Danish government plans to create a Center for Cybersecurity with privacy-invasive powers

By EDRi · March 12, 2014

In 2011, the Danish parliament voted unanimously to create a GovCERT service responsible for cybersecurity issues for government institutions and critical infrastructure. The 2011 law allows GovCERT to collect and retain traffic data (metadata) and packet data (contents) for the institutions and networks which are monitored by GovCERT. Data associated with security events can be retained for three years, whereas ordinary traffic and packet data can be retained for 12 months and 14 days, respectively. Under the law, traffic data can be shared with similar cybersecurity services in other countries. To begin with, GovCERT was part of the Ministry for Science, Technology and Innovation, but in late 2011, the new Danish government led by the Social Democrats transferred GovCERT to the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste, FE).

The Danish government is about to propose a new law for a Center for Cybersecurity, which will replace the current GovCERT service. Last week, the public consultation ended for a draft version of the proposed law, and there was substantial criticism from civil society, including IT-Political Association of Denmark, and several other organizations such as Teleindustrien (association of Danish telecoms and internet service providers).

The draft law proposal extends the powers given to the existing GovCERT services in several ways. Firstly, the retention period is increased. Traffic and packet data which are not associated with a cybersecurity event can be retained for 13 months. For packet data (contents) this is a substantial increase over the existing 14-day period. Traffic data which are shared with other cybersecurity services can be retained indefinitely. The definition of traffic data is broader than the one in the e-privacy directive 2002/58/EC. For example, HTTP headers are classified as traffic data. This would include URL information about specific web pages.

Secondly, the draft law widens the range of public institutions and private companies which can be monitored by the new cybersecurity service. Under the current law, such activities are limited to government institutions and critical infrastructure, but these requirements are broadened considerably. It appears to be possible for an internet service provider to be monitored by the cybersecurity service. In that case, the cybersecurity service will gain access to potentially vast amounts of internet traffic from Danish citizens, including contents about their private communication with each other and with journalists or lawyers. Private companies can even volunteer to be subjected to temporary monitoring, and there is a legal basis for turning over log files from the private company to the government cybersecurity service. This data transfer, as well as any other data processing by the cybersecurity service, is completely exempted from the Danish data protection law.

Thirdly, the draft proposal removes the previous ban on monitoring encrypted traffic. From the comments in the law, it is not entirely clear how encrypted traffic will be monitored. Most likely, it requires access to private keys on the server (e.g. the private SSL key on a webserver), which could easily create new security risks of compromising sensitive data about Danish citizens.

The Center for Cybersecurity is exempted from the Danish data protection act, the freedom of information act and the public administration act. Since the Center for Cybersecurity is part of the Danish Defence Intelligence Service, there are no legal limitations on using the retained data for other purposes than cybersecurity. However, the comments of the draft law state that the Minister of Defence will issue an administrative order which limits the internal exchange within the intelligence services of the information collected. There will be an independent oversight board for the Center for Cybersecurity, but its powers are expected to be fairly modest.

When the GovCERT service was established in 2011, there was very little attention in Parliament to the blanket collection and retention of data about Danish citizens. No written parliamentary questions were asked to the minister responsible for the GovCERT law. Similarly, when GovCERT was transferred to the Danish Defence Intelligence Service in late 2011, no serious political objections were raised. This time, however, things appear to be different as several parties from the opposition have expressed their concern about the privacy violations of the proposed law. There is even criticism from within the Danish government, as the social-liberal party Radikale Venstre has indicated that the law proposal would be amended to strike a better balance between privacy and cybersecurity concerns.

GovCERT official website (in Danish and English)

Consultation response from IT-Political Association of Denmark (in Danish)

New law can be abused by cyber criminals, Information (in Danish) (07.03.14)

Venstre (biggest opposition party): the cyber law is a democratic problem, TV2 Nyhederne (in Danish) (05.03.14)

Radikale Venstre (member of government): concerns about the access to personal data by intelligence services are relevant, Politiken (in Danish) (05.03.14)–persondata-er-relevant/

(Contribution by Jesper Lund – IT-Pol)