In France, what was supposed to be an emergency measure of internet surveillance after 9/11 led to a permanent legislation. Here's the story.
A 5 ans, j'ai gagné un poste TV. A 15, je voulais faire du ciné. A 17, je lançais un fanzine, underground. A 20, une revue, expérimentale. A 25, un journal gratuit, sur les "arts de l'écran". A 28, je découvrais le Net.
Unless otherwise noted, all the links are French.
Imagine a democracy where the law demands the transportation department install cameras everywhere and keeps a record of activities for one year “just in case.” This includes the places people visited, how they went, the people they met, and what was exchanged or shared. In 2011, this is the reality for France.
As published in its official journal, France is forcing ISPs and social networks to store data which indicates who people are, where and when they go on the Internet, and what they are doing.
This Big Brother legislation on the “preservation of data that allows for identification of any person or entity involved in the creation of any online content,” is the conclusion of a story that started nearly 20 years ago (and was amplified in the aftermath of 9/11).
The history of Internet surveillance began in 1993, when the web was booming. During this year, there were 130 websites in June and 623 by December. The first browsers, Lynx and NCSA Mosaic, were growing at an annual rate of 341,634%.
That same year, the US authorities initiated intense diplomatic efforts to persuade European countries and the OECD to deploy surveillance and interception methods for telecommunications. This was sponsored under the ILETS (Interception Law Enforcement Telecommunication Seminar), an organization of European and American experts on the subject.
Founded by the FBI, the existence of this organization was revealed by journalist Duncan Campbell while he was writing a report on interception capabilities for the European Parliament. Due to his investigative work, in 1995 Europe adopted the resolution for lawful interception of telecommunications. This resolution was inspired by the American Communications Assistance to Law Enforcement Act (CALEA), created by the FBI in 1994 and required telephone companies and Internet providers to make their infrastructure accessible for network monitoring.
During this time, a group of the ministers from the EU formed ENFOPOL (ENFOrment POLice), which sought to define the technical procedures and standards of preventive surveillance for telecommunications. Some consider this group Europe’s response to the ECHELON organization.
A proposal was summited forcing ISPs to notify the authorities of the relevant passwords for the Internet, or at least creating a “backdoor” software system. In July 2001 the European Parliament decided to oppose the preservation of these connection traces. This conclusion was reached on the grounds that “it would give a free pass for the intrusion into the lives of private citizens, which would violate human rights and fundamental freedoms.” ZDNet reports:
The European Parliament committee noted that when dealing with electronic surveillance measures, they should be “entirely exceptional cases and based on specific laws and authorized by a competent judicial authority in the cases of individuals.” Any form of large-scale electronic surveillance should be banned, affirmed the committee.
Two months later, the events on 9/11 changed everything. In the name of anti-terrorism, many countries boosted their “security tool kits.”
In France, the socialist government, who since 1997 were trying to work around this law and fight “insecurity,” quickly changed its emergency legislation on communication safety (LSQ). Notably, this forced Internet ISPs to hold, for a year, the logs of what people were doing on the Internet. At this point, it wasn’t proven that terrorists used the Internet to communicate.
Showing the divide in Parliament, the socialist Senator Michel Dreyfus-Schmidt blew the whistle by claiming that France was acting outside of “Republican law.”
“There are some urgent and unpleasant measures that need to be taken, but I hope that we can return to a Republican law by the end of 2003.”
Fully aware that the anti-terrorism laws needed strict supervision, Article 22 of the LSQ precisely stated that the emergency measures were only effective in the wake of the attack, and were only to run until December 31, 2003. A report would be released around the time the expiration date approached, which would “evaluate the implementation of all these measures,” allowing Parliament to decide whether to continue the emergency legislation.
Parliament was not given the time to request or examine any report. On January 21, 2003, an amendment (posed by Christian Estrosi with the support of President Nicolas Sarkozy) introduced the a form of the Homeland Security Act (LSI, or Loi Sarkozy II). Without any debates and in less than a minute, the principle of preventative Internet surveillance was written in stone (See the full transcript):
M. Christian Estrosi: Extension or durability? In clause 17 of this government project, it only refers to the question of extension. In my amendment, conversely, I propose to perpetuate some of the referred provisions which pertain to the conservation and encryption of data. In other words, this is the use of new information technologies and communications in cybercrime.
I have previously submitted an amendment which would define these new forms of crimes, giving police the means to fight against cybercrimes and related networks.
It seems justifiable to consider the benefits from this amendment, which will perpetuate arrangements that will be increasingly useful for the future. We’ll have the resources to carry out investigations in fighting other forms of illegal trafficking: drugs, weapons, pedophilia, prostitution, and money laundering.
President Sarkozy: what is the opinion of the government?
Minister of Internal Security and Local Liberties: Favorable.
(the amendment is adopted.) “
The exceptional measures initially implemented to counteract terrorism at the disposition of a judicial authority became a definitive measure which is totally separated from the existences, or lack thereof, of a terrorist threat.
