Patching the French Intelligence Bill

De La Quadrature du Net
Aller à la navigationAller à la recherche


This wiki page suggests possible amendments to the French Intelligence Bill (2015). It is still under construction and its contents could be thoroughly modified in the coming days.

Sommaire

INTRODUCTION

The Intelligence Bill introduced before the French Council of Ministers on March, 19th 2015 is presented by its promoters as a text which protects fundamental rights. This technical text would be nothing more than a way to legalise policies and techniques which were up to now common but not regulated, and as such to create better safeguards. Move along, nothing to see here!

This public relations strategy is all the more convenient for the government given that since the beginning of Edward Snowden's disclosures regarding the NSA and GCHQ surveillance practices, the French government has chosen to burry its head in the sand. For nearly two years, it has indeed managed to avoid any meaningful debate on the French services' practices, even though some of Snowden documents shed light on the DGSE (French foreign intelligence agency) partnerships with the NSA and the GCHQ. Instead of a transparent democratic debate, French officials have mostly weathered the storm, simply issuing denials without ever saying anything about its own surveillance practices.

According to its sponsors, this bill would help render the whole scheme as clean as it gets. For Prime Minister Manuel Valls, the text would even forbid mass surveillance! The underlying message being pushed here is that the French system is being defined in opposition to the American and British models.

But the argument doesn't hold once the text is examined in detail. Several provisions are actually directly inspired by the US and British law and the methods used by the NSA and GCHQ. Indeed, the bill legalizes tools of mass surveillance, in particular with automated Internet trafic analysis "black boxes" designed to detect “suspicious behaviour” (art. L. 851-4) or provisions on so-called "international surveillance" (art. L. 854-1) which will authorize bulk data collection. It also sets loose hacking and cyberattacks carried beyond French borders, and in this respect also echoes the recent revelations regarding the British, US and Canadian agencies' practices. Finally, despite what its champions claim, the text is in many ways a step backwards in relation to the existing law and practices: for instance, specific and crucial control processes currently carried out by the CNCIS (National Commission for the Control of Security Interceptions) are being dismantled, whereas the field of intervention of intelligence agencies is widely extended.

Only the citizens' mobilisation, in France and across the world, can make a change whilst the the government tries to force this bill through. In actual fact, the Valls-Urvoas (Jean-Jacques Urvoas is the Bill's co-author and is also its rapporteur) tandem in the National Assembly will enable the government and its majority to join forces during an rushed legislative procedure, while the "post-Charlie" mood and the securitarian drift of the opposition conservative party (UMP) will supposedly contribute to stifling the democratic and parliamentary debates.

The points raised below highlight the dangers of the bill while pointing at possible amendments. To be acceptable and allow intelligence agencies to do their work while respecting the rule of law, the text must indeed be deeply amended.

SCOPE RESTRICTIONS

Forbiding mass surveillance and predictive measures

Article L.851-4 provides that the Prime Minister may require that telecom operators and online service providers to detect, via automated means, suspicious pattern connexion data or online behavior, whose anonymity would be lifted if a terrorist threat were to be revealed. This provision seems to be inspired from the British model, as a similar mechanism was debated as early as 2000 when the RIP Act was adopted and eventually included within the Act's section 12 (this issue would be raised again in 2008, during a modernisation plan criticised for the extravagant expenses it incurred at the time).

Such means for extensive scanning of online communications at the network or server levels amount to a massive processing of personal data. As such, they are contrary to the jurisprudence established by both ECHR and ECJ. The government's argument that this surveillance relates to raw, anonymous data is completely at odds with technical realities. This provision introduces a mass surveillance using technical devices and algorithms in which no transparency is possible. It is moreover contrary to the French Data Protection Act, which provides that "no decision which produces legal effects in respect of a person may be taken on the sole basis of the automated processing of data." It must therefore be repealed.

Restricting the scope of the "foreign policy interests" public interest

Several provisions enlarge the various "public interests" that may be invoked to engage in intelligence gathering activities. The Government argues that the reference to the implementation of France's international commitments, or foreign policy interests, among those public interests aims to use the intelligence techniques to prevent the proliferation of weapons of mass destruction. While this goal may be laudable, the international commitments of France are a too broad and ill-defined legal category, which would allow for an indefinite extension of the legal basis for the use of surveillance. To comply with international law, the French law must be amended to ensure that it expressly mentions specific international obligations (treaties, agreements, conventions) justifying the use of intelligence gathering techniques.

