EU & FBI launch global telecommunications surveillance system: "not a significant document" - UK Home Secretary
A special report by Statewatch published at the end of February detailed plans for a joint plan drawn up by the Council of the European Union and the US Federal Bureau of Investigations (FBI) to introduce a global system for the surveillance of telecommunications - phone calls, e-mails and faxes. Further investigations have revealed that:
a. The decision to go ahead was never discussed by the Council of Justice and Home Affairs Ministers - it was simply agreed by "written procedure" through an exchange of telexes between the 15 EU governments.
b. The "Requirements" to be placed on network and service providers by the European Union to enable the surveillance of communications adopted on 17 January 1995 - and not made public until November 1996 - is based on the "Requirements" drawn up by the FBI in 1992 (and revised in 1994).
The first attempt by the FBI in the United States to get through a new law to allow for the surveillance of all telecommunications was withdrawn from the Congress in June 1991. In March 1992 a redrafted proposal, the Digital Telephony Bill, was sent to the Congress but after major opposition by civil liberties groups it was quietly withdrawn in the autumn of 1992 just before the Presidential election which saw Clinton returned to the White House.
Part of the FBI's campaign for these new powers included its report, "Law Enforcement REQUIREMENTS for the surveillance of electronic communications" (emphasis in original) put out in June 1992. During 1993 the FBI arranged a meeting in Quantico, USA attended by EU representatives plus Canada, Sweden, Norway, Finland, Hong Kong, Australia, New Zealand and the USA. In March 1994 the FBI released a new draft proposal ironically renamed: "The Digital Telephony and Privacy Improvement Act". An updated version of the "REQUIREMENTS" were issued by the FBI in June 1994. By early August 1994 the FBI proposal, to be renamed again as "The Communications Assistance for Law Enforcement Act", was formally introduced and on 25 October 1994 President Clinton signed it into law - which placed on the statute book identical powers to those adopted by the EU in January 1995.
EU slow to catch up
It was not until June 1993 that the EU Trevi Ministers, meeting for the last time in Copenhagen, addressed the subject seriously. They agreed the text of a "questionnaire on phone tapping" to be sent to each Member State in July 1993 and to the new members (Finland, Sweden and Austria) in September 1993. The issue was also raised at the "Friends of Trevi" meeting in Copenhagen attended by Deputy Attorney General Philip Heymann from the USA. However, this EU report was not completed until November 1995. When the new Council of Justice and Home Affairs Ministers held its first meeting in November 1993 in Brussels the Resolution they adopted on "The Interception of Communications" clearly expressed their concern:
"The Council: 1. calls upon the expert group to compare the requirements of the Member States of the Union with those of the FBI. 2. agrees the requirements of the Member States of the Union will be conveyed to the third countries which attended the FBI meeting at its headquarters in Quantico in order to avoid a discussion based solely on the requirements of the FBI."
On 3 March 1994 the K4 Committee, followed by COREPER (the committee of Permanent Representatives of the 15 EU governments) on 10 March 1994, agreed a draft Recommendation calling for a study "to be made of the different technical PSCS-interception possibilities (PSCS, Personal Satellite Communications Services)". In the event the Council of Justice and Home Affairs Ministers on 23 March 1994 discussed, but did not adopt, the Recommendation (not to be confused with the later "Resolution"). On 14-15 April it was back on the agenda of the K4 Committee and on COREPER's on 27 April 1994 which cleared "the text of a confidential letter to be sent by the President of the JHA Council to the President of the Telecommunications Council." In simple terms this meant, as Greece then held the EU Presidency, one Greek Minister sending a "confidential" letter to another Greek Minister in their respective roles as "Presidents" of two different Councils of Ministers.
What had been clear for some time was now transparent. For more than five years it had been clear to the US government and the EU governments that the combination of new satellite-based telecommunications and, for the Europeans, the privatisation of state-owned telephone companies, combined with the explosion in the use of mobile phones and the impending launch of e-mail via the Internet presented a new challenge for interception by the "law enforcement agencies". The Council of Justice and Home Affairs Ministers did not consider the issue again.
This was despite the decision of the K4 Committee on 19-20 December 1994 that:
"The Committee agreed to suggest to Coreper and the Council that the above draft Resolution ("Draft Council Resolution on the lawful interception of telecommunications") be adopted as an "A" item." [An "A" item is adopted without debate in the Council of Ministers]
The next day, 21 December 1994 a decision was taken, under the German Presidency, not to wait for the next Council meeting in March 1995 but to adopted the "Resolution" setting out the "Requirements" by "written procedure". The "written procedure" process of decision making meant that the draft Resolution was sent out by telex from Brussels to each Member State. On 9 January a further telex attached two statements by Denmark and France for agreement, and a final telex with a statement by the Netherlands was telexed out on 18 January - the day after the official adoption of the measure on 17 January 1995.
No publicity was given to this decision at the time. On 9 July 1996 the K4 Committee's Police Cooperation Working Party proposed that the Resolution should be published in the Official Journal of the European Communities which it was in November 1996. This is the same Working Party which had reported in June 1995 that the new system should be able to:
""tag" each individual subscriber in view of a possibly necessary surveillance activity."
and that a major problem was that:
"initial contacts with various consortia... has met with the most diverse reactions, ranging from great willingness to cooperate on the one hand, to an almost total refusal even to discuss the question... it is very urgent for governments and/or legislative institutions to make the new consortia aware of their duties. The government will also have to create new regulations for international cooperation so that the necessary surveillance will be able to operate." [emphasis added]
By the summer of 1996 the EU was beginning to catch up with the US. The European Telecommunications Standards Institute (ETSI) prepared the first of several drafts of a document entitled, "Requirements for Trusted Third Party Services" at its meeting on 15-16 July 1996. At the November 1996 meeting of the Council of Justice and Home Affairs Ministers a text was agreed to send out to the equivalent international standards bodies with the Resolution detailing the "Requirements", the IEC, ISO and ITU, informing them that EU Member States would be applying "these requirements to network operators and providers of services." If the significance, and global implications, of this new system was in any doubt Version 4 of the "Requirements for Trusted Third Party Services" prepared by ESTI, dated 25 November 1996 dispelled it:
"There is a need to facilitate the growing importance and development of electronic commerce, the European Information Infrastructure (EII) and the Global Information Infrastructure (GII) by the introduction of suitable measures to safeguard the integrity and confidentiality of electronic information."
And on "Lawful Interception":
"Lawful interception of telecommunications traffic is commonly recognized as an important instrument to fight crime and to assure national security. Law Enforcement Agencies (LEAs) have the need to intercept incoming and outgoing telecommunications traffic, which is transported via telecommunications networks, without knowledge of eg: the interception subjects and the foreign country or countries involved".
To complete the strategy and ensure global compliance to the new, "tappable", telecommunications standards the EU led on drawing up a "Memorandum of Understanding" to extend the EU-US system to non-EU countries which were invited to adopt the same "Requirements" for network and service providers. The contact addresses for signatory countries and for further information, which confirms the EU-USA link, should be sent to:
"a) Director Federal Bureau of Investigation,
Attention: Information Resource Division,
10 Pennsylvania Avenue, N.W.,
Washington D.C. 20535
b) General Secretary of the Council of the European Union, FAO The President,
Rue de la Loi 175,
B-1048 Brussels,
Belgium."
The number of signatories to the "Memorandum" is open-ended, any country can join providing the existing member states agree. It invites "participants" because "the possibilities for intercepting telecommunications are becoming increasingly threatened" and there is a need to introduce "international interception standards" and "norms for the telecommunications industry for carrying out interception orders" in order to "fight.. organised crime and for the protection of national security."
By October 1996 Australia, Canada and the US had informed the European Council in Brussels of their support for the "Requirements", Norway had signed the "Memorandum of Understanding", and Hong Kong and New Zealand are "considering the means by which they could support the "Requirements"." Ongoing meetings of "experts" from these six countries and the EU are being organised under the "informal title of ILETS (International Law Enforcement Telecommunications Seminar)".
The FBI "Requirements"
A comparison of the "Requirements" and the "Glossary" in the Resolution adopted in January 1995 by the EU and the two reports by the FBI entitled: "Law Enforcement REQUIREMENTS for the surveillance of electronic communications" (June 1992 and June 1994) shows them to be the same in almost every respect. The only difference is that the EU's "Requirements" have a couple of additional provisions to cover the linking of different telecommunications providers (eg: Germany, Austria and Spain). Some of the terminology is quaint. The term "law enforcement agencies", a American term, is used in both but is not defined in the EU version. It can be presumed to cover police, intelligence agencies (MI6 and GCHQ), internal security agencies (MI5), customs, tax, and immigration agencies. The US-FBI use of the term "transparency" has strange ring in European understanding, it is taken to mean ensuring that the subjects of the interception are "unaware of ongoing electronic surveillance".
The nine "Requirements" in the FBI report are directly repeated in the EU's ten "Requirements" with similar or in some cases the same terminology. For example, the EU's "Requirement" no 1 says:
"Law enforcement agencies require access to the entire telecommunications transmitted, or caused to be transmitted, to and from the number or other identifier of the target service used by the interception subject."
The FBI's "Requirement" no 1 says:
"Law enforcement agencies require access to the electronic communications transmitted, or caused to be transmitted, to and from the number, terminal equipment, or other identifier associated with the intercept subject... "
While "Requirement" no 2 for the EU reads:
"Law enforcement agencies require a realtime, fulltime monitoring capability for the interception of telecommunications."
And, the FBI's "Requirement" no 2 reads:
"Law enforcement agencies require a realtime, fulltime monitoring capability for intercepts."
"not a significant document" - the Home Secretary
The Chair of the Select Committee on the European Communities in the House of Lords, Lord Tordoff, took up the "Memorandum" with the Home Secretary, Michael Howard, in an exchange of letters on the Committee_s access to documents for scrutiny. On the subject of the "Memorandum of Understanding on the Legal Interception of Telecommunications" Mr Howard told Lord Tordoff:
"The Memorandum of Understanding is a set of practical guidelines to third countries on the lawful interception of telecommunications. It is not a significant document and does not, therefore, appear to meet the criteria for Parliamentary scrutiny of Title VI documents." (emphasis added)
It is quite clear from this Briefing that the "Memorandum" is not an insignificant document concerning as it does a EU-US plan for global telecommunications surveillance.
After the Guardian newspaper carried a front-page report on Statewatch's research Mr Howard wrote the following letter to the paper:
"You alleged, quite wrongly, that the United Kingdom was clandestinely joining its EU partners to create "an international telecommunications tapping system" (Britain to join FBI phone tap system, February 25).
We have never disguised the fact that interception of communications is an important tool in the fight against organised crime and, clearly, we need to ensure that we can keep up as organised criminals and their means of communication become increasingly sophisticated and international. But that does not justify the alarmist tone of your article, which confused a number of separate issues.
