Oversight Board report: Illegal surveillance of Danish citizens

By EDRi · July 26, 2017

The annual report from the Danish Intelligence Oversight Board (TET) was published on 7 July 2017. Under Danish law, TET is tasked with overseeing the data collection and data processing practices of the Danish Security and Intelligence Service (PET) and the Danish Defence and Intelligence Service (DDIS). Both intelligence services operate mostly outside European Union (EU) law because of the national security exemption in the EU Treaties.

The previous annual reports for activities in 2014 and 2015 contained substantial criticism of especially PET. In a large number of cases, PET retained personal data which was no longer necessary, and in the opinion of TET, further processing of that data was therefore unlawful. PET disagreed with this interpretation of the PET law, and the matter was referred to the Minister of Justice in May 2016. His solution was to propose an amendment of the PET law which essentially removed the requirement to erase personal data that was no longer necessary, and this amendment was swiftly adopted by the Danish Parliament in December 2016.

This year, the most interesting revelations are in the report covering the activities of DDIS, which is the foreign intelligence service. Under Danish law, DDIS can collect any information for essentially any foreign intelligence purpose, as long as the operations are abroad. DDIS can also process information about Danish citizens and foreign residents in Denmark (collectively referred to as “Danish persons”), if this occurs as incidental collection in connection with an operation that is directed against developments abroad. The only real legal restriction for DDIS is that targeted collection against Danish persons is not allowed.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

An amendment of the DDIS law in 2015 introduced an exception to this rule: if a Danish person is believed to be travelling abroad and is suspected of involvement in terrorist activities against Denmark or Danish interests (which includes Danish allies), DDIS can obtain a court order for targeted collection against that person. The required level of suspicion is lower than in regular criminal investigations of terrorist cases by the Danish police. Association with “radicalised individuals” is mentioned in the comments of the law as sufficient grounds for DDIS to obtain a court order for targeted collection of intelligence information. This information can be shared with the Danish police and used as evidence in a criminal prosecution.

In summary, the DDIS law represents an extensive data collection regime with very few restrictions that only pertain to Danish persons. Nonetheless, TET found several cases of data protection violations by DDIS during its oversight activities in 2016.

First, TET criticised that some mass collection activities contained a disproportionately large fraction of Danish persons. Mass collection, called “raw data”, is allowed under the DDIS law as long as the mass surveillance is directed against developments abroad, and as long as DDIS does not actively search for (“target”) Danish persons in the collected raw data. However, there is an upper limit on the allowed fraction of Danish persons in the collected raw data, presumably for compliance with the “directed against developments abroad” requirement. The TET report does not say anything about the type of collection, except that it is signals intelligence, SIGINT, which generally means electronic communications. A plausible example could presumably be international telephone calls from or to Denmark, or internet traffic which terminates in Denmark, rather than transiting through Denmark.

Secondly, in a sample of searches of SIGINT raw data by DDIS analysts, TET found that 12 percent of the searches unlawfully targeted Danish persons. Specifically, in these cases, the DDIS analysts should have known beforehand that the search results would mainly contain information about Danish persons. Targeted collection against Danish persons is only allowed with a court order, which was not obtained for these searches. The total number of searches in SIGINT raw data by DDIS is not mentioned in the report, so the estimated number of Danish persons affected by these unlawful searches remains unknown.

Thirdly, TET also found irregularities in the targeted collection against Danish persons that was authorised with a court order. In 11% of the cases surveyed by TET, the targeted searches of raw data did not respect the time limitations of the court order. What this means is not entirely clear. It could simply refer to searches done before the court order was obtained or after it has expired. Alternatively, the court order for targeted collection could potentially impose time-related limits on the raw data that can be searched, for example a prohibition on searching SIGINT raw data collected before the date of the court order. In this way, the court order would only authorise future interception of the electronic communications of the target.

The unlawful searches of SIGINT raw data by DDIS highlight the massive privacy problems inherently associated with the mode of operation of defence intelligence services. Law enforcement authorities generally only intercept communications of specific persons subject to prior approval by an independent judicial authority, and the targeted interception (“collection”) is done by the electronic communications provider, typically a private company. Defence intelligence services, on the other hand, collect electronic communications of everyone on their own accord, often referred to as the “collect it all” principle. The privacy and data protection safeguards provided for by law are solely implemented as internal policy restrictions on how these massive databases of electronic communications can be searched and analysed. Independent oversight of compliance with these restrictions is difficult, at best, and the oversight relies on accurate access logging of all searches by analysts. The TET report also criticised the lack of access logging in several cases, again without providing specific details.

The public reaction in Denmark to the unlawful searches of raw data by DDIS in 2016 has been very limited so far. On the day the TET report was published, the head of DDIS gave a short interview to Danish media and explained that the unlawful searches were all done by mistake since there was no systematic pattern in the various searches. The chairwoman of TET seems to agree with this rather odd explanation, but she also told Danish media that TET would intensify the future oversight of DDIS after the discovery of the unlawful searches.

The political reaction has been even more limited than the media coverage, probably owing to the fact that most Danish politicians are on holidays in July. However, the Minister of Defence will be asked to appear before a parliamentary committee later in the year. In previous years, the reports from TET were published in May, while Parliament is still in session. It is not clear why the publication of the annual report was delayed to July in 2017. TET submitted the report to the Danish government on 16 May 2017. The government must then present the report to the intelligence committee of the Danish Parliament before the report is published. For unknown reasons, this process took almost two months in 2017, compared to 2-3 weeks in earlier years, pushing the publication of the TET report into the month of July and the political holiday period.

Homepage of the Danish Intelligence Oversight Board, annual reports (only in Danish)

EDRi: Denmark: Weakening the oversight of intelligence services (05.04.2017)

EDRi: Danish anti-terror proposal expands surveillance (11.03.2015)

Spy service on illegal searches: it happened by mistake, DR Nyheder (only in Danish, 07.07.2017)

Watchdog intensifies oversight of intelligence service after repeated breaches of law, Jyllands-Posten (only in Danish, 14.07.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)