lördag, oktober 25, 2008

The FRA Law – Sleepwalking into a Surveillance Society

Below is a translation of an article in the Swedish Daily Dagens Nyheter, September 3rd 2008

The FRA Law – Sleepwalking into a Surveillance Society

The Swedish Parliament passed controversial legislation last June, the so called FRA law. It seems that the MPs didn’t realise what they were voting for when they voted the FRA law in. The FRA law is one in a line of laws calling for mass surveillance of ordinary people. It gives the Swedish signal intelligence agency, FRA, (the National Defence Radio Establishment) the right to eavesdrop on all civilian Internet, telephone and fax traffic and keep tabs on the social networks of innocent citizens. This can be done by accessing various existing databases carrying information about a given person’s race, ethnic origin, political views, union membership, sexual habits, etc. In addition the FRA agency is entitled to transfer personal data to foreign powers. In this way FRA may get to know you better than you know yourself. Keeping under surveillance lots of innocent private individuals is unacceptable and contrary to the principles governing democratic societies. This is the view of thirteen researchers and experts in different areas of knowledge who have analysed the FRA law.

The digital revolution affects our lives in terms of privacy more than we think. We leave electronic ‘footprints’ whatever we do: paying by credit card, visiting website homepages, calling friends on the phone or sending them an e-mail. Imagine that someone decides to collect all this information and assemble it in a massive database. Using the right tools they will be able to identify your lifestyle patterns and gain insight into your personality.

These recurring personality patterns can be graphically illustrated by means of a sociogram.
A sociogram is a graphic representation of the relationships between persons, organisations, homepages, etc., with a view to determining personal social networks, position of power, views and beliefs and other personal information.

The actual message is less important than the information about the sender, recipient, the time of transaction, and means of communication. If the personal sociogram is known, it is possible to establish the person’s contact relationships, which is often all that is needed.

Two questions have been left unanswered by the FRA-law debate. The first question is: How will FRA be able to access information when an increasing number of users choose to encrypt their messages? This is especially relevant, as there has been a tendency for encryption techniques to develop at a faster rate than decryption techniques. FRA has stated that this should not pose an insurmountable problem, since the message content need not be examined in order to determine whether a given communication merits further examination.

The second question is: What will happen to all this incoming electronic traffic once it has been re-routed and fed into the FRA agency? The answer is that it will be examined and analysed by means of social network analysis techniques such as, for example, sociographic representations.

Different individuals can be linked to different sociograms: we have different everyday experiences, social relations, interests, views and beliefs, all of which is reflected in our electronic communication contacts. Sociograms have applications in a plethora of areas. With the help of a powerful computer and appropriate analytical tools we might thus be able to build up a profile of and identify a typical benefit scrounger, a refugee in hiding, a data hacker, a homosexual couple, or a political activist, to give just a few examples. If we also monitor cross-border traffic we will be able to – at least theoretically - build sociograms identifying currency speculators, or foreign political and military leaders. The objectives of the FRA law scheme in which surveillance of the civilian population can take place comport well with this type of analysis.

Adoption of the new legislation giving officials sweeping powers to access all electronic information has been justified by combating external threats, including phenomena such as international terrorism, hostile foreign state behaviour towards Sweden, IT dependence, economic crises, environmental threats, ethnic and religious conflicts, vast refugee flows and illegal immigration, as well as currency and interest rate speculation.

The idea underlying the FRA law has been that on massive data we will be able to identify ‘deviants’ by means of the ‘electronic footprint’ that they leave behind. This is also the reason why FRA supporters claim that even the most complicated of ciphers does not pose an insurmountable problem, since the content of a message does not have to be examined in order to determine whether the message should be further investigated.

It is a well-known fact, however, that best results are obtained from monitoring a public who is unaware of being watched, or those who cannot protect themselves against it. We are of the opinion that the claim that one will be able to stop future terrorist plots is highly exaggerated. This view finds support in the MI5 report appearing in the Guardian on 21 August 2008, which challenges views on terrorism in Britain. The single most important conclusion of the report is that those who become terrorists ‘are a diverse collection of individuals, fitting no single demographic profile, nor do they follow a typical pathway to violent extremism’. We would like to further suggest that whereas a terrorist will know how to conceal his or her dark intentions, an unsuspecting, innocent citizen will remain unprotected, and may be put at risk if personal information falls into the wrong hands.

On 16 June 2008 Sweden’s largest news programme Rapport revealed that FRA had been storing traffic communications data in their large database named Titan for ten years.

Are there any indications that the electronic surveillance legislation passed by Swedish Parliament on 18 June allows introduction of such a scheme? If we compare the newly enacted legislation with the pre-existing legislation concerning FRA, we must give an affirmative reply.

Government Bill No. 2006/07:63, page 86, indicates that ‘data reduction is necessary. This means that the greater part of the intercepted signals will be sifted through and discarded.’ In other words FRA will not store the original messages but only traffic analysis results. Storing analysis results requires very little in terms of computer memory, which is why practically unlimited amount of this type of data can be stored.

