A Very Private Affair

A hidden battle is raging between our fundamental right to privacy and the requirements of the state to maintain and advance its powers of surveillance. The battlefield is complex and confusing, the players numerous. Modern information technologies are key: they have created the many new media in which we communicate, and accordingly increased authorities’ requirements for extensive and invasive information-gathering capabilities.

The means by which these authorities go about obtaining such information is far from straightforward. There are legislative components, such as the Enfopol papers, which are drafted by the Police Cooperation Working Party to define EU policy on ‘lawful interception’. There are physical, technological components, such as Echelon, which has the power to intercept a significant proportion of today’s global communications traffic. Together, such components are actively contributing to a steady decay in personal privacy.

Independent media, and the journalists who have forced covert surveillance and information-gathering agendas out into the open, are crucial in this ongoing battle for privacy. Perhaps chief amongst media outlets for such reports has been the online journal Telepolis, publishing investigations from reporters such as Duncan Campbell, Christiane Schulzki-Haddouti and Eric Moechel that have been instrumental in shedding more light on phenomena like Echelon and Enfopol, openening up public discussion and thereby edging the technologies of ‘lawful interception’ towards some form of accountability. Here, Armin Medosch, editor of Telepolis, discusses the recent history of today’s surveillance regime and looks at some critical developments in the technology and legislation which underwrite it.

At the beginning of the 1990s, the US Federal Bureau of Investigations had a problem. It seemed that the new digital telephone systems coming into use might not allow the easy tracking and interception of targets that they'd been used to with old analogue exchanges. Their response, as Duncan Campbell reported in his article, 'ILETS and the Enfopol Affair <1>, was a plan to turn every type of modern communications system into 'a national and, ultimately, global surveillance network which would give them "real time, full time" access to those whom they wanted to watch.'

To flesh out this plan, in 1993 the FBI invited law enforcement and security agency representatives from Allied countries to come to Quantico, their R&D headquarters, to form the International Law Enforcement Telecommunications Seminar (ILETS). Acting in secret, without parliamentary knowledge or government supervision, and backed by the US National Security Agency (NSA), ILETS has gone on to create the blueprint for telecommunications surveillance in the information age. In doing so, it has largely ignored concerns about the protection of privacy and democratic supervision of its monitoring activities. Meetings of ILETS are attended by high-ranking police chiefs and members of the intelligence community. Lawyers and industry specialists who might have protected privacy and human rights, or commented on the feasibility of its wish list of interception requirements, are excluded. ILETS spelt out its demands in detail in a four page document plus glossary entitled 'International Requirements For Interception', or 'IUR 1.0'. Based on an earlier wish list from the FBI and backed by EU police chiefs and countries with questionable democratic traditions such as Russia and Hong Kong, the IUR 1.0 would - were it to be adopted - mean that new network switches and internet routers would come with monitoring systems built in.

ENFOPOL AND EU/USA COOPERATION

By January 1995 the IUR had, although unacknowledged, become the official policy of the EU, adopted as a part of the 'Council Resolution on the lawful interception of telecommunications'.<2> In the United States, they had become law.<3> But European Ministers responsible for Justice and Home Affairs were not told that the Requirements had been written by the FBI-sponsored and NSA-backed ILETS group. Instead, they were identified within an Enfopol document, 'Enfopol 90'.<4> These papers are supposed to be written by the Police Cooperation Working Party (PCWP), a group of senior European law enforcement and secret service officials who meet regularly and enjoy permanent representation with those ministers signing the relevant laws at the Council of Ministers in Brussels. The IUR, now 'Europeanised' as IUR95, was agreed by the so-called 'written procedure', in which a document is sent out via telex to EU member states between meetings of the Council of Ministers. This had two key effects: it bypassed discussion in the European and national parliaments thus reducing the risk of lengthy debates and disputes, and allowed the Requirements to remain hidden from public view until November 1996, when marked with the code Enfopol 90 they were finally published in the EU's Official Journal.

