid).
It was agreed to make a reference in the actual text of the (new) Council Resolution that the requirements of 17 January 1995 are applicable both to existing and new technologies, these requirements needing supplementary explanatory detail as a result of progress in telecommunications technology.
In Part 1 (Requirements) and Part 2 (Glossary) the provisions of the requirements 1995 are listed, explained and supplemented. Part 3 contains additional requirements and explanations. With regard to other technical areas which are indirectly related to the actual interception requirements (e.g. cryptography, call-associated and subscriber-related data), additional technical descriptions will be required. After completion, these might be published together with the Requirements 1995 and the above mentioned explanations and supplementary detail in a technical handbook.
DRAFT
COUNCIL RESOLUTION
of ……….
on the Lawful Interception of Telecommunications in relation to New Technologies.
THE COUNCIL OF THE EUROPEAN UNION
(PREAMBLE)
HAS ADOPTED THIS RESOLUTION:
- The Council considers that the requirements of law enforcement agencies in regard to network operators and service providers for the purposes of lawful interception of telecommunications, as described in the Council Resolution of 17 January 1995 (96/ 329/01) are applicable both to existing and new technologies, for example satellite communications and the Internet.
- The Council notes that, as a result of progress in telecommunications technology, the requirements have to be explained.
- The Council further considers that progress in telecommunications technology has created a need for supplementary explanatory detail, including security measures and subscriber-related data in regard to network operators and service providers.
- The Council considers that the aforementioned explanation and supplementary detail as annexed should be taken into account in the implementation of measures for lawful interception of telecommunications and requests Member States to call upon the Ministers responsible for telecommunications to support this view and to co-operate with the Ministers responsible for Justice and Home Affairs with the aim of implementing the supplementary detail and definitions in relation to network operators and service providers.
Part I: Explanation of Requirements
(The normal text corresponds to the requirements; the bold text gives explanations)
Note: The Internet requires specific explanations.
- Law enforcement agencies require access to the entire telecommunications transmitted, or caused to be transmitted, to and from the number or other identifier of the target service used by the interception subject. Law enforcement agencies also require access to the call-associated data that are generated to process the call.
1.1 Law enforcement agencies require access to all interception subjects operating temporarily or permanently within a telecommunications system.
1.2 Law enforcement agencies require access in cases where the interception subject may be using features to divert calls to other telecommunications services or terminal equipment, including calls that traverse more than one network operator/service provider before completing.
1.3 Law enforcement agencies require that the telecommunications to and from a target service be provided to the exclusion of any telecommunications that do not fall within the scope of the interception authorisation.
1.4 Law enforcement agencies require access to call associated data such as:
1.4.1 Signalling of access ready status.
1.4.2 Called party number for outgoing connections even if there is no successful connection established.
Note: Called party number includes any identifier of the called party.
1.4.3 Calling party number for incoming connections even if there is no successful connection established.
Note: Calling party number includes any identifier of the calling party.
1.4.4 All signals emitted by the target, including post-connection dialled signals emitted to activate features such as conference calling and call transfer.
1.4.5 Beginning, end and duration of the connection.
1.4.6 Actual destination and intermediate directory numbers if call has been diverted.
1.5 Law enforcement agencies require information on the most accurate geographical location known to the network for mobile subscribers.
1.6 Law enforcement agencies require data on the specific services used by the interception subject and the technical parameters for those types of communication.
- Law enforcement agencies require a real-time, full-time monitoring capability for the interception of telecommunications. Call associated data should also be provided in real-time. If call associated data cannot be made available in real time, law enforcement agencies require the data to be available as soon as possible upon call termination.
Notes: In this context and in relation to call associated data, data is required within a few seconds.
- Law enforcement agencies require network operators/service providers to provide one or several interfaces from which the intercepted communications can be transmitted to the law enforcement monitoring facility. These interfaces have to be commonly agreed on by the interception authorities and the network operators/service providers. Other issues associated with these interfaces will be handled according to accepted practices in individual countries.
3.1 Law enforcement agencies require network operators/service providers to provide call associated data and call content from the target service in a way that allows for the accurate correlation of call associated data with call content.
3.2 Law enforcement agencies require that the format for transmitting the intercepted communications to the monitoring facility be a generally available format. This format will be agreed upon on an individual country basis.
3.3 If network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair.
3.4 Law enforcement agencies require network operators/service providers to be able to transmit the intercepted communications to the law enforcement monitoring facility via fixed or switched connections.
Note: Switched connections include all types of switched connections including circuit-switched and packet-switched connections. IP connections are not excluded.
3.5 Law enforcement agencies require that the transmission of the intercepted communications to the monitoring facility meet applicable security requirements.
Note: Further security requirements are detailed in the attached paper.
- Law enforcement agencies require interceptions to be implemented so that neither the interception target nor any other unauthorised person is aware of any changes made to fulfil the interception order. In particular, the operation of the target service must appear unchanged to the interception subject.
- Law enforcement agencies require the interception to be designed and implemented to preclude unauthorised or improper use and to safeguard the information related to the interception.
Note: Further security requirements are detailed in the attached paper.
5.1 Law enforcement agencies require network operators/service providers to protect information on which and how many interceptions are being or have been performed, and not disclose information on how interceptions are carried out.
5.2 Law enforcement agencies require network operators/service providers to ensure that intercepted communications are only transmitted to the monitoring agency specified in the interception authorisation.
5.3 According to national regulations, network operators/service providers could be obliged to maintain an adequately protected record of activations of interceptions.
- Based on a lawful enquiry and before implementation of the interception, law enforcement agencies require:
(1) the interception subject’s identity, service number or other distinctive identifier, (2) information on the services and features of the telecommunications system used by the interception subject and delivered by network operators/service providers, and (3) information on the technical parameters of the transmission to the law enforcement monitoring facility.
Note: Further subscriber-related data requirements are detailed in the attached paper.
- During the interception, law enforcement agencies may require information and/or assistance from the network operators/service providers to ensure that the communications acquired at the interception interface are those communications associated with the target service. The type of information and/or assistance required will vary according to the accepted practices in individual countries.
Note: Further explanation concerning number portability is detailed in the attached paper.
- Law enforcement agencies require network operators/service providers to make provisions for implementing a number of simultaneous intercepts. Multiple interceptions may be required for a single target service to allow monitoring by more than one law enforcement agency. In this case, network operators/service providers should take precautions to safeguard the identities of the monitoring agencies and ensure the confidentiality of the investigations. The maximum number of simultaneous interceptions for a given subscriber population will be in accordance with national requirements.
Note: For international systems the maximum number of simultaneous interceptions needs to be derived from combining national requirements.
- Law enforcement agencies require network operators/service providers to implement interceptions as quickly as possible (in urgent cases within a few hours or minutes). The response requirements of law enforcement agencies will vary by country and by the type of target service to be intercepted.
10. For the duration of the interception, law enforcement agencies require that the reliability of the services supporting the interception at least equals the reliability of the target services provided to the interception subject. Law enforcement agencies require the quality of service of the intercepted transmissions forwarded to the monitoring facility to comply with the performance standards of the network operators/service providers.
Part II: Explanations of the Definitions in the Glossary in the Council Resolution of 17 January 1995 (OJ 96/C 329/019)
(The normal text corresponds to the requirements. The bold text gives explanations)
ACCESS
The technical capability to interface with a communications facility, such as a communications line or switch, so that a law enforcement agency can acquire and monitor communications and call associated data carried on the facility.
Note: In this document access refers to interception access for the law enforcement agencies.
CALL
Any connection (fixed or temporary) capable of transferring information between two or more users of a telecommunications system.
Note: In this document a call includes any connection irrespective of the technology of the network, e.g. packet-switched networks.
CALL ASSOCIATED DATA
Signalling information passing between a target service and the network or another user. Includes signalling information used to establish the call and to control its progress (e.g. call hold, call handover). Call associated data also includes information about the call that is available to the network operator/service provider (e.g. duration of connection).
INTERCEPTION
As used here, the statutory based action of providing access and delivery of a subject’s telecommunication and call associated data to law enforcement agencies.
INTERCEPTION INTERFACE
The physical location within the network operators/service providers telecommunications facilities where access to the intercepted communications or call associated data is provided. The interception interface is not necessarily a single, fixed point.
Note: In some telecommunications technologies the interception interface may be a virtual interface within the network.
INTERCEPTION ORDER
An order placed on a network operator/service provider for assisting a law enforcement agency with a lawfully authorised telecommunications interception.
INTERCEPTION SUBJECT
Person or persons identified in the lawful authorisation and whose incoming and outgoing communications are to be intercepted and monitored.
LAW ENFORCEMENT AGENCY
A service authorised by law to carry out telecommunications interceptions.
LAW ENFORCEMENT MONITORING FACILITY
A law enforcement facility designated as the transmission destination for the intercepted communications and call associated data for a particular interception subject. The site where monitoring/recording equipment is located.
LAWFUL AUTHORISATION
Permission granted to a law enforcement agency under certain conditions to intercept specified telecommunications. Typically this refers to an order or warrant issued by a legally authorised body.
NETWORK OPERATOR/SERVICE PROVIDER
Network operator = the operator of a public telecommunications infrastructure which permits the conveyance of signals between defined network termination points by wire, by microwave, by optical means or by other electromagnetic means; and
Service provider = the natural or legal person providing (a) public telecommunications service(s) whose provision consists wholly or partly in the transmission and routing of signals on a telecommunication.
QUALITY OF SERVICE
The quality specification of a communications channel, system, virtual channel, computer-communications session, etc. Quality of service may be measured, for example, in terms of signal-to-noise ratio, bit error rate, message throughput rate or call blocking probability.
RELIABILITY
The probability that a system or service will perform in a satisfactory manner for a given period of time when used under specified operating conditions.
ROAMING
The ability of subscribers of mobile telecommunications services to place, maintain, and receive calls when they are located outside their designated home serving area.
TARGET SERVICE
A service associated with an interception subject and usually specified in a lawful authorisation for interception.
TELECOMMUNICATION
Any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system.
Part III Additional Requirements/Explanations
- a) for INTERNET
Individual Telecommunications over the Internet is subject to the IUR 95. In this context number or other electronic identifier means e.g. fixed and dynamic IP addresses (the electronic address assigned to a participant in the Internet), account numbers and e-mail addresses.
Call associated data are not separate from the call content (esp. for requirements 1, 1.4. to 1.4.6, 2, and 3.1).
- b) SECURITY
The growing amount of cross-border co-operation in the field of telecommunications interception requires a parallel level of security in the respective countries.
COUNCIL RESOLUTION of 17 January 1995 on the lawful interception of telecommunications
Its effect was that the EU adopted the “Requirements” as developed by the FBI (with a few small changes) and given a legal basis in the US in October 1994.
The “Requirements” set out the obligations of network and service providers to supply data to the “law enforcement community” (police, customs, immigration and internal security agencies) and to allow them direct (“real-time”) access to telecommunications (phone calls and faxes) as they happen.
ENFOPOL 98 (1998) and the later unadopted ENFOPOL 19 (1999) are intended to extend surveillance to the “new technologies” (the internet, e-mails and satellite phones).
TEXT
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Union, and in particular to Articles K.1.9 and K.2.2 thereof,
Reaffirming the need, when implementing telecommunications interception measures, to observe the right of individuals to respect for their privacy as enshrined in the territorially applicable national law,
Aware of the fact that observing that right comes up against specific legal and technical difficulties in view of technological developments,
Determined to identify and overcome these difficulties in implementing the requirements set out in the Annex while observing human rights and the principles of data protection,
Whereas in the laws of the Member States possibilities are provided for restricting the secrecy of communications and, under certain circumstances, intercepting telecommunications;
Whereas the legally authorized interception of telecommunications is an important tool for the protection of national interest, in particular national security and the investigation of serious crime;
Whereas interception may only be effected insofar as the necessary technical provisions have been made;
Whereas in accordance with a decision by the Trevi Ministers in December 1991 a study should be made of the effects of legal, technical and market developments within the telecommunications sector on the different interception possibilities and of what action should be taken to counter the problems that have become apparent,
HAS ADOPTED THIS RESOLUTION:
- The Council notes that the requirements of Member States to enable them to conduct the lawful interception of telecommunications, annexed to this Resolution (“the Requirements”), constitute an important summary of the needs of the competent authorities for the technical implementation of legally authorized interception in modern telecommunications systems.
- The Council considers that the aforementioned Requirements should be taken into account in the definition and implementation of measures which may affect the legally authorized interception of telecommunications and requests Member States to call upon the Ministers responsible for telecommunications to support this view and to cooperate with the Ministers responsible for justice and Home Affairs with the aim of implementing the Requirements in relation to network operators and service providers.
ANNEX
REQUIREMENTS
This section presents the Requirements of law enforcement agencies relating to the lawful interception of telecommunications. These requirements are subject to national law and should be interpreted in accordance with applicable national policies.
Terms are defined in the attached glossary.
1. Law enforcement agencies require access to the entire telecommunications transmitted, or caused to be transmitted, to and from the number or other identifier of the target service used by the interception subject. Law enforcement agencies also require access to the call-associated data that are generated to process the call.
1.1. Law enforcement agencies require access to all interception subjects operating temporarily or permanently within a telecommunications system.
1.2. Law enforcement agencies require access in cases where the interception subject may be using features to divert calls to other telecommunications services or terminal equipment, including calls that traverse more than one network or are processed by more than one network operator/service provider before completing.
1.3. Law enforcement agencies require that the telecommunications to and from a target service be provided to the exclusion of any telecommunications that do not fall within the scope of the interception authorization.
1.4. Law enforcement agencies require access to call associated data such as:
1.4.1. signalling of access ready status;
1.4.2. called party number for outgoing connections even if there is no successful connection established;
1.4.3. calling party number for incoming connections even if there is no successful connection established;
1.4.4. all signals emitted by the target, including post-connection dialled signals emitted to activate features such as conference calling and call transfer;
1.4.5. beginning, end and duration of the connection;
1.4.6. actual destination and intermediate directory numbers if call has been diverted.
1.5. Law enforcement agencies require information on the most accurate geographical location known to the network for mobile subscribers.
1.6. Law enforcement agencies require data on the specific services used by the interception subject and the technical parameters for those types of communication.
2. Law enforcement agencies require a real-time, fulltime monitoring capability for the interception of telecommunications. Call associated data should also be provided in real-time. If call associated data cannot be made available in real time, law enforcement agencies require the data to be available as soon as possible upon call termination.
3. Law enforcement agencies require network operators/service providers to provide one or several interfaces from which the intercepted communications can be transmitted to the law enforcement monitoring facility. These interfaces have to be commonly agreed on by the interception authorities and the network operators/service providers. Other issues associated with these interfaces will be handled according to accepted practices in individual countries.
3.1. Law enforcement agencies require network operators/service providers to provide call associated data and call content from the target service in a way that allows for the accurate correlation of call associated data with call content.
3.2. Law enforcement agencies require that the format for transmitting the intercepted communications to the monitoring facility be a generally available format. This format will be agreed upon on an individual country basis.
3.3. If network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair.
3.4. Law enforcement agencies require network operators/service providers to be able to transmit the intercepted communications to the law enforcement monitoring facility via fixed or switched connections.
3.5. Law enforcement agencies require that the transmission of the intercepted communications to the monitoring facility meet applicable security requirements.
4. Law enforcement agencies require interceptions to be implemented so that neither the interception target nor any other unauthorized person is aware of any changes made to fulfil the interception order. In particular, the operation of the target service must appear unchanged to the interception subject.
5. Law enforcement agencies require the interception to be designed and implemented to preclude unauthorized or improper use and to safeguard the information related to the interception.
5.1. Law enforcement agencies require network operators/service providers to protect information on which and how many interceptions are being or have been performed, and not disclose information on how interceptions are carried out.
5.2. Law enforcement agencies require network operators/service providers to ensure that intercepted communications are only transmitted to the monitoring agency specified in the interception authorization.
5.3. According to national regulations, network operators/service providers could be obliged to maintain an adequately protected record of activations of interceptions.
6. Based on a lawful inquiry and before implementation of the interception, law enforcement agencies require: (1) the interception subject’s identity, service number or other distinctive identifier; (2) information on the services and features of the telecommunications system used by the interception subject and delivered by network operators/service providers; and (3) information on the technical parameters of the transmission to the law enforcement monitoring facility.
7. During the interception, law enforcement agencies may require information and/or assistance from the network operators/service providers to ensure that the communications acquired at the interception interface are those communications associated with the target service. The type of information and/or assistance required will vary according to the accepted practices in individual countries.
8. Law enforcement agencies require network operators/service providers to make provisions for implementing a number of simultaneous intercepts. Multiple interceptions may be required for a single target service to allow monitoring by more than one law enforcement agency. In this case, network operators/service providers should take precautions to safeguard the identities of the monitoring agencies and ensure the confidentiality of the investigations. The maximum number of simultaneous interceptions for a given subscriber population will be in accordance with national requirements.
9. Law enforcement agencies require network operators/service providers to implement interceptions as quickly as possible (in urgent cases within a few hours or minutes). The response requirements of law enforcement agencies will vary by country and by the type of target service to be intercepted.
10. For the duration of the interception, law enforcement agencies require that the reliability of the services supporting the interception at least equals the reliability of the target services provided to the interception subject. Law enforcement agencies require the quality of service of the intercepted transmissions forwarded to the monitoring facility to comply with the performance standards of the network operators/service providers.
