New Swedish draft proposal for government hacking powers violates human rights standards

On 24 October 2019, the Swedish government submitted a new draft proposal to give its law enforcement broad hacking powers. On 18 November 2019, the Legal Council (“Lagråd”), an advisory body assessing the constitutionality of laws, approved the draft proposal.

Privacy International believes that even where governments conduct hacking in connection with legitimate activities, such as gathering evidence in a criminal investigation, they may struggle to demonstrate that hacking as a form of surveillance is compatible with international human rights law. This is because such capabilities present unique and grave threats to our privacy and security (you can read more about why, here).

Nevertheless, given the reality that governments across the world are using hacking powers, we recommend that they at least do so lawfully, and in line with necessary safeguards.

Unfortunately, the new Swedish draft proposal falls short of even these basic requirements.

The Swedish government hopes that the new law, pending parliamentary approval, will enter into force on 1 March 2020.

Privacy International strongly recommends that the Swedish parliament does not approve the current draft proposal, and that the Swedish government withdraws or at least amends the proposal.

Where the new draft falls short

The new draft proposal falls short of an appropriate legal framework regulating government hacking powers for various reasons.

First, the scope of application of the Swedish proposal is unjustifiably broad.

According to the draft, government hacking powers can be used against: anyone that is suspected of a crime which gives more than 2 years in jail; anyone that is not suspected of such a crime but may be affiliated with a person who is; any person that remains in Sweden after their visa or asylum applications have been rejected; and even anyone who might become a suspect in the future.

This is why it is problematic:

• The use of government hacking capabilities should be restricted to the most serious offences that pose a serious threat to national security.
  Any crime punishable with more than 2 years in prison does not meet that threshold. Such broad application is striking if one considers that in Sweden house searches are permitted only for crimes punishable with more than 4 years in prison. For an increasing number of people, personal digital devices contain the most private information they store anywhere - even in their homes - replacing and consolidating address books, physical correspondence, journals, filing cabinets, photo albums and wallets, as well as adding new forms of information such as everywhere a person has travelled.
• The government authorities need to demonstrate that each and every interference is strictly necessary to achieve a legitimate aim. According to the draft proposal, hacking powers can be used irrespective of reasonable suspicion and to target an entire group of people either because of some remote association with a suspect or because the authorities believe someone might commit a crime in the future. The right to privacy protects everyone against unlawful interference.
• Finally, the law targets some of the most vulnerable and unprotected members of the population, undocumented migrants and migrants without an official permission to remain in the country. Using such intrusive powers to target those remaining illegally in a country, without other reasonable suspicion, constitutes a disproportionate interference with their privacy. Underlying such power is a presumption that those migrants are staying by choice and intend to commit serious crimes. Individual circumstances vary and such assumptions are dangerous as they feed into racist and nationalistic narratives.

Second, the law does not provide sufficient protections to ensure the security and integrity of the systems with which the Swedish authorities may interfere, or the integrity of the information being sought with the interference.

The new law provides that hacking tools need to be time-constrained, not gather more data than necessary, and also that the system must be returned to its original state before the interference (paras 24-25 of draft proposal.) However, these seem to be less legal obligations than aspirational requirements.

• There is no prior (ex ante) or ex post obligation imposed on any of the authorities involved to demonstrate that even these requirements have been upheld.
• There is no obligation for the authorities to conduct a risk assessment before taking the decision to intervene with a system. What are the expected consequences for accessing a system? What are the potential risks and unintended consequences? What are the measures taken to determine whether the hacked system was indeed returned to its original state?
• There is no obligation for the law enforcement authorities to demonstrate prior to the interference that they can bring the system back to its original state.

Prior to carrying out a hacking measure, government authorities must assess the potential risks and damage to the security and integrity of the target system and systems generally. A single hack can affect many people, including those who are incidental or unrelated to a government investigation or operation. Similarly, they must assess the potential risks and damage to the data on the target system and systems generally. Government authorities must not add, alter or delete data on the target system, except to the extent necessary to carry out the authorised hacking measure.