The UK is not party to any agreements concerning our interception of calls outside this country. Nor do we allow calls here to be Intercepted by foreign governments. The International User Requirement, which outlines recommended technical standards for lawful interception, far from being a secret document, was published in the EU Official Journal last year and repeated, in substance, in a document which has been placed In the libraries of both Houses of Parliament. Similarly, there is no secrecy attached to the Government's proposals on encryption which were announced last June and will be set out in a consultation paper which will be published shortly.
It is no secret that discussions are taking place within the EU context about how current interception capability can be maintained as the use of "satellite" phones increases. Any changes to our interception regime to take account of this will almost certainly require domestic primary legislation, giving Parliament and the public full opportunity to discuss these matters." Michael Howard (MP), Home Secretary, Queen Anne's Gate, London SW1H 9AT.
Statewatch's editor replied:
"Your report of our research on the new EU-FBI global telecommunications surveillance system (25 February) is termed "alarmist" by the Home Secretary Mr Howard (1 March).
Faced with a new generation of satellite-based telecommunications for phone calls, e-mails and faxes the EU Council of Ministers have laid down new standards for manufacturers and service providers if they want to get contracts. These "Requirements" will create a system which can monitor everyone and every form of communication and it is one which Mr Howard admits will require "primary legislation" to update the 1985 Interception of Communications Act.
Mr Howard says the new measure was deposited in parliament but this was after it had been agreed. He failed to refer the Resolution setting up this system to the Select Committee on the European Communities for parliamentary scrutiny when it was being discussed in the K4 Committee in April, November and December 1994. Or before it was discussed by the Council of Justice and Home Affairs Ministers in March 1994 and or finally agreed, in an unpublicised decision, by "written procedure" via telexes sent out from the Council in Brussels in January 1995. It was "secret" until it had been adopted without any parliamentary scrutiny. Mr Howard says "The UK is not party to any agreements concerning our interception of calls outside this country. Nor do we allow calls here to be intercepted by foreign governments". Clause 2.3.d of the Police Bill currently before parliament would allow the tapping of phones and communications (and entry into homes and offices) on behalf of any "law enforcement agency" in the world. The UK does not allow interception by "foreign governments" it will do it for them.
He also seems to be unaware of the 1948 UKUSA agreement whereby the UK's GCHQ in Cheltenham and the US National Security Agency (NSA) at Menwith Hill in Yorkshire and Morwenstow in Cornwall routinely intercept telecommunications including e-mails and faxes (through the ECHELON network).
The "Memorandum of Understanding" drawn up by the EU and the FBI extending the system to non-EU states like Canada, Australia, New Zealand, Norway, the USA and Hong Kong, is in Mr Howard's words "not a significant document".
People and parliament might have been "alarmed" if they had been told what was going on." Tony Bunyan, Editor, Statewatch (paras 4, 5 & 6 were not printed)
Mr Howard did not reply.
Conclusion
Whether the EU effectively adopted in 1995 the "Requirements" drafted by the FBI back in 1992 is perhaps not the issue. What is however is that while in the US the taking of new, intrusive, surveillance powers by the "law enforcement agencies" was debated and adopted through their democratic process, in the EU the decision was taken in secret by "written procedure" with no democratic discussion at all in the parliaments of the European Union.
Sources: Publication of Council Resolution of 17 January 1995 on the lawful interception of telecommunications, Report from Police Cooperation Working Party to Steering Group II, 8977/96, Limite, ENFOPOL 121, 11.7.96; Interception of communications, report to COREPER, ENFOPOL 40, 10090/93, Confidential, 16.11.93; Memorandum of Understanding concerning the lawful interception of telecommunications, ENFOPOL 112, 10037/95, Limite, 25.11.95; Legally permitted surveillance of telecommunications systems provided from a point outside the national territory, report from the UK delegation to the Working Group on Police Cooperation, ENFOPOL 1, 4118/95, Restricted, 9.1.95; Electronic Privacy Information Center, Washington, USA; Chapter 4, "Pre-Wiretapping Telephones", by David Banasar in Electronic Privacy Sourcebook (forthcoming, June 1997), John Wiley and Sons, NY. Copies of Statewatch's interim report on "European Union and FBI launch global surveillance system" are available for £2.00 (inc p&p).
CHRONOLOGY
June 1991: first FBI Bill withdrawn from US Congress
June 1992: FBI produced "Law Enforcement REQUIREMENTS for the surveillance of electronic communications"
Autumn 1992: second FBI Bill withdrawn from US Congress
1993: FBI host a seminar in Quantico attended by the EU
29-30 November 1993
The first meeting of the new, post-Maastricht, Council of Justice and Home Affairs Ministers meeting in Brussels adopt a Resolution calling on experts to compare the needs of the EU "with those of the FBI"
March 1994: The Council of Justice and Home Affairs Ministers discuss but do not adopt a draft Recommendation of principle August 1994: third, and successful Bill introduced in US Congress April, November and December 1994: The K4 Committee discusses the draft Resolution on the lawful interception of telecommunications and the "Requirements" to be placed on network and service providers
October 1994: US Bill passed and signed by Clinton
November 1994: The K4 Committee discusses the draft "Memorandum of Understanding with third countries".
17 January 1995: The Resolution on the "Requirements", never discussed by the Council of Ministers is adopted by "written procedure". It is not published in any form until 4 November 1996 when it appears in the Official Journal.
23 November 1995: The Council of Justice and Home Affairs Ministers agree the "Memorandum of Understanding". It is not published in any form
7 May 1996: Michael Howard, the Home Secretary, tells the Chair of the Select Committee on the European Communities in the House of Lords that the "Memorandum of Understanding on the legal interception of communications" is "not a significant document". 28 November 1996: The Council of Justice and Home Affairs Ministers agree the text of a letter to be sent out to other potential "participants" (countries) in the "Memorandum of Understanding".
K4 Committee: Also set up under the Maastricht Treaty to coordinate the work on the "third pillar" - policing, immigration and asylum, and legal cooperation. Is comprised of senior officials from Interior Ministries and prepares report to go to the Council. Under the K4 Committee there are three Steering Groups covering policing and customs, immigration and asylum, and legal cooperation (civil and criminal) to which a series of Working Groups report.
COREPER: the Committee of Permanent Representatives from each EU state based in Brussels.
New Convention to legitimise surveillance - group of "20" implementing EU-FBI plan
The EU-FBI plan to create a global system for the surveillance of telecommunications - phones calls, faxes and e-mails - has taken three major steps forward - the first is a new group of "20" outside EU structures to effect the plan, the second are plan for all interceptions to be routed through just 3 or 4 EU states, and the third is a new draft EU Convention to "legitimise" surveillance by "law enforcement agencies".
Earlier this year the K4 Committee minutes noted that work on this is being developed "outside the third pillar" structures. Statewatch has learned that the plan is being developed outside the structures of the European Union by a group of 20 countries - the 15 EU member states plus the US, Canada, Norway, Australia and New Zealand (see Statewatch, vol 7 no 1).
The group of "20" is not accountable through the Council of Justice and Home Affairs Ministers or to the European parliament or national parliaments. Using the "Memorandum of Understanding", signed on 23 November 1996 by individual EU members states, they are now cooperating with the five non-EU states on a multilateral basis to ensure that the new satellite-based service and network telecommunications providers put telecommunications under surveillance at the request of "law enforcement agencies". The Australian government introduced legalisation to fall in line with the EU-FBI plan on 2 October. It claimed that the lack of legal powers had been delaying new systems because there was no obligation on service providers to allow police and security agencies to intercept communications. The police and security agencies have also had to pay the service providers to help them, under the new law the cost will be borne by the companies. The EU will "legitimate" its participation through a new Convention on mutual assistance in criminal matters which was re-written after the report by the High Level Group on Organised Crime (see Statewatch, vol 7 no 2) and a secret seminar in the Hague on 25-26 November 1996. Conventions, such as this one, adopted by the EU under Article 3.2.c of Title VI of the Treaty on European Union once agreed have to be ratified by each EU national parliament - but the parliaments are not allowed to amend or change a single "dot or comma".
The introduction of the surveillance of telecommunications in the EU has four elements:
a) the initial agreement between the US (in effect the FBI) and the EU Member States (which adopted the "Requirements" laid down by the FBI) to cooperate. The US Congress adopted the provision in October 1994 and the EU hastily followed by adopting the same provisions - without discussion in the Council of justice and Home Affairs Ministers - by "written procedure" in January 1995 (see Statewatch, vol 7 no 1).
b) the "Memorandum of understanding" built on the joint EU-FBI "Requirements" by providing a mechanism to create an initial group of "20". A report to the K4 Committee in April report notes that the Council of Europe is working on "nearly identical instruments on mutual assistance" so it can be expected that the six EU applicant countries will have to adopt the new Convention as another condition of entry.
c) with agreement to cooperate on the basis of the "Memorandum" the group of "20" can work together to ensure that the major providers of the new satellite-based telecommunications systems adhere to the "Requirements" - in effect to ensure compliance by multinational companies.
The new era of satellite-based telecommunications will see just four companies - Iridium, Globalstar, Odyssey and ICO - will control the "global network of mutually co-operating satellites". In the EU it is expected that there will only be 3 or 4 "ground stations" linked to these systems - "in France and Italy and perhaps Finland, the UK and Germany". All requests for interception orders are, under the draft Convention, to be effected through these "ground stations" and therefore through the countries hosting them.
d) the finally element is the need, within the EU, to ensure that "law enforcement agencies" cooperation to intercept telecommunications has a legal basis. The draft Convention on mutual assistance in criminal matters in Articles 6-8 set out the terms of this cooperation.
Although the new Convention is being presented as dealing with "organised crime" and the provisions on "controlled deliveries" and on the surveillance of telecommunications are a direct result of the "Action Plan on Organised Crime" drawn up by the High Level Group on Organised Crime its effect is much wider. The 1959 Council of Europe Convention, which the new Convention seeks to "supplement and facilitate", says in its Explanatory report that the objective is that the Contracting Parties:
"afford each other the widest measure of mutual assistance in proceedings in respect of offences the punishment of which falls within the judicial authorities of the requesting Party. Provision is thus made for minor offences as well as for other, serious matters.."
There is no limitation in the 1959 Convention to "organised crime" or to "serious crime", it simply concerns any punishable offence however minor.
The feature is this issue examines the changing content of the draft Convention on mutual assistance in criminal matters, the reports on the interception of telecommunications and the implications for civil liberties.
EU: New Convention on mutual assistance in legal matters
The present situation - Council of Europe Convention and Protocol to Convention
The primary instrument currently governing mutual assistance between the EU member states is the Council of Europe (CoE) Convention on mutual assistance in criminal matters of 1959, which entered into force in 1962. This Convention has been supplemented by an Additional Protocol, signed in 1978, which entered into force in 1982. The Convention is now in force in 30 states, including all 15 member states of the EU. The Protocol is in force in 24 states, including 13 Member States of the EU (Belgium and Luxembourg have yet to ratify it). Once these two states ratify the Protocol, it will be binding on all Member States of the EU.
