Record:

TITLE:

EU-FBI: Interventions by the EU's..
artdoc December=2001

Statewatch bulletin vol 9 no 6 (November-December 1999)

Interventions by the EU's internal security services and a G8
Sub-group on surveillance and data protection

The EU-FBI telecommunications surveillance plan has been held up
since early summer over the revised set of "Requirements" to be
laid on internet and service providers (ENFOPOL 19) and the draft
Convention on Mutual Assistance in criminal matters - now held
up for nearly two years due to the inclusion of provisions on
interception and the inability of EU member states to reach
agreement (see Statewatch vol 7 no 1, 4 & 5; vol 8 nos 5 & 6; vol
9 no 2).
  The intervention of new players is partly responsible for the
hold-up. First, the internal security services of EU member
states have directly intervened because they considered the
restrictions of their "freedom" to conduct surveillance could be
limited by the draft provisions in the draft Convention. The
potential role of the internal security services (like MI5)
cropped up earlier in the discussion over the provisions in the
draft Convention because the UK is the only EU member state to
formally give, by law, a role to MI5 to assist the police in
their crime role. The other EU member states have no problems as
they maintain the draft Convention only covers "crime" and
policing - which has always begged the question that if this
Convention is not to cover surveillance by internal security
services what does? The answer is nothing covers or limits or
makes accountable their surveillance of telecommunications.   
The Justice and Home Affairs Council on 2 December agreed that
the draft Convention, while placing a general obligation on the
"intercepting" member state to inform the member state in which
the interception is carried out, this will only apply to
"criminal" proceedings and investigations - and not to
"interceptions undertaken for national security purposes".    The
effect is that the surveillance of telecommunications by internal
security agencies is left untouched by the draft Convention but
allows them to take advantage of access to telecommunications
being OPENed by the "Requirements" to be laid on internet and
service providers under the EU-FBI plan.
   The EU-FBI telecommunications surveillance plan is intended
to serve the "law enforcement community" as distinct from the
"military-intelligence community" (which uses ECHELON). The
latter covers intelligences agencies like NSA and the CIA in the
US and MI6 (the overseas Secret Intelligence Service) in the UK.
This leave internal security agencies primarily dependent on the
EU-FBI plan for its surveillance work. So, although EU member
states have to at least create the appearance of control and
accountability and even data protection for policing activities
these provisions could limit, or lead to the exposure of,
internal security service surveillance. This is especially the
case when the line between traditional "internal security" and
"combatting crime" is increasingly blurred in fields like
computer crime, environmental and political protests, and
"illegal immigration".

Secret groups

While the draft Convention on Mutual Assistance in criminal
matters sets out powers of surveillance and interception within
the EU the "Requirements", which will also apply within the EU,
are subject to international agreement through a series of hidden
working parties. 
  These secret working groups include: i) the EU Police
Cooperation Working Group (Telecommunications) and its Technical
Questions Sub-Group; ii) IUR, the International Users
Requirements group; iii) STC, Standards Technical Committee; and
ILETS, International Law Enforcement Telecommunications Seminar. 
ILETS is a key group comprising the Cold War UKUSA countries -the
US, Canada, Australia, New Zealand and UK - plus Hong Kong and
Norway and 14 EU member states (15 minus the UK which was a
founding member). Aside from strictly technical questions
membership of these groups overlap so that EU member
representatives on the Police Cooperation Working Group may also
be on ILETS. The drafts of the original IUR 95 "Requirements"
adopted by the EU in January 1995 and the proposed revisions in
1998 (to include internet service providers and satellite phones)
in ENFOPOL 98 (and its two revised versions) came from this group
into the EU policymaking process.

The "Lyon Group"

While ILETS works on technical matters (and their policy
implications) a much more high-powered driving force on the
global interception of telecommunications is the "Lyon Group" and
especially its "High-tech Crime Subgroup of G8 Senior Experts'
Group on Transnational Organised Crime."
    The G8 Senior Experts' Group on Transnational Organised Crime
came out of the G8 Prime Ministers meeting on 27 June 1996 in
Lyon, France. The first "G" Prime Ministers' Summit was held in
Rambouillet, France in 1975 comprised of US, France, UK, Germany,
Italy and Japan. Canada joined in 1976 (making G7) and in 1977,
at the London Summit, the European Community joined its
membership. The European Community's delegation is made up of a
EU Presidency representative (currently Finland), the head of the
European Commission (Romano Prodi, who previously attended as
part of the Italian delegation) plus the Commissioner for
external affairs (Chris Patten). Since 1994 Russia attended its
meetings and became a full member at the Birmingham Summit in
1998, making up G8.
   All "Summit" meetings, such as EU Summits and G8 Summits try
to sort out outstanding differences between members but the real
work is done beforehand by officials and "experts" - and much of
the latter's work goes through "on the nod" into the final
conclusions. G8 Summits (and other meetings) are prepared by
high-ranking officials known as "sherpas" and "sous-sherpas".
National "sherpas" are each supported by two "sous sherpas" (one
covering foreign affairs and finance, the other "political"
matters including justice and home affairs).
   Alongside G8 is "P8" ("Political 8") which deals amongst other
matters with terrorism, crime and illegal migration which since
the Lyon decision has led to the creation of a series of other
groups and meetings (such as the G8 Justice and Interior
Ministers who last met in Moscow on 19-20 October 1999).  

