ENDitorial: The FRA Law – Sleepwalking into a Surveillance Society
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
New disclosures from researchers and electronic surveillance experts in an
effort to explain the real impacts and implications of the FRA law.
The Swedish Parliament passed controversial legislation last June, the so
called FRA law. It seems that the MPs didn’t realise what they were voting
for when they voted the FRA law. The FRA law is one in a line of laws
calling for mass surveillance of ordinary people. It gives the Swedish
signal intelligence agency, FRA, (the National Defence Radio Establishment)
the right to eavesdrop on all civilian Internet, telephone and fax traffic
and keep tabs on the social networks of innocent citizens. This can be done
by accessing various existing databases carrying information about a given
person’s race, ethnic origin, political views, union membership, sexual
habits etc. In addition, the FRA agency is entitled to transfer personal
data to foreign powers. In this way FRA may get to know you better than you
know yourself. Keeping under surveillance lots of innocent private
individuals is unacceptable and contrary to the principles governing
democratic societies. This is the view of thirteen researchers and experts
in different areas of knowledge who have analysed the FRA law.
The digital revolution affects our lives in terms of privacy more than we
think. We leave electronic ‘footprints’ whatever we do: paying by credit
card, visiting website homepages, calling friends on the phone or sending
them an e-mail. Imagine that someone decides to collect all this information
and assemble it in a massive database. Using the right tools they will be
able to identify your lifestyle patterns and gain insight into your
personality.
These recurring personality patterns can be graphically illustrated by means
of a sociogram.
A sociogram is a graphic representation of the relationships between
persons, organisations, homepages etc., with the view to determine personal
social networks, position of power, views and beliefs and other personal
information.
The actual message is less important than the information about the sender,
recipient, the time of transaction, and means of communication. If the
personal sociogram is known, it is possible to establish the person’s
contact relationships, which is often all that is needed.
Two questions have been left unanswered by the FRA-law debate. The first
question is: How will FRA be able to access information when an increasing
number of users choose to encrypt their messages? This is especially
relevant, as there has been a tendency for encryption techniques to develop
at a faster rate than decryption techniques. FRA has stated that this should
not pose an insurmountable problem, since the message content need not be
examined in order to determine whether a given communication is worth
further examination.
The second question is: What will happen to all this incoming electronic
traffic once it has been re-routed and fed into the FRA agency? The answer
is that it will be examined and analysed by means of social network analysis
techniques such as, for example, sociographic representations.
Different individuals can be linked to different sociograms: we have
different everyday experiences, social relations, interests, views and
beliefs, all of which is reflected in our electronic communication contacts.
Sociograms have applications in a plethora of areas. With the help of a
powerful computer and appropriate analytical tools we might thus be able to
build up a profile of and identify a typical benefit scrounger, a refugee in
hiding, a data hacker, a homosexual couple, or a political activist, to give
just a few examples. If we also monitor cross-border traffic we will be able
to – at least theoretically – build sociograms identifying currency
speculators, or foreign political and military leaders. The objectives of
the FRA law scheme in which surveillance of the civilian population can take
place comport well with this type of analysis.
The adoption of the new legislation giving officials sweeping powers to
access all electronic information has been justified by combating external
threats, including phenomena such as international terrorism, hostile
foreign state behaviour towards Sweden, IT dependence, economic crises,
environmental threats, ethnic and religious conflicts, vast refugee flows
and illegal immigration, as well as currency and interest rate speculation.
The idea underlying the FRA law has been that on massive data we will be
able to identify ‘deviants’ by means of the ‘electronic footprint’ that they
leave behind. This is also the reason why FRA supporters claim that even the
most complicated of ciphers does not pose an insurmountable problem, since
the content of a message does not have to be examined in order to determine
whether the message should be further investigated.
It is a well-known fact, however, that best results are obtained from
monitoring a public who is unaware of being watched, or those who cannot
protect themselves against it. We are of the opinion that the claim that one
will be able to stop future terrorist plots is highly exaggerated. This view
finds support in the MI5 report appearing in the Guardian on 21 August 2008,
which challenges views on terrorism in Britain. The single most important
conclusion of the report is that those who become terrorists “are a diverse
collection of individuals, fitting no single demographic profile, nor do
they follow a typical pathway to violent extremism”. We would like to
further suggest that whereas a terrorist will know how to conceal his or her
dark intentions, an unsuspecting, innocent citizen will remain unprotected,
and may be put at risk if personal information falls into the wrong hands.