GLOSSARY
Access
The technical capability to interface with a communications facility, such as a communications line or switch, so that a law enforcement agency can acquire and monitor communications and call associated data carried on the facility.
Call
Any connection (fixed or temporary) capable of transferring information between two or more users of a telecommunications system.
Call associated data
Signalling information passing between a target service and the network or another user. Includes signalling information used to establish the call and to control its progress (e.g. call hold, call handover). Call associated data also includes information about the call that is available to the network operator/service provider (e.g. duration of connection).
Interception
As used here, the statutory-based action of providing access and delivery of a subject’s telecommunications and call associated data to law enforcement agencies.
Interception interface
The physical location within the network operator’s/service provider’s telecommunications facilities where access to the intercepted communications or call associated data is provided. The interception interface is not necessarily a single, fixed point.
Interception order
An order placed on a network operator/service provider for assisting a law enforcement agency with a lawfully authorized telecommunications interception.
Interception subject
Person or persons identified in the lawful authorization and whose incoming and outgoing communications are to be intercepted and monitored.
Law enforcement agency
A service authorized by law to carry out telecommunications interceptions.
Law enforcement monitoring
A law enforcement facility designated as the transmission destination facility for the intercepted communications and call associated data of a particular interception subject. The site where monitoring/recording equipment is located.
Lawful authorization
Permission granted to a law enforcement agency under certain conditions to intercept specified telecommunications. Typically this refers to an order or warrant issued by a legally authorized body.
Network operator/service provider
– network operator: the operator of a public telecommunications infrastructure which permits the conveyance of signals between defined network termination points by wire, by microwave, by optical means or by other electromagnetic means;
– service provider: the natural or legal person providing (a) public telecommunications service(s) whose provision consists wholly or partly in the transmission and routing of signals on a telecommunications network.
Quality of service
The quality specification of a communications channel, system, virtual channel, computer-communications session, etc. Quality of service may be measured, for example, in terms of signal-to-noise ratio, bit error rate, message throughput rate or call blocking probability.
Reliability
The probability that a system or service will perform in a satisfactory manner for a given period of time when used under specified operating conditions.
Roaming
The ability of subscribers of mobile telecommunications services to place, maintain, and receive calls when they are located outside their designated home serving area.
Target service
A service associated with an interception subject and usually specified in a lawful authorization for interception.
Telecommunications
Any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system.
EU & FBI launch global telecommunications surveillance system: “not a significant document” – UK Home Secretary
Statewatch bulletin, January-February 1997, vol 7 no 1
A special report by Statewatch published at the end of February detailed plans for a joint plan drawn up by the Council of the European Union and the US Federal Bureau of Investigations (FBI) to introduce a global system for the surveillance of telecommunications – phone calls, e-mails and faxes. Further investigations have revealed that:
- The decision to go ahead was never discussed by the Council of Justice and Home Affairs Ministers – it was simply agreed by “written procedure” through an exchange of telexes between the 15 EU governments.
- The “Requirements” to be placed on network and service providers by the European Union to enable the surveillance of communications adopted on 17 January 1995 – and not made public until November 1996 – is based on the “Requirements” drawn up by the FBI in 1992 (and revised in 1994).
The first attempt by the FBI in the United States to get through a new law to allow for the surveillance of all telecommunications was withdrawn from the Congress in June 1991. In March 1992 a redrafted proposal, the Digital Telephony Bill, was sent to the Congress but after major opposition by civil liberties groups it was quietly withdrawn in the autumn of 1992 just before the Presidential election which saw Clinton returned to the White House.
Part of the FBI’s campaign for these new powers included its report, “Law Enforcement REQUIREMENTS for the surveillance of electronic communications” (emphasis in original) put out in June 1992. During 1993 the FBI arranged a meeting in Quantico, USA attended by EU representatives plus Canada, Sweden, Norway, Finland, Hong Kong, Australia, New Zealand and the USA. In March 1994 the FBI released a new draft proposal ironically renamed: “The Digital Telephony and Privacy Improvement Act”. An updated version of the “REQUIREMENTS” was issued by the FBI in June 1994. By early August 1994 the FBI proposal, to be renamed again as “The Communications Assistance for Law Enforcement Act”, was formally introduced and on 25 October 1994 President Clinton signed it into law – which placed on the statute book identical powers to those adopted by the EU in January 1995.
EU slow to catch up
It was not until June 1993 that the EU Trevi Ministers, meeting for the last time in Copenhagen, addressed the subject seriously. They agreed the text of a “questionnaire on phone tapping” to be sent to each Member State in July 1993 and to the new members (Finland, Sweden and Austria) in September 1993. The issue was also raised at the “Friends of Trevi” meeting in Copenhagen attended by Deputy Attorney General Philip Heymann from the USA. However, this EU report was not completed until November 1995. When the new Council of Justice and Home Affairs Ministers held its first meeting in November 1993 in Brussels the Resolution they adopted on “The Interception of Communications” clearly expressed their concern:
“The Council: 1. calls upon the expert group to compare the requirements of the Member States of the Union with those of the FBI. 2. agrees the requirements of the Member States of the Union will be conveyed to the third countries which attended the FBI meeting at its headquarters in Quantico in order to avoid a discussion based solely on the requirements of the FBI.”
On 3 March 1994 the K4 Committee, followed by COREPER (the committee of Permanent Representatives of the 15 EU governments) on 10 March 1994, agreed a draft Recommendation calling for a study “to be made of the different technical PSCS-interception possibilities (PSCS, Personal Satellite Communications Services)”. In the event the Council of Justice and Home Affairs Ministers on 23 March 1994 discussed, but did not adopt, the Recommendation (not to be confused with the later “Resolution”). On 14-15 April it was back on the agenda of the K4 Committee and on COREPER’s on 27 April 1994 which cleared “the text of a confidential letter to be sent by the President of the JHA Council to the President of the Telecommunications Council.” In simple terms this meant, as Greece then held the EU Presidency, one Greek Minister sending a “confidential” letter to another Greek Minister in their respective roles as “Presidents” of two different Councils of Ministers.
What had been clear for some time was now transparent. For more than five years it had been clear to the US government and the EU governments that the combination of new satellite-based telecommunications and, for the Europeans, the privatisation of state-owned telephone companies, combined with the explosion in the use of mobile phones and the impending launch of e-mail via the Internet presented a new challenge for interception by the “law enforcement agencies”. The Council of Justice and Home Affairs Ministers did not consider the issue again.
This was despite the decision of the K4 Committee on 19-20 December 1994 that:
“The Committee agreed to suggest to Coreper and the Council that the above draft Resolution (“Draft Council Resolution on the lawful interception of telecommunications”) be adopted as an “A” item.” [An “A” item is adopted without debate in the Council of Ministers]
The next day, 21 December 1994, a decision was taken, under the German Presidency, not to wait for the next Council meeting in March 1995 but to adopt the “Resolution” setting out the “Requirements” by “written procedure”. The “written procedure” process of decision making meant that the draft Resolution was sent out by telex from Brussels to each Member State. On 9 January a further telex attached two statements by Denmark and France for agreement, and a final telex with a statement by the Netherlands was telexed out on 18 January – the day after the official adoption of the measure on 17 January 1995.
No publicity was given to this decision at the time. On 9 July 1996 the K4 Committee’s Police Cooperation Working Party proposed that the Resolution should be published in the Official Journal of the European Communities which it was in November 1996. This is the same Working Party which had reported in June 1995 that the new system should be able to:
““tag” each individual subscriber in view of a possibly necessary surveillance activity.”
and that a major problem was that:
“initial contacts with various consortia… has met with the most diverse reactions, ranging from great willingness to cooperate on the one hand, to an almost total refusal even to discuss the question… it is very urgent for governments and/or legislative institutions to make the new consortia aware of their duties. The government will also have to create new regulations for international cooperation so that the necessary surveillance will be able to operate.” [emphasis added]
By the summer of 1996 the EU was beginning to catch up with the US. The European Telecommunications Standards Institute (ETSI) prepared the first of several drafts of a document entitled, “Requirements for Trusted Third Party Services” at its meeting on 15-16 July 1996. At the November 1996 meeting of the Council of Justice and Home Affairs Ministers a text was agreed to send out to the equivalent international standards bodies with the Resolution detailing the “Requirements”, the IEC, ISO and ITU, informing them that EU Member States would be applying “these requirements to network operators and providers of services.” If the significance, and global implications, of this new system was in any doubt Version 4 of the “Requirements for Trusted Third Party Services” prepared by ETSI, dated 25 November 1996 dispelled it:
“There is a need to facilitate the growing importance and development of electronic commerce, the European Information Infrastructure (EII) and the Global Information Infrastructure (GII) by the introduction of suitable measures to safeguard the integrity and confidentiality of electronic information.”
And on “Lawful Interception”:
“Lawful interception of telecommunications traffic is commonly recognized as an important instrument to fight crime and to assure national security. Law Enforcement Agencies (LEAs) have the need to intercept incoming and outgoing telecommunications traffic, which is transported via telecommunications networks, without knowledge of eg: the interception subjects and the foreign country or countries involved”.
To complete the strategy and ensure global compliance to the new, “tappable”, telecommunications standards the EU led on drawing up a “Memorandum of Understanding” to extend the EU-US system to non-EU countries which were invited to adopt the same “Requirements” for network and service providers. The contact addresses for signatory countries and for further information, which confirms the EU-USA link, should be sent to:
“a) Director Federal Bureau of Investigation,
Attention: Information Resource Division,
10 Pennsylvania Avenue, N.W.,
Washington D.C. 20535
b) General Secretary of the Council of the European Union, FAO The President,
Rue de la Loi 175,
B-1048 Brussels,
Belgium.”
The number of signatories to the “Memorandum” is open-ended, any country can join providing the existing member states agree. It invites “participants” because “the possibilities for intercepting telecommunications are becoming increasingly threatened” and there is a need to introduce “international interception standards” and “norms for the telecommunications industry for carrying out interception orders” in order to “fight.. organised crime and for the protection of national security.”
By October 1996 Australia, Canada and the US had informed the European Council in Brussels of their support for the “Requirements”, Norway had signed the “Memorandum of Understanding”, and Hong Kong and New Zealand are “considering the means by which they could support the “Requirements”.” Ongoing meetings of “experts” from these six countries and the EU are being organised under the “informal title of ILETS (International Law Enforcement Telecommunications Seminar)”.
The FBI “Requirements”
A comparison of the “Requirements” and the “Glossary” in the Resolution adopted in January 1995 by the EU and the two reports by the FBI entitled: “Law Enforcement REQUIREMENTS for the surveillance of electronic communications” (June 1992 and June 1994) shows them to be the same in almost every respect. The only difference is that the EU’s “Requirements” have a couple of additional provisions to cover the linking of different telecommunications providers (eg: Germany, Austria and Spain). Some of the terminology is quaint. The term “law enforcement agencies”, an American term, is used in both but is not defined in the EU version. It can be presumed to cover police, intelligence agencies (MI6 and GCHQ), internal security agencies (MI5), customs, tax, and immigration agencies. The US-FBI use of the term “transparency” has a strange ring in European understanding; it is taken to mean ensuring that the subjects of the interception are “unaware of ongoing electronic surveillance”.
The nine “Requirements” in the FBI report are directly repeated in the EU’s ten “Requirements” with similar or in some cases the same terminology. For example, the EU’s “Requirement” no 1 says:
“Law enforcement agencies require access to the entire telecommunications transmitted, or caused to be transmitted, to and from the number or other identifier of the target service used by the interception subject.”
The FBI’s “Requirement” no 1 says:
“Law enforcement agencies require access to the electronic communications transmitted, or caused to be transmitted, to and from the number, terminal equipment, or other identifier associated with the intercept subject… “
While “Requirement” no 2 for the EU reads:
“Law enforcement agencies require a realtime, fulltime monitoring capability for the interception of telecommunications.”
And, the FBI’s “Requirement” no 2 reads:
“Law enforcement agencies require a realtime, fulltime monitoring capability for intercepts.”
“not a significant document” – the Home Secretary
The Chair of the Select Committee on the European Communities in the House of Lords, Lord Tordoff, took up the “Memorandum” with the Home Secretary, Michael Howard, in an exchange of letters on the Committee’s access to documents for scrutiny. On the subject of the “Memorandum of Understanding on the Legal Interception of Telecommunications” Mr Howard told Lord Tordoff:
“The Memorandum of Understanding is a set of practical guidelines to third countries on the lawful interception of telecommunications. It is not a significant document and does not, therefore, appear to meet the criteria for Parliamentary scrutiny of Title VI documents.” (emphasis added)
It is quite clear from this Briefing that the “Memorandum” is not an insignificant document concerning as it does a EU-US plan for global telecommunications surveillance.
After the Guardian newspaper carried a front-page report on Statewatch’s research Mr Howard wrote the following letter to the paper:
“You alleged, quite wrongly, that the United Kingdom was clandestinely joining its EU partners to create “an international telecommunications tapping system” (Britain to join FBI phone tap system, February 25).
We have never disguised the fact that interception of communications is an important tool in the fight against organised crime and, clearly, we need to ensure that we can keep up as organised criminals and their means of communication become increasingly sophisticated and international. But that does not justify the alarmist tone of your article, which confused a number of separate issues.
The UK is not party to any agreements concerning our interception of calls outside this country. Nor do we allow calls here to be intercepted by foreign governments. The International User Requirement, which outlines recommended technical standards for lawful interception, far from being a secret document, was published in the EU Official Journal last year and repeated, in substance, in a document which has been placed in the libraries of both Houses of Parliament. Similarly, there is no secrecy attached to the Government’s proposals on encryption which were announced last June and will be set out in a consultation paper which will be published shortly.
It is no secret that discussions are taking place within the EU context about how current interception capability can be maintained as the use of “satellite” phones increases. Any changes to our interception regime to take account of this will almost certainly require domestic primary legislation, giving Parliament and the public full opportunity to discuss these matters.” Michael Howard (MP), Home Secretary, Queen Anne’s Gate, London SW1H 9AT.
Statewatch’s editor replied:
“Your report of our research on the new EU-FBI global telecommunications surveillance system (25 February) is termed “alarmist” by the Home Secretary Mr Howard (1 March).
Faced with a new generation of satellite-based telecommunications for phone calls, e-mails and faxes the EU Council of Ministers have laid down new standards for manufacturers and service providers if they want to get contracts. These “Requirements” will create a system which can monitor everyone and every form of communication and it is one which Mr Howard admits will require “primary legislation” to update the 1985 Interception of Communications Act.
Mr Howard says the new measure was deposited in parliament but this was after it had been agreed. He failed to refer the Resolution setting up this system to the Select Committee on the European Communities for parliamentary scrutiny when it was being discussed in the K4 Committee in April, November and December 1994. Or before it was discussed by the Council of Justice and Home Affairs Ministers in March 1994 or finally agreed, in an unpublicised decision, by “written procedure” via telexes sent out from the Council in Brussels in January 1995. It was “secret” until it had been adopted without any parliamentary scrutiny. Mr Howard says “The UK is not party to any agreements concerning our interception of calls outside this country. Nor do we allow calls here to be intercepted by foreign governments”. Clause 2.3.d of the Police Bill currently before parliament would allow the tapping of phones and communications (and entry into homes and offices) on behalf of any “law enforcement agency” in the world. The UK does not allow interception by “foreign governments”; it will do it for them.
He also seems to be unaware of the 1948 UKUSA agreement whereby the UK’s GCHQ in Cheltenham and the US National Security Agency (NSA) at Menwith Hill in Yorkshire and Morwenstow in Cornwall routinely intercept telecommunications including e-mails and faxes (through the ECHELON network).
The “Memorandum of Understanding” drawn up by the EU and the FBI extending the system to non-EU states like Canada, Australia, New Zealand, Norway, the USA and Hong Kong, is in Mr Howard’s words “not a significant document”.
People and parliament might have been “alarmed” if they had been told what was going on.” Tony Bunyan, Editor, Statewatch (paras 4, 5 & 6 were not printed)
Mr Howard did not reply.
Conclusion
Whether the EU effectively adopted in 1995 the “Requirements” drafted by the FBI back in 1992 is perhaps not the issue. What is, however, is that while in the US the taking of new, intrusive, surveillance powers by the “law enforcement agencies” was debated and adopted through their democratic process, in the EU the decision was taken in secret by “written procedure” with no democratic discussion at all in the parliaments of the European Union.
Sources: Publication of Council Resolution of 17 January 1995 on the lawful interception of telecommunications, Report from Police Cooperation Working Party to Steering Group II, 8977/96, Limite, ENFOPOL 121, 11.7.96; Interception of communications, report to COREPER, ENFOPOL 40, 10090/93, Confidential, 16.11.93; Memorandum of Understanding concerning the lawful interception of telecommunications, ENFOPOL 112, 10037/95, Limite, 25.11.95; Legally permitted surveillance of telecommunications systems provided from a point outside the national territory, report from the UK delegation to the Working Group on Police Cooperation, ENFOPOL 1, 4118/95, Restricted, 9.1.95; Electronic Privacy Information Center, Washington, USA; Chapter 4, “Pre-Wiretapping Telephones”, by David Banisar in Electronic Privacy Sourcebook (forthcoming, June 1997), John Wiley and Sons, NY. Copies of Statewatch’s interim report on “European Union and FBI launch global surveillance system” are available for £2.00 (inc p&p).
