I have been interviewed in New York Review of Books for the article "The Swedish Kings of Cyberwar", to be published 19th January 2017. I found one map/illustration in the article very interesting, see below. It shows how the division of work and dynamics between Western intelligence services may change, i.e. Finnish intelligence services may gain influence at the expense of its Swedish counterparts.
Today I read the report to the European Parliament on mass surveillance. I have contributed research to the report and really appreciate that I was allowed to do so. I find the report very useful and want to congratulate the team that the drafted the report.
Much of the section on Sweden was based on my research and there is a need for two clarifications. This report compares United Kingdom, Germany France, the Netherlands and Sweden. I only contributed with research in the form of previous publications and I answered a questionnaire. I did not draft the section on Sweden and I did not receive or review any drafts of that section before it was made public.
Clarification 1: The history of the FRA and Swedish signals intelligence
1. The report states on p. 58 that "Since five years, there have been reports of FRA accessing data traffic crossing its borders".
The indicated source is "N. Nielsen (2013), ‘EU asks for answers on UK snooping programme’, EU Observer, 26 June 2013.
This may create the impression that the FRA has only conducted surveillance since 2008.
Clarification: In the SOU (Swedish Government Official Reports) 2009:66 Signalspaning för polisiära ändamål (signals intelligence for law enforcement purposes), p. 55 it is stated that the police started with signals intelligence 1939. The Defence Radio Establishment (FRA) was established 1942 (its predecessor already in 1937). Professor Agrell has found documents in the archives of the Swedish state that show that the Swedish Government in a secret decision in 1948 obligated Telegrafstyrelsen (government-owned corporation, public enterprise, responsible for telecommunications) to transfer all telegram destined or from foreign embassies to the FRA. This power was gradually expanded in secret until 1991 when the Government out of fear of a potential public disclosure cancelled these powers ending FRA's access to cable communications. FRA could still intercept communication radio, satellite and microwave relay link which during the 1990s was enough for the needs of FRA. All of this was secret but it all became public in when the Government introduced legislation which was under debate 2007/2008. One of main purposes of the law was to grant the FRA access to cable communications which was perceived as necessary because most international communication went from satellite to fibre-optics.To sunmarize, the FRA and its predecessor has been monitoring communication since the late 1930s.
Media sources
2. The reports states that on p. 58 "In 2008 the TV broadcaster SVT reported that the FRA was collecting/receiving data from the Baltic states and forwarding in bulk to the USA, based on the testimony of a FRA whistleblower."
The indicated source is M. Klamberg, (2010), ‘FRA and the European Convention on Human Rights’, Nordic Yearbook of Law and Information Technology, Bergen 2010, pp. 96-134.
The problem is the following, it was probably a whistle-blower who revealed the FRA-NSA cooperation but I don't know.
I write the following on p. 121: "A TV news broadcaster (SVT’s programme Rapport) disclosed in June 2008 that the FRA indiscriminately collects traffic data, including data relating to communication from or
to Swedish citizens. The data is stored in the traffic database (Titan) for 18 months. The source of the information was a FRA employee who also disclosed a confidential document from a Q&A session held within the FRA supporting the claims made (henceforth the FRA Q&A document). The document discusses the scope of the collection and storage in the terms of “all available communication” and “large amounts of information”. The source for this news piece in June 2008 was a FRA whistle-blower.
The same journalists at SVT (and other media outlets) revealed in late august 2008 that that the FRA was collecting/receiving data from the Baltic states and forwarding in bulk to the USA. They did not explain who was the source. It appears as the report conflates the two related, but still separate stories in June and August into one.
These are minor details concerning the history of the FRA and media sources which does not affect the reliability of the report.
Earlier this week I had a presentation on "Electronic surveillance and privacy - in light of the Snowden Affair" in Uppsala, September 16th, 2013. It was hosted by UF Uppsala (Association of international affairs). The presentation is in English.
A key question is whether FISA grants direct access to the servers of internet service providers. It is always difficult for legal scholars to analyse the law in foreign jurisdictions, in this case US law. I have for some time sought the provision in FISA which obligates communication service providers (CSPs) to grant NSA access to their fibre optic cables. In the Verizon court order disclosed by the Guardian there is a reference to 50 USC § 1861 but that provision concerns the production of tangible things such as records, but arguably not direct access to fibre optic cables or the entire network of a CSP. I believe that the relevant provision needs to be sought elsewhere in FISA.
