Patching the French Intelligence Bill
- 1 INTRODUCTION
- 2 SCOPE RESTRICTIONS
- 2.1 Forbiding massive and predictive surveillance measures (black boxes)
- 2.2 Restricting the scope of the "foreign policy interests" justifying surveillance
- 2.3 Repealing the "collective violence" public interest
- 2.4 Repealing the "key scientific and economic interests" public interest
- 2.5 Limiting by law the number of intelligence agencies
- 2.6 Limiting the surveillance of the targets' entourage
- 2.7 Forgoing the extension of the time during which metadata may be exploited
- 2.8 Limiting the retention period for encrypted data and communications
- 3 INTERNATIONAL SURVEILLANCE AND UNIVERSAL RIGHTS
- 4 CONTROL & TRANSPARENCY
- 4.1 Ensuring an effective control by the CNCTR
- 4.2 Ensuring the collegiality of the CNCTR
- 4.3 Repealing or limiting the "absolute emergency" procedure exempting from prior authorization
- 4.4 Forgoing real-time metadata surveillance with no prior control and no time limits
- 4.5 Reporting relevant cases to judicial authorities
- 4.6 Bringing guarantees of due process
- 4.7 Opening legal challenges to advocacy groups
- 4.8 Ensuring transparency on situations of illegality
- 4.9 Repealing the criminalization of revelations on surveillance programs
- 4.10 Protecting whistleblowers within intelligence agencies
- 4.11 Protecting individuals and groups subject to professional secrecy
- 4.12 Ensuring transparency on the means for collecting, analyzing and processing data
- 4.13 Ensuring control of the files of the intelligence services by the CNIL
The Intelligence Bill introduced before the French Council of Ministers on March, 19th 2015 is presented by its promoters as a text which protects fundamental rights. This technical text would be nothing more than a way to legalise policies and techniques which were up to now common but not regulated, and as such to create better safeguards. Move along, nothing to see here!
This public relations strategy is all the more convenient for the government given that since the beginning of Edward Snowden's disclosures regarding the NSA and GCHQ surveillance practices, the French government has chosen to burry its head in the sand. For nearly two years, it has indeed managed to avoid any meaningful debate on the French services' practices, even though some of Snowden documents shed light on the DGSE (French foreign intelligence agency) partnerships with the NSA and the GCHQ. Instead of a transparent democratic debate, French officials have mostly weathered the storm, simply issuing denials without ever saying anything about its own surveillance practices.
According to its sponsors, this bill would help render the whole scheme as clean as it gets. For Prime Minister Manuel Valls, the text would even forbid mass surveillance! The underlying message being pushed here is that the French system is being defined in opposition to the American and British models.
But the argument doesn't hold once the text is examined in detail. Several provisions are actually directly inspired by the US and British law and the methods used by the NSA and GCHQ. Indeed, the bill legalizes tools of mass surveillance, in particular with automated Internet trafic analysis "black boxes" designed to detect “suspicious behaviour” (art. L. 851-4) or provisions on so-called "international surveillance" (art. L. 854-1) which will authorize bulk data collection. It also sets loose hacking and cyberattacks carried beyond French borders, and in this respect also echoes the recent revelations regarding the British, US and Canadian agencies' practices. Finally, despite what its champions claim, the text is in many ways a step backwards in relation to the existing law and practices: for instance, specific and crucial control processes currently carried out by the CNCIS (National Commission for the Control of Security Interceptions) are being dismantled, whereas the field of intervention of intelligence agencies is widely extended.
The government is now trying to force this bill through. At the National Assembly Valls-Urvoas tandem (Jean-Jacques Urvoas is the Bill's co-author and is also its rapporteur) will enable the government and its majority to join forces during an rushed legislative procedure, while the "post-Charlie" popular mood and the securitarian drift of the opposition conservative party (UMP) will supposedly contribute to stifling the democratic and parliamentary debates.
Only a wide-ranging citizen mobilisation, in France and across the world, can make a change.
The points raised below highlight the dangers of the bill while pointing at possible amendments. To be acceptable and allow intelligence agencies to do their work while respecting the rule of law, the text must indeed be deeply amended.