On 16 June 2008, Sweden’s largest news programme Rapport revealed that FRA
had been storing traffic communications data in their large database named
Titan for ten years.
Are there any indications that the electronic surveillance legislation
passed by Swedish Parliament on 18 June allows introduction of such a
scheme? If we compare the newly enacted legislation with the pre-existing
legislation concerning FRA, we must give an affirmative reply.
Government Bill No. 2006/07:63, page 86, indicates that “data reduction is
necessary. This means that the greater part of the intercepted signals will
be sifted through and discarded.” In other words, FRA will not store the
original messages but only traffic analysis results. Storing analysis
results requires very little in terms of computer memory, which is why
practically unlimited amount of this type of data can be stored.
From Section 3 of the Ordinance concerning the Processing of Personal Data
by the National Defence Radio Establishment (2007:261) we can draw the
conclusion that a sociogram is the end product of traffic analysis in which
patterns are drawn from the information flow among a set of senders and
receivers. The analytical results are stored in a special database.
Similarly to other ordinances the latter Ordinance has been adopted by the
Government, and did not have to undergo the standard legislative procedure.
There has been no public commentary by the Government as regards the above
Ordinance in the context of the current debate. This is why we strongly
suspect that the average MP has not been informed about the existence of
these databases or the use of sociogram data. We could not find the term
“sociogram” in any of the preparatory materials, but we assume that it is
equivalent to something called “traffic patterns” in Bill No. 2006/07:46, p.
29.
This form of traffic data analysis constitutes a violation of personal
integrity, which is just as bad as the violation of post and
telecommunications secrecy when all cable communications become accessible
to FRA, pursuant to Chapter 6, section 19 a of the Electronic Communications
Act (2003:389).
Those who support the FRA law have been trying to tone down the criticism
and charges of violation of personal integrity, claiming that processing of
data is not carried out by individuals. For us it is the very efficiancy of
automatic data processing, in which seemingly harmless data can be
transformed with the help of statistics into a powerful instrument that will
give the state a direct line into our lives, which is so horrifying.
The FRA agency can always validate their activities in relation to the
Personal Data Act (which was enacted in 1998 in order to bring Swedish law
into conformity with the requirements of the European Union Data Protection
Directive (95/46/EC)) by reference to a special act containing provisions
referring to personal data processing. According to this act (Act on
Personal Data Processing by the National Radio Defence Establishment in its
Signals Intelligence Analysis and Development Activities (2007:256))
searches based on what is known about a person’s race or ethnic origin,
political opinions, religious beliefs or philosophical convictions, trade
union membership, health or sex life are permissible if certain conditions
are satisfied. Chapter 1 section 17 of the above-mentioned Act provides that
personal data collected by the FRA agency “may be transferred to a third
country”.
With the help of social network analysis the FRA agency may get to know a
given person better than that person knows himself/herself, for example, as
regards habits of which the habituee is quite unaware. The big problem is
that data of this kind must be collected over a long period of time, and
that we cannot know beforehand who will satisfy the deviance criterion
linked to an external hazard. This is why the FRA agency has to store
sociograms of a great number of people, which means keeping close tabs on
practically everybody, whether they are innocent or not.
The Act contains provisions concerning destruction of records, but at the
same time Chapter 6, section 1 of the Act contains an opt-out provision
permitting retention of records for historical, statistical or scientific
purposes.
In the end FRA agency’s eavesdropping on civilian communications means
keeping tabs on innocent, law-abiding citizens.
The FRA law is a slap in the face of democracy and must be repealed. We are
not against signals intelligence as such, when applied to purely military
communications systems, i.e. communication between warships, fighter
aircraft, tanks or infantry. Neither have we any objection to wiretapping
phones of persons suspected of terrorist or criminal activities in
accordance with the provisions of the Code of Judicial Procedure and
following a relevant court decision. But engaging in mass surveillance of
innocent people is another thing and it is quite unacceptable. We must ask
again: did the MPs really know what they were doing when they voted in
favour of the Bill last June?
List of Signatories
http://www.edri.org/docs/signatories-fra-law.pdf
Original article (only in Swedish)
http://www.dn.se/DNet/jsp/polopoly.jsp?d=572&a=827493
EDRi-gram: ENDitorial: Wiretapping – the Swedish way (27.08.2008)
http://www.edri.org/edrigram/number6.16/wiretapping-swedish-way
(Contribution by Mark Klamberg – doctoral student – Sweden)