Danish anti-terror proposal expands surveillance
On 19 February 2015, the Danish government presented a 12-point plan for new anti-terror initiatives in response to the Charlie Hebdo attack in Paris and the shooting incident in Copenhagen on 14 February. This will become the third major anti-terror package since 2001 to be presented to the Danish Parliament.
The focus of the plan is on surveillance measures in Denmark and abroad through increased budgets, new IT-systems, and new powers for the intelligence services, the Danish Defence Intelligence Services (DDIS) and the Danish Security and Intelligence Service (PET), which is part of the Danish police.
The most controversial element is targeted surveillance and eavesdropping of communications of Danish citizens abroad. This will be done by DDIS without a court order. The head of DDIS will decide whether a Danish citizens can be targeted for surveillance. It is currently not clear whether an unspecified group, for example Danish citizens in Syria, can be targeted in this way. Statements in an interview given by the Danish Minister of Defence support the conjecture that this would indeed be possible.
Since 2006, DDIS can collect, analyse and retain information about Danish citizens if that information is discovered “by chance” in an operation directed against activities in a foreign country. This includes signal intelligence and mass collection of electronic communication, for example by tapping fibre-optic cables. Until it is analysed, the mass collection is referred to as “raw data”. DDIS is allowed to exchange this information with intelligence services in other countries, including raw data that may contain information about unknown Danish citizens. Information about Danish citizens, which DDIS has discovered “by chance”, can be shared freely with PET, and PET may use the information in criminal investigations and prosecutions.
Under the current rules (from 2006), DDIS is required to inform a supervisory committee if DDIS wants to retain information about a Danish citizen for more than six months. The number of cases in which DDIS retains information is kept secret. According to the annual report from the supervisory committee, it is only known that this number is increasing.
The report also says that roughly half of the information comes from DDIS’ own collection (mass surveillance), the other half from information sharing with other intelligence services. The information about Danish citizens mainly relates to terrorism, but computer hacking and organised crime are also mentioned in the annual report.
Because of the requirement that information has to be obtained “by chance”, DDIS cannot do targeted surveillance against Danish citizens. The new proposal, however, would allow DDIS to initiate targeted surveillance of Danish citizens outside Denmark as its own operation, and a court order would not be required for this. It is unclear how DDIS will do this in practice and it remains to be seen whether DDIS will be subjected to any real legal restrictions on the targeted surveillance of Danish citizens outside Denmark.
The new DDIS surveillance powers have been heavily criticised by legal experts in Denmark. A legal analysis from the Danish think tank Justitia concluded that the targeted surveillance powers of DDIS would exceed those of the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) as the NSA is required to obtain a court order in order to target a United States citizen.
On 8 March 2015, the Danish newspaper Politiken reported that DDIS has been seeking extended powers for targeted surveillance without a court order for several years, but until recently the Ministry of Justice opposed the idea.
A strong guard against terror, The Danish Government (in Danish only, 19.02.2015)
Justitia Analysis: DDIS surveillance of Danes abroad without a court order (in Danish only, 26.02.2015)
Danish intelligence to get more power than NSA, The Local (25.02.2015)
Greater powers for the spies in the Danish defence, Politiken (in Danish only, 08.03.2015)
(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)