Forbiding massive and predictive surveillance measures (black boxes)
Article L.851-4 provides that the Prime Minister may require that telecom operators and online service providers deploy technical devices (a.k.a black boxes) to detect, via automated means, suspicious patterns of connexion data or online behavior. The Prime Minister could decide, "if a terrorist threat were to be revealed (...) to lift the anonimity of those data". This provision seems to be inspired from the British model, as a similar mechanism was debated as early as 2000 and eventually included in the RIP Act's section 12 (in the UK, the issue of "black boxes" would be raised again in 2008, during a modernisation plan criticised for the extravagant expenses it incurred at the time).
Such devices aimed at the extensive scanning of online communications at the network or server levels amount to a massive processing of personal data. As such, they are contrary to the jurisprudence established by both EU Court of Justice and the European Court of Human Rights (see, e.g., Amann v. Switzerland, February 16th, 2000, §68). The government's argument that such surveillance relates to raw, anonymous data is completely at odds with technical realities, since "raw" metadata can easily be used to reveal someone's identity.
To detect "suspicious behaviors", these black boxes will run algorithms for which no transparency is possible. They are moreover contrary to the French Data Protection Act's article 10, which provides that "no decision which produces legal effects in respect of a person may be taken on the sole basis of the automated processing of data." It must therefore be repealed.
Restricting the scope of the "foreign policy interests" justifying surveillance
Several of the bill's aim to enlarge the various "public interests" that may be invoked to engage in intelligence gathering activities. The government argues that the reference to France's "international commitments" and "essential foreign policy interests" among those public interests aims to use the surveillance to fight the proliferation of weapons of mass destruction. While this goal may be laudable, "international commitments" and "foreign policy interests" are much too broad and ill-defined legal categories, which would allow for an indefinite extension of the legal basis for the use of surveillance. To comply with international law, the bill must be amended to ensure that it expressly mentions specific international obligations (treaties, agreements, conventions) justifying the use of intelligence gathering techniques.
Repealing the "collective violence" public interest
Article L. 811-3. extends the intelligence services' powers to include the "prevention of collective violence likely to cause serious harm to the public peace." The extremely broad wording of this public interest allowing exceptional monitoring techniques poses serious risks of arbitrariness. It could for instance easily be invoked to engage in the surveillance of social movements. Given the serious risks it poses to the most basic political rights, this provision must be deleted.
Repealing the "key scientific and economic interests" public interest
The legalisation of economic and scientific espionage in the country without any judicial oversight results in a disproportionate interference with both the right to privacy and freedom of enterprise. If the information sought after is not directly linked to the fight against industrial espionage, in which case the surveillance can be part of a criminal investigation, then the recourse to exceptional surveillance techniques cannot be justified.
Limiting by law the number of intelligence agencies
Article L. 811-4 of the bill empowers the government to unilaterally increase the number of executive agencies that fall under the Minister of Defense, the Minister of the Interior as well as the Ministers for the Economy, Budget or Customs and which may use intelligence techniques. In impact assessment, the government is openly considering to give "certain police services" the broad surveillance powers provided in the bill . However, the scope of the competent authorities in regard to preventive and extra-judicial surveillance should remain limited to the minimum necessary, and the government does not provide any justification for the need to expand the already large number of beneficiary services (DGSE, DSPDs, DRM, DGSI, Tracfin and DNRED). Thus, given the fact that the increase in the number of relevant services acquiring and accessing "intelligence" leads to a greater risk for civil liberties, but also in order to ensure the predictability of the law, the number and nature of the beneficiary services must remain limited and must be subject to the law rather than executive decrees. This provision should be repealed.
Limiting the surveillance of the targets' entourage
Article L 852-1 will authorize the interceptions of the communications made by "individuals close to the person who is the object of the authorisation" when they "are likely to act as an intermediary, voluntary or not, or on their behalf or may provide information pursuant to the end result for which the authorisation was granted." This provision may significantly increase the number of people likely to be monitored in a preventive and extra-judicial framework. It must be clarified to ensure that only those who are known to actually act as a direct and voluntary intermediary or who have a direct link with the ongoing intelligence operation may be affected by this provision.