All steps taken should be planned in advance and properly documented before, during and after the interference with the system was completed. The authorities should be able to demonstrate in advance the security-restoring measures they will be taking, and not be allowed to operate merely under a general recommendation to bear in mind that security should be restored. They must maintain an independently verifiable audit trail to record their hacking activities, including any necessary additions, alternations and deletions.

Third, the draft proposal does not require judicial authorisation in all occasions.

While the law does provide that the authorities would need prior permission from a court, such approval is limited to verifying that formal criteria are fulfilled, i.e. that the hacking is undertaken in relation to a crime such as that specified by the law. The courts are not invited to assess the necessity and proportionality requirements, nor do they ensure that executing authorities have followed the due diligence aspirations with respect to security restoration and integrity.

In addition, there is a possibility to circumvent the court’s authorisation through an expedited process which only requires prosecutorial approval. The prosecutorial approval needs to be assessed by a court afterwards, yet again with judicial control restricted to looking at whether the request meets the formal criteria.

Judicial authorisation needs to be meaningful to be effective. Prior to carrying out a hacking measure, government authorities must make an application, setting forth the necessity and proportionality of the proposed measure to an impartial and independent judicial authority, who shall determine whether to approve such measure and oversee its implementation. The judicial authority must be able to consult persons with technical expertise in the relevant technologies, who may assist the judicial authority in understanding how the proposed measure will affect the target system and systems generally, as well as data on the target system and systems generally. The judicial authority must also be able to consult persons with expertise in privacy and human rights, who may assist the judicial authority in understanding how the proposed measure will interfere with the rights of the target person and other persons.

Fourth, the law does not provide sufficient guarantees in relation to the destruction and return of data.

The law provides some restrictions on the uses of surplus information (information caught “en passent”), which under Swedish law would not otherwise be free to use for other types of secret surveillance in any future criminal investigation. However, these restrictions are not sufficient. Government authorities must immediately destroy any irrelevant or immaterial data that is obtained pursuant to an authorised hacking measure. That destruction must be recorded in the independently verifiable audit trail of hacking activities. After government authorities have used data obtained through an authorised hacking measure for the purpose for which authorisation was given, they must return this data to the target person and destroy any other copies of the data.

Fifth, the law does not provide sufficient oversight and transparency guarantees.

Government authorities must be transparent about the scope and use of their hacking powers and activities and subject those powers and activities to independent oversight. They should regularly publish, at a minimum, information on the number of applications to authorise hacking approved and rejected; the identity of the applying government authorities; the offences specified in the applications; and the method, extent and duration of authorised hacking measures.

Sixth, there is no meaningful obligation to notify individuals, or service providers, who have been hacked by government authorities, of the type of surveillance they have been exposed to.

Government authorities must notify the person(s) whose system(s) have been subject to interference pursuant to an authorised measure, regardless of where the person(s) reside. Governments authorities must also notify the affected software and hardware manufacturers and service providers, with details regarding the method, extent and duration of the hacking measure, including the specific configuration of the target system. Any delay in notification is only justified where notification would seriously jeopardize the purpose for which the hacking measure was authorised or there is an imminent risk of danger to human life and authorisation to delay notification is granted by an impartial and independent judicial authority.

In system security the lack of notification is so much worse, since any delay in notification of a security flaw means a risk not only to the specific individual and service provider targeted by the authorities, but also all other individuals and service providers globally that may be vulnerable to the same type of hacking attack.

Finally, the law does not provide effective remedies.

The lack of a meaningful obligation to notify people who have been hacked makes it almost impossible for them to seek a remedy for unlawful activity.

For all these, reasons, we call on the Swedish parliament to reject the current draft proposal and for the Swedish government to withdraw or at least amend the proposal.

* Photo by Crawford Jolly on Unsplash