CHRONOLOGY
June 1991: first FBI Bill withdrawn from US Congress
June 1992: FBI produced “Law Enforcement REQUIREMENTS for the surveillance of electronic communications”
Autumn 1992: second FBI Bill withdrawn from US Congress
1993: FBI host a seminar in Quantico attended by the EU
29-30 November 1993: The first meeting of the new, post-Maastricht, Council of Justice and Home Affairs Ministers, held in Brussels, adopts a Resolution calling on experts to compare the needs of the EU “with those of the FBI”
March 1994: The Council of Justice and Home Affairs Ministers discuss but do not adopt a draft Recommendation of principle
August 1994: third, and successful, Bill introduced in US Congress
April, November and December 1994: The K4 Committee discusses the draft Resolution on the lawful interception of telecommunications and the “Requirements” to be placed on network and service providers
October 1994: US Bill passed and signed by Clinton
November 1994: The K4 Committee discusses the draft “Memorandum of Understanding with third countries”.
17 January 1995: The Resolution on the “Requirements”, never discussed by the Council of Ministers, is adopted by “written procedure”. It is not published in any form until 4 November 1996 when it appears in the Official Journal.
23 November 1995: The Council of Justice and Home Affairs Ministers agree the “Memorandum of Understanding”. It is not published in any form.
7 May 1996: Michael Howard, the Home Secretary, tells the Chair of the Select Committee on the European Communities in the House of Lords that the “Memorandum of Understanding on the legal interception of communications” is “not a significant document”.
28 November 1996: The Council of Justice and Home Affairs Ministers agree the text of a letter to be sent out to other potential “participants” (countries) in the “Memorandum of Understanding”.
K4 Committee: Also set up under the Maastricht Treaty to coordinate the work on the “third pillar” – policing, immigration and asylum, and legal cooperation. It is composed of senior officials from Interior Ministries and prepares reports to go to the Council. Under the K4 Committee there are three Steering Groups covering policing and customs, immigration and asylum, and legal cooperation (civil and criminal) to which a series of Working Groups report.
COREPER: the Committee of Permanent Representatives from each EU state based in Brussels.
EU: New Convention on mutual assistance in criminal matters
Statewatch bulletin, July-October 1997, vol 7 nos 4 & 5
The present situation – Council of Europe Convention and Protocol to Convention
The primary instrument currently governing mutual assistance between the EU member states is the Council of Europe (CoE) Convention on mutual assistance in criminal matters of 1959, which entered into force in 1962. This Convention has been supplemented by an Additional Protocol, signed in 1978, which entered into force in 1982. The Convention is now in force in 30 states, including all 15 member states of the EU. The Protocol is in force in 24 states, including 13 Member States of the EU (Belgium and Luxembourg have yet to ratify it). Once these two states ratify the Protocol, it will be binding on all Member States of the EU.
Both the Convention and the Protocol are instruments of public international law, whose legal effect for individuals is dependent upon how each state decides to give effect to rules of international law in its national legal system. There is no judicial system for reviewing or interpreting the Convention or Protocol, or for settling disputes relating to their application. National rules implementing the Convention or Protocol have to conform to the Human Rights Convention, notably Articles 5 (rights on detention) and 6 (rights to a fair trial). Both the Convention and the Protocol are subject to reservations on any of their provisions by any signatory.
What needs to be emphasised, especially in relation to the new draft EU Convention, is that the CoE Convention deals purely with relations between judicial authorities – policing and law enforcement issues are entirely outside its scope.
Equally, enforcement of criminal sentences is a matter for separate Council of Europe Conventions, on transfer of prisoners, transfer of proceedings and the international validity of criminal judgements. These Conventions have fewer signatories than the mutual assistance Convention and have not yet been subject to any attempts to supplement them through the ‘third pillar’ of the EU.
The 1959 Convention does not apply to political offences or offences connected with political offences, or to fiscal offences. It also contains a very general exception which states can invoke to protect sovereignty, security or public order (ordre public).
In practice the 1959 Convention works by means of “Letters Rogatory” sent by judicial authorities in the state which requests evidence (the “requesting state”) to the state which has the evidence (the “requested state”). The letters rogatory are sent through the Home Affairs ministries.
The 1959 Convention covers physical evidence as well as appearance of natural persons. Witnesses in the requested state can be summoned to the proceedings in the requesting state. However, the summons is not binding upon the witnesses and the requesting state can only enforce the summons against the witnesses if the witnesses cross into the requesting state, receive another summons from the authorities, and then ignore it. The Convention also covers people who are in custody in the requested state, where the requesting state wants them to testify. The person has the right to object to testifying in the requesting state.
The Protocol widens the scope of the 1959 Convention allowing it to be used for fiscal offences and makes it clear that the “double criminality” rule (requiring an offence to be punishable in both the requested and requesting state for the Convention to apply) is to be relaxed for such offences.
The subject of interception of telecommunications is not covered by either the 1959 Convention or the Protocol. The only relevant provision is Recommendation (85)10 of the Council of Europe Committee of Ministers.
The new draft EU Convention: first phase of discussions
The initial purpose of the negotiations on an EU Convention for mutual criminal assistance was to facilitate the operation of the 1959 Council of Europe Convention and Protocol – not to extend its scope into the field of criminal investigations.
The first drafts (April and July 1996) did, however, include some significant extensions in the powers of the authorities to gather evidence and to get witnesses into court. Article 2 allows requests to be made by “administrative authorities” concerning “infringements of public order provisions”, for example, by Germany.
Article 3 provides for an exception to the rule that a person must consent before a transfer (compared with Article 11 of the 1959 CoE Convention, which deals with transfers in different circumstances); the exception is that the person may be forcibly moved if “charged in the course of proceedings for which the investigation has been requested”. This provision runs the risk of allowing states to circumvent the guarantees provided for in extradition treaties, or encouraging them to bring additional charges against a person in custody in order to ensure the person’s transfer for “use” in another state’s proceedings.
Article 6 is a completely new development in international judicial assistance, providing that witness statements may be taken by video conference. The requested state is generally obliged to summon a person to give evidence in this fashion (Article 6(3)), and the summoned person will then be under an obligation to give evidence. An obligation to give evidence does not exist under the present 1959 CoE Convention. The new Convention would provide for a substantial increase in the power of one Member State to compel a person in another Member State to give evidence. In this draft, it would have fallen to the requesting state to conduct the hearing (Article 6(4)), but to the requested state to ensure “due regard for the [witness’] fundamental rights” (Article 6(5)).
The July 1996 draft of the new Convention is a very good example of the case for national parliaments to be able to scrutinise early drafts of measures. There are no fewer than 36 reservations or differing views expressed by EU member states. While some of these are simply reservations on minor points, others are not. For example, there are “Scrutiny reservations on the whole text by German, Irish and United Kingdom delegations”, and on the issue of the giving of evidence by video conference Austria, Finland and Portugal said this should not take place without the consent of the person concerned; France, Italy and the UK did not agree, as the person would already have been summoned.
Second phase: Beyond traditional judicial assistance
The July 1996 draft of the new Convention had 11 Articles – the May 1997 draft has 20 Articles. Under the Irish Presidency it was decided that the scope of the new Convention should be expanded far beyond judicial criminal assistance as it is commonly understood. The EU Dublin Summit in December 1996 decided to set up the “High Level Group on Organised Crime” which reported back with its “Action Plan to combat organised crime” to the June 1997 EU Summit in Amsterdam. The “Action Plan” report had several recommendations which it was decided to slot into the draft Convention on mutual assistance on criminal matters, and which had implications well beyond any understanding of “organised crime”. At the same time the need to legitimise the interception of telecommunications was moving ahead.
New issues were put on the table for the Working Party on Mutual Assistance in Criminal Matters: Controlled deliveries, cross-border use of undercover investigators, cross-border surveillance and hot pursuit, cross-border bugging of vehicles or monitoring of vehicle movement, cross-border use of private informers or private undercover agents, joint teams, mutual assistance on Internet matters, and the surveillance of satellite communications were discussed.
By April a report was before the K4 Committee. The conclusions included:
1) the draft Convention “should contain additional provisions” on “controlled deliveries”: “all Member States consent to the use of this method”. The “method” according to the UN 1988 Convention on drugs is: “the technique of allowing illicit or suspect consignments of drugs to pass out of, through or into the territory of one or more countries, with the knowledge and under the supervision of their competent authorities”. The Working Party recommended the new Convention should extend this beyond drugs to cover “arms, money etc”.
2) “cross border use of undercover investigators (law enforcement agents)”: “undercover investigators” are “law enforcement agents as opposed to private persons” and: “In some Member States undercover investigators may be used as part of police work without any specific legal basis. In others national law contains more precise and direct provisions on this issue.” As the practice varies “no rules” can be established, so current unregulated bilateral cooperation continues.
3) the report says that the draft Convention does not need to include: “cross border surveillance and cross border hot pursuit”: already covered by Articles 40 and 41 of the 1990 Schengen Convention except for Ireland and UK; “cross border use of technical equipment attached to vehicles or objects for the sole purpose of monitoring movements..”: “used in all member states”, covered by “existing mutual assistance instruments”; “cross border use of technical equipment attached to or installed in vehicles to monitor communications taking place therein”: most member states do not provide for this in “national law”, in some it is “expressly forbidden”, but in member states where allowed it is covered by existing instruments; “joint teams”: the Working Party concluded that there was no need for a provision in the draft convention as it was already covered by the 1959 CoE Convention and Article 47 of the 1990 Schengen Convention.
The new draft thus includes in Article 10 that “controlled deliveries” shall be allowed “in the framework of criminal investigations into extraditable offences” – this formula of “extraditable offences” allows the remit to go beyond drugs. Only Portugal has a reservation on this extension (see Statewatch, vol 7 no 2 for the wide definition in the Extradition Convention).
Article 4 on searches and seizure would delete the reservations which Member States have attached to Article 5 of the 1959 Council of Europe Convention. Without these reservations property could be searched or seized even if the property owner is accused of an offence which is not a crime in the state in which they reside; and the search or seizure could take place in a manner not authorised by national law.
The new Articles 6-9 on telephone tapping, including the bugging of all forms of telephones, not just satellite calls, are the most remarkable change from the earlier draft (see below). Article 12 of the revised Convention deals with witnesses’ statements in video conferences. Article 12(5) makes clear that the witness will be obliged to appear. Article 12(6) on the procedure is a much expanded version of Article 6(4) and 6(5) in the 1996 drafts. Here there is no longer a woolly reference to the requested state guaranteeing the witness’ fundamental rights, but there is no replacement covering the matter in more detail. It is not clear how these clauses will operate in practice. How can the guarantees for suspects’ and witnesses’ rights within the system of judicial protection of the requesting state be upheld, without substantial additional provisions providing for mechanisms by which the requesting state’s disclosure rules will apply to the cross-border provision of evidence and by which the witness has access to legal advice concerning the requesting state’s law?
Article 13 covers the transfer of a person to another Member State, which might be without consent (Article 13(6)). This leaves open the possibility that a person can be moved forcibly to another Member State, albeit temporarily, after procedural protections which might be lower than that provided for under extradition procedures. It is not clear how long the person concerned might be transferred for, with the risk that a remand prisoner might have their pending trial delayed as a result of the transfer; and the prisoner will in any case be forcibly separated from their families for the duration of the transfer.
Article 14 provides for “spontaneous exchange of information”. There is no reference to data protection rules.
Finally, Article 15 provides for expedited procedural rules for requests between authorities. While it is made clear here that the Convention is not meant to apply to “pure” police or customs cooperation, at least for controlled deliveries (Article 15(6)), it can still cover requests emanating from or to police or customs authorities, as long as one side is handling such requests via the judicial authorities. There is a risk that such a requirement may simply be a formalist restraint covering what is de facto direct cooperation between police or customs authorities in both Member States.
It should be noted that this draft Convention, in Article 18.4, takes a further step down the road of undermining scrutiny by national parliaments in the ratification of Conventions. The Dublin Convention stipulated that all EU member states had to complete ratification before it could come into force; the Amsterdam Treaty says Conventions can only come into force when a majority of member states (8) have adopted them; this draft Convention allows the first two member states to ratify it to put it into practice immediately.
The Convention and the surveillance of telecommunications
The implementation of the EU-FBI surveillance plan was introduced into the draft Convention on mutual assistance in criminal matters, in Articles 6-9, this year. The May 1997 draft says in an “explanatory comment” that the Presidency believes: “in view of the absence of an explicit Treaty basis for the interception of telecommunications – proposes that the Convention under consideration should make provision for investigation of all types of telecommunications”.
Article 6.2 says that an “order” from a competent authority of the “requesting Member State” can ask for either:
“the interception, recording and transcription of intercepted correspondence or for interception and direct transmission of intercepted correspondence to the requesting Member State for monitoring and for recording and transcription there.”
In plain language, the results of an interception are either sent ex-post by the “requested” member state to the “requesting” member state after the event or, if the member state asks, the interception is transmitted in real time (as it is happening) to the “requesting” member state. The term “correspondence” is taken from Article 8 of the European Convention on Human Rights and is taken to encompass “both conversations and fax messages etc.” Article 6.3 covers the surveillance of mobile phones and messages in another member state or member states (or another state which is party to the agreement). Article 6.4 sets out that requests between member states should include: “as accurate a description as possible of the subject of the investigation..”; “the desired duration of the investigation”; and the “type of investigation” (as in Article 6.2 above).
Article 6.5 is intended to exclude, according to the explanatory comment, the use of information derived “between doctor and patient or client and lawyer and correspondence with religious advisers”.
Articles 7 and 8 deal respectively with: “Investigation of terrestrial telecommunications” and “Investigation of satellite communications”. Article 9 is currently blank to provide for additional provisions concerning a third member state (in addition to the “requesting” and “requested” member states).
Article 7.2 would allow the “requested” member state to refuse to execute the request “in view of the nature or non-seriousness of the offence or the personal status of the subject of the investigation” or if it considered the request was “unjustified given the circumstances of the case”. Article 7.3 a & b say that the “requested” Member State “may” set conditions that i) prior to the transfer of the data it would “destroy.. those parts of the correspondence which.. cannot be meaningful in the context..” or ii) the “requesting” member state which receives the data “real time” would do the same. The first condition (7.3.a) cannot be imposed where the “requesting” member state has asked for interception and transmission (real time). Each member state would operate according to its national law – which may of course be different.
Articles 7.3.c & d say that the “requested” and “requesting” member states shall:
“inform the holder of the network connection number and the subject of the investigation.. that the investigation has been carried out.”
There is, of course, a catch to this provision: “in accordance with those authorities’ national law”. In the UK, for example, this would never happen (except perhaps where it had to be revealed in court).
Article 8 is almost exactly the same as Article 7 but the explanatory comments regarding satellite telecommunications show the influence of the report of the High Level Group on Organised Crime. The request for “assistance” is to be made to the member state in which the “ground station” is located – the “ground station” could be located in member state A while the subject may be in member state B (see below for the significance of “ground stations”). The explanatory comment also says that “additional information on the aim of and reasons for the request” cannot be asked for by the “requested” member state when it is for a “real time” interception.
The background reports leading up to Articles 6-9 are more revealing. A “preparatory meeting on interception” was held in the Hague on 25-26 November 1996. On 17 January the EU Presidency sent a report on the meeting to the Working Party on Mutual Assistance in Criminal Matters entitled: “Does the interception of mobile satellite telecommunications require new forms of mutual assistance in criminal matters?” The report contains a series of definitions which expand on those given in the published version of the Council Resolution (Official Journal, 4.11.96). The first link is the “system providers”, consortia that:
“provide the global network of mutually co-operating satellites. Up to now Iridium, Globalstar, Odyssey and ICO prepare a network, each servicing between 10 to 100 ground stations world-wide.”
The second link is the “ground station”, the “earthly, fixed equipment where a telecom signal of a satellite is received.. each ground station renders this service to a system provider for an area encompassing all the countries of the EU.” The report says, as do previous ones, that the interception of mobile phones has to take place at the “ground station”.
The report argues that “additional international legal instruments” are needed because the 1959 Convention implies that the “requested” member state should check the data before it is transmitted “real time” to the “requesting” member state – whereas they want data to be sent immediately without any check under the laws of the “requested” member state.
In April the EU Presidency presented a report to the K4 Committee summarising the proposed changes to the new Convention. The report says that there is a need to “provide a legal basis for the cooperation between the Member States” on the interception of telecommunications and the “real time monitoring of satellite telecommunications”.
The rights of the individual are referred to as covered by Article 8 of the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms. Article 8 guarantees the right to respect for private life and correspondence. The “problem” for EU policymakers is that:
“Traditionally persons located on the territory of a certain state, fall under its jurisdiction. Their freedoms.. are guaranteed under the law of that state. Likewise the infringements on this freedom should be allowed by the laws of that same state. The location of a target is therefore relevant. Exceptions of the principle of sovereignty can only be regulated by a Convention.” (Hague meeting 25-26 November 1996)
These “freedoms” are, by way of this new Convention, being discussed away in the secret meetings of the EU, and when the 15 governments have agreed its contents, national parliaments have no powers to change or amend any of its provisions.
The April report says that in the near future:
“perhaps within a year. The 3 or 4 systems will be established by large multinational operators.”
