EU: Welcome to the new world of the interception of telecommunications

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

  • Under the new forms of interception Member States simply authorise themselves
  • Italian government survey response: "it is probably possible that the telecommunications are in a way "deviated" to the requesting state without listening in Italy."
  • "the legal framework with respect to transnational searches of such devices is not well-developed." (EU-G6 Interior Ministers)

A survey by the Council of the European Union: Answers to the questionnaire on interception of telecommunications (pdf) in preparation for the European Investigation Order (EIO) sets out 4 methods of interception:

First, two traditional forms of surveillance/interception:

- Type 1:Ordinary interception of telecommunications without immediate transmission

- Type 2: Ordinary interception of telecommunications with immediate transmission

Second, the interception of satellite communications where there is a formal request/relationship between the requesting and requested EU Member State under Types 3a and 3b:

- Type 3: Interception of satellite telecommunications where there is a formal relationship though a request for mutual legal assistance (MLAS) between the requesting State and the State hosting the terrestrial station - as we shall see only a few Member States actually host a terrestrial station for satellite communications.

. Type 3a: the interception of telecommunications takes place in the State hosting the terrestrial station and the result is later forwarded to the requesting State. For example, the UK makes a request to Denmark (which hosts a terrestrial station for satellite communications) to intercept a target in Finland (which does not host such a station) and the latter is not informed that one of its citizens or a visitor is being surveilled.

. Type 3b: telecommunications are intercepted in the State hosting the terrestrial station but immediately transmitted to the requesting State. The example above equally applies here too.

But the third and fourth methods of interception are quite different. The "requesting state" simply authorises itself to intercept/surveil any communication anywhere in the EU.

. Type 3c: the interception of telecommunications takes place in the requesting State, which uses a remote control system to activate the transmission of telecommunications from the terrestrial station to one of its telecommunication service providers. For example, the UK uses remote control to access the terrestrial station for satellite communications in Italy to intercept the communications of a target in Spain. The authorities in Italy and Spain are aware this has happened.

- Type 4: Interception of telecommunications in cases where the requesting State does not need the technical assistance of the Member State where the target is located - this refers to "remote computer searches" (see below). For example, Spain sets up remote access to any computer anywhere in the EU to track and monitor targeted activity.

What does the survey tell us?

First, what is interesting about the questions is that all these types of surveillance are technically possible and used by some Member States (the more secretive forms of surveillance under Types 3c and 4 are used by a number of security services). Second, as far as Types 3c and 4 are concerned there is no need to involve the state where the target is located - as distinct from Types 1, 2, 3a and 3b where mutual legal assistance is invoked.

The Survey covers 15 Member States (the rest did not reply) of these only Denmark and Italy said they have a terrestrial station for satellite communications. Austria, Belgium, Czech Republic, Estonia, Finland, Latvia, Portugal, Sweden, and UK said they do not have terrestrial stations on their territory.

Very few of the responses provided any statistics, most claiming either that they were not collected or not held by the Interior Ministry. Belgium said there had been approximately 350 cases. Greece had 86 requests of which 18 were rejected. Finland had "about 300" over 5 years. Latvia two cases since July 2009. Portugal 6 requests. Sweden had 35 requests and sent about 100 itself to other states. And the UK had 24 requests, "six of these were successful". All are listed as traditional Type 1 requests.

Type 2 requests (with immediate transmission, "real-time" surveillance) are used by Austria "with a certain regularity". Bulgaria has one case and Denmark has two cases a year.

For Type 3 (all three categories) Austria says it does not use "remote control" nor do Belgium, Czech Republic, Denmark, Estonia, Sweden, Slovenia and surprisingly the UK: "The UK has not taken measures to make use of a "remote control" system" (but, of course, the UK is only answering for its law enforcement agencies, not Government Communication Headquarters, GCHQ).

As to Type 4 the Czech Republic admits to two requests from the Netherlands. While the UK gives a typically oblique reply: as a requesting state the number of times this has been opposed is: "Nil" and the number of times the UK has refused a request is: "Nil". In other words the UK does use "remote access".

Perhaps the most realistic answer comes from Italy which says that for Type 2 though it is technically possible to listen in Italy and to transmit the data to the requesting state:

"it is probably possible that the telecommunications are in a way "deviated" to the requesting state without listening in Italy."

A clear reference to Types 3c and 4.

A follow-up Council document to the Survey (Doc no: 14641/10, pdf) discusses its findings and concludes that:

"However, the possible introduction of all forms of interception within the scope of the Directive does not mean that provisions in this Directive on these issues should follow the structure found in the 2000 EU MLA Convention." (emphasis added)

In other words it would not be necessary to make a formal request under the 2000 Mutual Legal Assistance Convention where Member State X intercepts telecommunications in Member State Z. Accountability, and meaningful statistics, go out of the window.

What are "remote computer searches"?

Between July and November 2008 the EU Justice and Home Affairs Council worked on a set of Conclusions (policy-making) on cyber-crime which covered:

"the area of remote computer searches, which are a delicate issue because of their cross-border nature." (July 2008, emphasis added)

The adopted version, in November 2008, was more diplomatic covering:

"facilitating remote searches if provided for under national law, enabling investigation teams to have rapid access to information, with the agreement of the host country."

There is no mention of the “delicate issue” of “cross-border” searches, nor would anyone reading this adopted version (and not having seen the two earlier documents) necessarily realise that “remote searches” refers to “remote computer searches”.

This policy covers the interception Types 3a and 3b above which involve the state hosting the terrestrial station for satellite communications - but not Types 3c and 4. Technology has moved on under interception Types 3c and 4 but policy has not.

Remote access to computer hard drives came up at the G6 meeting in Bonn on 26-27 September 2008 [G6 is an intergovernmental group comprised of the Interior Ministers of the six largest states in the EU: UK, Spain, Italy, Germany, France and Poland]. At the Bonn meeting they were joined by the Secretary of Homeland Security from the USA. The Conclusions stated:

"The interior ministers note that almost all partner countries have or intend to have in the near future national laws allowing access to computer hard drives and other data storage devices located on their territory. However, the legal framework with respect to transnational searches of such devices is not well-developed. The interior ministers will therefore continue to seek ways to reduce difficulties and to speed up the process in future (para 13)." (emphasis added)

See Statewatch analysis: EU agrees rules for remote computer access by police forces – but fails, as usual, to mention – the security and intelligence agencies (pdf)

Tony Bunyan

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error