Both the Convention and the Protocol are instruments of public international law, whose legal effect for individuals is dependent upon how each state decides to give effect to rules of international law in its national legal system. There is no judicial system for reviewing or interpreting the Convention or Protocol, or for settling disputes relating to their application. National rules implementing the Convention or Protocol have to conform to the Human Rights Convention, notably Articles 5 (rights on detention) and 6 (rights to a fair trial). Both the Convention and the Protocol are subject to reservations on any of their provisions by any signatory.
What needs to emphasised, especially in relation to the new draft EU Convention is that the CoE Convention deals purely with relations between judicial authorities - policing and law enforcement issues entirely outside its scope.
Equally, enforcement of criminal sentences is a matter for separate Council of Europe Conventions, on transfer of prisoners, transfer of proceedings and the international validity of criminal judgements. These Conventions have fewer signatories than the mutual assistance Convention and have not yet been subject to any attempts to supplement them through the 'third pillar' of the EU.
The 1959 Convention does not apply to political offences or offences connected with political offences, or to fiscal offences. It also contains a very general exception which states can invoke to protect sovereignty, security or public order (ordre publique).
In practice the 1959 Convention works by means of "Letters Rogatory" sent by judicial authorities in the state which requests evidence (the "requesting state") to the state which has the evidence (the "requested state"). The letters rogatory are sent through the Home Affairs ministries.
The 1959 Convention covers physical evidence as well as appearance of natural persons. Witnesses in the requested state can be summoned to the proceedings in the requesting state. However, the summons is not binding upon the witnesses and the requesting state can only enforce the summons against the witnesses if the witnesses cross into the requesting state, receive another summons from the authorities, and then ignore it. The Convention also covers people who are in custody in the requested state, where the requesting state wants them to testify. The person has the right to object to testifying in the requesting state.
The Protocol widens the scope of the 1959 Convention allowing it to be used for fiscal offences and makes it clear that the "double criminality" rule (requiring an offence to be punishable in both the requested and requesting state for the Convention to apply) is to be relaxed for such offences.
The subject of interception of telecommunications is not covered by either the 1959 Convention or the Protocol. The only relevant provision is Recommendation (85)10 of the Council of Europe Committee of Ministers.
The new draft EU Convention: first phase of discussions
The initial purpose of the negotiations on a EU Convention for mutual criminal assistance was to facilitate the operation of the 1959 Council of Europe Convention and Protocol - not to extend its scope into the field of criminal investigations.
The first drafts (April and July 1996) did, however, include some significant extensions in the powers of the authorities to gather evidence and to get witnesses into court. Article 2 allows requests to be made by "administrative authorities" concerning "infringements of public order provisions", for example, by Germany.
Article 3 provides for an exception to the rule that a person must consent before a transfer (compared with Article 11 of the 1959 CoE Convention, which deals with transfers in different circumstances); the exception is that the person may be forcibly moved if "charged in the course of proceedings for which the investigation has been requested". This provision runs the risk of allowing states to circumvent the guarantees provided for in extradition treaties, or encouraging them to bring additional charges against a person in custody in order to ensure the person's transfer for "use" in another state's proceedings. Article 6 is a completely new development in international judicial assistance, providing that witness statements may be taken by video conference. The requested state is generally obliged to summon a person to give evidence in this fashion (Article 6(3)), and the summoned person will then be under an obligation to give evidence. An obligation to give evidence does not exist under the present 1959 CoE Convention. The new Convention would provide for a substantial increase in the power of one Member State to compel a person in another Member State to give evidence. In this draft, it would have fallen to the requesting state to conduct the hearing (Article 6(4)), but to the requested state to ensure "due regard for the [witness'] fundamental rights" (Article 6.5)).
The July 1996 draft of the new Convention is a very good example of the case for national parliaments to be able to scrutinise early drafts of measures. There are no less than 36 reservations or differing views expressed by EU member states. While some of these are simply reservations on minor points, others are not. For example, "Scrutiny reservations on the whole text by German, Irish and United Kingdom delegations" and on the issue of the giving of evidence by video conference Austria, Finland and Portugal said this should not take place without the consent of the person concerned, France, Italy and the UK did not agree as the person would already have been summoned.
Second phase: Beyond traditional judicial assistance
The July 1996 draft of the new Convention had 11 Articles - the May 1997 draft has 20 Articles. Under the Irish Presidency it was decided that the scope of the new Convention should be expanded far beyond judicial criminal assistance as it is commonly understood. The EU Dublin Summit in December 1996 decided to set up the "High Level Group on Organised Crime" which reported back with its "Action Plan to combat organised crime" to the June 1997 EU Summit in Amsterdam. The "Action Plan" report had several recommendations which it was decided to slot into the draft Convention on mutual assistance on criminal matters, and which had implications well beyond any understanding of "organised crime". At the same time the need to legitimise the interception of telecommunications was moving ahead.
New issues were put on the table for the Working Party on Mutual Assistance in Criminal Matters: Controlled deliveries, cross-border use of undercover investigators, cross-border surveillance and hot pursuit, cross-border bugging of vehicles or monitoring of vehicle movement, cross-border use of private informers or private undercover agents, joint teams, mutual assistance on Internet matters, and the surveillance of satellite communications were discussed.
By April a report was before the K4 Committee. The conclusions included:
1) the draft Convention "should contain additional provisions" on "controlled deliveries": "all Member States consent to the use of this method". The "method" according to the UN 1988 Convention on drugs is: "the technique of allowing illicit or suspect consignments of drugs to pass out of, through or into the territory of one or more countries, with the knowledge and under the supervision of their competent authorities". The Working Party recommended the new Convention should extend this beyond drugs to cover "arms, money etc".
2) "cross border use of undercover investigators (law enforcement agents)": "undercover investigators" are "law enforcement agents as opposed to private persons" and: "In some Member States undercover investigators may be used as part of police work without any specific legal basis. In others national law contains more precise and direct provisions on this issue." As the practice varies "no rules" can be established, so current unregulated bilateral cooperation continues.
3) the report says that the draft Convention does not need to include: "cross border surveillance and cross border hot pursuit": already covered by Articles 40 and 41 of the 1990 Schengen Convention except for Ireland and UK; "cross border use of technical equipment attached to vehicles or objects for the sole purpose of monitoring movements.." : "used in all members states", covered by "existing mutual assistance instruments"; "cross border use of technical equipment attached to or installed in vehicles to monitor communications taking place therein": most member states do not provide for this in "national law", in some "expressly forbidden", but in member states where allowed it is covered by existing instruments"; "joint teams": the Working Party concluded that there was no need for a provision in the draft convention as it was already covered by the 1959 CoE Convention and Article 47 of the 1990 Schengen Convention. The new draft thus includes in Article 10 that "controlled deliveries" shall be allowed "in the framework of criminal investigations into extraditable offences" - this formula of "extraditable offences" allows the remit to go beyond drugs. Only Portugal has a reservation on this extension (see Statewatch, vol 7 no 2 for the wide definition in the Extradition Convention). Article 4 on searches and seizure would delete the reservations which Member States have attached to Article 5 of the 1959 Council of Europe Convention. Without these reservations property could be searched or seized even if the property owner is accused of an offence which is not a crime in the state in which they resides; and the search or seizure could take place in a manner not authorised by national law.
The new Articles 6-9 on telephone tapping, including the bugging of all forms of telephones, not just satellite calls, are the most remarkable change from the earlier draft (see below). Article 12 of the revised Convention deals with witnesses' statements in video conferences. Article 12(5) makes clear that the witness will be obliged to appear. Article 12(6) on the procedure is a much expanded version of Article 6(4) and 6(5) in the 1996 drafts. Here there is no longer a woolly reference to the requested state guaranteeing the witness' fundamental rights, but there is no replacement covering the matter in more detail. It is not clear how these clauses will operate in practice. How can the guarantees for suspects' and witnesses' rights within the system of judicial protection of the requesting state be upheld, without substantial additional provisions providing for mechanisms by which the requesting state's disclosure rules will apply to the cross-border provision of evidence and by which the witness has access to legal advice concerning the requesting state's law?
Article 13 covers the transfer of a person to another Member State, which might be without consent (Article 13(6)). This leaves open the possibility that a person can be moved forcibly to another Member State, albeit temporarily, after procedural protections which might be lower than that provided for under extradition procedures. It is not clear how long the person concerned might be transferred for, with the risk that a remand prisoner might have their pending trial delayed as a result of the transfer; and the prisoner will in any case be forcibly separated from their families for the duration of the transfer. Article 14, provides for "spontaneous exchange of information". There is no reference to data protection rules. Finally, Article 15 provides for expedited procedural rules for requests between authorities. While it is made clear here that the Convention is not meant to apply to "pure" police or customs cooperation, at least for controlled deliveries (Article 15(6)), it can still cover requests emanating from or to police or customs authorities, as long as one side is handling such requests via the judicial authorities. There is a risk that such a requirement may simply be a formalist restraint covering what is de facto direct cooperation between police or customs authorities in both Member States.
It should be noted that this draft Convention, in Article 18.4, takes a further step down the road to undermine the scrutiny by national parliaments in the ratification of Conventions. The Dublin Convention stipulated that all EU member states had to complete ratification before it could come into force, the Amsterdam Treaty says Conventions can only come into force when a majority of member states (8) have adopted it - this draft Convention allows the first two member states to ratify it to put it into practice immediately.
The Convention and the surveillance of telecommunications
The implementation of the EU-FBI surveillance plan was introduced into the draft Convention on mutual assistance in criminal matters, in Articles 6-9, this year. The May 1997 draft says in an "explanatory comment" that the Presidency believes: "in view of the absence an explicit Treaty basis for the interception of telecommunications - proposes that the Convention under consideration should make provision for investigation of all types of telecommunications".
Article 6.2 says that an "order" from a competent authority of the "requesting Member State" can ask for either:
"the interception, recording and transcription of intercepted correspondence or for interception and direct transmission of intercepted correspondence to the requesting Member State for monitoring and for recording and transcription there."
In plain language the results of an interception are either sent ex-post by the "requested" member state after the event to the requesting member state or, if the member state asks the interception is transmitted, real time (as it is happening) to the "requesting" member state. The term "correspondence" is taken from Article 8 of the European Convention on Human Rights and taken to encompass "both conversations and fax messages etc." Article 6.3 covers the surveillance of mobile phones and messages in another member state or member states (or another state which is party to the agreement). Article 6.4 sets out that requests between member states should include: "as accurate a description as possible of the subject of the investigation.."; "the desired duration of the investigation"; and the "type of investigation" (as in Article 6.2 above).