Repealing the "collective violence" public interest

Article L. 811-3. extends the intelligence services' powers to include the "prevention of collective violence likely to cause serious harm to the public peace." The extremely broad wording of this public interest allowing exceptional monitoring techniques poses serious risks of arbitrariness. It could for instance easily be invoked to engage in the surveillance of social movements. Given the serious risks it poses to the most basic political rights, this provision must be deleted.

Repealing the "key scientific and economic interests" public interest

The legalisation of economic and scientific espionage in the country without any judicial oversight results in a disproportionate interference with both right to privacy and freedom of enterprise. If the information sought is not directly linked to the fight against industrial espionage, in which case the surveillance can be part of a criminal investigation, then the recourse to exceptional monitoring techniques cannot be justified.

Limiting by law the number of intelligence agencies

Article L. 811-4 of the bill empowers the government to unilaterally increase the number of executive agencies falling under the Minister of Defense, the Minister of the Interior as well as the Ministers for the Economy, Budget or Customs which may use intelligence techniques. In impact assessment, the Government is openly considering to give "certain police services" the broad surveillance powers provided in the bill . However, the scope of the competent authorities in regard to preventive and extra-judicial surveillance should remain limited to the minimum necessary, and the government does not provide any justification for the need to expand the already large number of beneficiary services (DGSE, DSPDs, DRM, DGSI, Tracfin and DNRED). Thus, given the fact that the increase in the number of relevant services acquiring and accessing "intelligence" leads to a greater risk for civil liberties, but also in order to ensure the predictability of the law, the number and nature of the beneficiary services must remain limited and must be subject to the law rather than executive decrees. This provision should be repealed.

Limiting the surveillance of the targets' entourage

Article L 852-1 will authorize the interceptions of the communications passed by "individuals close to the person who is the object of the authorisation" when they "are likely to act as an intermediary, voluntary or not, or on their behalf or may provide information pursuant to the end result for which the authorisation was granted." This provision may significantly increase the number of people likely to be monitored in a preventive and extra-judicial framework. It must be clarified to ensure that only those who are known to actually act as a direct and voluntary intermediary or whom have a direct link with the ongoing investigation may be affected by this provision.

Forgoing the extension of the time during which metadata may be exploited

The bill extends from three to five years the period during which intelligence agencies can keep hold and make use of traffic metadata. This very long duration is not necessary, and the government had failed to provide any evidence justifying the extension. The three-year period currently applied is already an exception to the regime applicable to other collected data, which must be destroyed after a period of 1 to 12 months.

Limiting the retention period for encrypted data and communications

Article L. 822-2 provides that the time limit for the retention of collected information (one to twelve months depending on the case) starts from the time of their decryption. This provision would allow services to retain data or communications (e.g. e-mail) for years before deciphering them and using it. For this reason, it is necessary to limit this period to a period of 30 days during which the data will be stored in an encrypted state, giving the agencies will enough time to perform a technical analysis. In addition, the article provides that the metadata attached to the encrypted content is subject to the same retention periods. This metadata being "in plaintext" (legible by everyone), this provision restricts the right to privacy even though the encrypted contents have not been decrypted. Here, the retention period prescribed for metadata (3 years) should apply.

INTERNATIONAL SURVEILLANCE AND UNIVERSAL RIGHTS

Limiting the "international surveillance" regime to communications transmitted and received abroad

In Article 854-1, the bill defines "international surveillance measures" as communications "sent or received abroad." Now, in the case of the Internet, most of French residents' communications are obviously "made or received abroad", particularly in the US where the largest service provider's servers are located. It is therefore completely misleading to coin them "international surveillance", since these provisions will directly and massively impact French citizens and residents.

All these provisions must be interpreted as a crude attempt to circumvent the already very weak protections contained in the bill. What is more, the provision actually raises additional walls of secrecy around the "implementation of surveillance rules", providing that these rules will be defined in an "unpublished" executive decree. In addition, the text does not bring any protection regarding the authorisation collection, retention, destruction or control procedures relating to these operations, merely referring once again to decree to be adopted at a later stage. Finally, derogatory rules will apply to the collected data: in a move contradicting France's commitment to universal rights protection, the text allows for special guarantees when the data can be 'linked' to the French national territory, and therefore to French citizens (similar to British RIP Act of 2000). These guarantees, however, come rather short of those applied to "national surveillance", since the retention time for intercepted communications starts from "the date of first use," instead of the date of collection.

