SORM Clouds Over Europe

How easily we forget

It's ironic how easily we forget our very recent past. It was not more than five years or so ago when everyone in the world was up in arms about SORM. SORM was a Russian law that would require all Russian ISPs to install a device that would connect the ISP to the security agency and let the FSB (formerly the Kremlin's Good Boys, or the KGB) eavesdrop on all information, both incoming and outgoing. The worry was not so much over SORM, but about the transition from the relatively controllable SORM-1, which required warrants, to the uncontrollable SORM-2. In essence, with SORM-2 wiretapping in Russia is as far as a mouse click away.

Then, there was much ado about SORM-2, namely that it was a violation of human rights. Business was concerned because of the potential for "market damage", i.e., it would be bad for e-commerce. Also, there were fears Internet growth may also be stunted as users would no longer trust the Internet as a new media. What's ironic now is that history is repeating itself -- this time across Europe and beyond -- with much less concern than five years ago; no widespread discussions on human rights, market damage, or stunted Internet growth. It's as if it's business as usual.

The hostage crisis in Moscow by Chechen rebels has helped to legitimate STORM

What's ironic now is that history is repeating itself -- this time across Europe and beyond -- with much less concern than five years ago. No widespread discussions on human rights, market damage, or stunted Internet growth; it's as if it's business as usual. What is more, the recent hostage crisis in Moscow by Chechen rebels has helped to legitimate STORM. Indeed, in the aftermath of the hostage crisis it looks as though Russia will be adopting a SORM-3 program, although details of such a move haven't been made official.

It's only to be expected that the Russian government would move in this direction. During the crisis, telecoms were required to capture all telecommunication exchanges taking place throughout the region. The "assistance" granted to Russia by other countries during the crisis were of a similar nature, in that all forms of electronic communications were monitored. In essence, the draconian measures of the various terrorism packages adopted by governments throughout Europe kicked in, with little or no scrutiny from outside observers or critics.

In some instances, this even led to a police crackdown of sorts. In Hungary, Chechen and other refugees were followed and closely monitored by law enforcement. The treatment of suspect foreigners in Hungary was similar to what befell Afghan refugees shortly after the terrorist attacks in the US last year. Then, Afghan refugees were rounded up and incarcerated together in a closely guarded compound; in effect, they were all treated as potential criminals.

Unfortunately, such instances of state repression have now become the rule and not the exception. And it not only has to do with former dictatorships falling back on traditional means of governance or the over-reaction of countries to terrorist or rebel attacks. In a further blow to the privacy rights of citizens within the European Union (EU), Eurocrats are planning to introduce a compulsory data retention regime throughout Europe. Unlike the past, when Russia's SORM initiatives drew scathing criticism from Europe, the European Commission (EC) seems intent on borrowing and improving on SORM.

The traffic data of the whole population of the EU is to be held on record

Under the European plan, which was first formulated by the Belgian chair of the rotating presidency in the first half of 2002 and now carried on by the Danish chair, all telecommunications firms, including mobile phone operators and internet service providers, will have to keep data identifying the source, destination, and time of a communication (as well as the personal details of the subscriber to any "communication device") on all forms of telecommunications sent and received by EU citizens. This information, known as traffic data, covers phone calls, faxes, mobile phone use, internet browsing, and e-mail. All this data would be held in central computer systems and made available to all EU governments for a period of 12-24 months. The same would apply also to accession countries to the EU, that is, those countries wishing to join the EU in the coming years, such as Hungary, Poland, and the Czech Republic.

In essence, what this means is that the traffic data of the whole population of the EU -- and the countries joining -- is to be held on record against the basic rights of data protection, proper rules of procedure, scrutiny by supervisory bodies and judicial review.

According to Statewatch, the directive by the EU contains "grave gaps" in terms of civil liberties protection. These include no provisions for refusing to execute a request on human rights or privacy grounds. Moreover, there are no limits as to what data can be exchanged and there is no reference to controls on the copying of data. Nor is there any reference to supervisory authorities on data protection or an individual's right to correct, delete, or block data. Furthermore, there is no mention of compensation for misuse or for related judicial review, nor are there any rules for checking on the admissibility of data searches.

Just the tip of the iceberg

Until now, what gave EU citizens a small measure of security from their own governments (at least on paper) was the 1997 European Commission (EC) Directive on privacy in telecommunications. This was the follow-up to the hard-won 1995 EC Directive on data protection, now law across the EU. The 1997 EC Directive said that the only purpose for which traffic data could be retained was for billing (i.e., for the benefit of customers) -- and even then it had to be erased in due course. Law enforcement agencies could only get access to the traffic data with a judicial order relating to the activities of a specific person or group.

The new measures simply overrides the 1997 EC Directive by deleting the provisions for telecommunication providers to erase all data and to have them keep traffic data for a so-called "limited period". Not surprisingly, this was initially rationalised under the guise of tackling "terrorism". But now, as war rhetoric increasingly falls on deaf or critical ears, the mantra is that law enforcement agencies need to have access to all traffic data for the purpose of criminal investigations in general. This includes such things as participation in a criminal organisation, terrorism, trafficking in human beings, sexual exploitation of children, drug trafficking, money-laundering, fraud, racism, hijacking and "motor vehicle crime".