The IUR95 had become law without any public discussion or contribution from civil society. Nevertheless, it could be used to force European telecommunication operators to comply with the Requirements, and lawmakers in individual member states would have to consider IUR95 in any future national legislation concerning 'lawful interception'. Between 1995 and 1998 the European PCWP and ILETS group with their overlapping memberships continued meeting and revising the Requirements for the ever increasing number of new communication technologies. Enfopol 90 became 'Enfopol 98', whose purpose was apparently to 'clarify' the original Requirements in line with the needs of particular law enforcement groups. It ran to some 36 pages and attempted to list every conceivable form of wiretapping of any new communications medium - from the internet and mobile phones to pagers, SMS messages and the then hotly discussed satellite system, Iridium.<5> The experts on 'lawful interception' would have to learn that this was politically inadvisable - and that the wide range of surveillance suggested by Enfopol 98 was 'not conducive to ready comprehension.' Someone inside the security apparatus, perhaps agreeing that Enfopol 98 was going a little too far, leaked the measure to a number of journalists. Among them was Erich Moechel, working as a correspondent for Telepolis at the time.

While others sat on their hands, Moechel convinced me to publish the paper in full length on the Telepolis website, together with his analysis of it. 'The demands of the "legally empowered authorities"', he wrote, 'can [...] be summed up with the word "everything" [...] "all signals created at the observed facilities" are to be made accessible, as well as all related technical services and data: the redirecting of telephone calls, conference calls, voice mail and other forms of telecommunication. Even inbound and outbound connections which are not completed have been taken into consideration. And the "legally empowered authorities" want all of this data immediately... [It is] clear that the plans of the European police will not be able to be realised without seriously affecting the topology of the network.'<6>

THE BATTLE IN THE MEDIA

It was a while before the story took off. Mainstream media, if they did not ignore the piece completely, questioned its authenticity. Some even accused us of being full of hot air. But other investigative journalists, such as Duncan Campbell and Christiane Schulzki-Haddouti, discovered further details about new Enfopol papers and published them on Telepolis.<7> Journalists from Spain, France and Denmark began to investigate the activities of their own civil servants within the PCWP. Slowly the bigger picture - including the involvement of ILETS and EU-USA police collaboration - emerged. The civil rights group Freedom for Links also started an Enfopol campaign.

Then in January 1999 another new Enfopol paper, 'Enfopol 19', emerged.<8> It seemed that the PCWP had responded to the criticism of Enfopol 98 primarily by producing a much shorter document. Like its predecessors, Enfopol 19 still required that internet service providers and telecommunications networks install monitoring equipment or software in their premises in a high security zone, producing a network of tapping centres throughout Europe, operating across national boundaries. But some of its most controversial provisions - for example, the plans for tapping Iridium and other satellite-based personal communications systems, the new requirements for gathering personal data about service subscribers, and a fourth new policy concerning cryptography - now appeared to have been removed.

The European Council for Justice and Home Affairs seemed all set to adopt Enfopol 19. But the story was still buzzing inconveniently through the mainstream press, from El Pais to Der Spiegel and Le Monde Diplomatique. In the summer of 1999, European Ministers were forced to announce that they would let the measure rest, assuring the public that no further steps would be taken in surveillance legislation without a broad and informed debate.

Proceedings over the plans outlined in Enfopol 19 appeared to have stopped. Unfortunately, as Duncan Campbell warned me in a private conversation at the time, this did not mean total victory. 'We've been aiming at a big white bear with Enfopol,' he said, 'only to find that it has now morphed into lots of small white mice, all running in different directions.'

