Legitimizing Foreign Mass Surveillance in the European Court of Human Rights

The European Court of Human Rights (ECtHR) is beginning to weigh in on a sweep of legislation passed in recent years that authorizes bulk interception of foreign communications in countries including France and the U.K. A recent ruling pertaining to Swedish bulk interception programs expands permission for mass surveillance, exploratory or general monitoring, and broader storage of raw data, thereby easing safeguards against the abuse of power. It further demonstrates a surprising willingness by the court to re-tailor its human rights standards to meet the “collect it all” and “master the internet” agendas of western SIGINT agencies.

Avid Just Security readers will recall that in January 2017 I wrote a post about this “new era of mass surveillance legislation” that was emerging across Europe. I suggested that this emerging trend would widen the chasm between the expressed policies and aspirational agenda of the European Union and the Council of Europe and the laws and regulations of their member states. It was, therefore, inevitable that these laws would be subjected to the scrutiny of the ECtHR for their presumed violation of the right to privacy enshrined under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR).

Two such cases are pending before the court. One challenges the French Intelligence Act of 2015 (Association confraternelle de la presse judiciaire v. France et 11 autres requêtes) and another, triggered by the revelations of U.S. National Security Agency contractor Edward Snowden, challenges the programs of mass surveillance conducted by the U.K.’s signals intelligence agency, the Government Communications Headquarters (GCHQ), in collaboration with its U.S. counterpart, the National Security Agency (NSA) (10 Human Rights Organisations and Others v. the United Kingdom).

Last month, the ECtHR gave judgment in Centrum För Rättvisa v. Sweden that upheld Swedish legislation authorizing the gathering of covert bulk signals intelligence (SIGINT). The judgment is one of only a few cases in the history of the court to directly address foreign mass surveillance, and is certainly the only ruling in the post-Snowden era to be favorable to government. As such, it makes an important contribution to the court’s surveillance case law and sets a crucial precedent by drawing the lines of legality and illegality for intelligence agencies operating in the digital age.

The bottom line of the judgment is this: not only has mass surveillance by governments become the new normal even in Europe, as I indicated in my 2017 post, but this new normal has now received the Strasbourg Court’s official stamp of approval.

The Facts of Centrum För Rättvisa v. Sweden

The case was initially brought in 2008 after the Swedish parliament extended the powers of the Defense Radio Establishment (Försvarets radioanstalt, or FRA), Sweden’s primary SIGINT agency, to allow the bulk interception of communications and communications data running through cables. The Signals Intelligence Act (Lagen om signalspaning i försvarsunderrättelseverksamhet), which entered into force on Jan. 1, 2009, established that “all cable-based cross-border communications” will now be transferred to “points of collection” so that the FRA may conduct foreign signals intelligence based on (a) “detailed tasking directive(s)” which were to be routinely issued by governmental offices, the armed forces, the security police, and the national operative department of the police authority (para. 9).

The law has since been amended three times (in 2013, 2015, and 2016, respectively), and the ECtHR determined that it would examine its compatibility with the ECHR based on the most recent version of the law (para. 98).

As the court explains, there are eight possible justifications for foreign SIGINT collection under Section 1(2) of the Swedish law (para. 12):

“1) external military threats to the country, 2) conditions for Swedish participation in international peacekeeping or humanitarian missions or threats to the safety of Swedish interests in the performance of such operations, 3) strategic circumstances concerning international terrorism or other serious cross-border crimes that may threaten essential national interests, 4) the development and proliferation of weapons of mass destruction, military equipment and other similar specified products, 5) serious external threats to society’s infrastructure, 6) foreign conflicts with consequences for international security, 7) foreign intelligence operations against Swedish interests, and 8) the actions or intentions of a foreign power that are of substantial importance for Swedish foreign, security or defence policy.”