Yet Statewatch sees this as just the tip of the iceberg. They maintain that the new measures also carries "a strong hint" that another measure is in the pipeline, that is, one to allow law enforcement agencies access to the content as well as the traffic data of personal communications. This would mean a further extension in the powers of European security and intelligence agencies, allowing them to see the contents of e-mails and intercepted calls and faxes.

For its part, the EU admits the plan involves an invasion of privacy but maintains that the retention period of 12 to 24 months is "not disproportionate". What is more, the "confidentiality and integrity" of retained traffic data must be "ensured", but the architects of the plan don't not say how. Also, there's no guarantee that the maximum retention period -- two years -- will be kept. "Once you start retaining the data it tends to hang around," commented Ian Brown of the Foundation for Information Policy Research.

The issue surrounding the EU's plans for data retention isn't limited to Europe, however. It extends far beyond, all the way to countries like Canada. Indeed, the Canadian government is also considering a proposal that would force Internet providers to rewire their networks for easy surveillance by police and spy agencies. Not only this, there is also talk of creating a national database of every Canadian with an Internet account, a plan that would sharply curtail the right to be anonymous online.

Like the EU, Canadian officials argue that since more and more communications take place in electronic form, such surveillance is necessary in order to fight terrorism and combat run-of-the-mill crimes. They also claim that Canada will be following its obligations under the Council of Europe's cybercrime treaty, which still hasn't been ratified by all EU members. Both Canada and the United States are non-voting members of the Council of Europe, and representatives from both countries' police agencies have endorsed the controversial cybercrime treaty, which has drawn protests from human rights activists and civil liberties groups. Yet so far, only Albania has formally adopted the treaty.

For Canada, the importance of the new plans for data retention within the EU is that it would further help the government make its case to introduce sweeping changes to Canadian law. As it stands, most experts agree that the Canadian proposal on its own seems weak to justify such radical legal changes. Indeed, according to Sarah Andrews, an analyst at the Electronic Privacy Information Center (EPIC) who specializes in international law, the proposal goes beyond what the cybercrime treaty specifies.

An increased sense of paranoia in Europe over the notion of "security"

EPIC opposes the cybercrime treaty, saying it grants too much power to police and does not adequately respect privacy rights. Yet the data-retention proposals of the EU, and subsequently Canada, shouldn't be viewed in isolation, but seen within the wider context of an "anti-privacy" action plan practiced by the state.

Already, the EU has extended the Schengen Information System (SIS) to create an EU database to target "suspected" protesters and bar them from entering a country where a protest is planned. The SIS also contains an EU database of all "foreigners" so as to remove "third country nationals" who have not left within the "prescribed time frame".

Meanwhile, the EU plans to combat terrorism by widening the definition of terrorism to cover groups that aim to "seriously alter the political, economic or social structure of one or more countries and their institutions". This de-facto criminalisation of the right to protest extends to the act of civil disobedience, which has now been rephrased as "urban violence". To this extent, efforts have been underway to create EU para-military police units to counter all forms of public protest.

All this comes on the heels of an increased sense of paranoia in Europe over the notion of "security". For instance, the latest fad in the UK is to have children tagged with a tracker implant. That is, children of worried parents are being fitted with a microchip so that their movements can be traced if they are abducted. The miniature chip, which is usually implanted in the arm or leg, will apparently send a signal via a mobile phone network to a computer, which will be able to pinpoint the location on an electronic map.

In one such example, parents said they had decided on getting the tracking implant for their daughter after the abduction and murder of two schoolgirls, Holly Wells and Jessica Chapman, a media story which had gripped the British public. The rationale for such technology in face of such a "threat" was summed up by the mother: "If a car is stolen, it can be fitted with a computer to enable it to be tracked -- so why not apply the same principle to finding missing children?"

What is frightening in this brave new world of Big Brother is that some parents actually think this way, leading others to assume that such logic is sound. It appears no-one questions the underlying fallacy of the car-child analogy; that is, children are not things.

Fortunately, not everyone is blindly stampeding down this alley. According to a spokesperson for Kidscape, the charity aimed at stopping children from being bullied and sexually abused:

Thanks to the present climate of security paranoia, which ranges from bearded terrorists milling in the crowds to sex offenders lurking in the streets, actions are being taken by governments and individuals alike with no thought of the possible ramifications and future abuse. In the case of the tracker implant, even the designer of the chip, Kevin Warwick of the Cybernetics Department at Reading University, conceded that some parents might abuse the system or overreact if their children were late home. Still, despite such obvious shortcomings, he maintains that tagging was the correct course of action in the light of recent events. "The implant won't prevent abductions, nothing will," he admits." However, if the worst happens, parents will at least be in with a chance of finding their children alive." As a result, he has called for an urgent government debate on the issue, and believes ministers should consider implants for all children.

The idea of tagging all children with a tracker implant is such a monstrous idea that its hard to believe even EU anti-privacy crusaders would be willing to endorse it. While most do raise questions about the technology of whether the chip should remain dormant in the limb until an emergency arose, or whether it should emit a signal 24 hours a day, there has been surprisingly little debate over the practice itself. What has been considered a "debate" is whether only the police should have the authority to allow the system to be activated (as things stand, parents can have that right as well). No one has yet dared to mention or even consider the following nightmare scenario: a society where everyone is tagged with a tracker implant, starting in early childhood and carrying on into our adult years, where the focus changes from protection to surveillance.

All this, in conjunction with the present plans for a data retention regime and the existing SIS, would make the power of the state over the individual total. Once this happens, Logan's Run can't be far off.