And:
“each system will have (only) one ground station in Europe. It is at this stage expected that ground stations will be established in France, Italy and perhaps Finland, the UK and Germany.”
The significance of there only being 3 or 4 “ground stations” in the EU is that, under Articles 7 and 8 of the new draft Convention, all requests for interception will go to the member states in which they are based and be executed according to the national laws of that country.
Conclusion
It is clear from past experience that the Council’s working groups frequently agree a large percentage of a measure before it is discussed by the K4 Committee, never mind the Justice and Home Affairs Council. The mutual assistance Convention looks set to be a classic example.
The draft Convention abounds with clauses liable to have a substantial impact on individual rights, certainly by comparison with the subject-matter of “traditional” judicial cooperation in criminal matters, including the 1996 drafts of the same Convention.
This is a classic case where public debate is sorely needed, where people’s rights and protections are negotiated away in secret EU meetings.
Sources: Draft report to the Council on the draft Convention on mutual legal assistance in criminal matters, Presidency to K4 Committee, 7350/97, Limite, JUSTPEN 31, 14.4.97; Interception of telecommunications systems outside national boundaries – Lawful interception of satellite personal communications systems, Presidency to Working Party on Mutual Assistance in Criminal Matters, 12290/1/96 REV 1, Limite, JUSTPEN 150, 17.1.97; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, 5978/96, 16.4.96; 9268/96, 15.7.96; 7945/97, 6.5.97; Explanatory report on the Convention on mutual legal assistance in criminal matters, including text of 1959, Council of Europe, 1969; Council of Europe press release no 341, 2.6.97.
New Convention to legitimise surveillance – group of “20” implementing EU-FBI plan
Statewatch bulletin, July-October 1997, vol 7 nos 4 & 5
The EU-FBI plan to create a global system for the surveillance of telecommunications – phone calls, faxes and e-mails – has taken three major steps forward – the first is a new group of “20” outside EU structures to effect the plan, the second is a plan for all interceptions to be routed through just 3 or 4 EU states, and the third is a new draft EU Convention to “legitimise” surveillance by “law enforcement agencies”.
Earlier this year the K4 Committee minutes noted that work on this is being developed “outside the third pillar” structures. Statewatch has learned that the plan is being developed outside the structures of the European Union by a group of 20 countries – the 15 EU member states plus the US, Canada, Norway, Australia and New Zealand (see Statewatch, vol 7 no 1).
The group of “20” is not accountable through the Council of Justice and Home Affairs Ministers or to the European parliament or national parliaments. Using the “Memorandum of Understanding”, signed on 23 November 1996 by individual EU member states, they are now cooperating with the five non-EU states on a multilateral basis to ensure that the new satellite-based service and network telecommunications providers put telecommunications under surveillance at the request of “law enforcement agencies”.
The Australian government introduced legislation to fall in line with the EU-FBI plan on 2 October. It claimed that the lack of legal powers had been delaying new systems because there was no obligation on service providers to allow police and security agencies to intercept communications. The police and security agencies have also had to pay the service providers to help them; under the new law the cost will be borne by the companies.
The EU will “legitimate” its participation through a new Convention on mutual assistance in criminal matters which was re-written after the report by the High Level Group on Organised Crime (see Statewatch, vol 7 no 2) and a secret seminar in the Hague on 25-26 November 1996. Conventions, such as this one, adopted by the EU under Article 3.2.c of Title VI of the Treaty on European Union, once agreed, have to be ratified by each EU national parliament – but the parliaments are not allowed to amend or change a single “dot or comma”.
The introduction of the surveillance of telecommunications in the EU has four elements:
- a) the initial agreement between the US (in effect the FBI) and the EU Member States (which adopted the “Requirements” laid down by the FBI) to cooperate. The US Congress adopted the provision in October 1994 and the EU hastily followed by adopting the same provisions – without discussion in the Council of Justice and Home Affairs Ministers – by “written procedure” in January 1995 (see Statewatch, vol 7 no 1).
- b) the “Memorandum of understanding” built on the joint EU-FBI “Requirements” by providing a mechanism to create an initial group of “20”. A report to the K4 Committee in April notes that the Council of Europe is working on “nearly identical instruments on mutual assistance” so it can be expected that the six EU applicant countries will have to adopt the new Convention as another condition of entry.
- c) with agreement to cooperate on the basis of the “Memorandum” the group of “20” can work together to ensure that the major providers of the new satellite-based telecommunications systems adhere to the “Requirements” – in effect to ensure compliance by multinational companies.
The new era of satellite-based telecommunications will see just four companies – Iridium, Globalstar, Odyssey and ICO – control the “global network of mutually co-operating satellites”. In the EU it is expected that there will only be 3 or 4 “ground stations” linked to these systems – “in France and Italy and perhaps Finland, the UK and Germany”. All requests for interception orders are, under the draft Convention, to be effected through these “ground stations” and therefore through the countries hosting them.
- d) the final element is the need, within the EU, to ensure that cooperation by “law enforcement agencies” to intercept telecommunications has a legal basis. The draft Convention on mutual assistance in criminal matters, in Articles 6-8, sets out the terms of this cooperation.
Although the new Convention is being presented as dealing with “organised crime”, and the provisions on “controlled deliveries” and on the surveillance of telecommunications are a direct result of the “Action Plan on Organised Crime” drawn up by the High Level Group on Organised Crime, its effect is much wider. The 1959 Council of Europe Convention, which the new Convention seeks to “supplement and facilitate”, says in its Explanatory report that the objective is that the Contracting Parties:
“afford each other the widest measure of mutual assistance in proceedings in respect of offences the punishment of which falls within the judicial authorities of the requesting Party. Provision is thus made for minor offences as well as for other, serious matters..”
There is no limitation in the 1959 Convention to “organised crime” or to “serious crime”; it simply concerns any punishable offence, however minor.
EU: Surveillance report
Statewatch bulletin, vol 8 no 1 (January-February 1998)
An excellent report prepared by Steve Wright of the Omega Foundation in Manchester for the European Parliament (EP) sets out in frightening detail the surveillance systems being constructed in the EU. The report, prepared for the Scientific and Technical Options Assessment Panel of the EP, deals with both technology exported from the EU to third world countries and the surveillance and control systems to be used within the EU. It covers surveillance systems; data gathering, processing and filtering devices; biometric and other human identity recognition tools; so-called “less-lethal” weapons for crowd control; new prison control systems; and torture techniques.
The report gives information on the global surveillance system called ECHELON, run by the military-intelligence community (military and intelligence agencies) of the USA, UK, Canada, Australia and New Zealand. Bases in these countries trawl the electronic airwaves and download all information held in “Dictionaries” of keywords, phrases and people’s names. It also gives details of the EU-FBI surveillance system being set up for the law enforcement community (police, customs, immigration and internal security services) to monitor all telecommunications (phone calls, faxes and e-mails) (see Statewatch, vol 7 no 1).
The report says there has been a “political shift in targeting”. Instead of investigating crime (which is reactive), law enforcement agencies are now “tracking certain social classes and races of people living in red-lined areas before crime is committed”, a form of pre-emptive policing dubbed “data surveillance”, based on military models of gathering huge amounts of low-grade intelligence and digging out deviant patterns. Glyn Ford MEP, who is on the STOA Panel, hopes that the report will be the first step in establishing more openness: “Some democratically elected body should surely have a right to know at some level. At the moment that’s nowhere”.
An appraisal of technologies of political control: final report, working document for the STOA Panel, April 1997, PE 166.499/Final; Daily Telegraph, 6.12.97.
EU: Surveillance extended to Internet and satellite phones
Statewatch bulletin, vol 8 no 6 (November-December 1998)
The EU is to extend the EU-FBI telecommunications surveillance plan to the Internet and to new generation satellite mobile phones (see Statewatch, vol 7 no 1 & 4 & 5; vol 8 no 5). At the same time EU Interior Ministers are seeking to resolve their differences over the legal powers they intend to give the “law enforcement agencies” to intercept all forms of telecommunications under the new Convention on Mutual Legal Assistance. In the US the same issues are being openly discussed – the Federal Communications Commission has deferred a decision on an FBI proposal to extend surveillance to the Internet. In October 1994 the US Congress passed an FBI-proposed law, the Communications Assistance for Law Enforcement Act. On 17 January 1995 the EU adopted a Resolution on the “Requirements” to be placed on network and service providers to carry out surveillance of all telecommunications. These “Requirements” were exactly the same as those drafted by the FBI. Now these “Requirements” are to be extended from covering traditional phone networks and GSM mobile phones to the Internet and to the new satellite-based mobile phones run by multinational companies like Iridium. Under the plan telecommunications network and service providers would have to give access to communications from “mobile satellite services” (provided by multinationals like Iridium via their “ground station” in Italy, see Statewatch, vol 8 no 5) and to e-mail sent and received via ISPs (internet service providers) in addition to phone calls and faxes sent through the traditional system (land and sea lines and microwave towers).
The new draft “Requirements” cover the “realtime” (as it is actually happening) surveillance of phone calls and e-mails, including where messages are redirected, voice-mail and conference calls. They even extend to passing over data when a connection has not been made, for both outgoing and incoming calls/messages. All details concerning e-mail accounts have to be handed over by IP providers. “Realtime” is defined as routing the surveillance in “milliseconds”.
Legal powers
In a parallel development the EU Justice and Home Affairs Council is discussing the draft Articles on the “interception of telecommunications” in a new Convention on Mutual Legal Assistance in Criminal Matters. This is intended to extend the application of a 1959 Council of Europe Convention with the same title.
The new “Requirements” and the new legal powers are being presented as being necessary to combat organised crime. However, the scope of the 1959 Council of Europe Convention simply covers any:
“offences the punishment of which falls within the competence of the judicial authorities of the requesting Party. Provision is thus made for minor offences as well as for other, serious, offences..” (Explanatory report on the European Convention on mutual assistance in criminal matters, Council of Europe, 1969, p11)
The issue of police officers and/or judicial authorities being called on to give what will in effect be instantaneous authorisations for intercepts “within minutes” is not addressed by the draft EU Convention.
Nor is the issue of telecommunications surveillance by the security and intelligence services – the new legal powers are only intended to authorise interception for criminal investigations. To the embarrassment of EU Interior Ministers, the UK has objected to the draft Convention because in the UK – unlike in other member states – there is a single law covering the Security Service’s (MI5) surveillance in connection with national security and its role assisting the police on organised crime. Neither the first set of “Requirements” nor the proposed revised set of “Requirements” require approval by or reference to parliaments, national or European. The new draft Convention, when eventually signed by the 15 EU member states, has to be ratified by national parliaments – but they are not allowed to change or amend anything, even a dot or comma.
In-depth report
The Justice and Home Affairs Council (JHA Council) of the European Union is to extend the EU-FBI telecommunications surveillance plan to the Internet and to new generation satellite mobile phones (see Statewatch, vol 7 no 1 & 4 & 5). At the same time EU Interior Ministers are seeking to resolve their differences over the legal powers they intend to give themselves to intercept all forms of telecommunications under the new Convention on Mutual Legal Assistance. In the US the same issues are being openly discussed – the Federal Communications Commission has deferred a decision on an FBI proposal to extend surveillance to the Internet.
The secret making of policy
Within the formal structures of the EU, under the Justice and Home Affairs Council, the work on the interception of telecommunications is carried out by the Police Cooperation Working Party (Interception of telecommunications). This Working Party in turn is represented on three non-EU “technical expert groups” – ILET (International Law Enforcement Telecommunications), STC (Standards Technical Committee) and the IUR (International User Requirements). The findings of these non-EU groups are in turn brought back within the EU structures through the Police Cooperation Working Party and presented to the K4 Committee, COREPER and the JHA Council as being:
“agreed by the law enforcement agencies as an expression of their joint requirements”
Meetings in Rome on 14, 15 and 16 July of the IUR and STC were reported back to the meeting of the EU’s Police Cooperation Working Party on 3-4 September in Brussels. Further meetings of the IUR in Vienna on 20-22 October and in Madrid on 27-28 October led to a draft Resolution from the Austrian Presidency to the Police Cooperation Working Party, dated 4 November, on the “interception of telecommunications in relation to new technologies”.
The effect will be to extend the Requirements to be placed on network and service providers adopted by the EU as the Resolution of 17 January 1995 (see Statewatch, vol 7 no 1). Under the plan telecommunications network and service providers would have to give access to communications from “mobile satellite services” (provided by multinationals like Iridium via their “ground station” in Italy, see Statewatch, vol 8 no 5) and to e-mail sent and received via ISPs (internet service providers) in addition to phone calls and faxes sent through the traditional system (land and sea lines and microwave towers).
The EU’s plans for the surveillance of all forms of telecommunications are being determined by non-EU bodies – ILETS, STC and IUR – on which the major players are: the EU (represented by the Police Cooperation Working Party and other experts), the USA (the FBI), Canada and Australia (New Zealand and Norway are also involved). The stakes for these governments are enormous. Just as important as the “law enforcement agencies” being able to set down the “Requirements” for intercepting every form of communication are the commercial profits to be made out of “agreed” standards, equipment and service provision. Once adopted, EU-US standards are set to become “global”. For example, Iridium, the first multinational to open a “ground station” in Italy to serve the EU with a global earth-satellite “mobile satellite service” (MSS, or “Satellite Personal Communications System”, SPCS), is using Motorola and Kyocera to make Iridium handsets. The initiative for creating Iridium came from Motorola. Moreover, the EU market is critical to Iridium’s initial success because AT&T dominates the US with traditional land-based systems.
Spelling out “law enforcement” demands
Underneath the draft Resolution amending the 17 January 1995 EU Council Resolution is a detailed report (“Interception of telecommunications: recommendation for a Council Resolution in respect of new technology”) explaining the need for “supplementary requirements and supplementary definitions in respect of new technologies including SPCS, the Internet…” This report was discussed at the Police Cooperation Working Party in Brussels on 3-4 September.
The report opens with the statement that the Resolution of 17 January 1995 – which was never even discussed by the JHA Council but adopted by “written procedure” (signed by the Brussels-based Permanent Representatives of each EU member state) – has to be changed to be:
“suitable for new technologies, especially satellite communication, Internet, cryptography, pre-paid cards etc”
Throughout, the report distinguishes between the new “international requirements for surveillance.. developed by the law enforcement agencies” for: i) SPCS (“Satellite Personal Communications Systems”) and ii) the Internet.
Introducing the needs of the “law enforcement agencies” for SPCS, the report says:
“Operational scenarios comprise the following connections: mobile to mobile (via satellite), mobile to mobile (terrestrial), mobile (via satellite or terrestrial) to the public switched telephone network (PSTN) and PSTN to mobile (via satellite or terrestrial). Interception of such satellite based services is subject to the national laws of the requesting law enforcement agency as well as those of the state providing the gateway.”
The report’s introduction on the Internet is altogether simpler: “This explanatory memorandum refers to requirements of law enforcement agencies to the interception of ISP-based Internet services.”
The report then looks at each of the already agreed “Requirements” and proposes new ones.
First, under “Requirement 1” the “law enforcement agencies require access to the entire telecommunications transmitted..”. Traditional means of communications are simple and provide the “locations” of the two parties, but this is not so for calls between two mobile phones (SPCS). However, a solution is provided by “a single terrestrial gateway [which] serves many countries from one site” (such as the Iridium ground station in Italy covering the whole EU). For the Internet, access is required to:
“ISP address, customer’s account number, logon-ID/password, PIN number, E-mail address.”
Second is the “Requirement” that “law enforcement agencies require a real-time, fulltime monitoring capability” as well as “call associated data”. “Real-time” is defined: “100 milliseconds to 500 milliseconds are desirable”.
Third, network operators and service providers are required to provide “one or several interfaces” for the new Iridium-style SPCS mobile phones and, of course, Iridium by offering the use of its facilities meets this need – “Interception can be planned as a MSS-gateway which serves several countries..” Equally, “Several countries can carry out interceptions of the same mobile subscriber who is served by a gateway.”
Fourth, the need for immediate interception, “in urgent cases within a few hours or minutes” where “questions of sovereignty can cause further delays if cooperation of law enforcement agencies from different countries is required”.
The “Supplementary requirements” state that network and service providers have to hand over full details of any customer:
“the complete name and complete address of the monitored person… the person who pays the bill for the services available to the monitored person.. sufficient credit card details to identify the customer account…”
Together with details of all the services used by the “customer”, for example, conferencing, voice-mail, ISDN, telex, internet domain names, “roaming” permissions (for mobile phone users).
Network and service providers will have to provide their own secure means of ensuring the “security” of the intercepts. One reason given for this “security” is the comforting thought that the rights of the individual are to be protected:
“Protection of the interests of an interception subject from revelation of its telecommunications to other parties than the intercepting authority”.
On the other hand, another “requirement” is that “neither the interception target nor any other unauthorised person is aware of.. the interception order.”
The MLA “debate”
The draft Convention on Mutual Legal Assistance in Criminal Matters is still under discussion in the Justice and Home Affairs Council. The “outstanding” issues are whether or not data protection provisions should be included (only Italy, Austria, Belgium and the Commission are in favour), the role of the Court of Justice, its jurisdiction (the usual dispute between the UK and Spain over the status of Gibraltar) and the Articles on the interception of telecommunications.