Prior to launching any new SIGINT operation or accessing and querying information at the various collection points, the FRA must secure a permit from the Foreign Intelligence Court (Försvarsunderrättelsedomstolen), except in the case of exigent circumstances where delay might make the operation futile. The Foreign Intelligence Court applies a proportionality test (whether less intrusive aims were considered, whether the benefits from surveillance outweigh the potential harms) in considering the reasoning for the request, the search terms or categories of search terms to be used, and the proposed duration of surveillance (up to six months, with possible routine extensions) (paras. 18-22).

In all the proceedings before the Foreign Intelligence Court, a privacy protection representative (Integritetsskyddsombud) must be present, unless this would delay, and compromise, the operation. The representative as well as all other members of the court are appointed by the government. While the law requires the Foreign Intelligence Court to hold hearings in public whenever possible, in practice, its hearings have never been open to the public and all of its decisions are confidential (para. 135).

Communications between a sender and a receiver within Sweden — known in U.S. intelligence parlance as “wholly domestic” communications — are excluded from surveillance. FRA, however, does not adopt a presumption of territoriality (such as the one proposed by Jennifer Daskal in 2015 in the context of the Fourth Amendment to the U.S. Constitution). Rather, in cases where the location and identities of the communicators are difficult to ascertain, the signals may be retained and inspected under the law until it becomes clear that they are wholly domestic, at which point the data must be destroyed. As the ECtHR described it (para. 62):

“[T]here were practical difficulties in separating domestic cable-based communications from those crossing the Swedish border. Any domestic communications that were not separated at the automated stage were instead separated manually at the processing or analysing stage”

Finally, under the Swedish law, the Foreign Intelligence Inspectorate (Statens inspektion för försvarsunderrättelseverksamheten, or SSIUN), which is led by a government-appointed board, is tasked with overseeing all of the country’s foreign intelligence activities. The inspectorate monitors the implementation of existing laws and compliance with applicable directives and ordinances, and may submit opinions and suggestions to the FRA and the government. The inspectorate’s decisions are subject to a review by the Parliamentary National Audit Office (Riksrevisionen), and its analysis is further enhanced by the work of the FRA’s internal Privacy Protection Council (paras. 36-43).

The applicant, the Centrum för Rättvisa, is a Stockholm-based nonprofit public-interest firm representing clients in litigation against the state on issues concerning individual rights and freedoms. While the organization was unable to show that it was specifically targeted for communications interception, it asserted that it was at risk of potential abuses of its right to privacy due to the particular functions it serves and the sensitive nature of its communications.

The Court’s Primary Holdings and their Significance

The court explicitly finds that “bulk interception regimes did not per se fall outside” the state’s margin of appreciation, the phrase used by the ECtHR to refer to states’ discretion. The court explains that, in light of technological advancements and the current transnational threats that plague many countries, “the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within states’ margin of appreciation” (para. 112). The Court seems to base this finding on Weber v. Germany and Liberty v. The United Kingdom. It is true that in both those cases the Court found that the two countries’ specific bulk interception regimes did not fall outside the scope of their margin of appreciation. Nonetheless, in neither of those cases did the ECtHR make such an explicit and controversial general statement, suggesting that mass surveillance is a legitimate means in the protection of national security. Moreover, both those cases were determined before the Snowden revelations and the public outcry that they triggered.

Equally dramatic, the Court proceeds to suggest that its decades-old case law on surveillance, including its list of minimum safeguards, must be adapted “where necessary to reflect the operation of a bulk interception regime” (para. 114). The court then proceeds to make these necessary adjustments to a number of its most foundational standards. Here are five of the main highlights:

a. Lack of Specificity and “Development Activities”

Foreign mass surveillance programs depend on the continuous examination of various cable trunks. They rely on routine preliminary and exploratory trials to allow agencies to determine the intelligence value of different communication bearers and signal carriers. The FRA calls them “development activities,” whereas GCHQ terms the process “testing” under Britain’s Investigatory Powers Act. As the ECtHR explains further (para. 122):

“Such collection is made in order to monitor changes in the international signals environment and to develop the FRA’s own signals intelligence technology, and may lead to data not relevant for the regular foreign intelligence being intercepted and read … The development activities are essential for the proper functioning of the foreign intelligence.”