Article 6.5 is intended to exclude, according to the explanatory comment, the use of information derived "between doctor and patient or client and lawyer and correspondence with religious advisers".
Articles 7 and 8 deal respectively with: "Investigation of terrestrial telecommunications" and "Investigation of satellite communications". Article 9 is currently blank to provide for additional provisions concerning third member state (in addition to the "requesting" and "requested" member states).
Article 7.2 says would allow the "requested" member state to refuse to execute the request "in view of the nature or non-seriousness of the offence or the personal status of the subject of the investigation" or if it considered the request was "unjustified given the circumstances of the case". Article 7.3 a & b say that the "requested" Member State "may" set conditions that i) prior to the transfer of the data it would "destroy.. those parts of the correspondence which.. cannot be meaningful in the context.." or ii) the "requesting" member state which receives the data "real time" would do the same. The first condition 7.3.a cannot be imposed where the "requesting" member state has asked for interception and transmission (real time). Each member state would operate according to its national law -which may of course be different.
Articles 7.3.c & d say that the "requested" and "requesting" member states shall:
"inform the holder of the network connection number and the subject of the investigation.. that the investigation has been carried out."
There is, of course, a catch to this provision: "in accordance with those authorities' national law". In the UK, for example, this would never happen (except perhaps where it had to be revealed in court).
Article 8 is almost exactly the same as Article 7 but the explanatory comments regarding satellite telecommunications shows the influence of the report of the High Level Group on Organised Crime. The request for "assistance" is to be made to the member state in which the "ground station" is located - the "ground station" could be located in member state A while the subject may be in member state B (see below for the significance of "ground stations"). The explanatory comment also says that "additional information on the aim of and reasons for the request" cannot be asked for by the "requested" member state when it is for a "real time" interception.
The background reports leading up Articles 6-9 are more revealing. A "preparatory meeting on interception" was held in the Hague on 25-26 November 1996. On 17 January the EU Presidency sent a report on the meeting to the Working Party on Mutual Assistance in Criminal Matters" entitled: "Does the interception of mobile satellite telecommunications require new forms of mutual assistance in criminal matters?" The report contains a series of definitions which expand on those given in the published version of the Council Resolution (Official Journal, 4.11.96). The first link are the "system providers", consortium that:
"provide the global network of mutually co-operating satellites. Up to now Iridium, Globalstar, Odyssey and ICO prepare a network, each servicing between 10 to 100 ground stations world-wide."
The second link is the "ground station", the "earthly, fixed equipment where a telecom signal of a satellite is received.. each ground station renders this services to a system provider for an area encompassing all the countries of the EU." The report says, as do previous ones, that the interception of mobile phone has to take place at the "ground station".
The report argues that "additional international legal instruments" are need because the 1959 Convention implies that the "requested" member state should check the data before it is transmitted "real time" to the "requesting" member state -whereas they want data to be sent immediately without any check under the laws of the "requested" member state.
In April the EU Presidency presented a report to the K4 Committee summarising the proposed changes to the new Convention. The report says that there is a need to "provide a legal basis for the cooperation between the Member States" on the interception of telecommunications and the "real time monitoring of satellite telecommunications".
The rights of the individual are referred to as covered by Article 8 of the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms. Article 8 guarantees the right to respect for private life and correspondence. The "problem" for EU policymakers is that:
"Traditionally persons located on the territory of a certain state, fall under its jurisdiction. Their freedoms.. are guaranteed under the law of that state. Likewise the infringements on this freedom should be allowed by the laws of that same state. The location of a target is therefore relevant. Exceptions of the principle of sovereignty can only be regulated by a Convention." (Hague meeting 25-26 November 1996)
These "freedoms" are, by way of this new Convention, being discussed away in the secret meetings of the EU and when the 15 governments have agreed its contents national parliaments have no powers to change or amend any of its provisions.
The April report says that in the near future:
"perhaps within a year. The 3 or 4 systems will be established by large multinational operators."
And:
"each system will have (only) one ground station in Europe. It is at this stage expected that ground stations will be established in France, Italy and perhaps Finland, the UK and Germany."
The significance of there only being 3 or 4 "ground stations" in the EU is that, under Article 7 and 8 of the new draft Convention, all requests for interception will go to the member states in which they are based in and be executed according to the national laws of that country.
Conclusion
It is clear from past experience that the Council's working groups frequently agree a large percentage of a measure before it is discussed by the K.4 Committee, never mind the Justice and Home Affairs Council. The mutual assistance Convention looks set to be a classic example.
The draft Convention abounds with clauses liable to have a substantial impact on individual rights, certainly by comparison with the subject-matter of "traditional" judicial cooperation in criminal matters, including the 1996 drafts of the same Convention.
This is a classic case where public debate is sorely needed, where peoples' rights and protections are negotiated away in secret EU meetings.
Sources: Draft report to the Council on the draft Convention on mutual legal assistance in criminal matters, Presidency to K4 Committee, 7350/97, Limite, JUSTPEN 31, 14.4.97; Interception of telecommunications systems outside national boundaries - Lawful interception of satellite personal communications systems, Presidency to Working Party on Mutual Assistance in Criminal Matters, 12290/1/96 REV 1, Limite, JUSTPEN 150, 17.1.97; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, 5978/96, 16.4.96; 9268/96, 15.7.96; 7945/97, 6.5.97; Explanatory report on the Convention on mutual legal assistance in criminal matters, including text of 1959, Council of Europe, 1969; Council of Europe press release no 341, 2.6.97.
EU: Surveillance report
An excellent report prepared by Steve Wright of the Omega Foundation in Manchester for the European Parliament (EP) sets out in frightening detail the surveillance systems being constructed in the EU. The report, prepared for the Scientific and Technical Options Assessment Panel of the EP, deals with both technology exported from the EU to third world countries and the surveillance and control systems to be used within the EU. It covers surveillance systems; data gathering, processing and filtering devices; biometric and other human identity recognition tools; so-called "less-lethal" weapons for crowd control; new prison control systems; and torture techniques.
The report gives information on the global surveillance system run by the military-intelligence community (military and intelligence agencies) called ECHELON run by the USA, UK, Canada, Australia and New Zealand. Bases in these countries trawl the electronic airwaves and download all information held in "Dictionaries" of keywords, phrases and people's names. It also gives details of the EU-FBI surveillance system being set up for the law enforcement agencies community (police, customs, immigration and internal security services) to monitor all telecommunications (phones calls, faxes and e-mails) (see Statewatch, vol 7 no 1).
The report says there has been a "political shift in targeting". Instead of investigating crime (which is a reactive) law enforcement agencies are now "tracking certain social classes and races of people living in red-lined areas before crime is committed", a form pre-emptive policing dubbed "data surveillance" based on military models of gathering huge amounts of low-grade intelligence and digging out deviant patterns. Glyn Ford MEP, who is on the STOA Panel, hopes that the report will be the first step in establishing more openness: "Some democratically elected body should surely have a right to know at some level. At the moment that's nowhere".
An appraisal of technologies of political control: final report, working document for the STOA Panel, April 1997, PE
166.499/Final; Daily Telegraph, 6.12.97.
EU: Surveillance extended to Internet and satellite phones
The EU is to extend the EU-FBI telecommunications surveillance plan to the Internet and to new generation satellite mobile phones (see Statewatch, vol 7 no 1 & 4 & 5; vol 8 no 5). At the same time EU Interior Ministers are seeking to resolve their differences over the legal powers they intend to give the "law enforcement agencies" to intercept all forms of telecommunications under the new Convention on Mutual Legal Assistance. In the US the same issues are being openly discussed - the Federal Communications Commission has deferred a decision on an FBI proposal to extend surveillance to the Internet. In October 1994 the US Congress passed an FBI-proposed law, the Communications Assistance for Law Enforcement Act. On 17 January 1995 the EU adopted a Resolution on the "Requirements" to be placed on network and service providers to carry out surveillance of all telecommunications. These "Requirements" were exactly the same as those drafted by the FBI. Now these "Requirements" are to be extended from covering traditional phone networks and GSM mobile phones to the Internet and to the new satellite-based mobile phones run by multinational companies like Iridium. Under the plan telecommunications network and service providers would have to give access to communications from "mobile satellite services" (provided by multinationals like Iridium via their "ground station" in Italy, see Statewatch, vol 8 no 5) and to e-mail sent and received via ISPs (internet service providers) in addition to phone calls and faxes sent through the traditional system (land and sea lines and microwave towers).
The new draft "Requirements" cover the "realtime" (as it is actually happening) surveillance of phone-calls and e-mails including where messages are redirected, voice-mail and conference calls. They even extend to passing over data when a connection has not been made for both outgoing and incoming calls/messages. All details concerning e-mails accounts have to be handed over by IP providers. "Realtime" is defined as routing the surveillance in "milliseconds".
Legal powers
In a parallel development the EU Justice and Home Affairs Council is discussing the draft Articles on the "interception of telecommunications" in a new Convention on Mutual Legal Assistance in Criminal Matters. This is intended to extend the application of a 1959 Council of Europe Convention with the same title.
The new "Requirements" and the new legal powers are being presented as being necessary to combat organised crime. However, the scope of the 1959 Council of Europe Convention simply covers any:
"offences the punishment of which falls within the competence of the judicial authorities of the requesting Party. Provisions is thus made for minor offences as well as for other, serious, offences.." (Explanatory report on the European Convention on mutual assistance in criminal matters, Council of Europe, 1969, p11)
The issue of police officers and/or judicial authorities being called on to give what will in effect be instantaneous authorisations for intercepts "within minutes" is not addressed by the draft EU Convention.
Nor is the issue of telecommunications surveillance by the security and intelligence services - the new legal powers are only intended to authorise interception for criminal investigations. To the embarrassment of EU Interior Ministers the UK has objected to the draft Convention because in the UK -unlike in other member states - there is a single law covering the Security Service's (MI5) surveillance in connection with national security and its role assisting the police on organised crime. Neither the first set of "Requirements" not the proposed revised set of "Requirements" require approval or reference to parliaments, national or European. The new draft Convention, when eventually signed by the 15 EU member states has to be ratified by national parliaments - but they are not allowed to change or amend anything, even a dot or comma.
EU: EU-FBI telecommunications surveillance extended to Internet and new generation mobile phones
Statewatch bulletin, vol 8 no 6 (November-December 1998)
The Justice and Home Affairs Council (JHA Council) of the European Union is to extend the EU-FBI telecommunications surveillance plan to the Internet and to new generation satellite mobile phones (see Statewatch, vol 7 no 1 & 4 & 5). At the same time EU Interior Ministers are seeking to resolve their differences over the legal powers they intend to give themselves to intercept all forms of telecommunications under the new Convention on Mutual Legal Assistance. In the US the same issues are being openly discussed - the Federal Communications Commission has deferred a decision on an FBI proposal to extend surveillance to the Internet.