In Sweden the relevant provision is to be found chapter 6 section 19(a) of the Electronic Communications Act (2003:389). It provides that the CSPs (such as TeliaSonera and Bahnhof) are under an obligation to transfer all cable communication crossing Swedish borders to certain “interaction points” (black boxes), which may include communication
where the sender or receiver is in Sweden. See also section 4.3.1 in this article.
I thing that I have now found the relevant provision in FISA. It is 50 USC § 1881a (see also section 702 of the FISA Amendments Act)
(h) Directives and judicial review of directives
(1) Authority
With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—
(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and
See also the subsections on challenges to directives.(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.
(4) Challenging of directives
(A) Authority to challenge
An electronic communication service provider receiving a directive issued pursuant to paragraph (1) may file a petition to modify or set aside such directive with the Foreign Intelligence Surveillance Court, which shall have jurisdiction to review such petition.
[...]
(5) Enforcement of directives
(A) Order to compel
If an electronic communication service provider fails to comply with a directive issued pursuant to paragraph (1), the Attorney General may file a petition for an order to compel the electronic communication service provider to comply with the directive with the Foreign Intelligence Surveillance Court, which shall have jurisdiction to review such petition.
(B) Assignment
The presiding judge of the Court shall assign a petition filed under subparagraph (A) to 1 of the judges serving in the pool established under section 1803 (e)(1) of this title not later than 24 hours after the filing of such petition.
(C) Procedures for review
I believe that the interpretation of the term "electronic communication service provider" is crucial. Should it be interpreted narrow to only include CSPs such as Verizon and ATT (comparable with TeliaSonera and Bahnhof) or a more broad interpretation that also includes other internet service providers such as Google, Facebook, Microsoft and Skype? From the reaction of the latter companies and US Government it appears as the provision is interpreted narrowly. If this is true, the US Government would make a great favour to it self and this debate if it made the relevant court orders (and interpretation of such orders) public. This is not only of interest to the American public, we have some Google, Facebook, Microsoft and Skype users in Sweden as well.A judge considering a petition filed under subparagraph (A) shall, not later than 30 days after being assigned such petition, issue an order requiring the electronic communication service provider to comply with the directive or any part of it, as issued or as modified, if the judge finds that the directive meets the requirements of this section and is otherwise lawful. The judge shall provide a written statement for the record of the reasons for a determination under this paragraph.
It sounds like the PRISM program is the way of implementing the statute [FISA Amendments Act of 2008], now codified at 50 U.S.C. 1881aIn other words, the PRISM program is legal.
The Guardian and the Washington Post have on Thursday disclosed two very interesting documents that reveal two separate, probably interrelated, surveillance programs run by the NSA. The first document is a court order that forces Verizon to hand over phone records of millions of US customers. The second document contains selected slides from a slide PowerPoint presentation on a previously undisclosed program called PRISM. I have commented upon the story in Sveriges Radio P1 Studio Ett.
Update Sunday, June 9th, 2013. If one listens to the interview with me from Friday at 04.38-6.10, you can hear that I find the information about Verizon reliable because it confirms what has been revealed before from other sources (see for example USA Today May 10th, 2006). The documents disclosed by the Guardian strengthens this story. I am more cautious in the interview in relation to the claim that the NSA through the PRISM program has direct access to the servers of internet service providers such as Google, Facebook, Microsoft and Skype because the documents (i.e. the PowerPoint presentation) is scant on the scope and mode of these operations.
