
Thursday, October 01, 2020

Contribution to the newspaper Politiken and an interesting journal article on European signals intelligence cooperation

Politiken published the article "Debat om kabelaflytning gav tårer i Sverige og folkeafstemning i Holland" on 1 October 2020.

There is a debate in Denmark because Forsvarets Efterretningstjeneste (which partly has the same function as the FRA) has withheld information from the Danish oversight body (the counterpart of the Swedish SIUN). In Politiken I comment on what should be secret and what can be discussed publicly.

The news article in Politiken mentions a journal article in "Intelligence and National Security" by Prof. Bart Jacobs, in which he describes how Sweden has since the 1970s been part of a European alliance with Denmark, Germany and the Netherlands; the cooperation includes analysis and cryptanalysis. The cooperation is called "Maximator".

Monday, January 09, 2017

The Swedish Kings of Cyberwar

I have been interviewed in New York Review of Books for the article "The Swedish Kings of Cyberwar", to be published 19th January 2017. I found one map/illustration in the article very interesting, see below. It shows how the division of work and dynamics between Western intelligence services may change, i.e. Finnish intelligence services may gain influence at the expense of its Swedish counterparts.
Image

Tuesday, November 05, 2013

Transcript of interview in current events program SVT Agenda

Here is the video and a transcript in English of the interview with me on FRA (the Swedish equivalent of the NSA) in the current events program "SVT Agenda".

The following background is given before the interview: 1) The Norwegian Government is worried that Norwegian communication is under the surveillance of FRA because a substantial amount of Norwegian domestic communication is routed through Sweden. 2) General Alexander explains that the metadata is collected by European intelligence agencies, which share the data with the NSA. 3) Swedish Foreign Minister Carl Bildt explains that Sweden has the best legislation and oversight in the world.

Anders Holmberg (AH): Mark Klamberg is with us, lecturer in public international law at Uppsala University. You have been critical against the law on signals intelligence since the debate in 2008, welcome to our show.

Mark Klamberg (MK): Thank you.

AH: What is your opinion, does the Norwegian Government have any basis for their worries?

MK: The legislation permits surveillance towards Norwegian communication. I don't know if and to what extent such surveillance is carried out.

AH: What kind of guarantees could the Norwegian Government get?

MK: I think it would be difficult to issue such guarantees because Denmark and Finland are also worried, if Sweden would issue guarantees to all countries surrounding Sweden, there would not be any communication left to have surveillance on.

AH: Because it is only communications crossing Swedish borders that may be subjected to FRA surveillance?

MK: That is correct.

AH: In the introduction we heard top US officials explain that European intelligence agencies have collected the data and shared it with the US, has the FRA done the same?

MK: Such practice is consistent with my understanding of how the FRA operates, it was disclosed in 2008 by SVT (TV public broadcasting) that the FRA collects and stores huge amounts of metadata and there was a subsequent disclosure that the FRA transferred such data in bulk to the US. Thus it (the FRA modus operandi) is consistent with the current disclosures.

AH: You are talking about “bulk” and “metadata”, what is that?

MK (holding an envelope): Metadata is, if we take the example of a phone call, information on who is making the phone call and who is receiving it, the same applies to e-mails. When talking about an e-mail message one can choose either to read the content of the message or - if we look at an envelope - we can identify the receiver and the sender. One can do so in relation to phone communication and e-mails - metadata is envelope information that is stored in huge amounts. That is what has been revealed now in relation to the US and what has previously been revealed in relation to Sweden.

AH: And it is enormous amounts of communication?

MK: In relation to France and Spain it amounts to tens of millions of records per month which are stored and transferred to the US.

AH: If one does not look into the envelope, what use can one have of it?

MK: One could use such data in an efficient manner to chart crime and terrorism, however it can also be abused and derail. Please allow me to make a comparison. It is not an example of FRA operations. There was a recent disclosure of monitoring by the Skåne province police which involved a large database with records of people with Romani ethnicity. They have not been wire-tapped or had their messages read. They have been monitored (charted). Each record on an individual in isolation may appear harmless but when aggregated it is perceived as very invasive. Now, the FRA is not interested in what is happening in the Skåne countryside but it is a good example of how metadata surveillance may be intrusive.

AH: Now, the FRA has the (legal) right to conduct surveillance and share data with other countries, what is the problem if the FRA is doing the same thing as other European intelligence agencies?

