Legislation - ICL Database & Commentary


Electronic Surveillance of
Communications
- Master Programme in Law and Information Technology
- Course C 2010. Development and Management of Information
Systems in a Legal Perspective
- Course C, block 5. Identification and Control technologies
Mark Klamberg, doctoral candidate
Outline
Background
1. Changes in Our Society
2. Why legislation
3. How does it work?
– Traffic analysis and social network analysis
– Data mining
– Impact on society: From Panopticon to Panspectron?
Discussion
5. Academic discourse (Solove v. Kerr)
6. Constitutional Protection and the ECHR
7. How does it work at home?
8. The involvement of Courts
Legislation
9. Defining content and traffic data
10. Four fields of legislation
11. EU Data Retention Directive
12. Signal Intelligence
New types of legislation concerning
electronic surveillance of communications
1. Data retention of traffic data
2. Signal intelligence (strategic monitoring)
Changes in Our Society
Technological change
Until the end of the 1990s satellites were the main
medium for international communication. Now it is
fiber optics in cables controlled by private companies.
Shift in Threats Relevant for National Security
The perceived threat from the Soviet Union has been replaced
with vague threats such as terrorism, international criminality,
migration, environmental threats and financial imbalances
New Legal Demands
The European Convention on Human Rights requires that
interferences with private and family life have a legal basis
(Article 8)
Privatization
Telecom operators were previously state-owned and controlled.
Now they are private companies whose priority is to safeguard the
interests of their customers, not the interests of the state
Signal Intelligence
- why legislation?
Considering the changes in the 1990s:
The technological change and privatization create a need to
adopt legislation or other binding measures that oblige the
private operators to surrender communication to the State. This
makes the existence of previously top secret surveillance public
knowledge
The shift in perceived threats creates a need to expand the
mandate or codify an already expanded mandate of signal
intelligence organizations
The public knowledge about this surveillance and new legal
demands create a need for legislation protecting privacy
Data retention
- why legislation?
Communication providers have stored traffic data (who is phoning
who and when) about the phone calls of their customers for billing
purposes. Law enforcement agencies have used such data in order
to detect, prevent and investigate crime
Nowadays, consumers are turning to flat-rate subscriptions and
voice over IP-services (for example Skype). Thus, there is no need
to retain traffic data for billing purposes.
Law enforcement agencies still want/need traffic data.
Traffic analysis and social
network analysis
We humans leave electronic footprints after us, in the form of
credit card payments, visits to websites, records of phone calls
and e-mail (communication data). Imagine that somebody could
collect everything and process it through a powerful computer.
With the right tools one could find patterns that in detail describe
what groups and networks you belong to. Such techniques are
referred to as traffic analysis and social network analysis
With traffic analysis
social networks may be identified
A communication pattern can depict relations between individuals,
organisations, websites, etc., with the purpose of charting the social networks,
position of power, views and other personal data about an individual.
Individual
The actual message is less important than
the information about the sender, recipient,
the time of transaction, and means of
communication. Knowledge about the
communication pattern and thus
the social network of a person is often enough
U.S. National Research Council, report October 2008
“Protecting Individual Privacy in the Struggle Against Terrorists: A
Framework for Program Assessment”
Two general types of data mining techniques
1. Subject-based data mining
2. Pattern-based data mining
U.S. National Research Council
Subject-based data mining
Subject-based data mining uses an initiating individual or
other datum that is considered, based on other information,
to be of high interest, and the goal is to determine what other
persons or financial transactions or movements, etc., are
related to that initiating datum.
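Added example (not part of the original slides): a minimal sketch of subject-based expansion over traffic data alone, showing how much the "to", "from", time and duration fields reveal without any message content. The records, party names and the functions contact_graph and related_to are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed traffic-data records: (from, to, time, duration in seconds).
# No message content is present anywhere in this data set.
RECORDS = [
    ("A", "B", "2010-03-01T09:00", 120),
    ("A", "B", "2010-03-02T09:05", 300),
    ("B", "C", "2010-03-02T10:00", 60),
    ("C", "D", "2010-03-03T18:30", 45),
    ("E", "F", "2010-03-03T19:00", 600),
    ("D", "A", "2010-03-04T08:15", 30),
    ("C", "G", "2010-03-05T12:00", 90),
]

def contact_graph(records):
    """Undirected graph: party -> {counterpart: number of contacts}."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst, _time, _duration in records:
        graph[src][dst] += 1
        graph[dst][src] += 1
    return graph

def related_to(records, seed, max_hops=2):
    """Subject-based expansion: parties within max_hops of the initiating datum."""
    graph = contact_graph(records)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue  # do not expand beyond the hop limit
        for neighbour in sorted(graph[node]):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    del hops[seed]
    return hops

if __name__ == "__main__":
    # Parties linked to "A" and their distance in the contact graph.
    for party, distance in sorted(related_to(RECORDS, "A").items()):
        print(party, distance)
```

The hop limit decides how many people with no direct contact to the initiating individual end up in the result, which is where the proportionality question raised later in the slides becomes concrete.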
U.S. National Research Council
Pattern-based data mining
Pattern-based data mining looks for patterns (including
anomalous data patterns) that might be associated
with terrorist activity—these patterns might be regarded as
small signals in a large ocean of noise.
U.S. National Research Council
When to use the two different techniques
In the case of the decentralized group, subject-based data
mining is likely to augment and enhance traditional police
investigations by making it possible to access larger volumes
of data more quickly. Furthermore, communications networks
can more easily be identified and mapped if one or a few
individuals in the network are known with high confidence.
By contrast, pattern-based data mining may be more useful
in finding the larger information footprint that characterizes
centrally organized terrorist groups.
U.S. National Research Council
Utility of pattern-based data mining
The utility of pattern-based data mining is found
primarily if not exclusively in its role in helping humans
make better decisions about how to
deploy scarce investigative resources, and action
(such as arrest, search, denial of rights) should never
be taken solely on the basis of a data mining result.
Automated terrorist identification through data mining
(or any other known methodology) is neither feasible
as an objective nor desirable as a goal of technology
development efforts.
U.S. National Research Council
Panopticon (Bentham)
Panspectron (Delanda)
“There are many differences between the
Panopticon and the Panspectron being
assembled at the NSA. Instead of positioning
some human bodies around a central
sensor, a multiplicity of sensors is deployed
around all bodies: its antenna farms, spy
satellites and cable-traffic intercepts feed into
its computers all the information that can be
gathered. This is then processed through a
series of “filters” or key-word watch lists. The
Panspectron does not merely select certain
bodies and certain (visual) data about them.
Rather, it compiles information about all at
the same time, using computers to select the
segments of data relevant to its surveillance
tasks.”
Discussion
Based on the material distributed, discuss for 15 minutes:
1. When does the interference with privacy occur in relation to systems of
mass surveillance of electronic communication?
2. How does the American system differ from the legal regime under
ECHR in its approach to the content/non-content distinction?
3. In the country you come from, do you have any regulations concerning
signal intelligence/strategic monitoring/surveillance for intelligence
purposes? If not, does your country still have a state agency similar to
the NSA, GCHQ, BND and FRA?
4. Is it appropriate to involve courts in issues concerning the
implementation of policies on national security?
Defining content and
traffic data
As opposed to the content of a message, traffic data is the information
used by the communication network to deliver the message to or from
the user.
In a telephone network, traffic data will reveal the number dialed (“to”),
the originating number (“from”), the time of the call, and its duration.
In the internet context, traffic data will similarly reveal the “to” and
“from” e-mail address, the instant message to and from account names,
and the other administrative information the computers generate in the
course of delivery
Compare with Orin Kerr: content and envelope information
Four fields of legislation
International communication
Domestic communication
N/A
Signal Intelligence
Act (2008:717)
1. Chapter 27 of the Code
of Judicial Procedure
1. Act on measures to prevent
certain serious crimes (2007:979)
2. Chapter 6 section 22(3) of
the Electronic Communications
Act (2003:389)
2. Chapter 6 section 22(3) of the
Electronic Communications Act
(2003:389)
3. Act on measures concerning
certain serious crimes (2008:854)
Preliminary
Investigation
Intelligence
EU Data Retention Directive
1. Data is retained for periods of not less than six months and not more
than two years from the date of the communication
2. The retained data answers the questions of who was communicating
with whom, when the communication occurred, where the
communicating parties were and what type of communication was used.
3. No content data may be retained for the purpose of the directive.
4. The access for national authorities to the data is to be regulated
through domestic law
Summary of the legislation
adopted 18 June 2008:
IT- and telecom operators are obligated to transfer all
communication in cables crossing Swedish borders to
nodes controlled by the State
The Defence Radio Establishment will intercept
communication and collect data at the nodes (signal
intelligence)
Similar organizations, laws
and programs
USA
Organization: National Security Agency (NSA)
Legislation: FISA
United Kingdom
Organization: Government Communications Headquarters (GCHQ)
Legislation: RIPA
Case: Liberty et al. v. The United Kingdom
Similar organizations,
laws and programs
France
Organization: Direction Générale de la Sécurité Extérieure (DGSE)
Germany
Organization: Bundesnachrichtendienst (BND)
Legislation: G 10-law (Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses)
Case: Weber and Saravia v. Germany
Denmark
Organization: Forsvarets Efterretningstjeneste (FE)
Legislation: 17 § forsvarsloven
Key Features of the Swedish law
and the operations of the
Defence Radio Establishment
1. Mandate for Surveillance by the Defence Radio Establishment
2. Clients
3. Review Mechanisms
4. Method – what is signal intelligence?
Traffic analysis and social network analysis
5. Scope of Surveillance
1. Mandate of the Defence
Radio Establishment
Mandate to monitor
1. external military threats,
2. factors relevant for peacekeeping operations,
3. international terrorism and international organized crime,
4. the development and proliferation of weapons of mass destruction and
arms control,
5. external threats against infrastructure (for example against information and
communication technology)
6. conflicts outside of Sweden that affect international peace and security and
7. counter-intelligence
8. international phenomena relevant for Swedish foreign-, security-, and
defence policy (Government and diplomatic correspondence?)
2. Clients (known)
1. The Government
2. The Government office
3. The Defence Forces
4. The Police, including the Security Service (SÄPO)
5. National Inspectorate of Strategic Products
6. Swedish Customs Service
7. Defence Materiel Administration Agency
8. Defence Research Agency
9. Civil Contingencies Agency
Excluded in
Autumn 2009
International partners exist, but it is unknown which they are.
Could include NSA, GCHQ, BND, DGSE and FE
3. Review Mechanisms
1. Defence Intelligence Court
• Reviews applications for surveillance missions in advance
• Professional judge and politically appointed lay-members
representing the majority and the opposition in Parliament
2. Defence Intelligence Committee
• Reviews, inter alia, the integrity and use of the databases held by
the Defence Radio Establishment
• Composed of a legal professional and politically appointed lay-members
representing the majority and the opposition in Parliament
• Reports to the Government
3. Internal oversight board inside the Defence Radio Establishment
4. Ombudsman who reports cases of misuse to the Parliamentary Ombudsman
(JO) or the Chancellor of Justice (JK) (proposal)
5. Extraordinary review to be presented 2011 by the Data Protection
Authority and a parliamentary committee
4. Method – what is
signal intelligence?
Information life cycle
1. Interception of messages and traffic data (meta data)
2. Processing
i) Traffic analysis of traffic data (who is communicating with whom)
ii) Cryptanalysis
iii) Analysis of the content of messages
3. Analysis with the use of other sources, for example Open Source Intelligence
(OSINT)
4. Report to client
5. Scope of Surveillance
1. Fairly small amounts of messages are intercepted and processed
Example from Germany, judgement of the First Senate of 14 July 1999, para. 89:
The capacity of the Federal Intelligence Service (BND) permits the screening
of approximately 15,000 acts of telecommunication per day out of a total of
approximately 8 million telecommunications contacts between Germany
and foreign countries. The material and personal resources of the Federal
Intelligence Service, however, are not sufficient to evaluate all contacts.
Approximately 700 fall under the area of application of the G 10 Act. Only
these acts are selected with the help of the search concepts.
About 70 of them are examined more closely by employees of the Federal
Intelligence Service.
2. Traffic data (meta data) relating to all or large amounts of communication is stored by the Defence Radio Establishment in a database (Titan)
Example from the USA: The NSA Call database contains 1,9 trillion records which
include the records of tens of millions of Americans
To consider…
Is this kind of data collection and surveillance…
• Consistent with the right to privacy? This is both a
human right and a constitutional right.
• Efficient?
• Proportional?
• Confident and reliable in the sense that it provides
accurate intelligence and not false alarms?
Questions?
Thanks!
Blog:
www.klamberg.se
E-mail:
[email protected]
Phone:
+46 8 16 11 90