It appears as I am not the only one who is cautious in relation to the original PRISM story. Ed Bott writes that the same day (Friday June 7th 2013) Washington Post changed key details in the PRISM story. After comparing the original and the edited versions of the Post's article, Bott's conclusion is that the Washington Post "leaked PowerPoint presentation from a single anonymous source and leaped to conclusions without supporting evidence". Barton Gellman, who co-wrote the Washington Post’s story, later told the Huffington Post that he “started to hear some footsteps [from the Guardian], so I had to move” and said he "would have been happier to have had a day or two” more to work on the PRISM story. In other words, the story was published prematurely. Gellman co-authored on Saturday a new article based with a different narrative on how it works:
According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations," rather than directly to company servers. ... According to slides describing the mechanics of the system, PRISM works as follows: NSA employees engage the system by typing queries from their desks. For queries involving stored communications, the queries pass first through the FBI’s electronic communications surveillance unit, which reviews the search terms to ensure there are no U.S. citizens named as targets.If this description is correct, the PRISM program is more targeted and narrow in scope compared to how it was described initially.
The book "Digital Democracy and the Impact of Technology on Governance and Politics: New Globalized Practices" has been published with my article "A Paradigm Shift in Swedish Electronic Surveillance Law", available in hardcopy as well as ondemand pdf download. Here is the abstract.
Electronic surveillance law is subject to a paradigm shift where traditional principles are reconsidered and the notion of privacy has to be reconstructed. This paradigm shift is the result of four major changes in our society with regard to: technology, perceptions of threats, interpretation of human rights and ownership over telecommunications. The above-mentioned changes have created a need to reform both the tools of electronic surveillance and domestic legislation. Surveillance that was previously kept secret with reference to National Security is now subject to public debate, including Communications Intelligence (COMINT), a sub-category of Signals Intelligence (SIGINT). This chapter covers systems of “mass surveillance,” such as data retention and COMINT, and whether these are consistent with the European Convention on Human Rights. The chapter comes to two conclusions in relation to COMINT. First, the perceived threats have changed, shifting the focus of COMINT from military threats towards non-state actors such as terrorists and criminal networks. Second, COMINT involves relatively narrow interception of the content of messages compared to its large-scale collection and storage of traffic data, which through further processing may reveal who is communicating with whom.The present text is an updated version of my contribution "FRA and the European Convention on Human Rights - A Paradigm Shift in Swedish Electronic Surveillance Law" published 2010 by the publisher Fagoforlaget, Bergen. The reason why I updated the original article is twofolded: 1) The publisher Fogforlaget did not print one table as it was submitted by my and 2) the original article was written 2008. During 2009 the legislation was amended (effective 1 December 2009) and thus there was a need to provide an updated assesment of the 2009 changes.
Thus, at the present time only the Government, the Government office, and the Defence Forces have the authority to request the FRA to conduct electronic surveillance. … The Government has commissioned a second inquiry to consider signals intelligence for law enforcement purposes. The inquiry has at the present date not yet presented a formal proposal, but it appears as only the Secret Service (SÄPO) and no other law enforcement agency will have the power to issue requests for signals intelligence operationsThe Government has since I submitted the article presented a proposal which been adopted as a law adopted effective 1 January 2013. The law now grants SÄPO and the regular police the power to issue requests for signals intelligence operations. Based on the position of the Government and the main opposition party (the Socialdemocrats) I believe that the legislation is stable as it is and no substantial changes are to be expected in the foreseeable future.
My article co-written with Elisabet Fura on electronic surveillance laws in Europe and the USA has been published as a contribution to the book Josep Casadevall, Egbert Myjer, Michael O’Boyle (editors), “Freedom of Expression – Essays in honour of Nicolas Bratza – President of the European Court of Human Rights”, Wolf Legal Publishers, Oisterwijk, 2012. You can read the article here.
The Register reports a case where the Eastern District Court of New York has made an interesting ruling. Before I comment upon the case it is worth going into the current law practice of US Courts. The following section on current U.S. Law has been written for an article not yet published.
Current Law
The Fourth Amendment of the US Constitution provides the following.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no Warrants shall issue but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.In comparison with article 8 of the European Convention on Human Rights (ECHR), the Fourth Amendment has neither any explicit requirement that interference must be in accordance with law nor any list which describes for which purposes interference may be legitimate. This does not mean that such matters are irrelevant. In Katz v. United States 389 U.S. 347 (1967), the Supreme Court ruled that the amendment covered a person’s “reasonable expectation of privacy”. However, there are great difficulties to know what makes an expectation of privacy constitutionally “reasonable”.