Forgoing the extension of the time during which metadata may be exploited
The bill extends from three to five years the period during which intelligence agencies can keep hold and make use of traffic metadata. This very long duration is not necessary, and the government had failed to provide any evidence justifying the extension. The three-year period currently applied is already an exception to the regime applicable to other collected data, which must be destroyed after a period of 1 to 12 months.
Limiting the retention period for encrypted data and communications
Article L. 822-2 provides that the time limit for the retention of collected information (one to twelve months depending on the type of information) starts from the moment of their decryption. This provision would allow services to retain data or communications (e.g. e-mails) for everal years before deciphering them and using it. For this reason, it is necessary to limit this period to 30 days during which the data will be stored in an encrypted state, giving the agencies enough time to perform a technical analysis. In addition, the article provides that the metadata attached to the encrypted content is subject to the same retention periods. However, such metadata being "in plaintext" (legible by everyone), the provision allows for an unlimited retention period and is thus an unacceptable infringement on the right to privacy. Here, the retention period prescribed for metadata (3 years) should apply.
INTERNATIONAL SURVEILLANCE AND UNIVERSAL RIGHTS
Limiting the "international surveillance" regime to communications transmitted and received abroad
In Article 854-1, the bill defines "international surveillance measures" as communications "sent or received abroad." Now, in the case of the Internet, most of French residents' communications are obviously "made or received abroad", particularly in the US or in other European countries where the largest service providers' servers are located. It is therefore completely misleading to claim that such surveillance is "international", since these provisions will directly and massively impact French citizens and residents.
This provision must be interpreted as a crude attempt to circumvent the already very weak protections contained in the bill. What is more, this article actually raises walls of secrecy around the "implementation of surveillance rules" in this field, providing that these rules will be defined in an "unpublished" executive decree. In addition, the text does not bring any protection regarding the authorisation collection, retention, destruction or control procedures relating to these operations, merely referring once again to a (public) decree to be adopted at a later stage. Finally, derogatory rules will apply to the collected data: in a move contradicting France's commitment to universal rights protection, the text allows for special guarantees when the data can be 'linked' to the French national territory, and therefore to French citizens (similar to British RIP Act of 2000). These guarantees, however, come rather short of those applied to "national surveillance", since the retention time for intercepted communications starts from "the date of first use," instead of the date of collection.
In sum, the provision will allow the mass collection of communications to or from abroad, which can be stored indefinitely until they are processed, analysed and finally used by the agencies. In fact, the provision seems modelled on section 702 of the US law FISA, which is at the heart of the controversy surrounding Snowden's revelations. The scope of this provision must therefore necessarily be limited, by stressing that international monitoring only affects communications "issued' and received" abroad.
Upholding the universality of human rights
As showed by the ongoing Snowden revelations, the NSA and the GHCQ have invoke the foreign element of data collection to violate national laws (in particular through data exchange partnerships) and also significantly violate foreign nationals' rights to privacy. To reverse these trends, France must show its commitment to the universality of rights, in accordance with Article 1 of the Universal Declaration of Human Rights and article 2 of the International Covenant on Civil and Political Rights, particularly in regards to the right to privacy and communications confidentiality (article 17 of the ICCPR). To do this, the bill must provide that any surveillance measures, even when communications are sent and received abroad, be subject to the prior control of an independent authority. This legal and ethical position is reinforced by technical considerations: in its opinion on the bill (pdf), ARCEP (the national telecom regulatory agency) points out for example that "in light of the way the bill is drafted, it could be difficult for telecom operators to effectively determine under which regime the international communications sent or received on the national territory fall under" (since even communications sent of received in France can be routed at some point across French borders).
Repealing legal immunity for international hacking operations
France should oppose the ongoing frantic state-sponsored hacking arms race. But the bill's Article 10 aims to ammend the Criminal Code in order to shelter intelligence officers from any criminal proceedings in connection with computer crime as long as it is carried out in the context of their missions "outside the national territory" (this would give them immunity when engaging in the intrusion, capture, destruction of any type of computer systems). With Internet and the transnationalisation of communications, the notion of "national territory" is way too restrictive to ensure an effective protection of rights. In fact, even if one disregards the imperious obligation to offer a universal protection of fundamental rights, it is obvious that many French residents use computer systems located outside their borders to communicate over on the Internet and store their data. Hacking, even when conducted outside the country, must not result in any criminal immunity. The CNCTR (the executive agency which will be created by the bill to replace the CNCIS in controlling intelligence gathering operations) must also be given genuine control over any hacking activity, in France and abroad.
