20 July 2023
Law enforcement officials are meeting today and tomorrow in Logroño, Spain, to discuss "access to electronic communications and digital data as a premise for law enforcement." The Spanish Council Presidency published a discussion paper prior to the meeting, but a document obtained by Statewatch offers far more information on current plans.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
A document (pdf) produced by law enforcement and security agencies in Sweden, other EU member states, Australia and "North America" and circulated in the Council of the EU in February sets out police demands for access to data in the modern telecommunications environment, under the title of LEON (Law Enforcement Operational Needs).
The plans are a reincarnation of a similar process that took place three decades ago:
"In 1993, representatives from various Law Enforcement Agencies (LEAs) in Europe, North America and Australia met to consider the impact on Lawful Interception (LI) of developments taking place in the communications industry... At the request of the communications industry, consideration was given to the development of a draft set of common requirements that could be considered by manufacturers in the development of new communications systems."
This led to the drafting of "International User Requirements" in 1994, which were adopted as EU law, as part of some national laws, were "brought in to the European standards body (ETSI) and the 3rd Generation Partnership Project (3GPP) to ensure LI by design," and were subsequently "recognised" by the USA, Canada and Australia, says the Swedish paper. Statewatch reported extensively on that process.
Repeating the process
Through the LEON initiative, the intention is to repeat this process for the contemporary telecommunications environment. It "applies to all communication services, independent of the network or platform they operate on and also independent of the type of access (e.g. mobile, wireless or fixed)" and covers "communication services used today and those that may be used in the future."
As the document notes: "The SoI [subject of interest] may even be a vehicle or smart device authorised for lawful access." Depending on the scope of the eventual "user requirements," this could encompass televisions, fridges, watches, speakers, toys or any other device or entity connected to telecommunications networks.
"A forum for developing technical solutions to meet the law enforcement operational needs could preferably be in the open international standardisation bodies such as ETSI and 3GPP," says the paper.
Access and privacy
The document calls for "efforts" to be made "to ensure it is well understood by the industry and the public that the goals of ensuring lawful access by design and privacy by design are requirements that can be applied in common and can complement each other" (emphasis added).
When it comes to seeking to bypass or undermine end-to-end encryption, technical experts have repeatedly pointed out that this is not the case. As a recent letter to the UK government highlighted: "It is not possible to create a backdoor that only works for “good people” and that cannot be exploited by “bad people”."
The authors of the LEON paper do not appear to have taken this point on board. "LEON 5" deals with "Access to Encrypted Services", stating:
"Law enforcement agencies require communication service providers to deliver lawfully accessed communications that are intelligible for law enforcement agencies notwithstanding that there are encrypted services offered (for example en clair)."
The paper lists 15 "LEONs" in total, including for communications content, metadata, location data, subscriber data, and broader issues such as service providers being able to provide live information on a subject of interest's location to the police.
Spanish Presidency paper
Meanwhile, in Logroño, during an informal meeting of the Justice and Home Affairs Council, officials will be discussing data retention (pdf). Two questions are posed to delegations: the first one whether they agree there is a need for a new EU-wide legal regime on telecoms data retention; the second, on:
"...the general need to engage with industry and, in particular, to encourage cooperation and joint work with industry to promote not only privacy by design, but also the development of capabilities to enable legal access to information, where necessary for law enforcement purposes."
The Swedish Presidency of the Council proposed to create a High-Level Expert group on data retention to strike a new "balance" between the right to privacy and the right to security, according to two documents published by Statewatch. Member state feedback has been enthusiastic. The aim is to change the rhetoric on surveillance to facilitate the adoption of new rules. The expert group format of discussion and the participation of civil society are still to be decided, with the Commission and the Council likely to co-chair.
The minutes of the recent EU-US Senior Officials Meeting on Justice and Home Affairs, held in Stockholm on 16 and 17 March, demonstrate cooperation on a vast range of topics - including a "proof of concept" of the "Enhanced Border Security Partnership" involving the transatlantic sharing of biometric data, the need to "reinforce law enforcement’s legitimacy to investigate" in debates around breaking telecoms encryption, and US "concerns on radicalisation among police forces."
The growing number of EU digital policies should “benefit” justice and home affairs actors whilst “addressing and minimizing the associated risks,” the Swedish Presidency of the Council argues in a recent discussion paper. The Council’s internal security committee, COSI, should continue to “monitor and discuss” relevant legal proposals to create “a positive narrative… on the justice and internal security needs related to technological development and digitalization,” says the document.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.