In 2004, a law (LCEN) extended hosting and managing web services’ obligations to retain data, meaning they must hold and store “data that permits the identification of people who contributed to the creation of content or are content services providers.”
In January 2006, the Interior Minister suggested to Sarkozy to extend the law to counteract terrorism (LCT). This new mandate included the maintenance of “data traffic” at Internet cafes, and permits anti-terrorism services to access outside judicial oversight (but with the consultation of a qualified person within the Interior Ministry).
On March 15,2006, the European Data Retention Directive[EN] defined the list of what service and communications providers must store regarding users’ information. This directive was followed by France on March 24, 2006. ISPs and phone operators were now required to trace and identify:
In 2007, the Interior Ministry discreetly put in place between the two presidential offices (according to Le Figaro) a new interception platform. In real time, it collects data on emails and text messages intended for intelligence:
Ranging from a call on a cellphone, an email on the Internet, or a simple text message, the “big ears” of the Republic can know who contacted who, where, and when.
Here’s the problem: The more and more connections are encrypted, the more this prevents the “big ears” from knowing who does what on different networks. Bernard Barbier, Technical Director for the Direction General for External Security, explains this phenomenon.
Upon his arrival to the special services in 1980, “The objective was the telephone” – localized and with limitations in terms of relaying information (fax, telex, or voice), its relatively low speed (“a million simultaneous communications is not a lot for us”), and rarely encrypted. The use of cryptography served as a red flag, because normally only diplomats, military and intelligence services encrypted their communications. “Our job was to decode them, and we would get between 100 to 1000 documents per day.
Today, nearly everyone in the world has a mobile phone, and the flow of information has drastically changed (about a billion simultaneous communications). Increasingly more services and information streams are encrypted (Blackberry, Skype, and since the Chinese’s cyberattacks Gmail). Even without the users noticing, eventually all forms of communication will probably be encrypted.
At the same time, says Bernard Barber, “Even the villains start to communicate” – often young and educated. “All terrorists in the making learn to encrypt. For them, the Internet is a way of hiding. They know we are trying to listen to their conversations, and therefore they hide themselves in the masses of Internet users.” In this way, “The targets have adapted.”
“Our main targets are no longer using government or military encryptions, but rather the same encryptions used by the general public. Today our targets are public networks because that is what is used by terrorists.”
Probably more intensified than before, the growth of telecommunications has led intelligence services to a further desire to know who communicates with who, when, how long, and where.
From this data stored over the years, we can look at an IP address or a phone number and then search our database for a list of the target’s correspondents. Using years of data, we can manage to reconstruct his entire network.
“The human memory is not infinite, so users often use the same passwords,” explained Bernard Barbier. This works to the advantage of those tracking terrorists, because the targets could use the same password for their real name on social networks along with their screen name used on forums related to terrorism:
Their double lives have the same password. And of course we store all passwords, we have a dictionary worth of millions of passwords.
It’s easier to understand why the legislation on the conservation of data “permiting to identify any person involved with the creation of online content,” was passed. Published 6 years after the adoption of the LCEN, it provides access to not just names, nicknames, usernames, phone numbers, electronic and postal addresses, but also “passwords and data which permits for verification of modification.”
The police and federal services have increasingly relied on crime analysis software (ANACRIM). “For example, it makes the connection between a phone call and the target, the target and his correspondents, and the network of correspondents to their extended networks and so on.”
Thus statisticians (the specialists in data mining) were able to extract from hundreds of thousands of Call Data Recordings the specific records containing all data related to one simple phone call, and identify the gathering place for the terrorists involved in the 2004 Madrid bombing.
This is why passwords are used to identify users, as noted by Guillaume Champeau on Numerama :
With these methods, the investigation becomes a sort of treasure hunt. For example, if the suspect was careful and hid his IP address and used a disposable email address at the “scene of the crime,” its possible for investigators to find the same log-in to other services online where the user has not taken the same precautions. By comparing the passwords, its may confirm that this is the same person and the IP address could be used for identification.
The anti-terrorism services, which have the right to access data without judicial review, can easily infiltrate the networks. Yet terrorist don’t really use social networks hosted in France nor French ISPs. Furthermore the legislation’s duty of preservation and transmission of data does not apply to foreign social networks and forums.
It only takes the Tarnac case to imagine the problems that would arise when police use these tools to infiltrate “organizations of a subversive nature that are likely to engage in acts of terrorism or undermine the state.” This notion is a fine line especially when surveillance is explicitly the mission of the DCRI (Direction Centrale du Renseignement Intérieur), the French anti-espionage agency resulting from the merger of RG and DST.
Considering this system has been in place for almost 10 years, is it worth being paranoid of the consequences? As noted by Eric Freyssinet, (the Director of the department fighting cybercrime), “Already in these situation and in most cases, investigators have correctly identified the right person.”
Yet it is worth remembering that normally under rule of law, we are not placed under surveillance with the pretense that we are suspected of having committed a crime or misdemeanor. In our “secure” democracy, every citizens is a suspect and is preemptively monitored, “just in case.” The problem is political – so is “Republican law.”
Photo Credits: Flickr CC leg0fenris.