It soon became clear how right he was. The provisions described in the successive Enfopol papers 98 and 19 had not been dropped. Rather, the tactics had changed: the idea was to smuggle through the original ILETS plans in bits and pieces. On an European level for example, the 'Convention on Mutual Assistence in Criminal matters' contains articles about cross border interception inspired by the ILETS wish-list. Similarly, national legislation like the UK Regulation of Investigatory Powers Act and the German directive on interception of telecommunications - as well as similar laws in many other countries - is indirectly and in part the brainchild of ILETS. When challenged by journalists about controversial legislation on surveillance, ministers and civil servants can always claim that they have no choice: the IUR95 had been adopted by the EU, are existing European law and have to be implemented in national legislation.<9>

ECHELON AND BEYOND: THE PHYSICAL LAYER

Of course, seminars, policy documents and legislative acts do not in themselves create a surveillance regime. Indeed, the building of the physical layer of the ILETS/Enfopol proposals is controversial, with many in the industry suggesting that the Requirements are not technically workable. And yet there is certainly a precedent for the kind of surveillance network set down in Enfopol 19, one which is by now well known. This is Echelon <10>, common parlance for the worldwide signals intelligence (sigint) network run by the NSA and the UK Government Communications Headquarters (GCHQ) in collaboration with Canada, Australia and New Zealand. Echelon, research suggests, uses large ground-based radio antennae in the United States, Italy, the UK, Turkey, New Zealand, Canada, Australia, and several other countries to intercept satellite transmissions and some surface traffic, as well as employing satellites to tap transmissions between cities. Although Echelon was designed for the use of military intelligence agencies, it has also always been used to monitor commercial communications around the world. The information it gathers is routinely used by the US and its allies for diplomatic, military and commercial purposes. Indeed, under a 1993 policy known cheekily as 'levelling the playing field', the United States government under President Clinton specifically told the NSA - in command of Echelon - to act in support of the US businesses that were seeking contracts abroad. In the UK, GCHQ's enabling legislation from 1994 openly identifies one of its purposes as the promotion of 'the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands.' The scope of Echelon and the extent of its reach into the public domain have been the source of many concerned reports and articles. The first of these appeared in an article in New Statesman magazine in 1998, which was followed by Nicky Hager's groundbreaking revelations in his 1996 book about New Zealand's Echelon Station.<11> But it wasn't until 1997, after the publication of a report written by Steve Wright from the Omega Research Foundation for the Scientific and Technological Options Assessment (STOA) panel of the European Parliament <12>, that the Echelon story started to gain prominence in the media and give rise to some form of public discussion. Wright's report, which credited Echelon with the capacity to intercept 'within Europe, all e-mail, telephone, and fax communications', promised to be politically explosive. His claims have since proven to be excessive, but have nonetheless been widely repeated throughout the press under headlines such us 'America's Big Ears'. Another report commissioned by the STOA panel and written by Duncan Campbell, 'Interception Capabilities 2000' (or 'ICP 2000') provided a more detailed and realistic assessment of Echelon's capabilities. Campbell showed that the system was far from capable of intercepting and analysing 'all' global electronic communications, but could nonetheless deal with considerable parts of it - in particular, all traffic going through the INTELSAT international telephone satellites <13> and internet traffic passing through the main network switches in East and West.

The European Parliament, under pressure from the European Greens and some maverick MEPs from other political parties, used a temporary committee to mount an enquiry into Echelon. The committee was to confirm Echelon's existence, examine whether the rights of European citizens were being adequately protected and to ascertain whether European industry was being put at risk by the global interception of its communications. As a starting point, the committee studied the old reports of the STOA panel, and also commissioned a number of new reports. Investigations in France and Britain met with many obstacles. In Washington, the shutters came down on the European Union delegation one af ter another: no one in the US Government would even admit that the electronic spying system existed. The NSA, the CIA, the State Department and even the Department of Commerce refused outright to talk to the committee of MEPs on their fact-finding trip. 'Perhaps,' the EU's Special Rapporteur Gerard Schmid commented at the time, 'one half of this famous Anglo-American partnership was telling the people in Washington not to be too open with us.'