The Supreme Court in Katz, after all, drastically changed existing Fourth Amendment doctrine in concluding that the phone booth user had a reasonable expectation of privacy over the contents of his conversation. ... The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected. In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records. ... This court ... seeks to resolve the question before it: whether the request for at least 113 days of cumulative cell-site-location records for an individual's cell phone constitutes a search under the Fourth Amendment. (Sealed Appl. at I, 5.) The court concludes that it does. Consequently, the information sought by the Government may not be obtained without a warrant and the requisite showing of probable cause.The district court ruling departs from the Supreme Court ruling in Smith v. Maryland, because it extends the scope of the Fourth Amendment to non-content surveillance. The district briefly cites Smith v. Maryland on page 5.
While the government's monitoring of our thoughts may be the archetypical Orwellian intrusion, the government's surveillance of our movements over a considerable time period through new technologies, such as the collection of cell-site-location records, without the protections of the Fourth Amendment, puts our country far closer to Oceania than our Constitution permits.It remains to be seen if the order will stands or is reversed on appeal.
When the Tories and Liberal Democrats agreed to form a coalition they reach the following agreement 11 May 2010.
The parties agree to implement a full programme of measures to reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.Five months later The Telegraph reports that "Every email, phone call and website visit is to be recorded and stored after the Coalition Government revived controversial Big Brother snooping plans". I don't understand why they make promises after the election that are broken in just a couple of months. Didn't they know what they as Government wanted to do?
This will include
- Ending of storage of internet and email records without good reason.
Today I will have a seminar on the Master Programme in Law and Information Technology, Stockholm University. The participants are exchange students.
The topic is electronic surveillance of communications. The students have received three articles to read and four questions to consider.
You can participate by writing comments on this blog, either in English or Swedish.
Articles
1. Kerr, Orin S., “Applying the Fourth Amendment to the Internet: A General Approach”, Stanford Law Review, Forthcoming
2. Solove, Daniel J., "Reconstructing Electronic Surveillance Law", Geo. Wash. L. Rev., vol 72, 2003-2004, pp. 1264-1305
3. Klamberg, Mark "A Paradigm Shift in Electronic Surveillance Law", forthcoming in Nordic Yearbook of Law and Information Technology 2010 (Nordisk årsbok i rättsinformatik).
Questions
1. When does the interference with privacy occur in relation to systems of mass surveillance of electronic communication?
2. How does the American system differ from the legal regime under ECHR in its approach to the content/non-content distinction?
3. In the country you come from, do you have any regulations concerning signal intelligence/strategic monitoring/surveillance for intelligence purposes? If not, does your country still have a state agency similar to the NSA, GCHQ, BND and FRA?
4. Is it appropriate to involve courts in issues concerning the implementation of policies on national security?
PowerPoint presentation
You can find my slides for the seminar here or below through slideshare.
I have written an article in English on electronic surveillance law in Sweden. It will be published in the Nordic Yearbook of Law and Information Technology 2010 (Nordisk årsbok i rättsinformatik). You can read a draft of the article here. All comments are welcome in Swedish as well as in English.
Later this year I will have text published in the Nordic Yearbook on Law Informatics (Nordisk Årsbok i Rättsinformatik): "A Paradigm Shift in Electronic Surveillance Law".
I wrote a section about cryptanalysis but later came to the conclusion that the section should be excluded. Considering that the work is done I do not want it to be vasted. After participating in a discussion on Rick Falkvinge's blog which, inter alia, concerned cryptanalysis I decided to publish the section here. It is written for a law journal which explains why it is quite rudimentary. The purpose of this section was to explain why law enforcement and intelligence agencies focus more on traffic analysis and less on content analysis. My explanation is that there is a tendency that with increasing processing power of computers the efficiency between encryption and attacking a crypto (cryptanalysis) is growing, to the detriment of the later. Thus, traffic analysis is becoming more important.
All comments are welcome. Please have some understanding that I am lawyer and not a mathematician.