From Section 3 of the Ordinance concerning the Processing of Personal Data by the National Defence Radio Establishment (2007:261) we can draw the conclusion that a sociogram is the end product of traffic analysis in which patterns are drawn from the information flow among a set of senders and receivers. The analytical results are stored in a special database. Similarly to other ordinances the latter Ordinance has been adopted by the Government, and did not have to undergo the standard legislative procedure.

There has been no public commentary by the Government as regards the above Ordinance in the context of the current debate. This is why we strongly suspect that the average MP has not been informed about the existence of these databases or the use of sociogram data. We could not find the term ‘sociogram’ in any of the preparatory materials, but we assume that it is equivalent to something called ‘traffic patterns’ in Bill No. 2006/07:46, p. 29.

This form of traffic data analysis constitutes a violation of personal integrity, which is just as bad as the violation of post and telecommunications secrecy when all cable communications become accessible to FRA, pursuant to Chapter 6, section 19 a of the Electronic Communications Act (2003:389).

Those who support the FRA law have been trying to tone down the criticism and charges of violation of personal integrity, claiming that processing of data is not carried out by individuals. For us it is the very efficacy of automatic data processing, in which seemingly harmless data can be transformed with the help of statistics into a powerful instrument that will give the state a direct line into our lives, which is so horrifying.

The FRA agency can always validate their activities in relation to the Personal Data Act by reference to a special act containing provisions referring to personal data processing. According to this act (Act on Personal Data Processing by the National Radio Defence Establishment in its Signals Intelligence Analysis and Development Activities (2007:256)) searches based on what is known about a person’ race or ethnic origin, political opinions, religious beliefs or philosophical convictions, trade union membership, health or sex life are permissible if certain conditions are satisfied. Chapter 1 section 17 of the above-mentioned Act provides that personal data collected by the FRA agency ‘may be transferred to a third country’.

With the help of social network analysis the FRA agency may get to know a given person better than that person knows himself/herself, for example, as regards habits of which the habituee is quite unaware. The big problem is that data of this kind must be collected over a long period of time, and that we cannot know beforehand who will satisfy the deviance criterion linked to an external hazard. This is why the FRA agency has to store sociograms of a great number of people, which means keeping close tabs on practically everybody, whether they are innocent or not.

The Act contains provisions concerning destruction of records, but at the same time Chapter 6, section 1 of the Act contains an opt-out provision permitting retention of records for historical, statistical or scientific purposes.

In the end FRA agency’s eavesdropping on civilian communications means keeping tabs on innocent, law-abiding citizens.

The FRA law is a slap in the face of democracy and must be repealed. We are not against signals intelligence as such, when applied to purely military communications systems, i.e. communication between warships, fighter aircraft, tanks or infantry. Neither have we any objection to wiretapping phones of persons suspected of terrorist or criminal activities in accordance with the provisions of the Code of Judicial Procedure and following a relevant court decision. But engaging in mass surveillance of innocent people is another thing and it is quite unacceptable. We must ask again: did the MPs really know what they were doing when they voted in favour of the Bill last June?

MARK KLAMBERG, DOCTORAL STUDENT, DEPARTMENT OF LAW, STOCKHOLM UNIVERSITY;

MIKAEL NILSSON, DOCTORAL STUDENT IN INFORMATICS, ROYAL INSTITUTE OF TECHNOLOGY;

ANNA PETERSSON, DOCTORAL STUDENT, DEPARTMENT OF MATHEMATICS, UPPSALA UNIVERSITY;

PETER SEIPEL, PROFESSOR EMERITUS OF LAW AND INFORMATION TECHNOLOGY AT STOCKHOLM UNIVERSITY;

JANNE FLYGHED, PROFESSOR OF CRIMINOLOGY, STOCKHOLM UNIVERSITY;

CECILIA MAGNUSSON SJÖBERG, PROFESSOR OF LAW AND INFORMATION TECHNOLOGY, STOCKHOLM UNIVERSITY,

JUSSI KARLGREN, ASSOCIATE PROFESSOR OF LANGUAGE TECHNOLOGY, SWEDISH INSTITUTE OF COMPUTER SCIENCE;

MARKUS BYLUND, COMPUTER AND SYSTEMS SCIENCE, AREA OF SPECIALISATION: PERSONAL INTEGRITY, SWEDISH INSTITUTE OF COMPUTER SCIENCE;

KARL PALMÅS, MSC IN ENGINEERING AND PH.D. IN SOCIOLOGY, THE SCHOOL OF BUSINESS, ECONOMICS AND LAW GÖTEBORG UNIVERSITY;

PÄR STRÖM, MS.C. IN ENGINEERING AND WRITER, PRIVACY OMBUDSMAN AT THE NEW WELFARE FOUNDATION – A CIVIL LIBERTIES THINK TANK;

DANIEL THORBURN, PROFESSOR OF STATISTICS, STOCKHOLM UNIVERSITY;

JOHAN WESTERHOLM, FORMER NAVAL OFFICER, RESERVE MILITARY INTELLIGENCE SERVICE OFFICER AND GREYCAT ADVISOR.

Translator: Teresa Bjelkhagen

2 kommentarer:

ChrisK sa...

Mycket lyckat. Jag postade på panspectrocism.org även.

Mark Klamberg sa...

Tack Christopher!
EDRI kommer att publicera i sitt nyhetsbrev som når intressenter i hela Europa i början av november.