Despite all the stonewalling, Schmid went on to produce a summary that, according to specialists, is an accurate assessment of Echelon's surveillance capabilities. It concludes that Echelon exists, that its capabilities have been overstated in the press, but that at least a percentage of all international telecommunications can be intercepted. On the highly controversial question of whether the system is being used for economic espionage to the advantage of American multinationals, the report is inconclusive - mainly because the Americans did not furnish MEPs with the access they were initially promised. The report concludes that there is strong evidence, but no concrete proof, of the US using Echelon to these ends.

Although the final report is relatively successful in its fact finding mission, it is weak in its recommendations to the political leadership of the EU. It argues that such infringements of privacy are unavoidable, and that instead of militating for an outright - and possibly unrealistic - ban, it would be better to bring systems such as Echelon into a legal framework of international treaties in order to guarantee basic human rights. European Parliament left-wingers from within the German and Irish Greens and the Italian Radicals have objected to these recommendations. Fearing that the proposed 'international legal framework' could in fact turn out to be a deceptive measure to legitimise international surveillance, they support the outright abolition of Echelon.

The dissenters may do well to give some attention to the Enfopol plans, which set out to establish a procedural regime better adapted to new technologies, and certainly look like a legitimised legal framework for international surveillance. The secret 'UKUSA' Agreement of 1947, which brought together British and American systems, personnel and stations to create the basis for Echelon, is eerily mirrored in the cooperation of the FBI/NSA/EU, and the meetings of the ILETS group, which has secretly shaped international policy on legal interceptions for almost a decade. The EU seems to be doing its level best to accommodate the US agencies' demands through Enfopol measures which, realised in their entirety, could produce an international surveillance architecture explicitly and legally directed at civilians.

THE ROLE OF THE ENGINEER

The European Telecom Standards Institute (ETSI) Working Group on 'lawful interception', which consists of engineers from major telecommunication equipment manufacturers and police liaison officers, is currently drafting a technical meta-standard for interception which requires a 'handover interface' to be built into all telecommunication switching and routing equipment constructed from now on. This provision, eff ectively a backdoor for spooks, would guarantee that police and intelligence agencies will be able to covertly intercept any form of telecommunications, anywhere. It will be built into standard hardware meaning that no suspicious external 'black boxes' will be required. ETSI is trying to produce an updated version of the technological interception capabilities of the older technology of t elephone connections (which are directly routed from one participant to the other) for the new paradigm of 'packet-switched data traffic', where data travels in much more complex ways and is thus difficult to intercept. Through a standardisation process, ETSI is effectively trying to provide the technological foundation for interception that complies with the original ILETS wish list of 'in real time, full time'. The only dim ray of hope comes from cynics in the technical community who have studied the papers. Just as many believe that Echelon cannot possibly handle and sort the amount of data that some have claimed, so the cynics have concluded that the handover interface may not actually work. <14>

OUTLAWED BY THE BACKDOOR

There has been one development which may yet help resuscitate personal privacy within the EU. In July 2001, the Italian MEP Marco Cappato, from the Radical Party/List Emma Bonino, was appointed to write the final report for the Committee on Citizens' Freedom and Rights in preparation of a draft directive on 'the processing of personal data and the protection of privacy in the electronic communications sector.' Cappato proposed some key amendments to European directive, the most radical of which stipulated that 'in carrying out lawful interception of electronic communications [...] Member States [would] have to act on the basis of a specific law which is comprehensible to the general public, and the measures [would] have to be entirely exceptional, authorised by the judicial or competent authorities for individual cases and for a limited duration, appropriate, proportionate and necessary within a democratic society.' Further, the measure reminded the EU that 'under the European Convention on Human Rights and pursuant to rulings issued by the Court of Human Rights, any form of wide-scale general or exploratory electronic surveillance is prohibited.'<15>