It should be remembered that the primary purpose of this new Convention is to “supplement the provisions and facilitate the application” of the 1959 Council of Europe Convention on Mutual Legal Assistance in Criminal Matters. The Schengen Agreement (1985 and 1990) and the Benelux Treaty (1972) have been added. The 1959 Council of Europe Convention is not limited to “serious crime” or “organised crime”; it simply concerns any punishable offence, however minor. New powers contained in this new EU Convention on mutual assistance are, therefore, applicable also to any punishable offence (see Statewatch, vol 7 no 4 & 5). The draft Convention thus places no limits on the use of the proposed new powers of intercepting telecommunications – this is solely regulated by each member state’s national law.
In the latest draft of the new Convention the Articles on the “Interception of telecommunications” are in Title III, Articles 11-14 and represent the third substantial revision. The major areas of “discussion” in the secret conclaves of the EU member states are as follows.
The issue starts with the question as to whether “where a Member State intercepts or intends to intercept a target present in another Member State.. and does not need any assistance from that Member State” it should tell the other Member State. As presently drafted, Article 13 provides that the “intercepting Member State” will inform the “visited Member State”, that the “visited Member State” may “require that the interception not be carried out or be interrupted”, and that the “visited Member State may lay down conditions on the use of material already intercepted”. This issue particularly arises if Iridium’s EU ground station in Italy is able to provide access to call contents (for SPCS mobile phones) in different countries instantaneously.
Due to the different legal powers to authorise interception in EU states a discussion has emerged over the role of security and intelligence agencies. Fourteen EU member states believe that the new Convention only refers to “criminal investigations” and therefore excludes interceptions by security and intelligence agencies. In these countries interception by these agencies takes place either through administrative authorisation (for example, from an Interior Minister) or through a judicial warrant. In the UK the Security Service (MI5) is issued with warrants by the Home Secretary for both matters of national security and for criminal investigations (where they are working on serious organised crime). As presently drafted the UK would be obliged to inform other EU states when MI5 is intercepting communications in another member state.
What has been highlighted by this discussion between EU member states is that there is no existing or proposed regulation of the interception of telecommunications when carried out by security and intelligence agencies. It also demonstrates that there is not a simple distinction between “criminal investigations” and “national security”. One of the questions asked in the latest draft is whether there should be an obligation by a member state to inform other member states where “it would be likely to prejudice its security, ordre public or other essential interests?”
Another issue is whether other EU member states should be informed when the surveillance (of GSM mobile phone networks) is for less than 24 hours and may involve, in border areas, several EU member states.
The member states are also divided over whether the “visited Member State” should have the power to “require the interception not to be carried out or to be interrupted” and the power to “impose restrictions on the use of the already intercepted material”.
At the JHA Council on 3-4 December the Ministers were asked to consider the following question:
“Which of the following reasons should be regarded as a basis for requiring interception not to be carried out or to be interrupted:
– national law of the visited Member State?
– fundamental principles of national law of the visited Member State, and/or ordre public?”
A new Article (no 14a) has now been included “to ensure an appropriate legal basis for the purpose of agreements on the use of the service provider solution [Iridium] regarding satellite telecommunications”. The new Article states, in full:
“Nothing in this Title shall preclude any bilateral or multilateral arrangements between Member States for the purpose of facilitating the exploitation of present and future technical possibilities regarding the interception of telecommunications”.
A proposal which, potentially, could drive a “coach and horses” through any provisions in the new Convention. The so-called “service provider” for the interception of telecommunications carried out through Iridium’s EU ground station in Italy would mean that if a “target” moved from one country to another the surveillance would simply be “switched” from one country to another.
There is no provision in this new Convention for it to only come into effect when all 15 EU member states have ratified it. Under Article 18.4 it can come into effect between any two or more member states who declare that it should do so.
In the USA
In the US the Federal Communications Commission has invited public comments on FBI-proposed requirements that would enable law enforcement agencies to be given the location of people using cellular phones without a warrant and has deferred a decision on another request to place the Internet under surveillance.
Conclusion
The new powers to intercept telecommunications are by no means limited to any common perception of “serious crime”. By including the interception Articles in a new Convention on Mutual Legal Assistance in Criminal Matters, the limits are simply those set out in the 1959 European Convention on Mutual Assistance in Criminal Matters, which refers to any punishable offence, however minor. Once in place to “combat organised crime”, these powers can be infinitely extended to all forms of offence including public order or “national security”.
Sources: Council Resolution of 17 January 1996 on the lawful interception of telecommunications; Interception of telecommunications: recommendation for a Council Resolution in respect of new technology, ENFOPOL 98, 10951/98, 3.11.98 and ENFOPOL 98 REV 1, 10951/1/98, 4.11.98; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, JUSTPEN 108, 13144/98, Limité, 19.11.98; PC Magazine, January 1999.
EU-FBI: EU-FBI telecommunications system moves two steps nearer
Statewatch bulletin vol 9 no 2 (March-April 1999)
The EU-FBI telecommunications surveillance system is developing apace through two separate, but intrinsically intertwined, initiatives (see Statewatch, vol 7 no 1 & 4 & 5; vol 8 nos 5 & 6). First, the Council has proposed a new draft Council Resolution to extend the 1995 “Requirements” Resolution to cover “new technologies” – the Internet and satellite-based telecommunications. Second, the Council is on the brink of agreeing a formula to provide a legal base for “remote” access to the Iridium satellite “ground station” in Italy – through new clauses in the draft Convention on Mutual Legal Assistance in criminal matters. This draft Convention will provide the legal framework for the interception of all forms of telecommunications in the EU required to put into effect the EU-FBI surveillance system. Both measures are expected to be agreed at the 27-28 May meeting of the Justice and Home Affairs Council.
Background
The 1995 Council Resolution on the lawful interception of telecommunications setting out the “Requirements” was slipped through the EU by what is known as “written procedure” on 17 January 1995. “Written procedure” is a decision-making process whereby a measure is sent out to EU member states for agreement between meetings of the Council of Ministers. In October 1994 the US Congress had adopted its version of the “Requirements” drawn up by the FBI. Not wishing to wait three months until the next meeting of the Justice and Home Affairs Council the German Presidency took the initiative to use “written procedure” (all Member States are obliged to reply though they may add statements to be included in the Council minutes). Using the “written procedure” process had another effect, the “Requirements” Resolution remained hidden from view until November 1996 when it was published in the EU’s Official Journal. In the USA civil liberties groups have campaigned against the new surveillance powers since 1993, however the EU end of the EU-FBI axis only became apparent when Statewatch published its first report in February 1997.
The “new technologies”
In July 1998 the Austrian Presidency of the EU put forward a proposal for a “Draft Joint Action on the interception of telecommunications” which was discussed by the Police Cooperation Working Party (Experts’ meeting – Interception of telecommunications) at its meeting on 3-4 September in Brussels. This draft Joint Action was intended to extend the 1995 “Requirements” to “new technologies” (the Internet and satellite-based telecommunications) and to place on network operators and service providers an obligation to provide information and assistance in the interception of telecommunications. The idea of a Joint Action was dropped by the end of July as a number of EU member states were not prepared, or ready, to adopt a binding commitment to place an “obligation” on network and service providers at national level.
However, the same meeting of the Police Cooperation Working Party was also considering reports drawn up by three “expert groups”: the IUR (International User Requirements) and the STC (Standing Technical Committee) from their meeting in Rome on 14-16 July 1998 plus the conclusions of an earlier meeting of ILETS (International Law Enforcement Telecommunications Seminar). The role of these non-EU working groups is made explicit in ENFOPOL 98 which had “been drafted by the technical groups ILET, STC and IUR.”
There were further meetings of IUR, 20-22 October in Vienna and 27-28 October in Madrid. By November 1998 meetings of ILETS, IUR and STC concluded that “adjustments” to the 1995 “Requirements” to cope with the “new technologies” were “an urgent necessity”.
The key group is ILETS, revealed by Statewatch in February 1997 (vol 7 no 1) and pinned down by Duncan Campbell in an article in the Guardian’s Online. ILETS was founded by the FBI in 1993 and is comprised of: the US, Canada, Norway, Australia, New Zealand and Hong Kong (it is not known if Hong Kong is still participating) plus the 15 EU states. Those attending these meetings are from the “law enforcement agencies”.
The core of the ILETS group are the US, Canada, Australia, New Zealand and the UK – the UKUSA group, started in 1946, which runs a global surveillance system to service the military and overseas intelligence agencies (ECHELON). There are thus two global systems: ECHELON serving the “military and intelligence community” (external, eg: GCHQ and MI6 in UK) and the EU-FBI telecommunications surveillance system to serve the “law enforcement community” (police, internal security, customs and immigration).
The new draft Resolution
The European Parliament was consulted (that is, its views are sought but they can be ignored) on the second revision of ENFOPOL 98, dated 3 December 1998. A later version of the same report, now renamed ENFOPOL 19, dated 15 March 1999 contains two significant differences to the version given to the European Parliament.
1) In the version discussed by the European Parliament the “General explanations” seek to amend the 1995 requirements to include identifier data on internet users by including:
“IP address (electronic address assigned to a party connected to the Internet), account number and E-mail address” (ENFOPOL 98 REV 2)
In the new version it says:
“IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address” (ENFOPOL 19) (our emphasis)
An earlier document makes clear that the “account number” is not needed because this data comes with the “IP address”.
2) The second difference is either sleight of hand or a deliberate mistake. In the section on the “Explanations of the Requirements” describing the changes to be made to the 1995 requirements it says that concerning access to “fixed and switch connections”:
“IP connections are not included” (ENFOPOL 98 REV 2)
In the new version it says:
“IP connections are not excluded” (ENFOPOL 19) (our emphasis)
Moreover, the first revision of ENFOPOL 98 (ENFOPOL 98 REV 1, dated 10 November 1998), not considered by the European Parliament, also says “not excluded”.
The general concerns over the contents of ENFOPOL 19 are:
- a) under the heading “Interception interface”, the inclusion of: “In newer technologies the interception interface may be a virtual interface within the network”. This would involve specialised software being installed at Internet Service Providers which would be remotely (“virtual”) controlled by the law enforcement agencies. The effect would be to automate the transmission of messages etc.
- b) many of the detailed requirements of the law enforcement agencies expressed through ILETS and the EU’s Police Cooperation Working Party present in ENFOPOL 98 – but not in ENFOPOL 19 which is limited to amending the 1995 “Requirements” – are likely to be placed in an operational manual which will not be subject to public debate or parliamentary scrutiny.
EP discusses the EU-FBI surveillance system
As noted above the European Parliament was “consulted” on the proposal in ENFOPOL 98 REV 2. This is the first opportunity that the European Parliament had to formally comment on the EU-FBI telecommunications surveillance system.
The main committee considering the Council proposal was the Civil Liberties and Internal Affairs Committee, and its report by Gerhard Schmid (PSE, Socialist group, rapporteur) “approves the Council proposal” and was adopted unanimously at its meeting on 20 April. It proposes minor amendments to the opening “Recitals” and suggests that the Council report back by July 2000 on how many EU states have effected the amended 1995 “Requirements” Resolution into national law.
The five-paragraph “Explanatory Statement” says that the “resolution is not binding” (which is correct) and that it is simply intended to make clear that the 1995 “Requirements” Resolution “apply to both existing and new communications technologies, e.g. satellite and Internet communications.” The report simply concludes that: “It does not, therefore, affect the tension between fundamental rights and internal security.” The “Opinion” of the Legal Affairs and Citizens’ Rights Committee, attached to the main report, was adopted on 25 March by 7 votes to 4. Its conclusion was that the Committee: “rejects the Council proposal.”
The report notes that the 1995 “Requirements” are not binding and that “national legislation applies”. It goes on to say: “The Registrar’s office of the European Court of Human Rights has told the rapporteur that the ECHR has not yet ruled on the violation of the secrecy of correspondence in respect of electronic mail.”
Neither report used the wealth of information now available on the EU-FBI surveillance system (which is not mentioned). The report was adopted at the European Parliament plenary session on Thursday 6 May.
In this context it should be observed: a) that most national legislation does not cover the interception of the Internet and e-mails nor satellite telecommunications, and that most EU countries are likely to have new measures before their parliaments over the next two years; b) that although the amended 1995 “Requirements” Resolution is not legally binding on EU member states, network operators and service providers will not be granted new/extended operating licences at national level unless they comply, due to international agreements reached in non-EU bodies – the STC, IUR and ILETS.
The “remote approach”
Alongside the plans on the EU-FBI telecommunications surveillance system within the EU are the parallel discussions taking place over the provisions on interception to be included in the draft Convention on Mutual Legal Assistance in criminal matters which will give EU states the legal powers to carry out cross-border interceptions.
Statewatch vol 8 no 5 reported how the EU was planning to take advantage of the offer by Iridium of “remote” access to telecommunications passing through its global network, which is: “from a technical point of view, a convenient option”. It transpires that it is also “convenient” from a legal/political point of view.
Two questions have been taxing the EU working parties: first, to what extent should the EU member state in which Iridium’s ground station is located – Italy – have any involvement or responsibility for “remote interception”, and second, should the draft Convention expressly provide for the “remote approach”. The answer to the second question is yes: provisions should cover the “remote approach”, both to cover Iridium and future network providers.
The first question divided the EU member states. 13 member states think the “remote approach” does not infringe the rights of the “host” member state. Italy, the “host”, takes a different point of view and Germany thinks the draft Convention should expressly refer to the “remote approach” being applied “for the purpose of criminal investigation”. The majority of EU member states take the view that the “host” state does not have a substantial role and it does not have legal responsibility for the interception of telecommunications made via the “ground station”.
The crux of the discussion is set out in a Note from the Italian delegation at the end of February. Two options were on the table. First, the “centralised” option, based on present practice, would involve each interception being authorised through “International Letters of Request”. For the “host”, Italy, this means single authorisations being granted by the Italian authorities “following Letters of Request from member states”. The “centralised” option meant pursuing the present system where each, single, interception has to be authorised by the competent authorities. This was seen as too slow and cumbersome, and it was “impossible” for the EU member states to reach agreement on a text. Instead they have opted for, in the words of the Italian delegation’s report, the “remote approach” which would mean:
“a single, general, “order”, given by Italy to its ground station to adjust its structures in order to allow the autonomous activation of interception by the national service providers and the automatic transmission thereto of the conversations intercepted.”
This “general” order granted to member states would cover both communications between satellite handsets (air/air), which the “ground station” would, in technical jargon, “hook into” then “duplicate”, and communications between satellite handsets and fixed terminals, or GSM, mobile phones (air/ground), when the “ground station” would simply “listen to.. the communication already in transit within its own structure.”
The Italian concerns are that the interception is on “Italian territory”, that the “remote approach” means limiting Italian sovereignty, and that by issuing a “single order” which will once and for all replace all single authorisations granted by the competent Italian authorities it will need to be given some “guarantees”. Under its constitution its President, the President of the Council of Ministers and members of the Italian parliament cannot be the “object of investigations” except under very specific conditions. As for “national security” there were responsibilities to parliament if part of its sovereignty were to be relinquished “without having guaranteed the fundamental interests of the State”. The response, two weeks later, of the majority group of 13 EU member states was not sympathetic:
“The member state hosting the ground station cannot export its constitutional principles to other member states.”
To which the Italian delegation responded by saying they should be entitled to make: “a declaration.. specifying certain limits for interception via the ground station by remote control which other member states must respect.”
The issues raised by Italy’s constitutional objections are wider than their position makes apparent. It is proposed to move from the current system, whereby every interception request to Italy from another EU member state requires a Letter of Request and an order from the Italian authorities, to a system in which, through one general order, automatic authorisation will be granted to all interceptions without any review as to their legitimacy or legality (either before or after the event) under Italian law. It is therefore possible that 14 EU member states will each be granted a single, general, order to use the “remote” interception facility made available by Iridium from Italy and that the same may happen with the Globalstar “ground station” located in France (which is going online soon).
Iridium sales failure
Iridium, of “Iridium is God manifesting himself through us” fame, lost $440 million in the last quarter of 1998. This follows substantial problems with the production of handsets and has led to a substantial shortfall in Iridium subscriptions. The company had expected to have 40,000 subscribers by the end of 1998, in the event they only had 3,000 and most of these were to the US government and military. Iridium hopes to have 500,000 plus subscribers by the end of 1999.
Figures like these go some way to explain why Iridium is so anxious to please EU member states by facilitating the interception of telecommunications from its ground station in Italy. Commentators say that Iridium has to make major inroads into the “wireless” market in the EU because the US is dominated by a solid single “wired” network created by AT&T. This may explain why it has met all the costs of ensuring that its Italian ground station can provide a “remote” interception service for law enforcement agencies.
STOA report
A special report just completed for the Science and Technology Options Assessment Panel of the European Parliament (STOA) by Duncan Campbell entitled: Interception capabilities 2000 observes that:
“It should be noted that technically, legally and organisationally, law enforcement requirements for communications interception differ fundamentally from communications intelligence [eg: ECHELON]. Law enforcement agencies (LEA) will normally wish to intercept a specific line or group of lines, and must normally justify their requests to a judicial or administrative authority before proceeding. In contrast, Comint [communications intelligence] agencies conduct broad international communications “trawling” activities, and operate under general warrants. Such operations do not require or even suppose that the parties they intercept are criminals. Such distinctions are vital to civil liberty, but risk being eroded if the boundaries between law enforcement and communications intelligence become blurred in future.”