The secret making of policy
Within the formal structures of the EU, under the Justice and Home Affairs Council, the work on the interception of telecommunications is carried out by the Police Cooperation Working Party (Interception of telecommunications). This Working Party in turn is represented on three non-EU "technical expert groups" - ILET (International Law Enforcement Telecommunications), STC (Standards Technical Committee) and the IUR (International User Requirements). The findings on these non-EU groups are in turn brought back within the EU structures through the Police Cooperation Working Party and presented to the K4 Committee, COREPER and the JHA Council as being:
"agreed by the law enforcement agencies as an expression of their joint requirements"
Meetings in Rome on 14, 15 and 16 July of the IUR and STC were reported back to the meeting of the EU's Police Cooperation Working Party on 3-4 September in Brussels. Further meetings of the IUR in Vienna on 20-22 October and in Madrid on 27-28 October led to a draft Resolution from the Austrian Presidency to the Police Cooperation Working Party, dated 4 November, on the "interception of telecommunications in relation to new technologies".
The effect will be to extend the Requirements to be placed on network and service providers adopted by the EU as the Resolution of 17 January 1995 (see Statewatch, vol 7 no 1). Under the plan telecommunications network and service providers would have to give access to communications from "mobile satellite services" (provided by multinationals like Iridium via their "ground station" in Italy, (see Statewatch, vol 8 no 5) and to e-mail sent and received via ISPs (internet service providers) in addition to phone calls and faxes sent through the traditional system (land and sea lines and microwave towers).
The EU's plans for the surveillance of all forms of telecommunications is being determined by non-EU bodies - ILETS, STC and IUR - on which the major players are: the EU (represented by the Police Cooperation Working Party and other experts), the USA (the FBI), Canada and Australia (New Zealand and Norway are also involved). The stakes for these governments are enormous. Just as important as the "law enforcement agencies" being able to set down the "Requirements" for intercepting every form of communication are the commercial profits to be made out of "agreed" standards, equipment and service provision. Once adopted, EU-US standards, are set to become "global". For example, Iridium, the first multinational to open a "ground station" in Italy to serve the EU with a global earth-satellite, "mobile satellite service" (MSS, or "Satellite Personal Communications System, SPCS) is using Motorola and Kyocera to make Iridium handsets. The initiative for creating Iridium came from Motorola. Moreover, the EU market is critical to Iridium's initial success because AT & T dominates the US with traditional land bases systems.
Spelling out "law enforcement" demands
Underneath the draft Resolution amending the 17 January 1995 EU Council Resolution is a detailed report ("Interception of telecommunications: recommendation for a Council Resolution in respect of new technology") explaining the need for "supplementary requirements and supplementary definitions in respect of new technologies including SPCS, the Internet..." This report was discussed at the Police Cooperation Working Party in Brussels on 3-4 September.
The report opens with the statement that the Resolution of 17 January 1995 - which was never even discussed by the JHA Council but adopted by "written procedure" (signed by the Brussels-based Permanent Representatives of each EU member state) - has to be changed to be:
"suitable for new technologies, especially satellite communication, Internet, cryptography, pre-paid cards etc"
Throughout the report distinguishes between the new "international requirements for surveillance.. developed by the law enforcement agencies" for: i) SPCS ("Satellite Personal Communications Systems") and ii) the Internet.
Introducing the "law enforcement agencies" needs for SPCS the report says:
"Operational scenarios comprise the following connections: mobile to mobile (via satellite), mobile to mobile (terrestrial), mobile (via satellite or terrestrial) to the public switched telephone network (PSTN) and PSTN to mobile (via satellite or terrestrial). Interception of such satellite based services is subject to the national laws of the requesting law enforcement agency as well as those of the state providing the gateway."
The report's introduction on the Internet is altogether simpler: "This explanatory memorandum refers to requirements of law enforcement agencies to the interception of ISP-based Internet services."
The report then looks at each of the already agreed "Requirements" and proposes new ones.
First, under "Requirement 1" the "law enforcement agencies require access to the entire telecommunications transmitted..". Traditional means of communications are simple and provide the "locations" of the two parties but this is not so for calls between two mobile phones (SPCS). However, a solution is provided by "a single terrestrial gateway [which] serves many countries from one site" (such as the Iridium ground station in Italy covering the whole EU). For the Internet access is required to:
"ISP address, customer's account number, logon-ID/password, PIN number, E-mail address."
Second, is the "Requirement" that "law enforcement agencies require a real-time, fulltime monitoring capability" as well as "call associated data". "Real-time" is defined: "100 milliseconds to 500 milliseconds are desirable".
Third, network operators and service providers are required to provide "one or several interfaces" for the new Iridium-style SPCS mobile phones and, of course, Iridium by offering the use of its facilities meets this need - "Interception can be planned as a MSS-gateway which serves several countries.." Equally, "Several countries can carry out interceptions of the same mobile subscriber who is served by a gateway."
Fourth, the need for immediate interception, "in urgent cases within a few hours or minutes" where "questions of sovereignty can cause further delays if cooperation of law enforcement agencies from different countries is required".
The "Supplementary requirements" state that network and service providers have to hand over full details of any customer:
"the complete name and complete address of the monitored person... the person who pays the bill for the services available to the monitored person.. sufficient credit card details to identify the customer account..."
Together with details of all the services used by the "customer", for example, conferencing, voice-mail, ISDN, telex, internet domain names, "roaming" permissions (for mobile phone users).
Network and service providers will have to provide their own secure means of ensuring the "security" of the intercepts. One reason given for this "security" is the comforting thought that the rights of the individual are to be protected:
"Protection of the interests of an interception subject from revelation of its telecommunications to other parties that the intercepting authority".
On the other hand, another "requirement" is that "neither the interception target nor any other unauthorised person is aware of.. the interception order."
The MLA "debate"
The draft Convention of Mutual Legal Assistance in Criminal Matters is still under discussion in the Justice and Home Affairs Council. The "outstanding" issues are whether or not data protection provisions should be included (only Italy, Austria, Belgium and the Commission are in favour), the role of the Court of Justice, its jurisdiction (the usual dispute between the UK and Spain over the status of Gibraltar) and the Articles on the interception of telecommunications.
It should be remembered that the primary purpose of this new Convention is to "supplement the provisions and facilitate the application" of the 1959 Council of Europe Convention on Mutual Legal Assistance in Criminal Matters. The Schengen Agreement (1985 and 1990) and the Benelux Treaty (1972) have been added. The 1959 Council of Europe Convention is not limited to "serious crime" or "organised crime", it simply concerns any punishable offence however minor. New powers contained in this new EU Convention on mutual assistance are, therefore, applicable also to any punishable offence (see Statewatch, vol 7 no 4 & 5). The draft Convention thus places no limits on the use of the proposed new powers of intercepting telecommunications - this is solely regulated by each member states' national law.
In the latest draft of the new Convention the Articles on the "Interception of telecommunications" are in Title III, Articles 11-14 and represent the third substantial revision. The major areas of "discussion" in the secret conclaves of the EU member states are as follows.
The issue starts with the question as to whether "where a Member State intercepts or intends to intercept a target present in another Member State.. and does not need any assistance from that Member State" it should tell the other Member State. As presently drafted Article 13 provides that: the "intercepting Member State" will inform the "visited Member State", that the "visited Member State" may "require that the interception not be carried out or be interrupted", and that the "visited Member State may lay down conditions on the use of material already intercepted". This issue particularly arises if the Iridium's EU ground station in Italy is able to provide access to call contents (for SPCS mobile phones) in different countries instantaneously.
Due to the different legal powers to authorise interception in EU states a discussion has emerged over the role of security and intelligence agencies. Fourteen EU member states believe that the new Convention only refers to "criminal investigations" and therefore excludes interceptions by security and intelligence agencies. In these countries interception by these agencies takes place either through administrative authorisation (for example, from an Interior Minister) or through a judicial warrant. In the UK the Security Service (MI5) is issued with warrants by the Home Secretary for both matters of national security and for criminal investigations (where they are working on serious organised crime). As presently drafted the UK would be obliged to inform other EU states when MI5 is intercepting communications in another member state.
What has been highlighted by this discussion between EU member states is that there is no existing or proposed regulation of the interception of telecommunications when carried by security and intelligence agencies. It also demonstrates that there is not a simple distinction between "criminal investigations" and "national security". One of the questions asked in the latest draft is whether there should be an obligation by a member state to inform other member states where "it would be likely to prejudice its security, ordre public or other essential interests?"
Another issue is whether other EU member states should be informed when the surveillance (of GSM mobile phone networks) is for less than 24 hours and may involve, in border areas, several EU member states.
The member states are also divided over whether the "visited Member State" should have the power to "require the interception not to be carried out or to be interrupted" and the power to "impose restrictions on the use of the already intercepted material".
At the JHA Council on 3-4 December the Ministers were asked to consider the following question:
"Which of the following reasons should be regarded as a basis for requiring interception not to be carried out or to be interrupted:
- national law of the visited Member State?
- fundamental principles of national law of the visited Member State, and/or ordre public?"
A new Article (no 14a) has now been included "to ensure an appropriate legal basis for the purpose of agreements on the use of the service provider solution [Iridium] regarding satellite telecommunications". The new Article states, in full:
"Nothing in this Title shall preclude any bilateral or multilateral arrangements between Member States for the purpose of facilitating the exploitation of present and future technical possibilities regarding the interception of telecommunications".
A proposal which, potentially, could drive a "coach and horses" through any provisions in the new Convention. The so-called "service provider" for the interception of telecommunications carried out through Iridium's EU ground station in Italy would mean that if a "target" moved from one country to another the surveillance would simply be "switched" from one country to another.
There is no provision in this new Convention for it to only come into effect when all 15 EU member states have ratified it. Under Article 18.4 it can come into effect between any two or more member states who declare that it should do so.
In the USA
In the US the Federal Communications Commission has invited public comments on FBI-proposed requirements that would enable law enforcement agencies to be given the location of people using cellular phones without a warrant and has deferred a decision on another request to place the Internet under surveillance.
Conclusion
The new powers to intercept telecommunications is by no means limited to any common perception of "serious crime". By including the interception Articles in a new Convention on Mutual Legal Assistance in Criminal Matters the limits are simply those set out in the 1959 European Convention on Mutual Assistance in Criminal Matters which refers to any punishable offence however minor. Once in place to "combat organised crime" these powers can be infinitely extended to all forms of offence including public order or "national security".
Sources: Council Resolution of 17 January 1996 on the lawful interception of telecommunications; Interception of telecommunications: recommendation for a Council Resolution in respect of new technology, ENFOPOL 98, 10951/98, 3.11.98 and ENFOPOL 98 REV 1, 10951/1/98, 4.11.98; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, JUSTPEN 108, 13144/98, Limité, 19.11.98; PC Magazine, January 1999.