MK: My view is that the problem is that when this legislation was adopted the message was that it was very regulated and that only small amounts of information would be stored. However, when one studies the internal (FRA) documents leaked to SVT, when I study the law and you read the reports of the Swedish Data Inspection Board the opposite picture emerges: the surveillance and storage of data is massive. The problem is that the Government gives one picture, the law and leaks from inside the FRA on how it actually works give a totally different picture.

AH: But you have heard Minister of Foreign Affairs Carl Bildt say that we have the best legislation in the world, there is no better law in this area than the law on the FRA.

MK: Sweden has legislation but I don’t think it establishes strong limits, the law has many provisions but each prohibitive provision is subject to a (permissive) caveat/exception. I think this legislation is hollow.

AH: But there is a special committee that is exercising oversight over the FRA? It is called SIUN.

MK: As long as the law is very permissive, it does not matter what this committee thinks. Further, it is the Government that makes the appointments to the committee and if the committee would find something unsuitable (in the FRA operations) although still legal, it reports to the Government. Moreover, it is also the Government that has the final say on who sits on the court that approves the reporting (sic! it should be “surveillance”) and the Government can ask the FRA to conduct surveillance. Too much power is associated with the Government (of Sweden) and I perceive that as a problem.

AH: Hold on, I need to understand. So you mean that the Government can ask for surveillance and the Government decides which persons are exercising oversight over the FRA?

MK: That is correct.

AH: And that is not, you…

MK: I don’t agree with Carl Bildt that Sweden has the best legislation. In the US they are having congressional hearings where top officials are questioned. That has not happened in the Swedish parliament, I would have liked such hearings in the Swedish parliament.

AH: These are secret activities. Isn’t it obvious that we can’t have public hearings, the FRA cannot provide information on who they are targeting, can they?

MK: Yet they are now having (public) hearings in the US. True, it would be inappropriate if the FRA would disclose to the public who they are targeting and which networks are under surveillance. However, I find it reasonable that the people are entitled to information on the scale of the surveillance. We (the people) don’t know that at the moment.

AH: The Government has been very silent with comments on this matter, what is your conclusion (interpretation)?

MK: Sweden has an exchange of data with the US, if the Swedish Government would start to complain against the US it could soon come right back (at the Swedish Government).

AH: This story will not disappear soon. Mark Klamberg, thank you for being with us.

MK: Thank you.

Monday, November 04, 2013

Participation in SVT Agenda

I took part in SVT Agenda under the heading "FRA:s avlyssning oroar Norge" ("FRA's interception worries Norway"); a clip is available below. Just before it, a Norwegian state secretary expressed concern that Norwegian communication is under surveillance.

Tuesday, October 29, 2013

Contribution to European Parliament Report on mass surveillance - two clarifications

Today I read the report to the European Parliament on mass surveillance. I have contributed research to the report and really appreciate that I was allowed to do so. I find the report very useful and want to congratulate the team that drafted the report.

Much of the section on Sweden was based on my research and there is a need for two clarifications. This report compares the United Kingdom, Germany, France, the Netherlands and Sweden. I only contributed with research in the form of previous publications and I answered a questionnaire. I did not draft the section on Sweden and I did not receive or review any drafts of that section before it was made public.

Clarification 1: The history of the FRA and Swedish signals intelligence
1. The report states on p. 58 that "Since five years, there have been reports of FRA accessing data traffic crossing its borders".

The indicated source is N. Nielsen (2013), ‘EU asks for answers on UK snooping programme’, EU Observer, 26 June 2013.

This may create the impression that the FRA has only conducted surveillance since 2008.

Clarification: In the SOU (Swedish Government Official Reports) 2009:66 Signalspaning för polisiära ändamål (signals intelligence for law enforcement purposes), p. 55, it is stated that the police started with signals intelligence in 1939. The Defence Radio Establishment (FRA) was established in 1942 (its predecessor already in 1937). Professor Agrell has found documents in the archives of the Swedish state that show that the Swedish Government, in a secret decision in 1948, obligated Telegrafstyrelsen (a government-owned corporation, public enterprise, responsible for telecommunications) to transfer all telegrams destined to or from foreign embassies to the FRA. This power was gradually expanded in secret until 1991, when the Government, out of fear of a potential public disclosure, cancelled these powers, ending the FRA's access to cable communications. The FRA could still intercept communication via radio, satellite and microwave relay links, which during the 1990s was enough for the needs of the FRA. All of this was secret, but it became public when the Government introduced legislation which was under debate in 2007/2008. One of the main purposes of the law was to grant the FRA access to cable communications, which was perceived as necessary because most international communication went from satellite to fibre-optics.

