INTERCEPTION CAPABILITIES 2000: THE ABOLITION OF PRIVACY?
On Friday 7 May the European Parliament accepted the Lawful Interception of Communications Council Resolution on new technologies. The resolution is the culmination of efforts begun in the early 90's, when the JHA Council tasked the ENFOPOL working group under the JHA Council's K.4 Committee with drawing up policy outlines with the aim of assuring the transparency of communications for national security and law enforcement purposes. The effect of the resolution upon both communications service providers, and users, is substantive. Concurrently, the Scientific and Technical Options Assessment Unit of the European Parliament (STOA) released an April report on the history, scope, manner, politics, and technical aspects and capabilities of Communications Intelligence (Comint) - Interception Capabilities 2000 (IC2000). The report ends its analysis with a call for open debate on the EU adoption of communication interception policy.
Heralding the Enfopol resolution, a December 3rd Reuters dispatch had noted that the EU is, "quietly getting ready to approve legislation that will allow police to eavesdrop...without obtaining court authorization."
Significant in the impact of the Enfopol policy is the manner in which it will amplify the effect of previous measures such as the planned Convention on Mutual Assistance in Criminal Matters (CMACM).
Enfopol - An overview
With the acceptance of Enfopol, the EP has given police and security services the authorisation to implement the steps necessary to intercept any form of telecommunication. This would include satellite based communications, mobile phone services, data (clear or encrypted), e-mail, the new Iridium telecommunications system, as well as the more standardized telecommunications services. Additionally, complete access to the customer records of service providers is required, with these providers also being required to provide both the necessary interfaces and dedicated phone lines for use in "real-time" interceptions (by multiple agencies) and records access...and, at the service provider's expense. Further, the geographic location of targeted mobile communications is also required. Effectively then, through Enfopol, there will exist a virtually seamless interception net around all communications.
Over the last twenty years, law enforcement and national security agencies have been facing increasing technological challenges in their efforts at communications interception. The formation of the EU, and the development of these new technologies, have meant that cross border considerations must also be addressed in the execution of successful communications interception. However, questions have repeatedly arisen from legislators, industry groups, and public interest organisations as to the necessary scope of such operations, their legitimacy, as well as the preservation of the right to privacy as it is presently known.
In a Reuters report, Marc Rotenberg, Director of the Electronic Privacy Information Center, noted that, "This is a US export...". Paradoxically, only last September the EP had energetically advocated implementing restrictions upon Echelon - the US National Security Agency's clandestine communications interception network.
The Beginning
Starting in 1990, the US government became concerned about the possibility that its Comint could be compromised by the availability of a "secure telephone system". Within a few years, these concerns had fathered a US initiative whose stated aim was assuring the "transparency" of communications for national security and law enforcement purposes. The initiatives pursued included the incorporation of transparency into the design and production of communications hardware and software, as well as focussing on the necessary changes in communications related law that would meet the stated national security and law enforcement requirements.
An excerpt from Interception Capabilities 2000 (IC 2000) notes: "Since 1993, unknown to European parliamentary bodies and their electors, law enforcement officials from many EU countries and most of the UKUSA nations have been meeting annually in a separate forum to discuss their requirements for intercepting communications. These officials met under the auspices of a hitherto unknown organisation, ILETS (International Law Enforcement Telecommunications Seminar). ILETS was initiated and founded by the FBI." The extent to which this group affects EU policy is shown, for example, by this statement: "Following the second ILETS meeting in Bonn, IUR (International User Requirements) 1.0 was presented to the Council of Ministers (JHA) and was passed without a single word being altered on 17 January 1995 (IC2000 excerpt)." Further, it is also noted that the Resolution was not published in the Official Journal until 4 November 1996, almost two years later.
Simultaneous with the initiation of ILETS' activities, the Belgian presidency of the EU Council of JHA Ministers in 1993 mentioned the interception of communications in its program of priority action. As put forward in the draft proposal, it was stated that, "the Member States of the Union value the legally authorized interception of communications for the protection of national interests, in particular in relation to national security and the investigation of serious and organised crime" (see CL No.24, p.6).
Dovetailing with this, November 1993 saw the creation of a Draft Convention on the European Information System (EIS: the system that is to replace the Schengen Information System).