These activities are, by their very definition, less specific. They fail to meet the ECtHR’s traditional requirements of particular suspicion and are aimed at broadening the net through the deployment of fuzzier search terms. While it is true that most of these operations will result in the gathering of metadata, some development activities may also involve the examination of intercepted content.

The court finds that, given that these activities are authorized through the same permit process and subjected to the same oversight, they are “sufficiently demarcated” and do not violate Article 8 of the ECHR. This is a massive shift from the court’s original position on surveillance going back to the late 1970s. Indeed, in Klass v. Germany, the Court explicitly prohibited “exploratory or general surveillance” that did not cover specific suspects (para. 51).

b. Toleration of “Automated Haystacks”

One of the most controversial questions in foreign mass surveillance debates surrounds the question of whether the right to privacy is violated already at the moment of collection or only at the moment of access. As clarified further by Professors Francesca Bignami and Giorgio Resta (p. 253):

“The U.S. intelligence community takes the position that the acquisition of personal data does not amount, in and of itself, to “processing;” data are processed only at the moment when they are analyzed by a human being. In other words, the default position in U.S. national security law is that privacy concerns arise only when the information is accessed by a human. This view stands in contrast with European law, under which the right to personal data-protection is triggered at the moment of collection.”

The ECtHR for the first time adopts the view that automated haystacks — databases of stored “unprocessed information,” raw materials not yet “subjected to manual treatment” — do not trigger an Article 8 infringement. Rather the court “accepts that it is necessary for the FRA to store raw material before it can be manually processed,” merely nodding to the obligation to delete such data “as soon as it is evident that it lacks pertinence for a signals intelligence mission” (para. 146). This is yet another radical claim that brings the Council of Europe’s human rights law far closer to the NSA’s playbook.

c. The Restructuring of Safeguards in Foreign Surveillance Cases

In Weber v. Germany (para. 95) the Court developed six safeguards that must be introduced into statutory authorizations to prevent any abuses of surveillance powers. The court in this case stretches the “Weber Criteria” to have them cover the FRA’s foreign surveillance operations.

The court, for example, acknowledged the fact that the Signals Intelligence Act included no provision obliging Swedish agencies to discontinue a signals intelligence mission when it is found that “the conditions for it have ceased to exist or the measures themselves are no longer necessary.” The inclusion of such a provision has been traditionally regarded by the court to be a prerequisite for the determination that a domestic law met the Weber Criteria. Nonetheless, the court was willing to overlook this omission, suggesting that unlike criminal investigations that target individual suspects, the need for such a cancellation provision is less “prominent” in the case of foreign intelligence against national security threats (para. 130).

A similar shift was introduced in the context of the secrecy surrounding the authorization of foreign surveillance measures. The applicants argued that all of the Foreign Intelligence Court’s hearings and judgments are subject to complete secrecy, and that authorities even refused to disclose mere aggregated information such as the number of hearings, the number of permits granted or rejected, or the various categories of search terms authorized. The court, however, did not see this as contradicting the Criteria it adopted in Weber. Rather, it found that the presence of a privacy protection representative in most of the hearings “compensates, to a limited degree, for the lack of transparency concerning the court’s proceedings and decisions.”

d. Lack of Clarity Surrounding Rules on Intelligence Sharing

The FRA’s current legal framework lacks sufficient clarity regarding if, when, or how intelligence is to be shared across agencies domestically or with foreign partners. Equally lacking are the frameworks that govern oversight over such intelligence cooperation. This is particularly concerning given the historical involvement of the FRA with the NSA and GCHQ in quite a number of controversial mass surveillance and hacking programs, such as Quantum and XKeyscore, as revealed by the Snowden leaks.

The ECtHR begins by highlighting the importance of sharing foreign surveillance information as part of Sweden’s “participation in international security operations.” At the same time, the court also acknowledges that “the mentioned lack of specification in the provisions regulating the communication of personal data to other states and international organisations gives some cause for concern with respect to the possible abuse of the rights of individuals.”