CONTROL & TRANSPARENCY
Ensuring an effective control by the CNCTR
The CNCTR (French acronym for National Commission for the Control of Intelligence Techniques, which will replace the current CNCIS) must be able to carry out its duties by leveraging sufficient human, material and technical resources. First, its ex ante opinions must be binding for the Prime Minister, who will eventually grant intelligence services the power to engage in surveillance operations. Then the ex post control must be effective. By merely providing an access to centralized records of data and communications kept by the government as well as the possibility for the Prime Minister to transmit all or part of the intelligence agencies inspection services' reports, the bill marks a major step backward compared to the ex post control currently in place. The CNCTR should also be able to audition the agencies' directors or technical managers, have direct and real-time access to collected data and communications, and be able to conduct audits in the agencies' premises (with both scheduled and unexpected visits). Furthermore, the CNCTR must have sufficient human resources to conduct its missions, for example by relying on an investigative team with the appropriate technical and legal expertise. To that end, the CNCTR should directly supervise the Intelligence General Inspection (created in 2014 to control intelligence agencies, and currently attached to the Prime Minister).
Ensuring the collegiality of the CNCTR
In the bill's current form, Article L.821-3 allows the president of the CNTR to give his sole approval to a request from the Prime Minister. If in doubt, he may decide to consult with the rest of the Commission's board (comprised of 8 other members). By contrast, a majority of Commissioners is required to make an appeal in order to terminate an ongoing surveillance operation. Within the CNCTR, authorisation requests should be submitted to each of the commissioners, and the opinion of the committee must be the result of a simple majority of cast votes, respecting the timelines provided for in the bill. The adoption of a recommendation to stop the implementation of an intelligence gathering scheme should happen under the same conditions. When such recommendation is not acted upon, (Article L. 821-6), a qualified majority made up of a third of the commissioners should suffice to refer the case to the Council of State. All commissioners must be in a position to publish their personal opinion on the activities of the Commission in its annual report, in accordance with legitimate state secrets. In addition to collegiality, and to insure that the principle of adversarial proceedings is respected, a position of 'Independent Privacy Advocate' to defend the right to privacy of persons subject to surveillance should be created, as has been debated in the context of the FISA law reform proposals currently discussed by the US Congress.
The ante post control exerted by the CNCTR before the Prime minister can issue surveillance orders runs the serious risk of being circumvented by the "absolute emergency" procedure provided in the bill, especially since intelligence agencies will have all the means at their disposal to make up for and argue 'absolute emergency'. This provision should be repealed or at least narrowly defined, for instance by limiting the number of times it can be use per year (e.g. only five times a year).
Forgoing real-time metadata surveillance with no prior control and no time limits
In the name of preventing terrorism, Article L. 851-3 allows for the connection data belonging to persons "previously identified as posing a threat" to be collected in real-time, directly from the operators' networks, with no time constraint. Consequently, this provision authorizes real-time metadata surveillance without any prior control from the CNCTR. such a control must be restored. Additionally, the provision must specify that intelligence agencies cannot directly tap into the operators' networks: the later should instead be the ones transmitting the data, if necessary in real-time (as is currently the case in the Internal Security Code, as amended by the Military Planning Act: Article R. 246-7, which states that "the information request laid down in Article L. 246-3 must be fulfilled by the network's operator").
In the bill, there is no set framework to define when and according to which criteria exceptional and preventive surveillance measures must give way to a full judicial enquiry with its attached safeguards. The judiciary is therefore likely to stay away from investigations into offences revealed by collected information, even when such investigations should in principle be under its sole authority. The law should therefore provide that once the constitutive elements of a crime are identified as part of the collection of intelligence, all necessary and relevant records should be transferred from the administrative authority to the judiciary. The CNCTR should also exert control to ensure that intelligence services transmit all the relevant information to the judiciary as soon as possible.