EU-FBI: EU-FBI telecommunications system moves two steps nearer
The EU-FBI telecommunications surveillance system is developing apace through two separate, but intrinsically intertwined, initiatives (see Statewatch, vol 7 no 1 & 4 & 5; vol 8 nos 5 & 6). First, the Council has proposed a new draft Council Resolution to extend the 1995 "Requirements" Resolution to cover "new technologies" - the Internet and satellite-based telecommunications. Second, the Council is on the brink of agreeing a formula to provide a legal base for "remote" access to the Iridium satellite "ground station" in Italy - through new clauses in the draft Convention on Mutual Legal Assistance in criminal matters. This draft Convention will provide the legal framework for the interception of all forms of telecommunications in the EU required to put into effect the EU-FBI surveillance system. Both measures are expected to be agreed at the 27-28 May meeting of the Justice and Home Affairs Council.
Background
The 1995 Council Resolution on the lawful interception of telecommunications setting out the "Requirements" was slipped through the EU by what is known as "written procedure" on 17 January 1995. "Written procedure" is a decision-making process whereby a measure is sent out to EU member states for agreement between meetings of the Council of Ministers. In October 1994 the US Congress had adopted its version of the "Requirements" drawn up by the FBI. Not wishing to wait three months until the next meeting of the Justice and Home Affairs Council the German Presidency took the initiative to use "written procedure" (all Member States are obliged to reply though they may add statements to be included in the Council minutes). Using the "written procedure" process had another effect, the "Requirements" Resolution remained hidden from view until November 1996 when it was published in the EU's Official Journal. In the USA civil liberties groups have campaigned against the new surveillance powers since 1993, however the EU end of the EU-FBI axis only became apparent when Statewatch published its first report in February 1997.
The "new technologies"
In July 1998 the Austrian Presidency of the EU put forward a proposal for a "Draft Joint Action on the interception of telecommunications" which was discussed by the Police Cooperation Working Party (Experts' meeting - Interception of telecommunications) at its meeting on 3-4 September in Brussels. This draft Joint Action was intended to extend the 1995 "Requirements" to "new technologies" (the Internet and satellite-based telecommunications) and to place on network operators and service providers an obligation to provide information and assistance in the interception of telecommunications. The idea of a Joint Action was dropped by the end of July as a number of EU member states were not prepared, or ready, to adopt a binding commitment to place an "obligation" on network and service providers at national level.
However, the same meeting of the Police Cooperation Working Party was also considering reports drawn up by three "expert groups": the IUR (International User Requirements) and the STC (Standing Technical Committee) from their meeting in Rome on 14-16 July 1998 plus the conclusions of an earlier meeting of ILETS (International Law Enforcement Telecommunications Seminar). The role of these non-EU working groups is made explicit in ENFOPOL 98 which had "been drafted by the technical groups ILET, STC and IUR."
There were further meetings of IUR, 20-22 October in Vienna and 27-28 October in Madrid. By November 1998 meetings of ILETS, IUR and STC concluded that "adjustments" to the 1995 "Requirements" to cope with the "new technologies" was "an urgent necessity".
The key group is ILETS, revealed by Statewatch in February 1997 (vol 7 no 1) and pinned down by Duncan Campbell in an article in the Guardian's Online. ILETS was founded by the FBI in 1993 and is comprised of: the US, Canada, Norway, Australia, New Zealand and Hong Kong (it is not known if Hong Kong is still particitpating) plus the 15 EU states. Those attending these meetings are from the "law enforcement agencies".
The core of the ILETS group are the US, Canada, Australia, New Zealand and the UK - the UKUSA group, started in 1946, which runs up a global surveillance system to service the military and overseas intelligence agencies (ECHELON). There are thus two global systems: ECHELON serving the "military and intelligence community" (external, eg: GCHQ and MI6 in UK) and the EU-FBI telecommunications surveillance system to serve the "law enforcement community" (police, internal security, customs and immigration).
The new draft Resolution
The European Parliament was consulted (that is, its views are sought but they can be ignored) on the second revision of ENFOPOL 98, dated 3 December 1998. A later version of the same report, now renamed ENFOPOL 19, dated 15 March 1999 contains two significant differences to the version given to the European Parliament.
1) In the version discussed by the European Parliament the "General explanations" seek to amend the 1995 requirements to include identifier data on internet users by including:
"IP address (electronic address assigned to a party connected to the Internet), account number and E-mail address" (ENFOPOL 98 REV 2)
In the new version it says:
"IP address (electronic address assigned to a party connected to the Internet), credit card number and E-mail address"
(ENFOPOL 19) (our emphasis)
An earlier document makes clear that the "account number" is not needed because this data comes with the "IP address".
2) The second difference is either sleight of hand or a deliberate mistake. In the section on the "Explanations of the Requirements" describing the changes to be made to the 1995 requirements it says that concerning access to "fixed and switch connections":
"IP connections are not included" (ENFOPOL 98 REV 2)
In the new version it says:
"IP connections are not excluded" (ENFOPOL 19) (our emphasis)
Moreover, the first revision of ENFOPOL 98 (ENFOPOL 98 REV 1, dated 10 November 1998), not considered by the European Parliament, also says "not excluded".
The general concerns over the contents of ENFOPOL 19 are: a) under the heading "Interception interface", the inclusion of: "In newer technologies the interception interface may be a virtual interface within the network". This would involve specialised software being installed at Internet Service Providers which would be remotely ("virtual") controlled by the law enforcement agencies. The effect would be to automate the transmission of messages etc.
b) many of the detailed requirements of the law enforcement agencies expressed through ILETS and the EU's Police Cooperation Working Party present in ENFOPOL 98 - but not in ENFOPOL 19 which is limited to amending the 1995 "Requirements" - are likely to be placed in an operational manual which will not be subject to public debate or parliamentary scrutiny.
EP discusses the EU-FBI surveillance system
As noted above the European Parliament was "consulted" on the proposal in ENFOPOL 98 REV 2. This is the first opportunity that the European Parliament had to formally comment on the EU-FBI telecommunications surveillance system.
The main committee considering the Council proposal was the Civil Liberties and Internal Affairs Committee and its report by Gerhard Schmid (PSE, Socialist group, rapporteur) "approves the Council proposal" and was adopted unanimously at its meeting on 20 April. It proposes minor amendments to the opening "Recitals" and suggest that the Council report back by July 2000 on how many EU states have effected the amended 1995 "Requirements" Resolution into national law.
The five-paragraph "Explanatory Statement" says that the "resolution is not binding" (which is correct) and that it is simply intended to make clear that the 1995 "Requirements" Resolution "apply to both existing and new communications technologies, e.g. satellite and Internet communications." The report simply concludes that: "It does not, therefore, affect the tension between fundamental rights and internal security." The "Opinion" of the Legal Affairs and Citizens' Rights Committee, attached to the main report, was adopted on 25 March by 7 votes to 4. Its conclusion was that the Committee: "rejects the Council proposal."
The report notes that the 1995 "Requirements" are not binding and that "national legislation applies". It goes on to say: "The Registrar's office of the European Court of Human Rights has told the rapporteur that the ECHR has not yet ruled on the violation of the secrecy of correspondence in respect of electronic mail."
Neither report used the wealth of information now available on the EU-FBI surveillance system (which is not mentioned). The report was adopted at the European Parliament plenary session on Thursday 6 May.
In this context it should be observed: a) that most national legislation does not cover the interception of the Internet and e-mails nor satellite telecommunications and that most EU countries are likely to have new measures before their parliaments over the next two years; b) although the amended 1995 "Requirements" Resolution is not legally binding on EU member states network operators and service providers will not be granted new/extended operating licences at national level unless they comply due to international agreements reached in non-EU bodies - the STC, IUR and ILETS.
The "remote approach"
Alongside the plans on the EU-FBI telecommunications surveillance system within the EU are the parallel discussions taking place over the provisions on interception to be included in the draft Convention on Mutual Legal Assistance in criminal matters which will give EU states the legal powers to carry out cross-border interceptions.
Statewatch vol 8 no 5 reported how the EU was planning to take advantage of the offer by Iridium of "remote" access to telecommunications passing through its global network, which is: "from a technical point of view, a convenient option". It transpires that it is also "convenient" from a legal/political point of view as well.
Two questions have been taxing the EU working parties, first, to what extent should the EU member state in which Iridium's ground station is located - Italy - have any involvement or responsibility for "remote interception" and second, should the draft Convention expressly provide for the "remote approach". The answer to the second question is yes, provisions should cover the "remote approach" both to cover Iridium and future network providers.
The first question divided the EU member states. 13 member states think the "remote approach" does not infringe the rights of the "host" member state. Italy, the "host", takes a different point of view and Germany thinks the draft Convention should expressly refer to the "remote approach" being applied "for the purpose of criminal investigation". The majority of EU member states take the view that the "host" state does not have a substantial role and it does not have legal responsibility for the interception of telecommunications made via the "ground station".
The crux of the discussion is set out in a Note from the Italian delegation at the end of February. Two options were on the table. First, the "centralised" option, based on present practice, would involve each interception to be authorised through "International Letters of Request". For the "host", Italy, this means single authorisations being granted by the Italian authorities "following Letters of Request from member states". The "centralised" option meant pursuing the present system where each, single, interception has to be authorised by the competent authorities. This was seen as too slow and cumbersome and it was "impossible" for the EU member states to reach agreement on a text. Instead they have opted for, in the words of the Italian delegation's report, the "remote approach" which would mean:
"a single, general, "order", given by Italy to its ground station to adjust its structures in order to allow the autonomous activation of interception by the national service providers and the automatic transmission thereto of the conversations intercepted."
This "general" order granted to member states would cover both communications between satellite handsets (air/air), which the "ground station" would, in technical jargon, "hock into" then "duplicate" and between satellite handsets and fixed terminals, or GSM, mobile phones (air/ground), when the "ground station" would simply "listen to.. the communication already in transit within its own structure."
The Italian concerns are that the interception is on "Italian territory", that the "remote approach" means limiting Italian sovereignty, and that by issuing a "single order" which will once and for all replace all single authorisations granted by the competent Italian authorities it will need to be given some "guarantees". Under its constitution its President, the President of the Council of Ministers and members of the Italian parliament cannot be the "object of investigations" except under very specific conditions. As for "national security" there were responsibilities to parliament if part of its sovereignty were to be relinquished "without having guaranteed the fundamental interests of the State". The response, two weeks later, of the majority group of 13 EU member states was not sympathetic:
"The member state hosting the ground station cannot export its constitutional principles to other member states."
To which the Italian delegation responded by saying they should be entitled to make: "a declaration.. specifying certain limits for interception via the ground station by remote control which other member states must respect."