In the present context, Article 8 of the EIS is particularly noteworthy in that it provides for, "the admissibility of 'covert surveillance' of any person [including EU nationals] not only for the purpose of crime repression but also for the 'prevention of threats to public security'. So, on receiving a request from the authorities responsible for State security, the EIS may also be used for the covert surveillance of people, "if and when concrete indications allow the supposition that the information...is necessary for the prevention of a serious threat emanating from the subject or other threats to the internal or external security of the State" (Article 99.3 of the Schengen Convention provides for the use of the SIS for the same purposes).
More recently, the EU draft Convention on Mutual Assistance in Criminal Matters (CMACM), established the need for an effective mechanism whereby "competent authorities" in an EU Member State "may make a (binding) request for (telecommunications) interception and immediate direct transmission to a "competent authority" in another (requested) Member State". The rules are worded so as to enable the communications interception, without interruption, in the whole territory of the EU, even of persons quickly moving between different Member States and using any type of fixed or mobile telecommunications devices and structures. (see FECL No.54: "Naples II and Mutual Assistance in Criminal Matters: the making of a legal labyrinth").
Controversy Surrounding the Acceptance of Enfopol
On 20 April the EP's Committee on Civil Liberties and Internal Affairs (CCLIA) voted to "throw out" the Enfopol measure which Britain's Daily Telegraph noted as being, "developed in secret by EU justice ministers". The Telegraph goes on to note that, in combination with the (CMACM), the measure provides, "national governments wide-ranging powers to intercept communications without a court order, in order to combat 'serious crime'"; however, "serious crime" remains undefined in the draft. Linx, a British Internet service providers' association warned against a "gross invasion of privacy", and their chairman, Keith Mitchell, added, "The problem is it's a bunch of law-enforcement people who have cooked this up in a vacuum without public consultation".
In a further statement regarding the nature of Enfopol's parliamentary passage, the draft initiative first came to public awareness only in late November after being leaked to Telepolis , a German Internet publication. In a 30 November report by Armin Medosch, Telepolis highlighted both the effort to minimize the public's awareness of Enfopol, as well as the publication's belief that, "politicians and civil servants are making top-down decisions, far away from the public".
Enfopol, Comint, and the question of intelligence gathering vs law enforcement communications surveillance
Without question, there is a genuine and pressing need for mechanisms which would allow for the legitimate clandestine surveillance of communications by law enforcement personnel. Further, such clandestine communications interception is again also vital for national security agencies; however, as national security groups operate outside of the EU's traditional legal framework, the issue for them is primarily one of access, rather than law enforcement's need for both access to communications, as well as the legal authorization necessary for the utilisation of this access. However, unlike law enforcement agencies, national security groups are not restricted from investigating individuals not suspected of criminal activity; thereby causing concern as regards the potential for abuse inherent in their activities.
As an example of such abuses, British courts authorise 8000 eavesdropping operations per year. The US National Security Agency (NSA), at the request of the British authorities, intercepts the communications of another 40,000 people on UK territory - without any involvement of a court but in full compliance with British law (see CL No.50, p.7).
As a corollary to this, published reports suggest Enfopol would provide a mechanism whereby Europe could intercept the communications of American citizens in a like manner.
Of concern, recent developments in security services have led to a blurring of the lines between law enforcement and national security agencies. National security agencies, such as Germany's foreign intelligence service BND and America's NSA, are equipped with sophisticated electronic and computerised equipment permitting the almost unlimited interception and analysis of international (including wireless) telecommunications (see CL No.28, p.1). The "collection of economic intelligence and information about scientific and technical developments has been an increasingly important aspect of Comint. More recent targets include narcotics trafficking, money laundering, terrorism and organised crime" (IC2000). Further, collection of Comint by governments on "political opposition figures" is also cited.
However, according to IC2000, over the last decade "law enforcement" has repeatedly been used as a smokescreen for advancing the intelligence gathering interests of national security agencies. In an IC2000 example of one such incident, in September 1996, David Herson, head of the EU Senior Officers Group on Information Security, noted that, "'Law Enforcement' is a protective shield for all the other governmental activities...".