The “law enforcement agencies” in the EU are to be issued with general warrants to intercept the new generation of satellite communications services offered by Iridium in Italy and Globalstar in France. In addition, the provisions of the amended 1995 “Requirements” Resolution, when combined with the EU legal framework in the draft Convention on Mutual Assistance in criminal matters, provide for real-time (as a communication is happening) interception which will require instantaneous authorisation by a police officer or official. Moreover, police analysis software, such as the Harlequin system, is already widely used in the EU to “map” a target’s business, political and friendship networks from data provided by telecommunications operators. The EU-FBI telecommunications surveillance system may not yet have the ability to “trawl” the ether but it will certainly be able to cast a very wide net.
Sources: Report on the draft Council Resolution on the lawful interception of telecommunications in relation to new technologies, Committee on Civil Liberties and Internal Affairs, Rapporteur: Gerhard Schmid, and Opinion from the Legal Affairs and Citizens’ Rights Committee, PE 229.986.fin, 20.4.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union – Interception of telecommunications, Presidency to COREPER/Council, ref: 11173/98, Limite, JUSTPEN 87, 15.9.98; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union – Interception of subjects on national territory using national service providers (“remote approach”), Presidency to Working Party on Mutual Assistance in Criminal Matters, ref: 7196/99, Limite, JUSTPEN 22, 7.4.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union – application of the remote approach regarding interception of satellite telecommunications, Italian delegation to Working Party on Mutual Assistance in Criminal Matters, ref: 6284/99, Limite, JUSTPEN 9, 25.2.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union – application of the remote approach regarding interception of satellite telecommunications, Working Party on Mutual Legal Assistance in Criminal Matters, ref: 6195/99, Limite, JUSTPEN 7, 19.2.99 and COREPER to Council, ref: 6195/1/99, Limite, JUSTPEN 7 REV 1, 9.3.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union, Working Party on Mutual Assistance in Criminal Matters to COREPER/COUNCIL, ref: 13144/98, Limite, JUSTPEN 108, 19.11.98; Interception of telecommunications – Draft Council Resolution on new technologies, Presidency to Police Cooperation Working Party, ref: 6715/99, Limite, ENFOPOL 19, 15.3.99; Interception of telecommunications – Council Draft Resolution in relation to new technologies, Presidency to Police Cooperation Working Party, ref: 10951/98, Limite, ENFOPOL 98, 3.9.98 and ref: 10951/1/98, Limite, ENFOPOL 98 REV 1, 10.11.98 and ref: 10951/2/98, Limite, ENFOPOL 98 REV 2, 3.12.98; PC Magazine, May 1999; Duncan Campbell, “Intercepting the Internet”, Guardian Online and on the telepolis site: http://www.heise.de/tp/english/special/enfo/6397/1.html; Interception Capabilities 2000, report by Duncan Campbell for the Science and Technology Options Assessment Panel of the European Parliament, 6.5.99.
EU-FBI telecommunications surveillance plan: Commission working party concerned
Statewatch bulletin vol 9 nos 3 & 4 (May-August 1999)
A report from the Data Protection Working Party for the Commission DG XV adopted on 3 May 1999 is critical of the privacy implications of the “Council Resolution of 17 January on the lawful interception of telecommunications” (the International User Requirements drawn up by the FBI and adopted by the EU, known as IUR 95). The Working Party is comprised of data protection experts; its chair, Peter Hustinx, is one of the Dutch members of the Schengen Joint Supervisory Authority.
Their report says that the data to be collected would cover both the “target persons and any persons with whom they enter into communication”. It expresses their concern at the “scope” of the measures envisaged and in particular with the “Memorandum of Understanding” to exchange data with non-EU states who “are not subject to the requirements of the European Convention on Human Rights and of Directives 95/46/EC and 97/66/EC.”
The Working Party thus “wishes to draw attention to the risks of abuse with regard to the objective of the tapping, risks which would be increased by an extension to a growing number of countries – some of which are outside the European Union – of the techniques for intercepting and deciphering telecommunications.”
Some of the provisions in IUR 95 would, they say, “conflict with more restrictive national regulations in certain countries in the European Union”. They give examples of access to data concerning calls and “forbidding operators from disclosing interceptions after the fact”. Moreover, when satellites or the Internet is used, it must not lead to “a lowering of the level of confidentiality and protection of the privacy of individuals.” The Working Party’s recommendations call for “national law to strictly specify”:
- “the prohibition of all large-scale exploratory or general surveillance of telecommunications.”
- “compliance with the principle of specificity, which is a corollary of forbidding all exploratory or general surveillance. Specifically, as far as traffic data are concerned, it implies that the public authorities may only have access to these data on a case-by-case basis, and never proactively and as a general rule.”
- “that a person under surveillance be informed of this as soon as possible.”
- “the recourse available to a person under surveillance”
- “the publication of the policies on the interception of telecommunications as they are actually practised, for example, in the form of regular statistical reports”
- “the specific conditions under which the data may be transmitted to third parties under bilateral or multilateral agreements”
The existing and planned UK law would fail on a number of these counts. Point 2 is directly contrary to what is being planned for the Iridium ground station in Italy where 12 EU member states are demanding Italy agree to general, unlimited and open-ended interception warrants. Point 6 taken together with the Working Party’s grave reservations about the transfer of data to and from non-EU states raises major questions about Europol’s planned agreements with third states and agencies within third states.
Their report is on:
http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp 18en.htm
EU-FBI plan adopted in Holland
Statewatch bulletin vol 9 nos 3 & 4 (May-August 1999)
The Dutch parliament, overruling objections from lawyers, employers and the telecommunications industry, has agreed that the Ministry of Justice should be authorised to tap into any form of communication, including internal company networks. Any new service offered must also be “tappable”. KPN, the major provider of telecommunications in the Netherlands, has estimated that the potential cost could be astronomical.
There is one exception to this measure. The internet will remain tap-free. However the service provider Xs4all is not impressed by the concession: “…it makes no practical difference whether we are included in this or not”, a spokesman pointed out. “Nobody, not even the government, knows how to tap the internet.”
Volkskrant 8.4.99
EU-FBI telecommunications surveillance plan: Secret services and G8 intervene
Statewatch bulletin vol 9 no 6 (November-December 1999)
The EU-FBI telecommunications surveillance plan has been held up since early summer over the revised set of “Requirements” to be laid on internet and service providers (ENFOPOL 19) and the draft Convention on Mutual Assistance in criminal matters – now held up for nearly two years due to the inclusion of provisions on interception and the inability of EU member states to reach agreement (see Statewatch vol 7 no 1, 4 & 5; vol 8 nos 5 & 6; vol 9 no 2).
The intervention of new players is partly responsible for the hold-up. First, the internal security services of EU member states have directly intervened because they considered that their “freedom” to conduct surveillance could be limited by the provisions in the draft Convention. The potential role of the internal security services (like MI5) cropped up earlier in the discussion over the provisions in the draft Convention because the UK is the only EU member state to formally give, by law, a role to MI5 to assist the police in their crime role. The other EU member states have no problems as they maintain the draft Convention only covers “crime” and policing – which has always begged the question: if this Convention is not to cover surveillance by internal security services, what does? The answer is nothing covers or limits or makes accountable their surveillance of telecommunications. The Justice and Home Affairs Council on 2 December agreed that, while the draft Convention places a general obligation on the “intercepting” member state to inform the member state in which the interception is carried out, this will only apply to “criminal” proceedings and investigations – and not to “interceptions undertaken for national security purposes”. The effect is that the surveillance of telecommunications by internal security agencies is left untouched by the draft Convention, while those agencies are allowed to take advantage of the access to telecommunications being opened by the “Requirements” to be laid on internet and service providers under the EU-FBI plan.
The EU-FBI telecommunications surveillance plan is intended to serve the “law enforcement community” as distinct from the “military-intelligence community” (which uses ECHELON). The latter covers intelligence agencies like NSA and the CIA in the US and MI6 (the overseas Secret Intelligence Service) in the UK. This leaves internal security agencies primarily dependent on the EU-FBI plan for their surveillance work. So, although EU member states have to at least create the appearance of control and accountability and even data protection for policing activities, these provisions could limit, or lead to the exposure of, internal security service surveillance. This is especially the case when the line between traditional “internal security” and “combatting crime” is increasingly blurred in fields like computer crime, environmental and political protests, and “illegal immigration”.
Secret groups
While the draft Convention on Mutual Assistance in criminal matters sets out powers of surveillance and interception within the EU the “Requirements”, which will also apply within the EU, are subject to international agreement through a series of hidden working parties.
These secret working groups include: i) the EU Police Cooperation Working Group (Telecommunications) and its Technical Questions Sub-Group; ii) IUR, the International Users Requirements group; iii) STC, Standards Technical Committee; and iv) ILETS, International Law Enforcement Telecommunications Seminar. ILETS is a key group comprising the Cold War UKUSA countries – the US, Canada, Australia, New Zealand and UK – plus Hong Kong and Norway and 14 EU member states (15 minus the UK which was a founding member). Aside from strictly technical questions, membership of these groups overlaps so that EU member representatives on the Police Cooperation Working Group may also be on ILETS. The drafts of the original IUR 95 “Requirements” adopted by the EU in January 1995 and the proposed revisions in 1998 (to include internet service providers and satellite phones) in ENFOPOL 98 (and its two revised versions) came from this group into the EU policymaking process.
The “Lyon Group”
While ILETS works on technical matters (and their policy implications) a much more high-powered driving force on the global interception of telecommunications is the “Lyon Group” and especially its “High-tech Crime Subgroup of G8 Senior Experts’ Group on Transnational Organised Crime.”
The G8 Senior Experts’ Group on Transnational Organised Crime came out of the G8 Prime Ministers meeting on 27 June 1996 in Lyon, France. The first “G” Prime Ministers’ Summit was held in Rambouillet, France in 1975 and comprised the US, France, UK, Germany, Italy and Japan. Canada joined in 1976 (making G7) and in 1977, at the London Summit, the European Community joined its membership. The European Community’s delegation is made up of an EU Presidency representative (currently Finland), the head of the European Commission (Romano Prodi, who previously attended as part of the Italian delegation) plus the Commissioner for external affairs (Chris Patten). Since 1994 Russia has attended its meetings, and it became a full member at the Birmingham Summit in 1998, making up G8.
All “Summit” meetings, such as EU Summits and G8 Summits try to sort out outstanding differences between members but the real work is done beforehand by officials and “experts” – and much of the latter’s work goes through “on the nod” into the final conclusions. G8 Summits (and other meetings) are prepared by high-ranking officials known as “sherpas” and “sous-sherpas”. National “sherpas” are each supported by two “sous sherpas” (one covering foreign affairs and finance, the other “political” matters including justice and home affairs).
Alongside G8 is “P8” (“Political 8”) which deals amongst other matters with terrorism, crime and illegal migration which since the Lyon decision has led to the creation of a series of other groups and meetings (such as the G8 Justice and Interior Ministers who last met in Moscow on 19-20 October 1999).
Sub-Group on High-Tec Crime
The “problems” for the G8/P8 states were broadly defined at the 1998 Birmingham Summit under the UK Presidency as:
“The main obstacle facing a G8 achievement of any goals set out in Birmingham appears to be the barrier of red tape obstructing law enforcement agencies from cooperating across national jurisdictions. The G8 will need to address the inconsistencies between justice systems from one member country to another if the problem of international crime is to be dealt with effectively.”
The key phrases here are “red tape” (procedures, control and accountability) and “inconsistencies between justice systems” (data protection and legal restrictions). In this context the Minutes of the G8 Subgroup on High-Tec Crime held in Paris on 18-21 May 1999 set out a whole agenda influencing the EU-FBI plan.
The first issue the Minutes cover is the “Preservation of Traffic data” covering “historical traffic data” and the “collection of future data”. The Minutes state that:
“Delegations agreed that privacy legislation (e.g. implementing the 1995 and 1997 EU Data Protection Directives), national laws implementing the Directives, and market forces are among the significant obstacles to law enforcement’s ability to obtain historical data for use in criminal investigations. (Disclosure of that traffic to foreign investigators is also complicated by these and other impediments). Privacy directives, to the extent they require the deletion of connection information, can effectively erase the trail of connections that might otherwise identify the source of criminal activity.”
It goes on to say that a further impediment is that “anonymous free Internet services.. contribute to the absence of useful traffic data.” Two solutions are suggested for this “problem”. The meeting of G8 Justice and Interior Ministers in Moscow on 19-20 October adopted “Principles on Transborder access to stored computer data” defined simply as covering “law enforcement agents employed by law enforcement agencies.. investigating criminal matters”. The “Principles” say “each State” will ensure that data is preserved, “particularly data held by third parties such as service providers” for the purpose of seeking:
“access, search, copying, seizure or disclosure, and ensure that preservation is possible even if necessary only to assist another State.”
The second “problem” with “historical data” is that there is no obligation for service and internet providers to keep data of their users’ messages etc. The 1997 EU Directive on Telecommunications Sector Data Protection allows service providers to keep traffic data for billing disputes but this is rarely used as users are not billed by individual connection. Some countries allow traffic data to be preserved to guard against subscriber fraud but the Minutes observe there are no provisions for “infrastructure protection” or “other suspected illegal activity”. The Sub-Group’s view is that G8 should prepare “G8 Recommendations on Data Preservation” and that at national level the EU Directive should “either mandate or allow ISPs to retain particularly critical categories of traffic data for minimum time periods.”
As to “future traffic data” (“real-time connection information”, as it is happening) a number of delegations reported that national laws “imposed heightened limitations” on the “ability of law enforcement” to obtain future traffic data and “share it with foreign law enforcement”. Several countries treated “future traffic data” as “interception” which “involves more stringent prerequisites and may only be available for certain offences”. Moreover, although national laws may permit the “capture of future traffic data for domestic purposes, its laws may not permit it to do so solely for the benefit of a foreign state”. The Sub-Group’s solutions to this “problem” include treating “future traffic data” on the same basis as “historical data” to avoid being defined as interception and amending Mutual Legal Assistance Agreements (MLAAs) and national laws to allow interception on behalf of foreign states and agencies.
It also suggests that “important investigative techniques” could be used: “for the benefit of a foreign government and in the absence of a criminal offence or serious criminal offence, in the conduit country”. This perhaps fits in with the “hypothetical intrusion exercise” the Sub-Group’s agencies are testing their investigative techniques on – this suggests an interventionist, pro-active approach which could “interfere” with telecommunications.
The “Principles on Transborder Access”, agreed in Moscow, also covered instances where there was a formal request for access to data (under MLAA’s) and “Transborder access to stored data not requiring legal assistance” – this latter aspect covers accessing “publicly available (open source) data” and: “accessing, searching, copying, or seizing data stored in a computer system located in another State, if acting in accordance with the lawful and voluntary consent of a person who has the lawful authority to disclose to it that data.” In effect, US or UK security agencies could gain access to data where authorised to do so by a US or UK multinational operating in the surveilled country.
The G8 states have set up a 24-hour “point-of-contact network” that also acts as a “warning system” which “could be used proactively”. All EU and Council of Europe states have been invited to join the network, with Spain and Denmark responding first.
EU problems
The Irish government has told the EU that it is currently unable to cooperate fully in assisting other states on the interception of telecommunications. Under present legislation “interception cannot be ordered to assist in the investigation of a criminal offence in a foreign jurisdiction.” If, however, a foreign law enforcement agency is “cooperating in a joint investigation” with the Garda Siochana then it is up to the GS Commissioner to decide whether to make an application for “interception authorisation”.
The EU Directive on Data Protection does not cover justice and home affairs issues and only recently have the Council (EU governments) been considering whether or not to include such provisions in a series of measures – some adopted, some planned such as Europol, the Customs Information System or Eurodac. One of the reports on this internal discussion says:
“if the objective of the Horizontal Working Party on Data Processing were primarily to look for “the lowest common denominator” in physical data protection under the Third Pillar, how would it be possible to disregard Council of Europe Convention No 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data?”
In its 31st report the UK’s House of Commons’ European Scrutiny Committee has said that it is: “somewhat surprised that the UK does not impose restrictions on the use of information it supplies to other EU member states”. This arose in reaction to the Home Office’s comments on a German proposal for data protection to be inserted in the draft Convention on Mutual Assistance in Criminal Matters. The proposal would allow intercepted data supplied to another state “not only to be used for the purpose for which it has been communicated but also for other purposes”, including unrelated criminal investigations and prosecutions. The Home Office comments:
“This proposal may be controversial since some Member States provide information on condition that it is used only for the purposes specified in the request, or for other purposes with the prior consent of the requested state. The UK does not impose this condition.”
The UK therefore supports the German proposal because “it would avoid the need for prior consent from the requested state before making use of information in other criminal investigations.”
ECHELON and Italy
On 3 March 1999, the Rome attorney’s office opened a preliminary investigation into ECHELON to find out whether this surveillance activity violates the Italian penal code. Stefano Rodota, the Italian ombudsman for the protection of personal data, welcomed the initiative because “it can contribute to offer public opinion with precise information to base its judgements on.” He added that research into the technical aspects of the ECHELON network is crucial in order to develop legal and technological measures which, he feels, must be established at a supranational level, due to ECHELON’s characteristics. He was critical of the refusal by countries involved in the ECHELON network to respond to allegations, in spite of an explicit request from the European Parliament. Rodota said it was not a simple question of national sovereignty: “through this surveillance, one effectively enters the physical borders of a country. What suffers is the freedom of every citizen, whose physical movements and communications are controlled, step after step.” Furthermore, he reasons, if it is used to discover commercial information, as has been alleged, such a network becomes invaluable.