The issues raised by Italy's constitutional objections are wider than their position makes apparent. It is proposed to move from the current system whereby every interception request to Italy from another EU member state requires a Letter of Request and an order from the Italian authorities to a system which through one general order automatic authorisation will be granted to all interceptions without any review as to their legitimacy or legality (either before of after the event) under Italian law. It is therefore possible that 14 EU member states will each be granted a single, general, order to use the "remote" interception facility made available by Iridium from Italy and that the same may happen with the Globalstar "ground station" located in France (which is going online soon).
Iridium sales failure
Iridium, of "Iridium is God manifesting himself through us" fame, lost $440 million in the last quarter of 1998. This follows substantial problems with the production of handsets and has led to a substantial shortfall in Iridium subscriptions. The company had expected to have 40,000 subscribers by the end of 1998, in the event they only had 3,000 and most of these were to the US government and military. Iridium hopes to have 500,000 plus subscribers by the end of 1999.
Figures like these go some way to explain why Iridium is so anxious to please EU member states by facilitating the interception of telecommunications from its ground station in Italy. Commentators say that Iridium has to make major inroads into the "wireless" market in the EU because the US is dominated by a solid single "wired" network created by AT&T. This may explain why it has met all the costs of ensuring that its Italian ground station can provide a "remote" interception service for law enforcement agencies.
STOA report
A special report just completed for the Science and Technology Options Assessment Panel of the European Parliament (STOA) by Duncan Campbell entitled: Interception capabilities 2000 observes that:
"It should be noted that technically, legally and organisationally, law enforcement requirements for communications interception differ fundamentally from communications intelligence [eg: ECHELON]. Law enforcement agencies (LEA) will normally wish to intercept a specific line or group of lines, and must normally justify their requests to a judicial or adminsitrative authority before proceeding. In contrast, Comint [communications intelligence] agencies conduct broad international communications "trawling" activities, and operate under general warrants. Such operations do not require or even suppose that the parties they intercept are criminals. Such distinctions are vital to civil liberty, but risk being eroded if the boundaries between law enforcement and communications intelligence become blurred in future."
The "law enforcement agencies" in the EU are to be issued with general warrants to intercept the new generation of satellittee communications services offered by Iridium in Italy and Globalstar in France. In addition, the provisions of the amended 1995 "Requirements" Resolution, when combined with the EU legal framework in the draft Convention on Mutual Assistance in criminal matters, provide for real-time (as a communication is happening) interception which will require instanteous authorisation by a police officer or official. Moreover, police analysis software, such as the Harlequin system, is already widely used in the EU to "map" a target's business, political and friendship networks from data provided by telecommunications operators. The EU-FBI telecommunications surveillance system may not yet have the ability to "trawl" the ether but it will certainly be able to cast a very wide net.
Sources: Report on the draft Council Resolution on the lawful interception of telecommunications in relation to new technologies, Committee on Civil Liberties and Internal Affairs, Rapporteur: Gerhard Schmid, and Opinion from the Legal Affairs and Citizens' Rights Committee, PE 229.986.fin, 20.4.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union - Interception of telecommunications, Presidency to COREPER/Council, ref: 11173/98, Limite, JUSTPEN 87, 15.9.98; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union - Interception of subjects on national territory using national service providers ("remote approach"), Presidency to Working Party on Mutual Assistance in Criminal Matters, ref: 7196/99, Limite, JUSTPEN 22, 7.4.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union -application of the remote approach regarding interception of satellite telecommunications, Italian delegation to Working Party on Mutual Assistance in Criminal Matters, ref: 6284/99, Limite, JUSTPEN 9, 25.2.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union - application of the remote approach regarding interception of satellite telecommunications, Working Party on Mutual Legal Assistance in Criminal Matters, ref: 6195/99, Limite, JUSTPEN 7, 19.2.99 and COREPER to Council, ref: 6195/1/99, Limite, JUSTPEN 7 REV 1, 9.3.99; Draft Convention on Mutual Assistance in Criminal Matters between Member States of the European Union, Working Party on Mutual Assistance in Criminal Matters to COREPER/COUNCIL, ref: 13144/98, Limite, JUSTPEN 108, 19.11.98; Interception of telecommunications -Draft Council Resolution on new technologies, Presidency to Police Cooperation Working Party, ref: 6715/99, Limite, ENFOPOL 19, 15.3.99; Interception of telecommunications - Council Draft Resolution in relation to new technologies, Presidency to Police Cooperation Working Party, ref: 10951/98, Limite, ENFOPOL 98, 3.9.98 and ref: 10951/1/98, Limite, ENFOPOL 98 REV 1, 10.11.98 and ref: 10951/2/98, Limite, ENFOPOL 98 REV 2, 3.12.98; PC Magazine, May 1999; Duncan Campbell, "Intercepting the Internet", Guardian Online and on the telepolis site: http://www.heise.de/tp/english/special/enfo/6397/1.html;Interc eption Capabilities 2000, report by Duncan Campbell for the Science and Technology Options Assessment Panel of the European Parliament, 6.5.99.
EU-FBI plan adopted in Holland
The Dutch parliament, overruling objections from lawyers, employers and the telecommunications industry, has agreed that the Ministry of Justice should be authorised to tap into any form of communication, including internal company networks. Any new service offered must also be "tappable". KPN, the major provider of telecommunications in the Netherlands, has estimated that the potential cost could be astronomical.
There is one exception to this measure. The internet will remain tap-free. However the service provider Xs4all is not impressed by the concession: "...it makes no practical difference whether we are included in this or not", a spokesman pointed out. Nobody, not even the government knows how to tap the internet."
Volkskrant 8.4.99
EU-FBI telecommunications surveillance plan: Commission working party concerned
A report from the Data Protection Working Party for the Commission DG XV adopted on 3 May 1999 is critical of the privacy implications of the "Council Resolution of 17 January on the lawful interception of telecommunications" (The International User Requirements drawn up by the FBI and adopted by the EU, known as IUR 95). The Working Party is comprised of data protection experts, its chair Peter Hustinx is one of the Dutch members of the Schengen Joint Supervisory Authority.
Their report says that the data to be collected would cover both the "target persons and any persons with whom they enter into communication". It expresses their concern at the "scope" of the measures envisaged and in particular with the "Memorandum of Understanding" to exchange data with non-EU states who "are not subject to the requirements of the European Convention on Human Rights and of Directives 95/46/EC and 97/66/EC."
The Working Party thus "wishes to draw attention to the risks of abuse with regard to the objective of the tapping, risks which would be increased by an extension to a growing number of countries - some of which are outside the European Union - of the techniques for intercepting and deciphering telecommunications.
Some of the provisions in IUR 95 would, they say, "conflict with more restrictive national regulations in certain countries in the European Union". They give examples of access to data concerning calls and "forbidding operators from disclosing interceptions after the fact". Moreover, when satellites or the Internet is used, it must not lead to "a lowering of the level of confidentiality and protection of the privacy of individuals." The Working Party's recommendations call for "national law to strictly specify":
1. "the prohibition of all large-scale exploratory or general surveillance of telecommunications."
2. "compliance with the principle of specificity, which is a corollary of forbidding all exploratory or general surveillance. Specifically, as far as traffic data are concerned, it implies that the public authorities may only have access to these data on a case-by-case basis, and never proactively and as a general rule."
3. "that a person under surveillance be informed of this as soon as possible."
4. "the recourse available to a person under surveillance"
5. "the publication of the policies on the interception of telecommunications as they are actually practised, for example, in the form of regular statistical reports"
6. "the specific conditions under which the data may be transmitted to third parties under bilateral or multilateral agreements"
The existing and planned UK law would fail on a number of these counts. Point 2 is directly contrary to what is being planned for the Iridium ground station in Italy where 12 EU member states are demanding Italy agree to general, unlimited and open-ended interception warrants. Point 6 taken together with the Working Party's grave reservations about the transfer of data to and from non-EU states raises major questions about Europol's planned agreements with third states and agencies within third states.
Their report is on:
http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp 18en.htm
EU-FBI telecommunications surveillance plan: Secret services and G8 intervene
Interventions by the EU's internal security services and a G8 Sub-group on surveillance and data protection
The EU-FBI telecommunications surveillance plan has been held up since early summer over the revised set of "Requirements" to be laid on internet and service providers (ENFOPOL 19) and the draft Convention on Mutual Assistance in criminal matters - now held up for nearly two years due to the inclusion of provisions on interception and the inability of EU member states to reach agreement (see Statewatch vol 7 no 1, 4 & 5; vol 8 nos 5 & 6; vol 9 no 2).
The intervention of new players is partly responsible for the hold-up. First, the internal security services of EU member states have directly intervened because they considered the restrictions of their "freedom" to conduct surveillance could be limited by the draft provisions in the draft Convention. The potential role of the internal security services (like MI5) cropped up earlier in the discussion over the provisions in the draft Convention because the UK is the only EU member state to formally give, by law, a role to MI5 to assist the police in their crime role. The other EU member states have no problems as they maintain the draft Convention only covers "crime" and policing - which has always begged the question that if this Convention is not to cover surveillance by internal security services what does? The answer is nothing covers or limits or makes accountable their surveillance of telecommunications. The Justice and Home Affairs Council on 2 December agreed that the draft Convention, while placing a general obligation on the "intercepting" member state to inform the member state in which the interception is carried out, this will only apply to "criminal" proceedings and investigations - and not to "interceptions undertaken for national security purposes". The effect is that the surveillance of telecommunications by internal security agencies is left untouched by the draft Convention but allows them to take advantage of access to telecommunications being opened by the "Requirements" to be laid on internet and service providers under the EU-FBI plan.
The EU-FBI telecommunications surveillance plan is intended to serve the "law enforcement community" as distinct from the "military-intelligence community" (which uses ECHELON). The latter covers intelligences agencies like NSA and the CIA in the US and MI6 (the overseas Secret Intelligence Service) in the UK. This leave internal security agencies primarily dependent on the EU-FBI plan for its surveillance work. So, although EU member states have to at least create the appearance of control and accountability and even data protection for policing activities these provisions could limit, or lead to the exposure of, internal security service surveillance. This is especially the case when the line between traditional "internal security" and "combatting crime" is increasingly blurred in fields like computer crime, environmental and political protests, and "illegal immigration".
Secret groups
While the draft Convention on Mutual Assistance in criminal matters sets out powers of surveillance and interception within the EU the "Requirements", which will also apply within the EU, are subject to international agreement through a series of hidden working parties.
These secret working groups include: i) the EU Police
Cooperation Working Group (Telecommunications) and its Technical Questions Sub-Group; ii) IUR, the International Users Requirements group; iii) STC, Standards Technical Committee; and ILETS, International Law Enforcement Telecommunications Seminar. ILETS is a key group comprising the Cold War UKUSA countries -the US, Canada, Australia, New Zealand and UK - plus Hong Kong and Norway and 14 EU member states (15 minus the UK which was a founding member). Aside from strictly technical questions membership of these groups overlap so that EU member representatives on the Police Cooperation Working Group may also be on ILETS. The drafts of the original IUR 95 "Requirements" adopted by the EU in January 1995 and the proposed revisions in 1998 (to include internet service providers and satellite phones) in ENFOPOL 98 (and its two revised versions) came from this group into the EU policymaking process.