Encryption and Cryptanalysis
With increasing processing power of computers the efficiency between encryption and attacking a crypto (cryptanalysis) is growing, to the detriment of the later.1) I will use the example of the RSA algorithm to explain why there is such a tendency. The RSA is an algorithm used for public-key cryptography and it was invented by Ronald L. Rivest, Adi Shamir, and Leonard Adleman in 1977, the letters RSA are the initials of their surnames. The RSA cryptosystem is based on the use of prime numbers and factoring.2)
Prime numbers are numbers that are not evenly divisible by any smaller number, except 1, for example 2, 3, 5, 7, 11, and 13. A non-prime, or composite number, is the product of smaller primes, known as its prime factors. 391, for example is the product of the primes 17 and 23. A number is factored when all of its prime factors are identified. As the size of the composite number increases, the difficulty of factoring and cryptanalysis increases rapidly.3) I will explain why.
RSA involves a public key for encryption and a private key for decryption. The private key corresponds to the public key, because both are based on the same modulus, n, which in turn is based on prime numbers.4) In the example above n is 391. One method of cryptanalysis is for attacker to discover the private key corresponding to a given public key. This is done by factoring the public modulus, n, into its prime factors, in the example above 17 and 23. From the prime factors and the public key exponent e, the attacker can easily get the private key exponent d. The difficulty lies in factoring n. The encryptor can use larger prime factors increasing the difficulty to factor.5) As indicated above, increasing processing power of computers allows the use of larger prime factors which will increase the difference in efficiency between encryption and cryptanalysis, to the detriment of the later.
The resources needed to add a digit when encrypting is linear while the resources needed to attack such a crypto a crypto is exponential. See the chart below.6)
In a Swedish Government Inquiry on signal intelligence for law enforcement purposes (SOU 2009:66), the reporter Anders Eriksson described in his comparative analysis how the Communications Security Establishment Canada (CSE) can collect information through signal intelligence on behalf of the Royal Canadian Mounted Police (RCMP) and the Canadian Security Intelligence Service (CSIS). In a previous post on this blog a reader asked me to investigate if it was true that Canadian law enforcement agencies can ask the CSE to initiate signal intelligence operations. The reader thought that Anders Eriksson was wrong and claimed that I was not critical enough against Erikson's inquiry on this point.
Doing comparative law is always difficult and I had a problem to find the relevant provisions. When searching for the answer I have found the blog Lux Ex Umbra, a Canadian blog solely writing about signal intelligence.
The writer of the Lux Ex Umbra, Bill Robinson, posted a very interesting blog post yesterday on a court decision which confirmed that the CSE can collect information for the CSIS. The application to the Court was filed by the CSIS under section 12 and 21 of the Canadian Security Intelligence Service Act and not the CSE. Now, the CSIS is an intelligence agency and not a law enforcement agency. Many countries have a similar solution where the two functions are separated. In contrast, the Swedish Security Service (SÄPO) is an intelligence agency as well as a law enforcement agency. Would this mean that information collected by the CSE can not be used for law enforcement purposes? As I understand the CSIS shares intelligence with the RCMP, a federal law enforcement agency. I do not know if this case answers the question asked by the abovementioned reader, but it is close. Paragraphs 31-33 of the Court's decision is interesting in this regard. It states the following.
[31] CSE's mandate is set out in the National Defence Act, R.S.C. 1985, c. N-5 as amended by the Anti-Terrorism Act, S.C. 2001, c.41. Under paragraph 273.64(1)(a) of this statute, the agency is authorized to acquire and use information from the global information infrastructure (i.e. communications systems, information technology systems and networks) for the purpose of providing intelligence to the government of Canada. CSE is prohibited under paragraph 273.64(2)(a) from directing these activities at Canadian citizens and permanent residents wherever located ("Canadian persons") or at any person in Canada regardless of nationality.Thus, it is the CSIS and not the CSE that files the application and has the initiating power. Jim Bronskill of Canadian Press writes the following.
[32] The limitation respecting Canadian persons or persons in Canada do not apply to technical and operational assistance which CSE may provide to federal law enforcement and security agencies in the performance of their lawful duties... such assistance activities are subject to any limitations imposed by law on the federal agencies in the performance of their duties.
[33] In the context of the present application, therefore, CSE may only assist CSIS to intercept communications and obtain information if CSIS has a judicially authorized warrant under section 21 of the Act.
CSE is generally prohibited from spying on Canadians, but it can assist CSIS and police agencies acting under judicial warrants.Ths should the settle question posed by the abovementioned reader of this blog.