“Echelon – Dichiarazione del Prof. Rodota all’Agenzia Agi su avvio indagine Procura di Roma”, 3.3.99.
ECHELON and Denmark
“We know that we don’t know anything apart from what has been reported in the press”. This is in essence the response of Danish ministers when asked about possible Danish involvement in the international surveillance system ECHELON. The latest attempt to get information about ECHELON was during a debate in the Danish Parliament on 9 December. Three Ministers – Justice, Defence and Research – were asked to answer the following question from the MPs, Mr Keld Albrechtsen (the Red-Green Alliance/Enhedslisten) and Mr Knud Erik Hansen (Peoples Socialist Party/SF): “What can the ministers say about the parliamentary control of ECHELON and other surveillance systems abroad and at home.. and what are Government intentions to strengthen parliamentary control?” The Minister of Defence, Mr Hans Haekkerup, said: “Neither the Ministry of Defence nor the military intelligence participates or contributes to ECHELON.” But during the debate he repeated what he had already said to the parliament’s Europe Committee in September: Denmark has established co-operation agreements with a number of countries leading to information being exchanged. The interception of communications by the military intelligence service is only related to Danish security interest abroad. But he also admitted that Denmark receives information from foreign intelligence services and that he did not know if it had been intercepted according to legal guarantees for the individual. The debate ended with a majority of the parties – “the unified listening parties” as they were called during the debate – in parliament rejecting the proposal from Enhedslisten and SF. The Danish debate about ECHELON has now been going on for nearly three years and took off again when British journalist Duncan Campbell spoke at a meeting in Copenhagen in September about the report “Interception Capabilities 2000”.
Sources: P8 – Senior Experts Group Recommendations: “To combat Transnational Organised Crime” (Paris, 12 April 1996); Summit Performance Assessments by Issue: G8 1998 Birmingham: Crime; Evaluation Report on Ireland on Mutual Legal Assistance and Urgent Requests, ref 9079/99, CRIMORG 70, 18.8.99; Protection of personal data in the Third Pillar of the European Union: Proposals on determining the remit of the Horizontal Working Party on Data Processing, ref 7718/99, JAI 36, 26.4.99; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union – data protection, from the German delegation, ref 11084/99, COPEN 37, 17.9.99; Select Committee on European Scrutiny, 31st report, 19.11.99.
EU-FBI telecommunications surveillance system: “Negative press” slows progress
Statewatch bulletin vol 10 no 2 (March-May 2000)
An interesting note has appeared which gives the European Commission’s report on a meeting of the EU Council of Ministers Police Cooperation Working Party in October 1999. There has been a bit of a mystery surrounding the progress of EU plans to adopt the amendments to the “Requirements” of the law enforcement agencies to intercept telecommunications (phonecalls, e-mails and faxes) (see Statewatch, vol 7 no 1, 4 & 5, vol 8 nos 5 & 6, vol 9 no 2 & 6). The “Requirements” to be laid on network and service providers to allow the interception of any communication were first adopted by the EU in January 1995. In 1998 it was proposed to amend these “Requirements” to deal with the internet and satellite telecommunications (in ENFOPOL 98). This EU report was, it was thought, almost finalised in a report dated 15 March 1999 (ENFOPOL 19 of 1999). However, since then this report has gathered dust.
The note, from Directorate B, Unit B/1 Police and Customs Cooperation of the Commission, on the Council’s Police Cooperation Working Party held on 13-14 October 1999, says that “progress in this matter is being very slow”. It says the Working Group had:
“In previous meetings.. discussed that it could be sensible to get some political support from upper instances in the Council for this matter to go forward…”
The main reason for the delay and the apparent lack of “political support” was:
“the negative press that this issue has received in the media..”
One idea considered to counter this was for the Council to put out a press release of its own but “several delegations.. [thought] this could provoke a chain reaction and further negative press in the media.”
Agreement “within a year”
The EU discussions on the associated development to the EU-FBI system, the draft Convention on Mutual Assistance in criminal matters, have taken another turn. The draft Convention includes provisions on the interception of telecommunications to give a legal basis for the imposition of the “Requirements”. On the table is a proposal from the European Commission which says that:
Within a year after signature of the Convention, but at the very latest by the entry into force of the Convention, Member States and telecommunications service providers concerned shall elaborate a secure system for submission of interception requests and for transmission of intercepted communications… Member States shall provide the satellite service providers granting direct access with the names of service providers on their territory designated to act as intermediary for the purpose of interception by direct access.
The Convention is expected to be signed on 29-30 May while the entry into force will take 2-3 years.
Iridium collapses
Iridium, the conglomerate which offered to provide “hands-free” access to the EU of all satellite telecommunications passing through its ground station in central Italy, has gone bust. A company executive described it as follows: “If you believe in god, Iridium is God manifesting himself through us” (see Statewatch, vol 8 no 5).
Sixty-six satellites and $5 billion had been spent by Iridium but only 55,000 customers had signed up. Started in the early nineties, the technology was overtaken by the growth of terrestrial GSM phones. The Guardian described the Iridium technology as “laughably old-fashioned”.
The EU Council of Ministers had welcomed the offer of Iridium to route all telecommunications without any checks as a “convenient” option. Now the Council will have to wait and see whether the other players still in the field like Globalstar, Teledisc, Skybridge and Spaceway will offer a similar deal.
Meeting Report Police Cooperation Working Group, 13-14 October, Directorate B, Unit B/1 Police and Customs Cooperation, Directorate-General Justice and Home Affairs, 18.10.99; Draft Convention on mutual assistance in criminal matters between Member States of the European Union, ref: 6836/00, COPEN 18, 10.3.00; Observer, 19.3.00; Guardian, 23.3.00.
EU-US: Telecommunications surveillance
US: “Carnivore” surveillance system challenged
The US group EPIC (Electronic Privacy Information Center) has lodged a lawsuit to get the FBI to reveal details of its new “Carnivore” telecommunications monitoring system – to be used by “black boxes” placed in service providers. “Carnivore”, developed in the FBI laboratories at its HQ in Quantico, Virginia, is apparently named thus because it finds the “meat” in vast quantities of data. It is apparently capable of scanning millions of e-mails each second and able to give the “law enforcement agencies” access to all of an ISP’s customers’ digital communications. Marc Rotenberg, of EPIC, said: “It goes to the heart of the Fourth Amendment and the federal wiretap statute that are going to be applied in the Internet age”.
“Carnivore” consists of a laptop computer, communications interface cards and software. It exploits the fact that virtually all internet communications are broken up into “packets”, or uniform chunks of data, for which FBI programmers devised a “packet sniffer”. The system is able either to download whole sets of traffic or to produce what is called in the US a “pen register” – a list of people/sites contacted or from whom information is received (an early version, called in the UK “telemetering”, was used by BT from the 1970s onwards).
It is interesting to note that the total number of telecommunications interception warrants issued in the US in 1998 was only 1,329 whereas in the UK it was 1,903 (excluding Northern Ireland).
Sources: EPIC Alert, 3.8.00; International Herald Tribune, 13 & 17.7.00; see also Statewatch News online for UK telephone tapping figures, on http://www.statewatch.org/news
EU: What happened to the ENFOPOL decision?
After the debate surrounding an EU document called “ENFOPOL 98” it was expected that the Justice and Home Affairs Council would adopt the streamlined version, ENFOPOL 19, dated 15.3.99 (see Statewatch, vol 7 no 1 & 4/5, vol 8 nos 5 & 6, vol 9 nos 2 & 6, vol 10 no 2). This would have extended the EU-FBI Requirements to cover the interception of the internet, e-mails and satellite phones. Instead, as reported in the last Statewatch, the “negative press” over interception meant there was little political will to adopt this update.
In the spring the EU’s Working Party on Police Cooperation decided that the issues previously discussed under “interception of communications” will now come under “advanced technologies”. One of the first documents to surface with the title “Advanced technologies: relations between the first and third pillars” came out on 12 July. This seemingly innocuous report is concerned with “the single market and the EU’s entry into the global Information Society”. It then says that experts in the first (economic) pillar and the third (police cooperation) pillar need to work together on criminal use of new technologies and the “emergence of cybercrime”. While the first pillar takes decisions on “technical and commercial” matters, the Working Party on Police Cooperation has:
“therefore defined the technical specifications intended to safeguard the possibility of lawful interception of such services”
The report suggests “an inter-pillar dialogue” now be established. This is all a polite way of saying that the EU-FBI “Requirements” have to be built into trade and commerce in the EU.
One of the issues which has apparently already been discussed is “the definition of the length of time data may be stored in the telecommunications sector”. This is a reference to the on-going debate between Data Protection authorities in the EU and the “law enforcement agencies”. Elizabeth France, the UK Data Protection Commissioner, said in her latest annual report that:
“The routine long-term preservation of data by ISPs [internet service providers] for law enforcement purposes would be disproportionate general surveillance of communications.”
The Spring 2000 Conference of European Data Protection Commissioners, 6-7 April, Stockholm, issued a declaration on the “Retention of Traffic Data by Internet Service Providers (ISPs)”. It noted with concern:
“proposals that ISPs should routinely retain traffic data beyond the requirements of billing purposes in order to permit possible access by law enforcement bodies.
The Conference emphasised that such retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights. Where traffic data are to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law.”
There is an on-going “debate” over the length of time ISPs should be required to keep data: the “law enforcement agencies” variously argue for 30 days, 90 days and some for much, much longer.
Sources: ENFOPOL 19, 6715/00, 15.3.99; ENFOPOL 150, 10571/1/94, REV 1 + REV 2 + REV 3 + REV 4, 17.1.95.
European Parliament: Inquiry into Echelon launched
The European Parliament has agreed to set up a temporary committee to investigate Echelon, a world-wide electronic surveillance network headed by GCHQ (UK) and the National Security Agency in the US. The Committee will meet over a year and has 36 members. The setting up of the Committee follows an initiative by the Green group of MEPs who obtained 172 MEPs’ signatures to get a vote on the issue at the parliament’s plenary session (when 210 MEPs voted in favour). The signatories wanted a full committee of inquiry with the power to call witnesses to testify and to get documents. The details of the committee’s work are on the following web pages:
Members of the committee: http://europarl.eu.int/tempcom/echelon/en/members.htm
The mandate for the committee: http://europarl.eu.int/tempcom/echelon/en/mandate.htm
Meetings of the committee: http://europarl.eu.int/tempcom/echelon/en/agenda.htm
STOA study on the development of surveillance technology: http://www.europarl.eu.int/dg4/stoa/en/public/pop-up.htm
Extensive background information on Echelon is on:
http://www.echelonwatch.org
Germany: demand for agreement on Echelon
The spokesman for the EU Committee of the lower house of the German parliament, Christian Sterzig (Die Grünen), supported by the coalition spokeswoman on human rights, Claudia Roth (Die Grünen), has called for a swift and consistent mutual agreement between the US and EU member states on the Echelon system. At a hearing of the EU Committee at the beginning of July, ministers concluded that the system is threatening civil liberties in Germany. In a report by Duncan Campbell for the European Parliament it became evident that Echelon, a world-wide interception system run by the US, the UK, Australia, New Zealand and Canada under the auspices of the US National Security Agency (NSA), not only intercepted firms’ business communications but also those of human rights organisations such as Amnesty International.
The Committee expressed concern that the NSA is running a station connected to the Echelon system in the Bavarian town of Bad Aiblingen. The German government has accepted reassurances by the US that their status as NATO partners would not allow them to carry out economic espionage against Germany. However, the data protection officer for the Land Brandenburg, Dr Alexander Dix, informed the parliamentary EU Committee that the status of NATO as a military force did not provide an adequate legal basis regulating surveillance via the Bad Aiblingen station. Echelon, he concluded, violated not only German but European Community law as well. Currently, a German governmental supervisory committee meeting in secret gets information on Echelon. Data protection officers and MPs concerned with civil liberties, however, are demanding an open parliamentary debate as well as a binding agreement prohibiting the interception of telecommunications through Echelon in EU member states.
European Union and the FBI launch global surveillance system
PO Box 1516, London N16 0EW, UK
tel: (00 44) 0181 802 1882 fax: (00 44) 0181 880 1727
Introduction
“The EU, in cooperation with the FBI of the USA, is launching a system of global surveillance of communications to combat “serious crime” and to protect “national security”, but to do this they are creating a system which can monitor everyone and everything. The EU will be able to trawl the airwaves for “subversive” thoughts and “dissident” views and, with its partners, across the globe.”
“It seems extraordinary given the concern over the Police Bill in the UK and the “Clipper chip” in the USA that there has been no debate over the creation of a global telephone tapping system initiated by the EU and the USA and supported by Canada, Australia, Norway and Hong Kong.”
“the UK Parliament, like many others in the EU, has been by-passed in the most blatant way. To claim as the Home Secretary does that the “Memorandum of Understanding” is “not a significant document” and to fail to send the main EU Council Resolution to parliament for scrutiny is quite extraordinary when the Police Bill – which extends police surveillance – is going through parliament.”
OVERVIEW
EU-FBI: global tapping system
The Council of the European Union and the FBI in Washington, USA have been cooperating for the past five years on a plan to introduce a global telecommunications tapping system.
The system takes advantage of the liberalisation of telecommunications – where private companies are taking over from national telephone systems – and the replacement of land/sea based lines and microwave towers by satellite communications.
Telephone lines are now partly land-based or under sea or via microwave land-based towers but the new generation of telecommunications will be totally satellite based.
The EU-FBI initiative notes the demise of:
1. state-owned telephone companies
2. nationally-based telephone systems
And is concerned about:
3. the problems faced with intercepting “mobile” phones and encrypted communications
And wants to ensure:
4. there is harmonisation of national laws on interception
5. telecommunications provider businesses cooperate with the police and internal security
6. the equipment produced has standards which can be intercepted
7. as many countries as possible sign up and thus create a de facto global system (through provisions of equipment etc to third countries)
A related disclosure in a book by Nicky Hager shows that instead of “suspects” and “targets” the ECHELON system simply trawls the airwaves for “subversive thoughts” in written form and increasingly in verbal form.
ECHELON is run under the 1948 UKUSA agreement by the US, UK, Canada, New Zealand and Australia.
REPORT
The Trevi decision
The first reference to this initiative was at a Trevi Ministers meeting in December 1991 which decided that:
“a study should be made of the effects of legal, technical and market developments within the telecommunications sector on the different interception possibilities and of what action should be taken to counter the problems that have become apparent”
At the meeting of Trevi Ministers in Copenhagen in June 1993 they agreed the text of a “questionnaire on phone tapping” which was sent to each Member State in July 1993 and to the new members (Finland, Sweden and Austria) in September 1993 (see below).
EU-FBI linkup
At the first meeting of the new Council of Justice and Home Affairs Ministers in Brussels on 29-30 November 1993 they adopted the following Resolution on “the interception of telecommunications” which speaks for itself and is reproduced here in full:
“COUNCIL RESOLUTION ON THE INTERCEPTION OF TELECOMMUNICATIONS
The Council:
1. calls upon the expert group to compare the requirements of the Member States of the Union with those of the FBI;
2. agrees that the requirements of the Member States of the Union will be conveyed to the third countries which attended the FBI meeting in Quantico and were mentioned in the memorandum approved by the Ministers at their meeting in Copenhagen (Sweden, Norway, Finland (countries applying for accession to the European Communities), the USA and Canada) in order to avoid a discussion based solely on the requirements of the FBI;
3. approves for practical reasons the extension to Hong Kong, Australia and New Zealand (which attended the FBI seminar) of the decision on co-operation with third countries which was taken at the Ministerial meeting in Copenhagen;
4. hereby decides that informal talks with the above-named countries may be envisaged: to that end the Presidency and the expert group might, for example, organize a meeting with those third countries to exchange information.”
Source: “Interception of communications”, report to COREPER, ENFOPOL 40, 10090/93, Confidential, Brussels, 16.11.93.
Main Resolution on the “lawful interception of communications”
The draft Resolution on the “lawful interception of communications”, an initiative by the Netherlands (which set out the “Requirements”, see below) was discussed in the K4 Committee in March, April, November and December 1994.
The JHA Council discussed the draft Resolution in March 1994 but it was only formally adopted by “written procedure” (by telexes to Member States dated 21.12.94, 9.1.95, and 18.1.95: source Council of the European Union; the last date is after the Resolution was agreed) on 17 January 1995. The decision was not published in any form for almost two years – on 4 November 1996 it finally appeared in the Official Journal.
The Resolution has three parts: First, the short Resolution which says:
“the legally authorised interception of telecommunications is an important tool for the protection of national interest, in particular national security and the investigation of serious crime.”
Second, the “REQUIREMENTS” which place a whole series of obligations on: network providers, eg: satellite communications networks; and on service providers, who provide the equipment for national telecom centres, business, groups and individuals. And finally, a Glossary of definitions.