In sum, the provision will allow the mass collection of communications to or from abroad, which can be stored indefinitely until they are processed and analysed and finally used by the agencies. In fact, the provision seems modelled on section 702 of the US law FISA, which is at the heart of the controversy surrounding Snowden's revelations. The scope of this provision must therefore necessarily be limited, by stressing that international monitoring only affects communications "issued' and received" abroad.

Upholding the universality of human rights

The Snowden revelations are shedding light on the scandalous NSA or GHCQ practices, which invoked the foreign element of data collection to violate national laws (in particular through cooperation mechanisms and data exchange agreements) and also significantly violate foreign nationals' rights to privacy. To reverse these trends, France must show its commitment to the universality of rights, in accordance with Article 1 of the Universal Declaration of Human Rights, particularly in regards to the right to privacy and communications confidentiality. To do this, the legislation must request that any surveillance measures, even when communications are issued and received abroad, be submitted to the prior control of an independent authority. This legal and ethical position is reinforced by some technical considerations: in its opinion on the bill (pdf), ARCEP (the national telecom regulatory agency) points out, for example, that "in light of the way the bill is drafted, it could be difficult for telecom operators to effectively determine under which regime the international communications sent or received on the national territory fall under" (since even communications sent of received in France can be routed at some point across French borders).

Repealing legal immunity for international hacking operations

France must oppose the frantic state-sponsored hacking arms race. However, the bill's Article 10 amends the Criminal Code in order to shelter intelligence agencies' employees from all criminal proceedings in connection with computer crime when it comes to carrying out their missions "outside the national territory" (more specifically when they engage in the intrusion, capture, destruction of computer systems). With Internet and the transnationalisation of communications, the notion of "national territory" is too restrictive to ensure an effective protection of rights. In fact, many French residents use computer systems located outside their borders to communicate over on the Internet and store their data. Hacking, even when conducted outside the country, must not result in any criminal immunity. The CNCTR (the executive agency which will be created by the bill to replace the CNCIS in controlling intelligence gathering operations) must also be given genuine control over this activity.

CONTROL & TRANSPARENCY

Providing the CNCTR with adequate investigatory resources

The CNCTR (French acronym for National Commission for the Control of Intelligence Techniques, which will replace the current CNCIS) must be able to carry out its control duties by leveraging sufficient human, material and technical resources. By merely providing an access to centralized records kept by the government as well as the possibility for the Prime Minister to transmit all or part of the intelligence agencies' own reports, the bill marks a major step back compared to the post control system currently in place. The proposed law must also provide for the CNCTR to be able to audition the agencies' directors or technical managers, a direct access to the collected data and the possibility to conduct audits in the various agencies premises (with both scheduled and unexpected visits). Furthermore, the CNCTR must have sufficient human resources to conduct its ex post control monitoring, for example by providing that it will be supported by an investigative team with the appropriate technical and legal expertise. Finally, the CNCTR should have the possibility to directly call upon the Intelligence General Inspection (created in 2014 to supervise intelligence agencies) to provide assistance when fulfilling its mission.

Ensure the collegiality of the CNCTR

In the bill's current form, Article L.821-3 allows the president of the CNTR to give his sole approval to a request from the Prime Minister. If in doubt, he may decide to consult with the rest of the Commission's board. By contrast, a simple majority is required from the commissioners to terminate an ongoing surveillance operation. Within the CNCTR, authorisation requests should be submitted to each of the commissioners, and the opinion of the committee must be the result of a simple majority of cast votes, respecting the timelines provided for in the bill. The adoption of a recommendation to stop the implementation of an intelligence gathering scheme should happen under the same conditions. When such recommendation is not acted upon, (Article L. 821-6), a qualified majority made up of a third of the commissioners should suffice to refer the case to the Council of state. All commissioners must be in a position to publish their personal opinion on the activities of the Commission in its annual report, in accordance with legitimate state secrets. In addition to collegiality, and to insure that the principle of adversarial proceedings is respected, a position as 'Right for Privacy Defense Lawyer' to defend the right to privacy of the monitored individuals should be created, as in the FISA law reform proposals currently discussed by the US Congress.

Repealing or limiting the "absolute emergency" procedure exempting from prior authorization

The preliminary check carried out by the CNCTR runs the serious risk of being circumvented by the "absolute emergency" procedure, especially since the agencies will have all the means at their disposal to make up for and argue 'absolute emergency'. This provision should be repealed or at least narrowly defined, for instance by limiting the number of times it can be use per year (e.g. only five times a year).