Somehow, to the amazement of the author himself, most of his amendments got through. If these now become law, any Echelon-style surveillance would be prohibited, and every nation participating in such surveillance - for example Britain and probably Germany - could be sanctioned under EU law. This would finally give the paper tiger of civil rights legislation in the EU some bite in relation to electronic surveillance. Moreover, it would put tight limits on the 'lawful interception' proposed in the Enfopol plans. The Cappato proposal is specifically targeted against the so-called 'fishing expeditions' in which 'lawful interception' is carried out on mere suspicion, even if there is only the slightest chance of uncovering communication patterns which might reveal networks of organised crime. Such activities infringe the rights of millions of ordinary citizens. Despite this early success, Marco Cappato has no illusions. He has told me in a telephone conversation that he expects fierce resistance from the Council of Ministers, which represents the more hardline views of Ministers for Justice and Home Affairs and in particular their councillors in the notorious PCWP (Police Cooperation Working Party). Some kind of compromise, it seems, has to be battled out between the European Parliament and the Council of Ministers.

THE CRIMINALISATION OF PROTEST?

We can expect surveillance and privacy issues to get hot this autumn. Most of the issues mentioned here will have to go through plenary sessions of the European Parliament and/or meet the final approval of the Council of Ministers, as the recommendations produced by the Echelon enquiry finally force ministers to act on an issue long denied and sidestepped. The continuous reappearance of Enfopol in new clothing on the Council of Ministers' agenda and the intimately-related standardisation of the technical definition of interception technologies will continue within the secretive and inherently non-democratic ETSI working group.

Recent events in Genoa and Gothenburg have shown how important a strengthened European civil rights movement is. Privacy is only one of a great number of issues that needs to be addressed, but it is an essential one, because infringements are often followed by further infringements. Now, in the aftermath of the confrontations at Genoa and the Gothenberg EU Summit, European Union prosecutors have put forward a number of motions that constitute a new threat to European citizens' liberty and privacy. Arguing that the high level of organisation at recent protests suggests that 'criminal organisations' are behind them, the prosecutors have set down new measures giving Europol competence to gather intelligence from national units and prepare analysis files on 'suspected' groups.<16> The new measures clear the way for protesters travelling between EU countries to be subjected to an unprecedented degree of surveillance.

These measures, adopted by the Ministers at the Justice and Home Affairs Council, are to be considered 'soft' law, in the sense that they are not binding, but are likely to be followed by all EU member states. Once again, national parliaments and the European Parliament have never been consulted about them. At the national level there is to be an 'activation' of permanent contact points in criminal intelligence centres for the 'collection, analysis and exchange of information' across borders. This 'information', it is thought, will come from 'policy or intelligence officers' who will 'identify persons or groups likely to pose a threat to public order and security.'

As Statewatch has recently argued, this remit 'legitimises the ongoing surveillance of any group whose concerns might lead them to take part in an EU-wide protest.' This is exactly the kind of intrusion into the public domain represented by the Enfopol measures, allowing the gathering of public domain information from the internet and publications, the surveillance of email, faxes and post, and the assembly of video footage of members of so-called 'suspect' or 'risk' groups.

Given the extremely confrontational nature of these proposals, it is difficult to imagine privacy will be off the political agenda any time soon. Meanwhile, concerned citizens are not powerless. Local MPs and MEPs can be lobbied, letters written, online campaigns initiated. Unfortunately, policies are now devised on an European scale, whereas people on the ground are a long way from powerful European civil rights organisations comparable to the United States' ACLU and EPIC. But as dealings with Enfopol and Echelon have shown, if there is enough pressure in individual countries, these topics can be moved up the political agenda. The comparatively small group of MEPs who battle against increasing surveillance powers in the European Parliament also need our support. Looking back to 1997 or '98, it is at least some consolation to see how much progress has already been made.

Since this article was written, on 5 September 2001, the European Parliament adopted the Echelon Report

<1> Duncan Campbell’s ‘ILETs and the Enfopol affair’ is available at Telepolis at [http://www.heise.de/tp/english/special/enfo/6398/1.html]

<2> The ‘Council Resolution on the lawful interception of telecommunications’ is available at [http://europa.eu.int/eur-lex/en/lif/dat/1996/en_496Y11041.htm] October 1994

<3> The relevant act, ‘The Communications Assistance for Law Enforcement Act’ (CALEA), was passed in October 1994

<4> Enfopol is not, as is often stated in many newspaper articles, a special police force or working group, but merely a standard European Commission classification for documents concerned with law enforcement and police matters.