This concern, however, is not enough for the court to find a violation of the ECHR. The court cites to the existing oversight structures, claiming that they are enough to ease the concern, failing to explain precisely how the existing oversight bodies may be effective in supervising the unique privacy infringements that intelligence sharing triggers. This is unfortunate given that, as Privacy International noted, “Intelligence sharing is one of the most pervasive, and least regulated, surveillance practices in our modern world,” with significant impacts on privacy (p.3). Privacy International has further highlighted that in Sweden, although intelligence agencies “must inform the oversight bodies of the principles underpinning forms of cooperation with foreign agencies” the law does not explicitly require them to “disclose the written arrangements of such cooperation” or any specific details around particular intelligence sharing programs (p.34).

e. Notification Requirements and Access to Remedy

Yuval Shany, the incoming president of the United Nations Human Rights Committee, suggested in July 2017 that there might be emerging “a duty for ex post facto notification of persons who were under surveillance.” This duty has been part and parcel of the surveillance jurisprudence of the ECtHR from its early days. In the context of foreign surveillance, however, the court seems to be willing to completely abandon the duty.

The court again looks to the unique features of foreign SIGINT operations and retailors its jurisprudence. The court finds in these national security surveillance cases (para. 164) that:

“The activity or danger against which a particular series of surveillance measures is directed may continue for years, even decades, after the suspension of those measures. Subsequent notification to each individual affected by a suspended measure might well jeopardise the long-term purpose that originally prompted the surveillance. Furthermore, such notification might serve to reveal the working methods and fields of operation of the intelligence services and even possibly to identify their agents.”

As a result, the court seems open to replacing notification requirements in foreign surveillance cases with other remedies, namely domestic standing in courts to bring in abstracto litigation, so that both nationals and foreigners would be able to determine whether they have been spied upon.

Conclusion

Earlier this year I published an article with the Chicago Journal of International Law titled: “The Myth of a Universal Right to Privacy and the Practice of Foreign Mass Surveillance.” I argued that those human rights defenders who seek to apply the same standards for domestic and foreign surveillance in the name of universalism are setting themselves up for heartbreak, disappointment, and disenchantment. Foreign surveillance is a unique creature, and its features demand specific tailoring. As such, I called on those who care for privacy to step outside the bounded thinking of “one-size-fits-all” human rights standards for all surveillance practices.

The ECtHR in Centrum För Rättvisa v. Sweden has clearly adopted this model. In doing so, it set itself on a new path and signaled what its eventual rulings are likely to be on similar practices by the U.K. and France. In fact, in the case of 10 Human Rights Organizations v. the U.K., one of the plaintiffs’ arguments is that the U.K. has violated Article 14 of the ECHR on the principle of non-discrimination by setting different statutory protections for domestic and foreign surveillance (paras. 262-271). In the Swedish case, the court clearly takes the opposite view, endorsing such distinctions and differentiations rather than branding them with illegality.

But the ECtHR may have taken this approach over the line. In the name of doing whatever it can to legitimize the Swedish foreign surveillance machine, it might have skewed the balance too far and inadvertently legitimized more dangerous mechanisms. Recognizing the need to tailor the right to privacy to account for the unique features of foreign surveillance should not result in de facto abandoning all of the court’s important safeguards, nor should it lead us to cover our eyes to the practice’s negative effects. Instead what is required is a careful and nuanced act of rebalancing. This requires high degrees of precision. In ruling on the Swedish case, the court unfortunately wielded its analysis less like a surgeon in an operating room and more like an elephant in a china shop.


About the Author(s)

Asaf Lubin

Postdoctoral cybersecurity research fellow at the Fletcher School of Law and Diplomacy at Tufts University and a lecturer at Yale College, also a resident fellow at the Information Society Project and a visiting scholar at Hebrew University of Jerusalem's Cybersecurity Research Center. You can follow him on Twitter (@AsafLubin).