Bringing guarantees of due process
The bill's Article 4 fails to ensure a fair trial since the use of state secrets during proceedings deeply undermines the rights of the defense (here, the French government draws inspiration from the "Closed-Material-Procedures" established in the UK through the Justice and Security Act of 2013, and which are severely criticized in a recent EU Parliament study). To avoid such pitfalls, the Council of State should be able to declassify documents submitted by the government and for which it deems classification to be inappropriate. Closed-door hearings provided by Article L. 773-4 of the bill also run counter to due process: in cases where the Council deems that classification is warranted and that a contradictory debate between the government and the appellant is therefore not possible, then the government should only be able to provide the written pieces, for instance those submitted to the CNCTR for prior review (this will ensure that applications for authorization are sufficiently accounted for). Finally, it is also necessary to ensure that legal procedures will fast enough to ensure their relevance, considering the time limits for surveillance authorizations and data conservation (which vary depending on the type of data). In this regard, the Council should also be able to issue provisional and protecting injunctions pending the procedure's outcome. Lastly, beyond payment of damages, administrative or criminal sanctions must be provided against persons responsible for surveillance operations found to be illegal.
Opening legal challenges to advocacy groups
In Article L. 841-1, the bill provides that those who have the capacity to appeal to a newly-created special section of the Council of State (French public law supreme court) include only the CNCTR, judicial authorities or "anyone with a direct and personal interest" act. This excludes advocacy organizations, which are often better equipped to defend civil liberties before state authorities, particularly when no surveillance target is known. It is therefore necessary to broaden the appeal capabilities.
Ensuring transparency on situations of illegality
Where the Council of State finds a situation to be illegal, it can just decide to stop the collection and eventually condemn the state to compensate the applicant for the damage, without giving any information about the nature of the state's illegal acts. Similarly, if the Council of State finds a situation to be illegal, the lifting of secrecy invoked for national security grounds is subject to the Advisory Commission for the Secrecy of National Defence. The law should ensure transparency on the illegalities of situations observed, with adapted procedures to protect legitimate state secrets.
Repealing the criminalization of revelations on surveillance programs
Article 7 revises existing criminal provisions which specifically punish, inter alia, the fact of publicly revealing a program or a given instance of surveillance. Such criminalization prevents disclosures of public interest, including those resulting from journalistic investigations. These provisions must be repealed.
Protecting whistleblowers within intelligence agencies
A procedure must be established to allow whistleblowers to report to the CNCTR or to the special section of the Council of State any practice that violates the legal framework (as proposed by the Council of State in a recent report on fundamental rights and the digital sphere). Findings of illegality must lead to end to such illegal practices, which should also be disclosed in a public report, in a way that is appropriate to the activities of the intelligence services.
Protecting individuals and groups subject to professional secrecy
To comply with the European Court of Justice Digital Rights case law, French law must provide special protections for the communications of persons subject to professional secrecy, such as journalists (including the protection of the confidentiality of sources) or lawyers. The bill should be amended accordingly.
Ensuring transparency on the means for collecting, analyzing and processing data
To ensure predictability of the legal provisions relating to administrative surveillance, the government must disclose certain aspects of the functioning of its technical apparatus (see § 68 of the Liberty v. United Kingdom European Court Human Rights ruling, from July, 1st 2000). This requirement is all the more necessary in the French context as the practices in this field have been ongoing in complete illegality for many years. The CNCTR must report on the means and tools used for surveillance by issuing general information on IT equipment, types of algorithms and other tools of technical analysis of the processed data collected by intelligence services, as well as the data exchange partnerships they may have with foreign agencies, in accordance with legitimate state secrets .
Ensuring control of the files of the intelligence services by the CNIL
The government denied the French Data Protection Authority (CNIL) to repeal existing laws that exclude the control of legality of intelligence files under the personal data protection legal framework. The DPA states in its opinion on the bill that such control "is a fundamental requirement to establish the legitimacy of these files in the rights and freedoms of citizens." The bill should be amended to allow the CNIL to exercise such control, in a manner appropriate to the activities of the intelligence services, and in cooperation with the CNCTR.