The applicant submits that the acts necessay to permit interception of communications and to obtain information [redacted], with the technical assistance of the CSE, will take place entirely in Canada. The communications wil be heard, or the information obtained [redacted] will be read only in Canada.For me, it is clear that this decision concerns signal intelligence of international communication crossing Canadians borders which are intercepted in Canada.
Martin Lederman of Georgetown Law and Orin Kerr of George Washington University Law discusses amendments on the FISA law in this video.
Orin Kerr is a leading scholar on Fourth Amendment jurisprudence in electronic communications and surveillance. Orin Kerr has argued that the NSA surveillance program acting without court warrants probably was constituational but in violation with FISA. In a European context it is difficult to understand how a law on surveillance can be in violation with a law, but still constitutional. Article 8 of the European Convention on Human Rights requires, inter alia, that restrictions in privacy have to be in accordance with law. The 4th amendment has a different standard, in Katz v. United States, 389 U.S. 347 (1967), the Supreme Court ruled that the amendment covered a person's "reasonable expectation of privacy".
Martin Lederman argues that the american legislation is obscure, and makes the joke that only 40-50 persons in the U.S. understands the legislation and at least 99 % of them work for the executive branch of Government. Reminds me of the situation in Sweden. Martin Lederman makes the assumption at 44.50 that the NSA computers records and retains the content of all conversations, which in my view, is a wrong assumption of how signal intelligence actually works.
Since the discussion was recorded, Martin Lederman left Georgetown Law and is working in the Obama administration.
There is a conference 23-24 September 2009 in Copenhagen where I will participate in a panel on "Privacy versus security: from conflict to alliance?" You may find my presentation here, abstract and the full programme here. On a similar topic, Bruce Schneier has written a piece on An Ethical Code for Intelligence Officers.
The presentation is also available as a PDF (Acrobat) or through Slideshare (below).
English: The video below and PowerPoint are in English.
Nedan har jag bifogat en presentation som jag höll den 1 november 2008 i Göteborg under rubriken "Surveillance by the National Defence Radio Establishment (FRA) and Data Mining". Jag presenterar här två begrepp som kan vara nya för den svenska FRA-debatten, mönsterbaserad igenkänning och subjektbaserad igenkänning.
Below is a translation of an article in the Swedish Daily Dagens Nyheter, September 3rd 2008
The FRA Law – Sleepwalking into a Surveillance Society
The Swedish Parliament passed controversial legislation last June, the so called FRA law. It seems that the MPs didn’t realise what they were voting for when they voted the FRA law in. The FRA law is one in a line of laws calling for mass surveillance of ordinary people. It gives the Swedish signal intelligence agency, FRA, (the National Defence Radio Establishment) the right to eavesdrop on all civilian Internet, telephone and fax traffic and keep tabs on the social networks of innocent citizens. This can be done by accessing various existing databases carrying information about a given person’s race, ethnic origin, political views, union membership, sexual habits, etc. In addition the FRA agency is entitled to transfer personal data to foreign powers. In this way FRA may get to know you better than you know yourself. Keeping under surveillance lots of innocent private individuals is unacceptable and contrary to the principles governing democratic societies. This is the view of thirteen researchers and experts in different areas of knowledge who have analysed the FRA law.
The digital revolution affects our lives in terms of privacy more than we think. We leave electronic ‘footprints’ whatever we do: paying by credit card, visiting website homepages, calling friends on the phone or sending them an e-mail. Imagine that someone decides to collect all this information and assemble it in a massive database. Using the right tools they will be able to identify your lifestyle patterns and gain insight into your personality.
These recurring personality patterns can be graphically illustrated by means of a sociogram.
A sociogram is a graphic representation of the relationships between persons, organisations, homepages, etc., with a view to determining personal social networks, position of power, views and beliefs and other personal information.
The actual message is less important than the information about the sender, recipient, the time of transaction, and means of communication. If the personal sociogram is known, it is possible to establish the person’s contact relationships, which is often all that is needed.