<5> The IRIDIUM system is a network of 66 low earth-orbit IRIDIUM satellites delivering voice, data, paging, and fax communications across the planet.

<6> Eric Moechel, ‘The European Surveillance Union’, is available at [http://www.heise.de/tp/english/inhalt/te/1667/1.html]

<7> The Telepolis ‘Enfopol Papers’, including reports from Campbell and Schulzki-Haddouti, are available at [http://www.heise.de/tp/english/special/enfo/]

<8> ‘Enfopol 19’ is archived at the Forum for Information Policy Research: [http://www.fipr.org/polarch/Enfopol19.html]. The British civil rights group Statewatch [http://www.statewatch.org] also has an archive of Enfopol papers at [http://www.statewatch.org/news/2001/may/03CEnfopol.htm]. Statewatch must also be credited with publishing the first account of IUR95/Enfopol 90 in a January 1997 report entitled ‘The EU-FBI Surveillance System.’

<9> For example, the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, Declaration by the United Kingdom on Article 20, available at [http://europa.eu.int/smartapi/cgi/sga_doc?smartapi...(01)&model=guichett]. The relevant section is Article 20, ‘Interception of telecommunications without the technical assistance of another Member State.’

<10> Telepolis has featured many articles on Echelon and related subjects, but I would consider the following articles by Duncan Campbell a good introduction: ‘Inside Echelon: The history, structure and function of the global surveillance system known as Echelon’, 25 July 2000 [http://www.heise.de/tp/deutsch/special/ech/6928/1.html]; ‘Germany, UK breaching human rights with NSA spy link-up’, 27 May 2001 [http://www.heise.de/tp/english/inhalt/te/7753/1.html]; ‘Echelon Chronology: Key steps in the development of Echelon from 1964 to May 2001’, 1 June 2001 [http://www.heise.de/tp/deutsch/special/ech/7795/1.html]

<11> Secret Power, Nicky Hager, Craig Potton Publishing, New Zealand, 1996

<12> Steve Wright’s report, ‘An Appraisal of the technologies of political control,’ is available at [http://www.europarl.eu.int/stoa/publi/166499/execsum_en.htm]

<13> Duncan Campbell’s paper, ‘Interception Capabilities 2000’, is available, amongst other places, at [http://www.fas.org/irp/eprint/ic2000/ic2000.htm]

<14> A mirror of the technical paper describing the handover interface can be found in PDF format at Cryptome [http://cryptome.org/espy/ETR331e01p.pdf]

<15> Cappato’s report ‘proposal for a European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector’ is available at [http://www.europarl.eu.int/meetdocs/committees/libe/20010710/439506de.pdf]. Further to his comments, it is worth noting that Article 8 of the Charter on Fundamental Rights of the European Union also provides that 1) Everyone has the right to the protection of personal data concerning him or her. 2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 2) Compliance with these rules should be subject to control by an independent authority. Privacy in the European Convention for Human Rights. The Charter on Fundamental Rights of the European Union is available as a PDF at [http://www.europarl.eu.int/charter/pdf/text_en.pdf]

<16> Statewatch has archived all the relevant European Council Conclusions relating to the EU plans for the surveillance of protestors and the criminalisation of protests at [http://www.statewatch.org/news/2001/aug/12Aporeport.htm]

Armin Medosch armin AT easynet.co.uk> is co-founder and editor of online magazine Telepolis - The Magazine of Netculture - which was launched in 1996. He recently curated the online art exhibition Shopping Windows and, together with Janko Roettgers, edited the forthcoming book Net Pirates, which portrays the internet underworld of hackers, crackers and software pirates.