Sub-Group on High-Tec Crime

The "problems" for the G8/P8 states were broadly defined at the
1998 Birmingham Summit under the UK Presidency as:

"The main obstacle facing a G8 achievement of any goals set out
in Birmingham appears to be the barrier of red tape obstructing
law enforcement agencies from cooperating across national
jurisdictions. The G8 will need to address the inconsistencies
between justice systems from one member country to another if the
problem of international crime is to be dealt with effectively."

The key phrases here are "red tape" (procedures, control and
accountability) and "inconsistencies between justice systems"
(data protection and legal restrictions). In this context the
Minutes of the G8 Subgroup on High-Tec Crime held in Paris on
18-21 May 1999 sets out a whole agenda influencing the EU-FBI
plan.
   The first issue the Minutes cover is the "Preservation of
Traffic data" covering "historical traffic data" and the
"collection of future data". The Minutes state that:

"Delegations agreed that privacy legislation (e.g. implementing
the 1995 and 1997 EU Data Protection Directives), national laws
implementing the Directives, and market forces are among the
significant obstacles to law enforcement's ability to obtain
historical data for use in criminal investigations. (Disclosure
of that traffic to foreign investigators is also complicated by
these and other impediments). Privacy directives, to the extent
they require the deletion of connection information, can
effectively erase the trail of connections that might otherwise
identify the SOURCE of criminal activity."

It goes say that a further impediment is "anonymous free Internet
services.. contribute to the absence of useful traffic data."  
Two solutions are suggested for this "problem". The meeting of
G8 Justice and Interior Ministers in Moscow on 19-20 October
adopted "Principles on Transborder access to stored computer
data" defined simply as covering "law enforcement agents employed
by law enforcement agencies.. investigating criminal matters".
The "Principles" say "each State" will ensure that data is
preserved, "particularly data held by third parties such as
service providers" for the purpose of seeking:

"access, search, copying, seizure or disclosure, and ensure that
preservation is possible even if necessary only to assist another
State."

The second "problem" with "historical data" is that there is no
obligation for service and internet providers to keep data of
their users messages etc. The 1997 EU Directive on
Telecommunications Sector Data Protection allows service
providers to keep traffic data for billing disputes but this is
rarely used as users are not billed by individual connection.
Some countries allow traffic data to be preserved to guard
against subscriber fraud but the Minutes observe there are no
provisions for "infrastructure protection" or "other suspected
illegal activity". The Sub-Group's view is that G8 should prepare
"G8 Recommendations on Data Preservation" and that at national
level the EU Directive should "either mandate or allow ISPs to
retain particularly critical categories of traffic data for
minimum time periods."
   As to "future traffic data" ("real-time connection
information", as it is happening) a number of delegations
reported that national laws "imposed heightened limitations" on
the "ability of law enforcement" to obtain future traffic data
and "share it with foreign law enforcement". Several countries
treated "future traffic data" as "interception" which "involves
more stringent prerequisites and may only be available for
certain offences". Moreover, although national laws may permit
the "capture of future traffic data for domestic purposes, its
laws may not permit it to do so solely for the benefit of a
foreign state". The Sub-Groups solutions to this "problem"
include treating "future traffic data" on the same basis as
"historical data" to avoid being defined as interception and
amending Mutual Legal Assistance Agreements (MLAA's) and national
laws to allow interception on behalf of foreign states and
agencies.
  It also suggests that "important investigative techniques"
could be used: "for the benefit of a foreign  government and in
the absence of a criminal offence or serious criminal offence,
in the conduit country". This perhaps fits in with the
"hypothetical intrusion exercise" the Sub-Groups agencies are
testing their investigative techniques on - this suggests an
interventionist, pro-active approach which could "interfere" with
telecommunications.
  The "Principles on Transborder Access", agreed in Moscow, also
covered instances where there was a formal request for access to
data (under MLAA's) and "Transborder access to stored data not
requiring legal assistance" - this latter aspect covers
accessing "publicly available (OPEN SOURCE) data" and:
"accessing, searching, copying, or seizing data stored in a
computer system located in another State, if acting in 
accordance with the lawful and voluntary consent of a person who
has the lawful authority to disclose to it that data." In effect,
US or UK security agencies could gain access to data where
authorised to do so by a US or UK multinational operating in the
surveilled country.  
  The G8 states have set up a 24-hour "point-of-contact network"
that also acts as a "warning system" which "could be used
proactively". All EU and Council of Europe states have been
invited to join the network, with Spain and Denmark responding
first.