The "Lyon Group"
While ILETS works on technical matters (and their policy implications) a much more high-powered driving force on the global interception of telecommunications is the "Lyon Group" and especially its "High-tech Crime Subgroup of G8 Senior Experts' Group on Transnational Organised Crime."
The G8 Senior Experts' Group on Transnational Organised Crime came out of the G8 Prime Ministers meeting on 27 June 1996 in Lyon, France. The first "G" Prime Ministers' Summit was held in Rambouillet, France in 1975 comprised of US, France, UK, Germany, Italy and Japan. Canada joined in 1976 (making G7) and in 1977, at the London Summit, the European Community joined its membership. The European Community's delegation is made up of a EU Presidency representative (currently Finland), the head of the European Commission (Romano Prodi, who previously attended as part of the Italian delegation) plus the Commissioner for external affairs (Chris Patten). Since 1994 Russia attended its meetings and became a full member at the Birmingham Summit in 1998, making up G8.
All "Summit" meetings, such as EU Summits and G8 Summits try to sort out outstanding differences between members but the real work is done beforehand by officials and "experts" - and much of the latter's work goes through "on the nod" into the final conclusions. G8 Summits (and other meetings) are prepared by high-ranking officials known as "sherpas" and "sous-sherpas". National "sherpas" are each supported by two "sous sherpas" (one covering foreign affairs and finance, the other "political" matters including justice and home affairs).
Alongside G8 is "P8" ("Political 8") which deals amongst other matters with terrorism, crime and illegal migration which since the Lyon decision has led to the creation of a series of other groups and meetings (such as the G8 Justice and Interior Ministers who last met in Moscow on 19-20 October 1999).
Sub-Group on High-Tec Crime
The "problems" for the G8/P8 states were broadly defined at the 1998 Birmingham Summit under the UK Presidency as:
"The main obstacle facing a G8 achievement of any goals set out in Birmingham appears to be the barrier of red tape obstructing law enforcement agencies from cooperating across national jurisdictions. The G8 will need to address the inconsistencies between justice systems from one member country to another if the problem of international crime is to be dealt with effectively."
The key phrases here are "red tape" (procedures, control and accountability) and "inconsistencies between justice systems" (data protection and legal restrictions). In this context the Minutes of the G8 Subgroup on High-Tec Crime held in Paris on 18-21 May 1999 sets out a whole agenda influencing the EU-FBI plan.
The first issue the Minutes cover is the "Preservation of Traffic data" covering "historical traffic data" and the "collection of future data". The Minutes state that:
"Delegations agreed that privacy legislation (e.g. implementing the 1995 and 1997 EU Data Protection Directives), national laws implementing the Directives, and market forces are among the significant obstacles to law enforcement's ability to obtain historical data for use in criminal investigations. (Disclosure of that traffic to foreign investigators is also complicated by these and other impediments). Privacy directives, to the extent they require the deletion of connection information, can effectively erase the trail of connections that might otherwise identify the source of criminal activity."
It goes say that a further impediment is "anonymous free Internet services.. contribute to the absence of useful traffic data." Two solutions are suggested for this "problem". The meeting of G8 Justice and Interior Ministers in Moscow on 19-20 October adopted "Principles on Transborder access to stored computer data" defined simply as covering "law enforcement agents employed by law enforcement agencies.. investigating criminal matters". The "Principles" say "each State" will ensure that data is preserved, "particularly data held by third parties such as service providers" for the purpose of seeking:
"access, search, copying, seizure or disclosure, and ensure that preservation is possible even if necessary only to assist another State."
The second "problem" with "historical data" is that there is no obligation for service and internet providers to keep data of their users messages etc. The 1997 EU Directive on Telecommunications Sector Data Protection allows service providers to keep traffic data for billing disputes but this is rarely used as users are not billed by individual connection. Some countries allow traffic data to be preserved to guard against subscriber fraud but the Minutes observe there are no provisions for "infrastructure protection" or "other suspected illegal activity". The Sub-Group's view is that G8 should prepare "G8 Recommendations on Data Preservation" and that at national level the EU Directive should "either mandate or allow ISPs to retain particularly critical categories of traffic data for minimum time periods."
As to "future traffic data" ("real-time connection information", as it is happening) a number of delegations reported that national laws "imposed heightened limitations" on the "ability of law enforcement" to obtain future traffic data and "share it with foreign law enforcement". Several countries treated "future traffic data" as "interception" which "involves more stringent prerequisites and may only be available for certain offences". Moreover, although national laws may permit the "capture of future traffic data for domestic purposes, its laws may not permit it to do so solely for the benefit of a foreign state". The Sub-Groups solutions to this "problem" include treating "future traffic data" on the same basis as "historical data" to avoid being defined as interception and amending Mutual Legal Assistance Agreements (MLAA's) and national laws to allow interception on behalf of foreign states and agencies.
It also suggests that "important investigative techniques" could be used: "for the benefit of a foreign government and in the absence of a criminal offence or serious criminal offence, in the conduit country". This perhaps fits in with the "hypothetical intrusion exercise" the Sub-Groups agencies are testing their investigative techniques on - this suggests an interventionist, pro-active approach which could "interfere" with telecommunications.
The "Principles on Transborder Access", agreed in Moscow, also covered instances where there was a formal request for access to data (under MLAA's) and "Transborder access to stored data not requiring legal assistance" - this latter aspect covers accessing "publicly available (open source) data" and: "accessing, searching, copying, or seizing data stored in a computer system located in another State, if acting in accordance with the lawful and voluntary consent of a person who has the lawful authority to disclose to it that data." In effect, US or UK security agencies could gain access to data where authorised to do so by a US or UK multinational operating in the surveilled country.
The G8 states have set up a 24-hour "point-of-contact network" that also acts as a "warning system" which "could be used proactively". All EU and Council of Europe states have been invited to join the network, with Spain and Denmark responding first.
EU problems
The Irish government has told the EU that it is currently unable to cooperate fully in assisting other states on the interception of telecommunications. Under present legislation "interception cannot be ordered to assist in the investigation of a criminal offence in a foreign jurisdiction." If, however, a foreign law enforcement agency is "cooperating in a joint investigation" with the Garda Siochana then it is up to the GS Commissioner to decide whether to make an application for "interception authorisation".
The EU Directive on Data Protection does not cover justice and home affairs issues and only recently have the Council (EU governments) been considering whether or not to include such provisions in a series of measures - some adopted, some planned such as Europol, the Customs Information System or Eurodac. One of the reports on this internal discussion says:
"if the objective of the Horizontal Working Party on Data Processing were primarily to look for "the lowest common denominator" in physical data protection under the Third Pillar, how would it be possible to disregard Council of Europe Convention No 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data?"".
In its 31st report the UK's House of Commons' European Scrutiny Committee has said that it is: "somewhat surprised that the UK does not impose restrictions on the use of information it supplies to other EU member states". This arose in reaction to the Home Office's comments on a German proposal for data protection to be inserted in the draft Convention on Mutual Assistance in Criminal Matters. The proposal would allow intercepted data supplied to another state "not only to be used for the purpose for which it has been communicated but also for other purposes", including unrelated criminal investigations and prosecutions. The Home Office comments:
"This proposal may be controversial since some Member States provide information on condition that it is used only for the purposes specified in the request, or for other purposes with the prior consent of the requested state. The UK does not impose this condition."
The UK therefore supports the German proposal because "it would avoid the need for prior consent from the requested state before making use of information in other criminal investigations."
ECHELON and Italy
On 3 March 1999, the Rome attorney's office opened a preliminary investigation into ECHELON to find out whether this surveillance activity violates the Italian penal code. Stefano Rodota, the Italian ombudsman for the protection of personal data, welcomed the initiative because "it can contribute to offer public opinion with precise information to base its judgements on." He added that research into the technical aspects of the ECHELON network is crucial in order to develop legal and technological measures which, he feels, must be established at a supranational level, due to ECHELON's characteristics. He was critical of the refusal by countries involved in the ECHELON network to respond to allegations, in spite of an explicit request from the European Parliament. Rodota said it was not a simple question of national sovereignty "through this surveillance, one effectively enters the physical borders of a country. What suffers is the freedom of every citizen, whose physical movements and communications are controlled, step after step." Furthermore, he reasons, if it is used to discover commercial information, as has been alleged, such a network becomes invaluable.
"Echelon - Dichiarazione del Prof. Rodota all'Agenzia Agi su avvio indagine Procura di Roma", 3.3.99.
ECHELON and Denmark
"We know that we don't know anything apart from what has been reported in the press". This is in essence the response of Danish ministers when asked about possible Danish involvement in the in international surveillance system ECHELON. The latest attempt to get information about ECHELON was during a debate in the Danish Parliament 9 December. Three Ministers - Justice, Defence and research - were asked to answer the following question from the MP's, Mr Keld Albrechtsen (the Red-Green Alliance/Enhedslisten) and Mr Knud Erik Hansen (Peoples Socialist Party/SF): "What can the ministers say about the parliamentary control of ECHELON and other surveillance systems abroad and at home.. and what are Government intentions to strengthen parliamentary control?" The Minister of Defence, Mr Hans Haekkerup, said: "Neither the Ministry of Defence nor the military intelligence participates or contributes to ECHELON. But during the debate he repeated what he had already said to the parliament's Europe Committee in September: Denmark has established co-operation agreements with a number of countries leading to information being exchanged. The interception of communications by the military intelligence service is only related to Danish security interest abroad. But he also admitted that Denmark receives information's from foreign intelligence services and that he did not know if they had been intercepted according to legal guarantees for the individual. The debate ended with a majority of the parties -"the unified listening parties" as they were called during the debate - in parliament rejecting the proposal from Enhedslisten and SF. The Danish debate about ECHELON has now been going on for nearly three years and took off again when British journalist Duncan Campbell spoke at a meeting in Copenhagen in September about the report "Interception Capabilities 2000".
Sources: P8 - Senior Experts Group Recommendations: "To combat Transnational Organised Crime" (Paris, 12 April 1996); Summit Performance Assessments by Issue: G8 1998 Birmingham: Crime; Evaluation Report on Ireland on Mutual Legal Assistance and Urgent Requests, ref 9079/99, CRIMORG 70, 18.8.99; Protection of personal data in the Third Pillar of the European Union: Proposals on determining the remit of the Horizontal Working Party on Data Processing, ref 7718/99, JAI 36, 26.4.99; Draft Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union - data protection, from the German delegation, ref 11084/99, COPEN 37, 17.9.99; Select Committee on European Scrutiny, 31st report, 19.11.99.