Two questions have been left unanswered by the FRA-law debate. The first question is: How will FRA be able to access information when an increasing number of users choose to encrypt their messages? This is especially relevant, as there has been a tendency for encryption techniques to develop at a faster rate than decryption techniques. FRA has stated that this should not pose an insurmountable problem, since the message content need not be examined in order to determine whether a given communication merits further examination.
The second question is: What will happen to all this incoming electronic traffic once it has been re-routed and fed into the FRA agency? The answer is that it will be examined and analysed by means of social network analysis techniques such as, for example, sociographic representations.
Different individuals can be linked to different sociograms: we have different everyday experiences, social relations, interests, views and beliefs, all of which is reflected in our electronic communication contacts. Sociograms have applications in a plethora of areas. With the help of a powerful computer and appropriate analytical tools we might thus be able to build up a profile of and identify a typical benefit scrounger, a refugee in hiding, a data hacker, a homosexual couple, or a political activist, to give just a few examples. If we also monitor cross-border traffic we will be able to – at least theoretically - build sociograms identifying currency speculators, or foreign political and military leaders. The objectives of the FRA law scheme in which surveillance of the civilian population can take place comport well with this type of analysis.
Adoption of the new legislation giving officials sweeping powers to access all electronic information has been justified by combating external threats, including phenomena such as international terrorism, hostile foreign state behaviour towards Sweden, IT dependence, economic crises, environmental threats, ethnic and religious conflicts, vast refugee flows and illegal immigration, as well as currency and interest rate speculation.
The idea underlying the FRA law has been that on massive data we will be able to identify ‘deviants’ by means of the ‘electronic footprint’ that they leave behind. This is also the reason why FRA supporters claim that even the most complicated of ciphers does not pose an insurmountable problem, since the content of a message does not have to be examined in order to determine whether the message should be further investigated.
It is a well-known fact, however, that best results are obtained from monitoring a public who is unaware of being watched, or those who cannot protect themselves against it. We are of the opinion that the claim that one will be able to stop future terrorist plots is highly exaggerated. This view finds support in the MI5 report appearing in the Guardian on 21 August 2008, which challenges views on terrorism in Britain. The single most important conclusion of the report is that those who become terrorists ‘are a diverse collection of individuals, fitting no single demographic profile, nor do they follow a typical pathway to violent extremism’. We would like to further suggest that whereas a terrorist will know how to conceal his or her dark intentions, an unsuspecting, innocent citizen will remain unprotected, and may be put at risk if personal information falls into the wrong hands.
On 16 June 2008 Sweden’s largest news programme Rapport revealed that FRA had been storing traffic communications data in their large database named Titan for ten years.
Are there any indications that the electronic surveillance legislation passed by Swedish Parliament on 18 June allows introduction of such a scheme? If we compare the newly enacted legislation with the pre-existing legislation concerning FRA, we must give an affirmative reply.
Government Bill No. 2006/07:63, page 86, indicates that ‘data reduction is necessary. This means that the greater part of the intercepted signals will be sifted through and discarded.’ In other words FRA will not store the original messages but only traffic analysis results. Storing analysis results requires very little in terms of computer memory, which is why practically unlimited amount of this type of data can be stored.
From Section 3 of the Ordinance concerning the Processing of Personal Data by the National Defence Radio Establishment (2007:261) we can draw the conclusion that a sociogram is the end product of traffic analysis in which patterns are drawn from the information flow among a set of senders and receivers. The analytical results are stored in a special database. Similarly to other ordinances the latter Ordinance has been adopted by the Government, and did not have to undergo the standard legislative procedure.
There has been no public commentary by the Government as regards the above Ordinance in the context of the current debate. This is why we strongly suspect that the average MP has not been informed about the existence of these databases or the use of sociogram data. We could not find the term ‘sociogram’ in any of the preparatory materials, but we assume that it is equivalent to something called ‘traffic patterns’ in Bill No. 2006/07:46, p. 29.
This form of traffic data analysis constitutes a violation of personal integrity, which is just as bad as the violation of post and telecommunications secrecy when all cable communications become accessible to FRA, pursuant to Chapter 6, section 19 a of the Electronic Communications Act (2003:389).