EU problems

The Irish government has told the EU that it is currently unable
to cooperate fully in assisting other states on the interception
of telecommunications. Under present legislation "interception
cannot be ordered to assist in the investigation of a criminal
offence in a foreign jurisdiction." If, however, a foreign law
enforcement agency is "cooperating in a joint investigation" with
the Garda Siochana then it is up to the GS Commissioner to decide
whether to make an application for "interception
authorisation".
  The EU Directive on Data Protection does not cover justice and
home affairs issues and only recently have the Council (EU
governments) been considering whether or not to include such
provisions in a series of measures - some adopted, some planned
such as Europol, the Customs Information System or Eurodac. One
of the reports on this internal discussion says:

"if the objective of the Horizontal Working Party on Data
Processing were primarily to look for "the lowest common
denominator" in physical data protection under the Third Pillar,
how would it be possible to disregard Council of Europe 
Convention No 108 of 28 January 1981 for the Protection of
Individuals with regard to Automatic Processing of Personal
Data?"".

In its 31st report the UK's House of Commons' European Scrutiny
Committee has said that it is: "somewhat surprised that the UK
does not impose restrictions on the use of information it
supplies to other EU member states". This arose in reaction to
the Home Office's comments on a German proposal for data
protection to be inserted in the draft Convention on Mutual
Assistance in Criminal Matters. The proposal would allow
intercepted data supplied to another state "not only to be used
for the purpose for which it has been communicated but also for
other purposes", including unrelated criminal investigations and
prosecutions. The Home Office comments:

"This proposal may be controversial since some Member States
provide information on condition that it is used only for the
purposes specified in the request, or for other purposes with the
prior consent of the requested state. The UK does not impose this
condition."

The UK therefore supports the German proposal because "it would
avoid the need for prior consent from the requested state before
making use of information in other criminal investigations."

ECHELON and Italy

On 3 March 1999, the Rome attorney's office OPENed a preliminary
investigation into ECHELON to find out whether this surveillance
activity violates the Italian penal code. Stefano Rodota, the
Italian ombudsman for the protection of personal data, welcomed
the initiative because "it can contribute to offer public opinion
with precise information to base its judgements on." He added
that research into the technical aspects of the ECHELON network
is crucial in order to develop legal and technological measures
which, he feels, must be established at a supranational level,
due to ECHELON's characteristics. He was critical of the refusal
by countries involved in the ECHELON network to respond to
allegations, in spite of an explicit request from the European
Parliament. Rodota said it was not a simple question of national
sovereignty "through this surveillance, one effectively enters
the physical borders of a country. What suffers is the freedom
of every citizen, whose physical movements and communications are
controlled, step after step." Furthermore, he reasons, if it is
used to discover commercial information, as has been alleged,
such a network becomes invaluable.

"Echelon - Dichiarazione del Prof. Rodota all'Agenzia Agi su
avvio indagine Procura di Roma", 3.3.99.

ECHELON and Denmark

"We know that we don't know anything apart from what has been
reported in the press". This is in essence the response of Danish
ministers when asked about possible Danish involvement in the in
international surveillance system ECHELON. The latest attempt to
get information about ECHELON was during a debate in the Danish
Parliament 9 December. Three Ministers - Justice, Defence and
research - were asked to answer the following question from the
MP's, Mr Keld Albrechtsen (the Red-Green Alliance/Enhedslisten)
and Mr Knud Erik Hansen (Peoples
Socialist Party/SF): "What can the ministers say about the
parliamentary control of ECHELON and other surveillance systems
abroad and at home.. and what are Government intentions to
strengthen parliamentary control?" The Minister of Defence, Mr
Hans Haekkerup, said: "Neither the Ministry of Defence nor the
military intelligence participates or contributes to ECHELON. But
during the debate he repeated what he had already said to the
parliament's Europe Committee in September: Denmark has
established co-operation agreements with a number of countries
leading to information being exchanged. The interception of
communications by the military intelligence service is only
related to Danish security interest abroad. But he also admitted
that Denmark receives information's from foreign intelligence
services and that he did not know if they had been intercepted
according to legal guarantees for the individual. The debate
ended with a majority of the parties -"the unified listening
parties" as they were called during the debate - in parliament
rejecting the proposal from Enhedslisten and SF. The Danish
debate about ECHELON has now been going on for nearly three years
and took off again when British journalist Duncan Campbell spoke
at a meeting in COPENhagen in September about the report
"Interception Capabilities 2000".

SOURCEs: P8 - Senior Experts Group Recommendations: "To combat
Transnational Organised Crime" (Paris, 12 April 1996); Summit
Performance Assessments by Issue: G8 1998 Birmingham: Crime;
Evaluation Report on Ireland on Mutual Legal Assistance and
Urgent Requests, ref 9079/99, CRIMORG 70, 18.8.99; Protection of
personal data in the Third Pillar of the European Union:
Proposals on determining the remit of the Horizontal Working
Party on Data Processing, ref 7718/99, JAI 36, 26.4.99; Draft
Convention on Mutual Assistance in Criminal Matters between the
Member States of the European Union - data protection, from the
German delegation, ref 11084/99, COPEN 37, 17.9.99; Select
Committee on European Scrutiny, 31st report, 19.11.99.