French Patriot Act: Do we really need more surveillance?

By EDRi · January 28, 2015

On 21 January, only two weeks after the attacks in Paris, the French government announced a big bundle of new security measures, a “general mobilisation against terrorism”. But does the country need more surveillance?

France introduced telecommunications data retention more than ten years ago, it has extensive video surveillance, and its intelligence services have been granted broad powers on multiple occasions since 9/11. Now, after the attacks, where more than enough data were available to the security services – and would have been even without the measures that are in place – the road to mass surveillance is not being questioned, nor are the existing measures being evaluated for their effectiveness. On the contrary, French Prime Minister Manuel Valls believes that an “extraordinary situation calls for extraordinary measures”. In the opposition, some even demanded that a French version of the US PATRIOT Act be introduced.

In its launch of a “general mobilisation against terrorism”, the government proposed measures such as:

  • 735 million Euro in the next three years for internal security
  • the creation of 2680 new jobs – of which 1100 in intelligence services
  • a Passenger Name Record (PNR) system, to be launched in September 2015 (for which France received 17 million Euro in support from the Commission in February 2014)
  • the creation of a database for people found guilty or suspected of terrorism
  • a new law for intelligence services (“loi sur le renseignement”) in order to facilitate the interception of communications; the proposal is to be published in April 2015
  • “greater responsibility” for internet services and increased “cooperation” with companies. Who better than companies like Facebook (the US business that at one stage was simultaneously banning breastfeeding pictures while permitting beheading videos) to regulate our free speech and security?

The exact details in the field of technology policies are not yet known. However, French Interior Minister Bernard Cazeneuve gave us a foretaste of what this “general mobilisation” might mean for the Internet. During a meeting of the Ministers of Interior of the European Union, Cazeneuve called for increased cooperation with online services to quickly remove illegal content and content that makes apologies for terrorism or promotes violence or hate. Only a few days later, Prime Minister Valls backed this logic by announcing his intention to increase “moral pressure” on hosting providers. During the International Forum on Cybersecurity (FIC) in Lille on 20 January, he reminded representatives of Facebook, Google and Twitter of their “policing role”. Fifty years of international human rights law, which demands that restrictions on our freedom of expression and privacy must be based on clear legislation, seem to have disappeared in this first month of the year.

That this is an over-reaction is without doubt: it is known that the radicalisation of the Kouachi brothers and Amedy Coulibaly did not take place via the Internet. On the contrary, Chérif Kouachi was part of the “Buttes-Chaumont” group, which is named after the part of Paris that has been frequently visited by salafist leaders. During his first incarceration in the prison of Fleury-Mérogis, he was mentored by salafist Djamel Beghal. His use of the Internet was limited to websites explaining the handling of weapons. Amedy Coulibaly was first arrested for aggravated thefts and trafficking, and he met Chérif Kouachi in Fleury-Mérogis. According to police records he only used the Internet to visit poker sites.

But back to France’s surveillance measures. Since 2001, an impressive number of laws has been passed to increase internal security. Here is a non-exhaustive list:

In November 2014, the National Assembly adopted the anti-terror law (Loi renforçant les dispositions relatives à la lutte contre le terrorisme), which foresees web blocking of “terrorist” content without clear criteria or judicial decision.

In March 2014, Snowden documents revealed that French intelligence agencies already have broad powers to spy on their citizens, without any oversight or control. The French General Directorate for External Security (DGSE) is closely cooperating with telecom giant France Télécom/Orange.

In February 2014, France received 17 million Euro from the European Commission for the surveillance of air passengers (PNR) despite the fact that the European Parliament had not voted on the proposal and that the legality of the proposal for an EU-Canada agreement on PNR data is now being evaluated by the Court of Justice of the European Union (CJEU).

In December 2013, France introduced a new military programming law which allows the interception of communications without a court order (LPM, Loi de programmation militaire 2014-2019). Article 20 not only allows the military and the police but also the Ministry of the Budget and the Ministry of Economics to access citizens’ communications data.

In February 2011, France implemented its version of the EU Directive on the retention of telecommunications data, including the retention of passwords, IP addresses, pseudonyms, email accounts etc. (Décret relatif à la conservation et à la communication des données permettant d’identifier toute personne ayant contribué à la création d’un contenu mis en ligne).

In March 2011, France adopts the “LOPPSI 2” package (Loi d’Orientation et de Programmation pour la Performance de la Sécurité Intérieure), which includes web blocking, police keyloggers and government-installed Trojans, increased CCTV surveillance and the extension of police databases. In a move that sounds like weak parody, this law also replaced the term “video surveillance” in all legislative provisions mentioning it with the more soothing term “video-protection”.

In 2009, France adopts a decree to implement the law on video surveillance of 2007 (Décret modifiant le décret n° 96-926 du 17 octobre 1996 relatif à la vidéosurveillance).

In 2007, France possesses 36 law enforcement databases; two years later this figure increased to 45.

In January 2006, France adopts an anti-terrorism law (LCT, la loi relative à la lutte contre le terrorisme) which extends data retention obligations to cybercafés.

In June 2004, France adopts the “law on confidence in the digital economy” (LCEN, la loi pour la confiance dans l’économie numérique) which extends data retention provisions to hosting and platform providers.

In March 2003, France adopts a law to increase internal security (LSI, Loi Sarkozy II). In addition, the temporary measure passed in 2001 is being extended for an indefinite period.

In August 2002, the law for the programming of internal security (LOPSI, loi d’orientation et de programmation pour la sécurité intérieure) is passed, leading to a merging of several police databases.

After 9/11, France adopts a temporary measure in order to increase “daily security” (LSQ, Loi relative à la sécurité quotidienne) which was meant to come to an end in 2003. The law introduced the retention of telecommunications data for the period of one year.

#Antiterrorisme: Manuel Valls announced exceptional measures (only in French, 21.01.2015)

Paris, Bruxelles, Toulouse… radicalisation of terrorists doesn’t happen on the internet (only in French, 12.01.2015)

Apology of terrorism: Valls puts “moral” pressure on hosting providers (only in French, 21.01.2015)

Bernard Cazeneuve urges web platforms to self-regulate (only in French, 21.01.2015)