The “Requirements” are based on the needs of “law enforcement agencies” (defined as “a service authorised by law to carry out telecommunications interceptions”) who “require access to the entire telecommunications transmitted.. by the interception subject” (defined as: “Person or persons identified in the lawful authorisation and whose incoming and outgoing communications are to be intercepted”) who is the subject of an “interception order” defined as: “An order placed on a network operator/service provider for assisting a law enforcement agency with a lawfully authorised telecommunications interception.”
The “law enforcement agencies” are required to be provided with access not just to the content of a communication, in whatever form, but also “associated data”, “post-connection” signals (eg: conference calling or call transfer), all numbers called, all numbers called by – in both cases even if a connection is not made – plus “realtime, fulltime monitoring capability”, the location of mobile subscribers, simultaneous and multiple interceptions “by more than one law enforcement agency”, and “roaming” by mobile phone users “outside their designated home serving area”.
The network operators and service providers are expected to provide “one or several” permanent “interfaces from which the intercepted communications can be transmitted to the law enforcement monitoring facility.” And, if they provide “encoding, compression or encryption” to the customer they must provide it en clair (decrypted) to the law enforcement agencies.
Finally, they are obliged to ensure that:
“neither the interception target nor any other authorised person is aware of any changes made to fulfil the interception order… [and] to protect information on which and how many interceptions are being or have been performed, and not to disclose information on how interceptions are carried out.”
Source: “Memorandum of Understanding concerning the lawful interception of telecommunications”, ENFOPOL 112, 10037/95, Limite, Brussels, 25.11.95; this report contains the “Memorandum” with the Resolution adopted on 17 January 1965 attached. The Resolution was published in the Official Journal on 4.11.96, ref: C 329 pages 1-6.
Memorandum of Understanding on the Legal Interception of Telecommunications
The “Memorandum of understanding with third countries” (later described as the “Memorandum of Understanding on the Legal Interception of Telecommunications”) was discussed at the K4 Committee in November 1994.
The significance of the “Memorandum” is that it extends the agreement on the surveillance of telecommunications to non-EU countries who are being invited to adopt it – and with it the “Requirements”.
The Memorandum of Understanding was signed by the 15 EU Member States on 23 November 1995 at the meeting of the Council of Justice and Home Affairs Ministers.
The contact addresses for signatory countries and for further information, which confirm the EU-USA link, are:
“a) Director Federal Bureau of Investigation,
Attention: Information Resource Division,
10 Pennsylvania Avenue, N.W.,
Washington D.C. 20535
b) General Secretary of the Council of the European Union,
FAO The President,
Rue de la Loi 175,
B-1048 Brussels,
Belgium.”
The number of signatories to the “Memorandum” is open-ended: any country can join provided the existing member states agree.
It invites “participants” because “the possibilities for intercepting telecommunications are becoming increasingly threatened” and there is a need to introduce “international interception standards” and “norms for the telecommunications industry for carrying out interception orders” in order to “fight.. organised crime and for the protection of national security.”
The strategy appears to be to first get the “Western world” (EU, US plus allies) to agree “norms” and “procedures” and then to sell these products to Third World countries – who, even if they do not agree to “interception orders”, will find their telecommunications monitored by ECHELON (see below) the minute they hit the airwaves.
Source: “Memorandum of Understanding concerning the lawful interception of telecommunications”, ENFOPOL 112, 10037/95, Limite, Brussels, 25.11.95.
“not a significant document” – the Home Secretary
The Chair of the Select Committee on the European Communities in the House of Lords, Lord Tordoff, took up the “Memorandum” with the Home Secretary, Michael Howard, in an exchange of letters on the Committee’s access to documents for scrutiny.
On the subject of the “Memorandum of Understanding on the Legal Interception of Telecommunications” Mr Howard told Lord Tordoff:
“The Memorandum of Understanding is a set of practical guidelines to third countries on the lawful interception of telecommunications. It is not a significant document and does not, therefore, appear to meet the criteria for Parliamentary scrutiny of Title VI documents.”
It is quite clear from this Briefing that the “Memorandum” is not an insignificant document, concerning, as it does, an EU-US plan for global telecommunications surveillance.
The “Memorandum” itself is just two pages. It is the full text of the “Resolution” attached to it which demonstrates its full meaning.
However, not only did Mr Howard not think the “Memorandum” was “a significant document”, he apparently also believes the attached Resolution to be insignificant, as he did not submit it to the House of Lords Committee for scrutiny prior to its adoption in January 1995 or thereafter.
Source: Correspondence with Ministers, 9th Session 1995-96, HL 74, pages 26-29.
Letter to international standards bodies
In December 1995 COREPER agreed a letter to be sent out to “international standardisation bodies in the field of telecommunications” (IEC, ISO and ITU). The letter said:
“Modern telecommunications systems present the risk of not permitting the lawful interception of telecommunications if they have not been adapted, at the standardisation and design stage, to allow such interception.”
These bodies are “invited” to take account of the requirements of the Council Resolution of 17 January 1995 and told that Member States would be applying “these requirements to network operators and providers of services”.
The December 1995 letter to international standards bodies and the publication of the main Resolution in November 1996 in the Official Journal announced to manufacturers of equipment and service providers that they will be expected to meet the “Requirements” allowing surveillance for any new contracts within the EU and, via the “Memorandum”, that these standards would also apply to any countries signing up to it – for example, the USA.
Source: “Draft letter to be sent to the international standardisation bodies concerning the Council Resolution of 17 January 1995 on the lawful interception of communications”, Council General Secretariat to COREPER/COUNCIL, ENFOPOL 166, 12798/95, Limite, 14.12.95.
Letter to non EU countries
At its meeting on 28-29 November 1996 the Council of Justice and Home Affairs Ministers agreed a “draft letter” prepared by the K4 Committee to “non EU participants in the informal international Law Enforcement Telecommunications Seminar”.
“The letter.. informs you of the wider international support for the “Requirements” annexed to the Council Resolution.
The Council considers that the lawful monitoring of telecommunications systems is an important tool in the prevention and detection of serious crimes and in safeguarding national security. Mindful of new technological developments in the field of telecommunications, the Council adopted the Resolution of 17 January, 1996 laying down technical Requirements, for the lawful interception of telecommunications. The Member States of the European Union have been called upon to apply those Requirements to telecommunications operators and service providers…
The “Requirements” have been discussed by interception experts from EU Member States with colleagues from other countries which are equally concerned to ensure that adequate technical provision is made for legally authorized interception in modern telecommunications technologies. Arising from those discussions which have taken place during a seminar, the Council of the European Union has received expressions of support for the Requirements from Australia, Canada, Norway and the United States of America. In particular, the relevant authorities in those countries have undertaken to (i) have the Requirements taken into account in their appropriate national policies and (ii) use the Requirements as a basis for discussions with the telecommunications industry, standards bodies and telecommunications operators…
You are invited to take note of this letter for the purpose of your further discussions with the telecommunications industry standards bodies and telecommunications operators.
The President, for the Council of the European Union.”
Source: “Draft letter to non EU participants in the informal international Law Enforcement Telecommunications Seminar regarding the Council Resolution”, ENFOPOL 180, 11282/96, Limite 6.11.96.
Behind the scenes
Behind the formal decisions and letters the various Working Parties under the K4 Committee were at work on the details.
In January 1995 the Police Cooperation Working Group, which comes under the K4 Committee, considered a report by the UK delegation on the problems presented by the next generation of satellite-based telecommunications systems which should be able to:
““tag” each individual subscriber in view of a possibly necessary surveillance activity.”
The report said that the new mobile individual communications working through satellites were already underway and unlike the current earth-bound systems based on GSM-technology would “in many cases operate from outside the national territory”.
The rationale for the plan was that these new systems:
“will provide unique possibilities for organised crime and will lead to new threats to national security”.
The report said all the new systems have to have the capability to place all individuals under surveillance – the product of “tagging” individual phone lines could therefore easily be extended to political activists, “suspected” illegal migrants and others.
The fact that the new systems were being developed by large private international corporations, not national state-run systems, created “unusual problems for the legally permitted surveillance of telecommunications”. The first problem to surface, according to the report, was that:
“initial contacts with various consortia… has met with the most diverse reactions, ranging from great willingness to cooperate on the one hand, to an almost total refusal even to discuss the question.”
It goes on to say:
“it is very urgent for governments and/or legislative institutions to make the new consortia aware of their duties. The government will also have to create new regulations for international cooperation so that the necessary surveillance will be able to operate.”
Another “problem” for surveillance under the new systems is that satellites will communicate with earth-bound stations which will function as distribution points for a number of adjoining countries – there will not be a distribution point in every country. While the existing “methods of legally permitted surveillance of immobile and mobile telecommunications have hitherto depended on national infrastructures” (italics added), the:
“providers of these new systems do not come under the legal guidelines used hitherto for a legal surveillance of telecommunications.”
The report says it would be difficult to monitor the “upward and downward connections to the distribution point” so the “tag” would start the surveillance at “the first earthbound distribution point”.
Due to the number of different countries that might be involved in making a connection it has been agreed that the following “relevant data” should be provided: “the number of the subscriber calling, the number of the subscriber being called, the numbers of all subscribers called thereafter”. The report uses the example of a subscriber who is a national of country A, with a telephone subscription in country B (supplying the relevant data for the “tag”), who occasionally uses the system in country C which uses the distribution point in country D (which conducts the surveillance) and who is in contact with a person in country E concerning a suspected serious crime in country F.
The report concludes with a series of recommendations including amendments to national laws to “ensure that surveillance will be possible within the new systems” and that “all those who are involved in planning the new systems” should be made aware of “the demands of legally permitted surveillance”.
A later report from the same Working Party, in June 1995, concludes:
“These new telecommunications systems have much in common with existing mobile phone systems… [and] will very quickly develop into a global problem, which looks like it can only be controlled by global cooperation of a hitherto unknown degree.”
Sources: “Legally permitted surveillance of telecommunications systems provided from a point outside the national territory”, report from the UK delegation to the Working Group on Police Cooperation, ENFOPOL 1, 4118/95, Restricted, 9.1.95; Report from the Presidency to the Working Group on Police Cooperation, ENFOPOL 1, 4118/2/95 REV 2, Limite, 2.6.95.
Questionnaire on “national law regarding phone tapping”
In November 1995 while the EU Ministers were signing the “Memorandum of Understanding” for non-EU countries a Working Party under the K4 Committee was considering a report from the Spanish delegation on national laws within the EU on phone tapping surveillance.
The 1995 report opens with the cynical observation:
“As it was foreseeable, all states which have answered the questionnaire guarantee the confidentiality of private communications either by their constitution or their Basic Law, or both, in accordance with Article 8 of the European Convention on Human Rights.”
However, it goes on to observe, and assume, “under certain conditions the interception of telecommunications” is allowed.
The report says the country surveys showed – and this is of crucial importance regarding surveillance by ECHELON (see below) – that:
“At the moment there does not seem to be a legal problem for interception that depends on the kind of device used for the transmission of voice, text, data or images”
This is a reference to forms of “written” communications or “images” sent by e-mail, fax, and telex.
It summarises the legal positions as: the following countries “can simply” make changes in the penal procedure: Germany, Austria, Denmark, Luxembourg, Spain and Portugal, while Belgium, France, the UK, Ireland, Greece, Norway and Sweden require new legislation, with a combination of both in Italy.
Discussions had taken place, the report says, on the “great advantages” the police have if: “they can keep people under surveillance on the grounds of suspicion of criminal activity”. Some countries require objective evidence of an offence before surveillance can start but in Austria a request for a phone tap “leads automatically to an investigation being opened”.
Another problem addressed was the right of individuals to be informed about phone tapping (Article 6.3 in relation to Article 8 of the ECHR):
“Obviously such information prejudices the result of the police investigation. Therefore, each country has to arrange for a procedure to legally delay notification.”
The report recommends the Danish system where a lawyer is appointed by the Justice Ministry who represents the interests of the person to be placed under surveillance at a private hearing but is not allowed to tell the person concerned.
The survey found that the maximum duration of authorisation varied from 2 weeks to 4 months.
The report concludes that phone tapping “is justified by a serious offence” where “a punishment of imprisonment of one year or more” is available to fight “organised crime”. Yet again the justification for combating “organised crime” is so widely drawn – sentences of just one year or more – that the purpose of surveillance has to be fundamentally questioned.
Source: “Report on the national laws regarding the questionnaires on phone tapping”, Report from the Spanish Presidency to the Working Group on Police Cooperation, ENFOPOL 15, 4354/2/95 REV 2, Restricted, 13.11.95.
Who is going to pay for it?
One issue on which the reports from the K4 Committee are silent is who is to pay the costs for the special facilities needed under the “Requirements” of law enforcement agencies – network and service providers or the governments?
However, a report produced by the German government says that the costs are going to be astronomical. It estimates that to set up surveillance of mobile phones alone will cost 4 billion D-Marks.
Source: draft report, dated 5 May 1995, from the German government on the “problems and solutions regarding the surveillance of telecommunications”.
The “ECHELON” connection
“ECHELON” is a world-wide surveillance system designed and coordinated by the US NSA (National Security Agency) that intercepts e-mail, fax, telex and international telephone communications carried via satellites and has been operating since the early 1980s – it is part of the post Cold War developments based on the UKUSA agreement signed between the UK, USA, Canada, Australia and New Zealand in 1948.
The five agencies involved are: the US National Security Agency (NSA), the Government Communications Security Bureau (GCSB) in New Zealand, Government Communications Headquarters (GCHQ) in the UK, the Communications Security Establishment (CSE) in Canada and the Defence Signals Directorate (DSD) in Australia.
The system has been exposed by Nicky Hager in his 1996 book, Secret Power: New Zealand’s role in the International Spy Network. He interviewed more than 50 people who work or have worked in intelligence who are concerned at the uses of ECHELON.
“The ECHELON system is not designed to eavesdrop on a particular individual’s e-mail or fax link. Rather, the system works by indiscriminately intercepting very large quantities of communications and using computers to identify and extract messages from the mass of unwanted ones.”
There are three components to ECHELON:
1) The monitoring of Intelsats, international telecommunications satellites used by phone companies in most countries. A key ECHELON station is at Morwenstow in Cornwall monitoring Europe, the Atlantic and the Indian Ocean.
2) ECHELON interception of non-Intelsat regional communication satellites. Key monitoring stations are Menwith Hill in Yorkshire and Bad Aibling in Germany.
3) The final element of the ECHELON system is the surveillance of land-based or under-sea systems which use cables or microwave tower networks.
At present it is thought ECHELON’s effort is primarily directed at the “written form” (e-mails, faxes, and telexes) but new satellite telephone systems which take over from old land-based ones will be as vulnerable as the “written word”.
Each of the five centres supplies “Dictionaries” to the other four of keywords, phrases, people and places to “tag” and the tagged intercept is forwarded straight to the requesting country.
It is the interface of the ECHELON system and its potential development on phone calls combined with the standardisation of “tappable” telecommunications centres and equipment being sponsored by the EU and the USA which presents a truly global threat over which there are no legal or democratic controls.
Source: “Exposing the global surveillance system”, Nicky Hager. CovertAction Quarterly, Winter 1996-97, pages 11-17.
CHRONOLOGY
December 1991
A meeting of the Trevi Ministers decides a study should be carried out on the new telecommunications systems and “the different interception possibilities”.
29-30 November 1993
The first meeting of the new, post-Maastricht, Council of Justice and Home Affairs Ministers, meeting in Brussels, adopts a Resolution calling on experts to compare the needs of the EU “with those of the FBI”.
March, April, November and December 1994
The K4 Committee discusses the draft Resolution on the lawful interception of telecommunications and the “Requirements” to be placed on network and service providers.
March 1994
The Council of Justice and Home Affairs Ministers discuss the draft Resolution.
November 1994
The K4 Committee discusses the draft “Memorandum of Understanding with third countries”.
9 January 1995
The Working Group on Police Cooperation, under the K4 Committee, considers a report on the need to “tag” all communications.
17 January 1995
The Resolution is adopted by “written procedure”. It is not published in any form until 4 November 1996 when it appears in the Official Journal.
13 November 1995
The Working Group on Police Cooperation considers a report on the situation in each EU state on telephone tapping.
23 November 1995
The Council of Justice and Home Affairs Ministers agree the “Memorandum of Understanding”. It is not published in any form.
December 1995
COREPER agree the text of a letter to be sent to international standards bodies attaching the Resolution.
7 May 1996
Michael Howard, the Home Secretary, tells the Chair of the Select Committee on the European Communities in the House of Lords that the “Memorandum of Understanding on the legal interception of communications” is “not a significant document”.
28 November 1996
The Council of Justice and Home Affairs Ministers agree the text of a letter to be sent out to other potential “participants” (countries) in the “Memorandum of Understanding”.
Council of Justice and Home Affairs Ministers
Set up under Title VI, Article K, of the Maastricht Treaty. First met on 29 November 1993 when it took over from the Trevi Group and the Ad Hoc Group on Immigration.
K4 Committee
Also set up under the Maastricht Treaty to coordinate the work on the “third pillar” – policing, immigration and asylum, and legal cooperation. Is comprised of senior officials from Interior Ministries and prepares reports to go to the Council.
Under the K4 Committee there are three Steering Groups covering policing and customs, immigration and asylum, and legal cooperation (civil and criminal) to which a series of Working Groups report.
COREPER
The Committee of Permanent Representatives from each EU state based in Brussels.