IC2000 was published a month before the European Parliament backed the Enfopol resolution, and states, "It should be noted that technically, legally and organisationally, law enforcement requirements for communications interception differ fundamentally from communications intelligence. Law enforcement agencies (LEAs) will normally wish to intercept a specific line or group of lines, and must normally justify their requests to a judicial or administrative body before proceeding. In contrast, Comint agencies conduct broad international communication 'trawling' activities, and operate under general warrants. Such operations do not require or even suppose that the parties they intercept are criminals. Such distinctions are vital to civil liberty, but risk being eroded if the boundaries between law enforcement and communications intelligence interception becomes blurred in the future... A clear boundary between law enforcement and 'national security' interception is essential to the protection of human rights and fundamental freedoms."
On Germany's position
As early as 4 May 1995 Germany had introduced an ordinance providing the legal structures for communication interception similar to those authorized by Enfopol (Austria passed a similar measure as well).
The Fernmeldüberwachungs-Verordnung (FÜV) was undertaken upon the privatisation of Germany's State owned telecom company, Deutsche Telekom AG. It provided that state licensing of a private telecom provider would only be undertaken with the provider's submission of specifications to provide telecommunications interception to the German security forces. The ordinance's requirements demanded that such specifications must include a "line of high quality for each person under surveillance - and one for every service [security agency that targeted an individual]". Further, the measure provided for limited access to customer information, rough geographic locale of mobile users, and knowledge of any data services utilised in order to better provide security service subject "profiles".
Subsequent to the implementation of these measures, the then German Justice Minister, Sabine Leutheusser-Schnarrenberger, vowed to bring regulations within the EU up to the standard established by the FÜV. It is interesting that, in proportion to population, surveillance measures are ten times more frequent in Germany than the USA (see CL No.36, p.4).
By June 1996, a draft German "Telecommunications Law" was seeking to further increase access for security services, demanding that "competent authorities" have full on-line access to complete service provider customer information in a way that "retrievals can not be recognised by the provider". Further, the draft demanded that the providers guarantee at least three lines per customer - one for customer use, one for the security services to utilize in customer data retrieval, and at least one for call interception by the security services. And, the costs for the necessary hardware and software entailed in these demands were to be paid for by the service providers (see CL No.44, p.7).
In both Germany and Austria, while the public remained largely uninterested, provisions of the measures were diluted after public outcries by service providers, well fuelled by the substantial financial costs these measures entailed for them. When we consider the pursuit of these new laws, however, according to published reports, the similarity between these measures and EU Enfopol policies is suggestive of a common sponsorship for the proposals, as well as an effort by influential members of European law enforcement to create an integrated, Europe-wide telecommunications surveillance environment.
However, preceding the first German measure, on 21 September 1994 the Bundestag adopted a new law on the fight against crime. Under the new legislation, the German foreign secret service, BND, could now communicate information on certain forms of serious crime, such as terrorism, and arms and drug trafficking, to the prosecuting authorities. Further, the BND could additionally hand out only fact-related and object-related and not person-related intelligence to the police (see CL No.28, p.1).
Building upon such measures, a "Memorandum of Understanding" on telecommunications interception was quietly signed at the EU JHA Council's meeting of 23 November 1995 (see CL No 44, p.5). The document emphasises the need for global cooperation in this area to combat crime and maintain national security. The signatory States (including Norway as well) agreed to promote "international surveillance requirements" through: influencing national policy concepts; providing communications industry guidelines on the development, manufacture, and configuration of communications equipment and services; the development of communications industry norms for the execution of communications interception orders; and through assuring that new technical developments and norms do not jeopardise interception.
Global Surveillance, Secret Agreements, and ECHELON
The Memorandum of Understanding MOU is stated to have been born out of concerns for the coming generation of satellite communications. These networks will not require exchanges in every country, and that could entail a lack of interception capabilities should an exchange be located in a "non-cooperative" nation. This was noted in a confidential report from the Enfopol sub-group of the K4-Committee from 5 May 1995. The report then goes on to stress a number of operational and technical, as well as legal and political measures, much on the lines of the German draft Telecommunication Law.
