Privacy Law and Policy Reporter
This is the first of four articles surveying worldwide developments in surveillance, extracted from David Banisar, Privacy and Human Rights 2000, EPIC/PI 2000, the annual survey of privacy and surveillance practices. The full report is available online at <http://www.privacyinternational.org/survey/> and from the EPIC Bookstore at <http://www.epic.org/bookstore/>. Articles in following issues will deal with national security and ‘Echelon’, video surveillance, and workplace surveillance — General Editor.
Nearly every country in the world has established some form of eavesdropping capability over telephone, fax and telex communications. In most countries, these intercepts are initiated and authorised by law enforcement or intelligence agencies. However, wiretapping abuses have been revealed in most countries, sometimes occurring on a vast scale involving thousands of illegal taps. The abuses invariably affect anyone ‘of interest’ to a government. Targets include political opponents, student leaders and human rights workers.
Law enforcement agencies have traditionally worked closely with telecommunications companies — many until recently controlled by government telecommunications agencies — to formulate arrangements that would make phone systems ‘wiretap friendly’. These agreements range from allowing police physical access to telephone exchanges to installing equipment to automate the interception.
The US Government has led a worldwide effort to limit individual privacy and enhance the capability of its police and intelligence services to eavesdrop on personal conversations. The campaign has two strategies: the first is to promote laws that make it mandatory for all companies that develop digital telephone switches, cellular and satellite phones and other developing communication technologies to build in surveillance capabilities; and the second is to seek limits on the development and dissemination of products, both in hardware and software, that provide encryption, a technique that allows people to scramble their communications and files to prevent others from reading them.
At the same time, the US has been promoting greater use of electronic surveillance. Louis Freeh, director of the Federal Bureau of Investigation (FBI), has travelled extensively around the world promoting the use of wiretapping in recently free countries such as Hungary and the Czech Republic. The US pressured countries such as Japan into adopting their first ever laws allowing for wiretapping. The US has also been working through international groups such as the OECD, G-8 and the Council of Europe to promote surveillance.
In the early 1990s, US law enforcement agencies, led by the FBI, began demanding that all current and future telecommunications systems be designed to ensure that they would be able to conduct wiretaps. After several years of lobbying, the US Congress approved the Communications Assistance for Law Enforcement Act (CALEA) in 1994. The Act sets out legal requirements for telecommunications providers and equipment manufacturers on the surveillance capabilities that must be built into all telephone systems used in the US. However, due to lobbying by the computer industry, the internet was exempted from these requirements.
While the FBI was lobbying for CALEA in the US, it also began working with the Justice and Interior Ministers of the European Union (EU) on creating international technical standards for wiretapping. In 1993, the FBI began hosting meetings at its research facility in Quantico, Virginia, called the International Law Enforcement Telecommunications Seminar (ILETS). The meetings included representatives from Canada, Hong Kong, Australia and the EU. At these meetings, an international technical standard for surveillance, based on the FBI’s CALEA demands, was adopted as the ‘International Requirements for Interception’.
In January 1995, the Council of the European Union approved a secret resolution adopting the ILETS standards. The resolution was not formally debated and was not made public until late 1996. Following this, many countries adopted the resolution into their domestic laws without revealing the role of the FBI in developing the standard. Following the adoption, the EU and the US offered a Memorandum of Understanding for other countries to sign to commit to the standards. A number of countries, including Canada and Australia, immediately signed the MOU. Others were encouraged to adopt the standards to ensure trade. International standards organisations, including the International Telecommunications Union and the European Telecommunication Standard-isation Institute (ETSI), were then successfully approached to adopt the standards.
The ILETS group continued to meet. A number of committees were formed and developed a more detailed standard, extending the scope of the interception standards. The new standards were designed to apply to a wide range of communications technologies, including the internet and satellite communications. It also set more detailed criteria for surveillance across all technologies. The result was a 42 page document called ENFOPOL 98 (the EU designation for documents created by the EU Police Co-operation Working Group).
In 1998, the document became public and generated considerable criticism. The committees responded by removing most of the controversial details and putting them into a secret operations manual that has not been made publicly available. The new document, now called ENFOPOL 19, expanded the type of surveillance to include ‘IP address (electronic address assigned to a party connected to the internet), credit card number and email address’. In April 1999, the Council proposed the new draft council resolution to adopt the ENFOPOL 19 standards into law in the EU.
In May 1999, the European Parliament approved the ENFOPOL 19 resolution. However, the vote was criticised for being taken late on a Friday with only 20 percent of the delegates present, and was reversed by the Council of Ministers. The rejection has not stopped the ETSI from continuing their work on developing wiretapping standards.
Following closely on the success of forcing telecommunications equipment manufacturers and companies to build in surveillance capabilities, intelligence and law enforcement agencies have turned their attention to forcing internet service providers (ISPs) to facilitate surveillance of their users. A number of countries are demanding that ISPs install ‘black boxes’ on their systems that can monitor the traffic of their users.