Those who support the FRA law have been trying to tone down the criticism and charges of violation of personal integrity, claiming that processing of data is not carried out by individuals. For us it is the very efficacy of automatic data processing, in which seemingly harmless data can be transformed with the help of statistics into a powerful instrument that will give the state a direct line into our lives, which is so horrifying.
The FRA agency can always validate their activities in relation to the Personal Data Act by reference to a special act containing provisions referring to personal data processing. According to this act (Act on Personal Data Processing by the National Radio Defence Establishment in its Signals Intelligence Analysis and Development Activities (2007:256)) searches based on what is known about a person’ race or ethnic origin, political opinions, religious beliefs or philosophical convictions, trade union membership, health or sex life are permissible if certain conditions are satisfied. Chapter 1 section 17 of the above-mentioned Act provides that personal data collected by the FRA agency ‘may be transferred to a third country’.
With the help of social network analysis the FRA agency may get to know a given person better than that person knows himself/herself, for example, as regards habits of which the habituee is quite unaware. The big problem is that data of this kind must be collected over a long period of time, and that we cannot know beforehand who will satisfy the deviance criterion linked to an external hazard. This is why the FRA agency has to store sociograms of a great number of people, which means keeping close tabs on practically everybody, whether they are innocent or not.
The Act contains provisions concerning destruction of records, but at the same time Chapter 6, section 1 of the Act contains an opt-out provision permitting retention of records for historical, statistical or scientific purposes.
In the end FRA agency’s eavesdropping on civilian communications means keeping tabs on innocent, law-abiding citizens.
The FRA law is a slap in the face of democracy and must be repealed. We are not against signals intelligence as such, when applied to purely military communications systems, i.e. communication between warships, fighter aircraft, tanks or infantry. Neither have we any objection to wiretapping phones of persons suspected of terrorist or criminal activities in accordance with the provisions of the Code of Judicial Procedure and following a relevant court decision. But engaging in mass surveillance of innocent people is another thing and it is quite unacceptable. We must ask again: did the MPs really know what they were doing when they voted in favour of the Bill last June?
MARK KLAMBERG, DOCTORAL STUDENT, DEPARTMENT OF LAW, STOCKHOLM UNIVERSITY;
MIKAEL NILSSON, DOCTORAL STUDENT IN INFORMATICS, ROYAL INSTITUTE OF TECHNOLOGY;
ANNA PETERSSON, DOCTORAL STUDENT, DEPARTMENT OF MATHEMATICS, UPPSALA UNIVERSITY;
PETER SEIPEL, PROFESSOR EMERITUS OF LAW AND INFORMATION TECHNOLOGY AT STOCKHOLM UNIVERSITY;
JANNE FLYGHED, PROFESSOR OF CRIMINOLOGY, STOCKHOLM UNIVERSITY;
CECILIA MAGNUSSON SJÖBERG, PROFESSOR OF LAW AND INFORMATION TECHNOLOGY, STOCKHOLM UNIVERSITY,
JUSSI KARLGREN, ASSOCIATE PROFESSOR OF LANGUAGE TECHNOLOGY, SWEDISH INSTITUTE OF COMPUTER SCIENCE;
MARKUS BYLUND, COMPUTER AND SYSTEMS SCIENCE, AREA OF SPECIALISATION: PERSONAL INTEGRITY, SWEDISH INSTITUTE OF COMPUTER SCIENCE;
KARL PALMÅS, MSC IN ENGINEERING AND PH.D. IN SOCIOLOGY, THE SCHOOL OF BUSINESS, ECONOMICS AND LAW GÖTEBORG UNIVERSITY;
PÄR STRÖM, MS.C. IN ENGINEERING AND WRITER, PRIVACY OMBUDSMAN AT THE NEW WELFARE FOUNDATION – A CIVIL LIBERTIES THINK TANK;
DANIEL THORBURN, PROFESSOR OF STATISTICS, STOCKHOLM UNIVERSITY;
JOHAN WESTERHOLM, FORMER NAVAL OFFICER, RESERVE MILITARY INTELLIGENCE SERVICE OFFICER AND GREYCAT ADVISOR.
Translator: Teresa Bjelkhagen
Below you will find a documentary in English about the FRA where I am interviewed (at 7.40, 11.40, 17.55). Urban Lifestyle has produced "Wiretapping Sweden".
