In wake of Paris attacks, France introduces dangerous and broad surveillance bill
Last Friday, the French Government unveiled a new Bill that aims to provide a legal framework for the intelligence services. While Privacy International welcomes the positive step of placing powers that were until now poorly regulated under the law, we remain alarmed by many aspects of this Bill. Two months after the deadly terrorist attacks in Paris that targeted the satirical weekly Charlie Hebdo and a Kosher supermarket, the Government seeks to provide the intelligence services with a worryingly broad 'spying pass'.
ISPs turned into spies
Possibly the most concerning aspect of the Bill is the set of provisions empowering the intelligence services to request that ISPs place mass monitoring technologies on all of their networks. The equipment will allow them to collect the traffic of all internet users and to then search for patterns, defined by the Government, intended to reveal terrorist threats. However, no details are provided as to what would define a "terrorist-like" pattern. The technology will thus browse through the traffic looking for elements such as individuals' visits to certain websites, purchases of particular products or their travel plans. Once the technology identifies what might be a terrorist threat, the law allows for the information collected to be deanonymized for further investigation by intelligence services. The deployment of such technology enables the French government to conduct mass surveillance and mass storage of personal data, a clearly disproportionate incursion into the privacy of all French internet users. Furthermore, representatives from the ISP industry have already started expressing their concerns that such an infrastructure – if it were to be constantly running – would greatly reduce the speed of the internet in France.
Not-so-targeted interception
Regarding the interception of electronic communications, the Bill contains a worryingly broad power. The Bill states that “when a person is targeted, the acquaintances of the person may be subjected to the interception of their electronic communications, if they are likely to act – voluntarily or not – as an intermediary in the activities that justified the targeting of the person.” The term used for “acquaintances” is “entourage”, a very broad term in French that could refer to anyone from your family members to the baker that sells you bread in the morning. So, what this means is that if your neighbour is suspected of being involved in a terrorist plot, your electronic communications could be intercepted as well, even if you have no idea of your neighbour's affiliation.
The excerpt of the Bill pertaining to the interception of communications from/to foreign countries is extremely short and provides no clarification. In the context of modern communications, the distinction between domestic and international communications is very blurred. As a result, the lack of specificity of the Bill on this issue raises serious concerns about potential abuses. The broad powers granted to French intelligence agencies to intercept foreign communications resemble those which have enabled the British intelligence services to conduct mass surveillance in the UK, and which are currently under legal challenge in the UK's Investigatory Powers Tribunal.
Beyond blurry terms, a chilling technical reality
The Bill remains generally imprecise regarding the technical capabilities of French intelligence agencies. However, the use of certain terms clearly sanctions hacking as a method for intelligence gathering (“the capture, transmission and recording of digital data […] may be authorised when the information cannot be obtained by another legally acceptable means.”). Similarly, the authorisation in certain cases to conduct the “capture, transmission and recording of confidential spoken words or images in a private location” could suggest that the use of certain spyware, which allows surveillance agencies to turn on the camera and microphone of people's electronic devices, would become legal.
Similarly, the Bill proposes giving intelligence services the ability to geolocate phones and cars. The language granting such powers remains vague, however, meaning that this could potentially be achieved by hacking and/or placing bugs into phones and cars.
IMSI-Catchers are also authorised by the Bill and referred to in similarly vague terms. IMSI-Catchers are mobile interception devices that are subject to US and European export controls, and have recently come under close scrutiny in US courts and legislatures. The Bill stipulates that IMSI-Catchers can be used for collecting the live geolocation information of individuals using their devices. Because IMSI-Catchers are not targeted devices but identify and geolocate individuals within a given locale (such as a plaza or an airport), this would inevitably facilitate the surveillance of individuals who are not suspected of any crime.
All powers to the Prime Minister
The Bill grants unprecedented powers to the Prime Minister, who in effect becomes the head of the intelligence services. No judicial process will be in place to request the interception of communications. While the Bill creates a new commission, the Commission nationale de contrôle des techniques de renseignement (National Commission for the Control of Intelligence Techniques), it is only there to offer recommendations.
While the Commission theoretically has control over the Prime Minister's use of surveillance powers, we are very concerned that it won't be sufficient. Nine members will form this new commission: four will be judges, four will be parliamentarians and one will be an expert in telecommunications. The Union of judges has already expressed its discontent with the Bill, arguing that only judges are qualified to guarantee civil liberties, not parliamentarians.
Too late for reason to prevail?
The limited details provided in this Bill are even more concerning in a context where the Government will attempt to rush the adoption of the law. Will the parliamentarians even understand the implications of using a tool like an IMSI-Catcher, which can allow much greater capabilities – such as intercepting the content of all communications in a given area – than the ones described in this Bill? Will the parliamentarians be informed of the risks involved with hacking? These are risks that may eventually affect computer systems on a global scale, and leave the French people vulnerable to attacks.
Privacy International joins French civil society organisations in calling for thorough revisions of the Bill. France has to stand as an example on the European and international scene in regard to the protection of civil liberties. Following the terrorist attacks in France, we saw an impressive movement of unity among the French population, with people marching in the streets to claim they would not let fear divide the country. The French Government must not fail those people by letting fear destroy their liberty.