Forgoing real-time metadata surveillance with no prior control and no time limits

In the name of preventing terrorism, Article L. 851-3 allows for the connection data belonging to people "previously identified as posing a threat" to be collected in real-time, directly from the operators' networks, with no time constraint. Consequently, this provision ensures a real-time metadata capture without any preliminary control from the CNCTR. This control must be restored. Additionally, the provision must specify that agents cannot directly tap into the operators' networks. The later should instead be the ones transmitting the data, if necessary in real-time (as is currently the case in the Internal Security Code, as amended by the Military Planning Act: Article R. 246-7, which states that "the information request laid down in Article L. 246-3 must be fulfilled by the network's operator").

Reporting relevant cases to judicial authorities

In the bill, there is no set framework to define when and according to which criteria the exceptional preventative surveillance schemes must give way to a full judicial enquiry with its attached safeguards for those targeted. The judicial court is therefore likely to stay away from investigations into offences revealed by the collected information, when such investigations are under its sole authority. The law should therefore provide that once the constitutive elements of a crime are identified as part of the collection of intelligence, all necessary and relevant records should be transferred from the administrative authority to the judiciary. The CNCTR should also exercise control to ensure that intelligence services transmit as soon as possible to the judicial authority the records warranting the opening of an investigation.

Opening legal challenges to advocacy groups

In Article L. 841-1, the bill provides that those who have the capacity to appeal to a newly-created special section of the state_%28France%29 Council of State (French public law supreme court) include only the CNCTR, judicial authorities or "anyone with a direct and personal interest" act. This excludes advocacy organizations, which are often better equipped to defend civil liberties before state authorities, particularly when no surveillance target is known. It is therefore necessary to broaden the appeal capabilities.

Ensuring transparency on situations of illegality

Where the state Council finds a situation to be illegal, it can just decide to stop the collection and eventually condemn the state to compensate the applicant for the damage, without giving any information about the nature of the state's illegal acts. Similarly, if the Council of states finds a situation to be illegal, the lifting of secrecy invoked for national security grounds is subject to the Advisory Commission for the Secrecy of National Defence. The law should ensure transparency on the illegalities of situations observed, with adapted procedures to protect legitimate state secrets.

Repealing the criminalization of revelations on surveillance programs

Article 7 revises existing criminal provisions which punish, inter alia, the fact of publicly revealing a program or specific instance of surveillance. Such criminalization prevents disclosure of public interest in this area, including through journalistic investigations. These provisions must be repealed.

Protecting whistleblowers within intelligence agencies

A procedure must be established to allow whistleblowers to bring to the knowledge of the CNCTR or the special section of the state Council all practices clearly contrary to the legal framework (this was proposed by the state Council itself in a recent report on fundamental rights in the digital sphere). Findings of illegality must lead to putting an end to these illegal practices. They should also be disclosed in a public report, in a way that is appropriate to the activities of the intelligence services.

Protecting individuals and groups subject to professional secrecy

To comply with the European Court of Justice Digital Rights case law, French law must provide special protections for the communications of persons subject to professional secrecy, such as journalists (including the protection of the confidentiality of sources) or lawyers. The bill should be amended accordingly.

Ensuring transparency on the means for analyzing and processing data

To ensure predictability of the legal provisions relating to administrative surveillance, the government must disclose certain aspects of the functioning of its technical apparatus (see § 68 of the Liberty v. United Kingdom European Court Human Rights ruling, from July, 1st 2000). This requirement is all the more necessary in the French context as the practices and tools in this field have been ongoing in complete illegality for many years. The CNCTR must report on means and the tools employed for surveillance, by giving general information on IT equipment, types of algorithms and other tools of technical analysis of the processed data collected by intelligence services, in accordance with legitimate state secrets .

Ensuring control of the files of the intelligence services by the CNIL

The Government denied the French Data Protection Authority (CNIL) to repeal existing laws that exclude the control of legality of intelligence files under the personal data protection legal framework. The DPA states in its opinion on the bill that such control "is a fundamental requirement to establish the legitimacy of these files in the rights and freedoms of citizens." The bill should be amended to allow the CNIL to exercise such control, in a manner appropriate to the activities of the intelligence services, and in cooperation with the CNCTR.