Policing by design: the latest EU surveillance plan

Secret surveillance plan

The plan (pdf), first published by Netzpolitik and now also made public by the European Commission, was drafted by the “High-Level Group (HLG) on access to data for effective law enforcement,” which was convened following a proposal by the Swedish Presidency of the Council last spring.

The HLG was composed (pdf) of senior officials from member states and the Commission, representatives of EU justice and home affairs agencies, and the EU Counter-Terrorism Coordinator, and was chaired by the Council Presidency and the Commission.

Building upon previous proposals drafted by police and security officials from Europe and North America, the plan contains 42 separate recommendations, amongst which are calls for the re-introduction of mass telecommunications surveillance (“data retention”) and the undermining of encrypted communication systems.

Data retention

The paper calls for “a harmonised EU regime on data retention” that is “technology neutral and future-proof,” covers all types of telecommunications service providers, includes measures ensuring both retention of and access to data, and is “in full compliance with privacy and data protection rules.”

The EU’s previous data retention legislation was struck down by the Court of Justice in 2014, which found that the law allowed for “a wide-ranging and particularly serious interference” with the fundamental rights to privacy and data protection. The court has confirmed this interpretation in several cases about national data retention measures.

At the same time, the Court ruled that the legislation did not undermine the essence of those rights, and that retaining telecommunications data for criminal investigations “satisfies an objective of general interest” – the problem with the law was that it was seriously disproportionate.

The plans outlined by the HLG, however, would cover even more forms of communication than the previous legislation – the paper calls for retention of data from “service providers of any kind that could provide access to electronic evidence.”

This may raise questions about the proportionality of any future legislation based on the group’s proposals – not to mention the more fundamental objection raised by opponents of data retention that it automatically treats everyone as a potential suspect.

Encryption

Encrypted communications are also in the crosshairs of the HLG, which “agreed upon the need for law enforcement to have access to data en clair” and bemoans “the pace of technological developments related to encryption of information” that apparently make existing decryption technologies “ineffective”.

The document insists that “future technical solutions or tools that are developed must not result in the weakening or undermining of encryption technologies for the communication of other users that is not subject to the lawful access measure,” though makes no mention of the fact technical experts have repeatedly pointed out the impossibility of doing so.

Instead, the group is pinning its hopes on new technology being developed:

“…technological solutions can be implemented where they exist or should be developed to preserve privacy and data protection, guarantee cybersecurity, and enable the implementation of targeted lawful access measures at the same time.”

State-industry collaboration

To achieve these goals – along with many of the others outlined in the plan – the HLG proposes close coordination and collaboration between state authorities and private industry.

In particular, the plan calls for requirements to be placed on hardware and software developers for new devices and applications to allow “access by design” for law enforcement authorities, whether through legislation, memoranda of understanding, or through the participation of policing agencies in technical standardisation committees.

The plan also calls for legal obligations to be placed on telecoms service providers to cooperate with requests for access to data, and for penalties to be imposed where they fail to do so without good reason.

In this regard, the plan is an attempt by the state to coordinate and guide the activities of private companies so that their products meet the requirements of the police – a direction of travel that sits uneasily with the EU’s commitment to “an open market economy with free competition.”

What lies ahead?

So far no formal proposals have been published to carry forward the work of the High-Level Expert Group – although the majority of the recommendations would not require legislation to be enacted, and the plan refers to other means such as recommendations, “agreed common principles”, technical standards and “soft law” to reach its goals.

What exactly will become of the plan is likely to depend on the composition of the next European Commission, following the European Parliament elections, as well as the will of the member states in the Council.

Outgoing MEP Patrick Breyer from the German Pirate Party has suggested that “this secret wish list of EU governments stands an excellent chance of being hastily implemented by the next EU Commission under the auspices of ‘Big Sister’ von der Leyen, right after the European elections.”

If that is the case, then privacy advocates will have much to do to halt what Breyer’s colleague and Pirate Party lead candidate for the elections, Anja Hirschel, has called an “excessive leap directly into a fully monitored society.”

This article was first published here by Statewatch.