The actual workings of these black boxes are unknown to the public. What little information which has been made public has revealed that many of the systems are based on ‘packet sniffers’ typically employed by computer network operators for security and maintenance purposes. These are specialised software programs running in a computer that is hooked into the network at a location where it can monitor traffic flowing in and out of systems. These sniffers can monitor the entire datastream, searching for key words, phrases or strings such as net addresses or email accounts. It can then record or retransmit for further review anything that fits its search criteria. In many of the systems, the boxes are connected to government agencies by high speed connections. The US FBI has developed a system called ‘Carnivore’ that places a PC running Windows NT at an ISP’s offices which can monitor all traffic about a user, including email and browsing. According to press reports, Carnivore ‘can scan millions of emails a second’ and ‘would give the Government, at least theoretically, the ability to eavesdrop on all customers’ digital communications, from email to online banking and web surfing’. In response to the public uproar over Carnivore, Attorney General Janet Reno announced that the technical specifications of the system would be disclosed to a ‘group of experts’ to allay public concerns. EPIC has filed suit demanding access to all relevant information, including the source code for the system.
In some countries, there have been laws or decrees enacted to require the systems to facilitate surveillance. Russia has been the leading country in this effort, but according to Russian computer experts, the US Government advised them on implementation. In 1998, the Russian Federal Security Service (FSB) issued a decree on the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require ISPs to install surveillance devices and high speed links to the FSB to allow the FSB direct access to the communications of internet users without a warrant. ISPs are required to pay for the costs of installing and maintaining the devices. When an ISP based in Volgograd challenged FSB’s demand to install the system, the local FSB and Ministry of Communication attempted to have its licence revoked. The agencies were forced to back off after the ISP challenged the decision in court. In a separate case, the Supreme Court ruled in May 2000 that SORM-2 was not a valid ministerial act because it failed several procedural requirements.
Following the Russian lead, in September 1999 Ukrainian President Leonid Kuchma proposed requiring that ISPs install surveillance devices on their systems based on the Russian SORM system. The rules and a subsequent Bill were attacked by the Parliament and withdrawn. However, in August 1999, the security service visited a number of the large ISPs who were reported to have installed the boxes.
In the Netherlands, a new Telecommunications Act was approved in December 1998 which requires that by August 2000 ISPs have the capability to intercept all traffic with a court order and maintain users logs for three months. The Bill was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. The Dutch Forensics Institute has developed a ‘black box’ that is used to intercept internet traffic at an ISP. The black box is under control of the ISP and is turned on after receiving a court order. The box is believed to look at authentication traffic of the person to wiretap and divert the person’s traffic to law enforcement if the person is online.
More recently, the UK Parliament approved the Regulation of Investigatory Powers Act in July 2000. It requires that ISPs provide a ‘reasonable interception capability’ in their networks. The intercepted traffic will be forwarded to a Government Technical Assistance Centre based in the headquarters of a branch of British Intelligence. While the legislation itself does not mention a black box, a government sponsored report raised the likelihood that they would be necessary.
Not satisfied with national efforts based on laws, governments have begun demanding that computer and networking companies build in these capabilities. In 1999, the FBI approached the Internet Engineering Task Force (IETF), an internet standards body, and asked that it facilitate net surveillance by designing communications protocols to enable surveillance. The initiative was strongly opposed. IETF held a meeting in November 1999 and found that the consensus was against the proposal. In April 2000, IETF came out with an official position opposing the recommendation.
A related effort for enhancing government control of the internet and promoting surveillance is also being conducted in the name of preventing ‘cyber-crime’, ‘information warfare’ or ‘protecting critical infrastructures’. Under these efforts, proposals to limit the online privacy of net users are being introduced as a way to prevent computer hackers from attacking systems.
The lead bodies internationally are the European Union, the Council of Europe and the G-8, a high level organisation made up of eight major industrialised countries. The US has been active behind the scenes in developing and promoting these efforts. After meeting secretly for years, the organisations recently made public proposals that would place restrictions on online privacy, anonymity and encryption in the name of preventing cyber-crime.
Since 1997, the Council of Europe’s Committee of Experts on Crime in Cyber-space (PC-CY) has been meeting and drafting an international treaty. In April 2000, the Council of Europe released the ‘Draft Convention on Cyber-crime’. According to the COE, the US was ‘very active’ in its development.
The draft treaty requires countries to pass laws on cyber-crime and agree to promote mutual assistance in enforcing laws and conducting investigations. Among the provisions, it requires that countries enact laws guaranteeing that users provide access to all files on a system under penalty of jail — including their encryption keys. It bans security tools that probe systems for known problems, and requires ISPs to keep detailed logs of their users for an undefined period of time, said to be somewhere between 40 days and a year. To make it more difficult politically to oppose, copyright and child porn provisions have also been included. After working on this for three years, the COE left blank in the public document two sections on interception of communications. It is expected that these sections will facilitate cross-border wiretaps and are likely to include the ILETS/ENFOPOL requirements.
The draft is expected to be completed by December 2000 and will be open for signature by the member countries by September 2001. The Convention is open to the 52 members of the Council of Europe and to countries that were involved in the development, which includes the US, Canada, Japan and South Africa. At the G-8 meeting in Paris in July 2000, the French Government recommended that the convention be opened to all countries.
The proposal has already been criticised by privacy experts on a number of grounds and by a group of prominent security experts for the limitations on security software. The EU’s Data Protection Working Group has expressed concern about efforts to require ISPs to preserve information for law enforcement purposes.
The G-8 has been meeting since 1996 on the issue. At the Birmingham, England meeting on 18 May 1998, the G-8 adopted a recommendation on 10 principles and a 10 point action plan on high tech crime. The ministers announced:
We call for close co-operation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies.
In July 2000, the G-8 met in Paris to discuss responses to cyber-crime.
The Council of Ministers of the EU reached a Common Position on the convention in May 1999. In July 2000, the Commission announced that it is planning a new directive for fighting cyber-crime.
David Banisar, Privacy International.