However, while an EU initiative, non-EU States were invited to sign the MOU, and speculation as to the full nature of the agreement outlined in the MOU, as well as how it would be utilized, were raised in conjunction with a refusal by the USA, Canada, Australia, and Hong Kong to sign the agreement ... despite the information such an arrangement offered, and the unilateral European offer of it. Further, fuelling such speculation, the FBI was a party to the MOU's creation, and its Washington Headquarters was listed as one of two addresses for signatory States to contact regarding the MOU. IC2000, and an earlier EP report, served to provide one possible explanation - the Echelon system.
In a 1997 EP report entitled An Appraisal Of Technologies Of Political Control (AATPC [PE 166 499]), the existence of a world wide clandestine Comint processing network called Echelon was revealed. The "highly automated" system (in existence for over 20 years) provides an extremely comprehensive net for all types of global communications, and is run by the UKUSA alliance, formed through a secret 1947 agreement between the US and UK, and including Canada, Australia, and New Zealand as "Second Parties". The five nations all share in the Comint the system garners, with the US being the "senior partner", and the remaining States "very much acting as subordinate information servicers."
This agreement was not publicly acknowledged until March 1999, when the Australian government stated its Comint organisation "does cooperate with counterpart signals intelligence organisations overseas under the UKUSA relationship." Further, on 23 May 1999 Australia also became the first country to publically acknowledge the existence of the Echelon system, doing so out of a stated concern to allay citizen apprehension regarding domestic spying, and in response to international concern regarding the pursuit of economic intelligence.
As an example of Echelon's capabilities, according to AATPC, within Europe, "all email, telephone and fax communications are routinely intercepted by the US National Security Agency, transferring all target information from the European mainland via the strategic hub of London then by satellite to Fort Meade in Maryland via the crucial hub at Menwith Hill in the North York Moors of the UK." The system utilizes reception stations worldwide, including: Sugar Grove, West Virginia and Yakima, Washington in the US; Waihopai, New Zealand; Geraldton, Australia; Hong Kong; Leitrim, Canada; and Morwenstow, UK.
The system operates by intercepting available communications and using "artificial intelligence aids like Memex to find key words". This is achieved through the utilization of "Dictionary" computers, and as IC2000 notes, Echelon "secretly intercepts every single telex which passes into, out of or through London; thousands of diplomatic, business and personal messages every day. These are fed into a programme known as 'Dictionary'. It picks out keywords from the mass of Sigint (Signals Intelligence), and hunts out hundreds of individuals and corporations." IC2000 indicates that Echelon has grown substantively over the last decade, with some installations more than doubling in size since 1990.
However, while there is considerable Comint targeted against criminal and national security threats, political and economic intelligence are priorities as well. Particularly disturbing is the London Observer interview cited by the AATPC with "highly placed intelligence operatives" who noted that they "feel we can no longer remain silent regarding that which we regard to be gross malpractice and negligence within the establishment in which we operate." Elaborating on this, AATPC cites their reporting of groups such as Amnesty International and Christian Aid as targets of communications interception.
However, striking to the heart of the Enfopol question, AATPC cites a February 1997 report that "the EU had secretly agreed to set up an international telephone tapping network via a secret network of committees established under the 'third pillar' of the Mastricht Treaty covering co-operation on law and order. Key points of the plan are outlined in a memorandum of understanding signed by EU states in 1995 (ENFOPOL 112 10037/95 25.10.95) which remains classified." Further, it goes on to note that while "official reports say the EU governments agreed to co-operate closely with Washington...earlier minutes of these meetings suggest that the original initiative came from Washington."
Addressing the possible future implications of joint EU/UKUSA communications interception, Britain's Daily Telegraph predicted: "In time the two technical systems - one designed for national security and the other for law enforcement - will merge, and in the process finally eliminate national control over surveillance activities."
Sources: Techweb News 13.5.99; Reuters, 3.12.98, 5.7.99; Daily Telegraph, 22.4.99, 10.6.99; Telepolis, 30.11.98 (www.heise.de/tp); Interception Capabilities 2000, Report to the Director General for Research of the European Parliament (by Duncan Campbell) , April 1999; An Appraisal Of Technologies Of Political Control, Report to the Director General for Research of the EP (by Steve Wright), 6 January 1998; CL Nos. 54, 50, 44, 36, 28, 24.