To summarize, the FRA and its predecessor have been monitoring communication since the late 1930s.

Media sources
2. The report states on p. 58 that "In 2008 the TV broadcaster SVT reported that the FRA was collecting/receiving data from the Baltic states and forwarding in bulk to the USA, based on the testimony of a FRA whistleblower."

The indicated source is M. Klamberg, (2010), ‘FRA and the European Convention on Human Rights’, Nordic Yearbook of Law and Information Technology, Bergen 2010, pp. 96-134.

The problem is the following, it was probably a whistle-blower who revealed the FRA-NSA cooperation but I don't know.

I write the following on p. 121: "A TV news broadcaster (SVT’s programme Rapport) disclosed in June 2008 that the FRA indiscriminately collects traffic data, including data relating to communication from or to Swedish citizens. The data is stored in the traffic database (Titan) for 18 months. The source of the information was a FRA employee who also disclosed a confidential document from a Q&A session held within the FRA supporting the claims made (henceforth the FRA Q&A document). The document discusses the scope of the collection and storage in the terms of “all available communication” and “large amounts of information”." The source for this news piece in June 2008 was a FRA whistle-blower.

The same journalists at SVT (and other media outlets) revealed in late August 2008 that the FRA was collecting/receiving data from the Baltic states and forwarding in bulk to the USA. They did not explain who was the source. It appears that the report conflates the two related, but still separate, stories in June and August into one.

These are minor details concerning the history of the FRA and media sources which do not affect the reliability of the report.

Monday, September 09, 2013

Interview on SR Ekot about the FRA's exchange with other countries

Following the reporting by DN (and Metro), I have been interviewed on SR Ekot about the FRA's exchange with other countries; read here and listen here.

Tuesday, February 01, 2011

Should the state have direct access to all passenger data?

SvD writes that EU Commissioner Cecilia Malmström will present a proposal under which all airlines flying within the EU will be forced to store information that passengers provide when they book a ticket and check in. This is usually referred to as passenger data or PNR (Passenger Name Record).

For those who want to dig deeper into the issue, I can recommend the article "Air Passenger Lists in Civil Aviation" by Olga Mironenko, published on pp. 217-242 of the thematic issue "Overvåkning i en rettstat" of Nordisk årbok i rettsinformatikk 2010. A table of contents showing the subheadings of the article is available here. Mironenko is a Russian lawyer who is currently pursuing a doctorate at the "Norwegian Research Center for Computers and Law".

PNR records can contain a fair amount of sensitive information. Mironenko writes the following on page 225.

"Through special service codes, PNR reveals details of traveler's physical and medical conditions; through special meal requests, they contain indications of travelers' religious practices, i.e. category of data typically referred to as "sensitive information"."

Mironenko writes, among other things, that because many travel agencies also book car rentals and hotel reservations through the same system, data on persons who do not fly can also be found in the records in question (see p. 226). On the same page one can read about the usefulness (which some would describe as a danger) of PNR.

"PNR provides a comprehensive and extremely detailed record of every entry and includes data from which aspects of the passenger's history, conduct and behaviour can be deduced. Thus PNR can be used in profiling, offering national authorities information on the background of the individuals and their possible relationship to other persons being investigated. There is therefore a growing interest in the use of PNR worldwide for anti-terrorism and law enforcement purposes."

Mironenko primarily criticizes the 2007 agreement between the USA and the EU, because the USA in certain respects has a lower level of protection for personal data. She points out that the 2007 USA-EU agreement serves as a model for the proposal currently being discussed in the EU, and writes the following (pp. 229-230, 234 and 239).

"The first PNR Agreement between the European Community and the USA was subjected to substantial criticism from different institutions such as the European Parliament, Article 29 Working Party and privacy advocacy groups. ... A "pull" instead of a "push" system was used, meaning that the US does not have to ask for data but has immediate access to it. ... In the meantime, the EU is itself establishing its own PNR system using the EU-US PNR Agreement 2007 as a model. The proposal suffers, apart from its own weaknesses, many of the shortcomings as the EU-US deal. ... In November 2007, the EU announced a project containing anti-terrorism measures, including the creation of a European PNR system. ... EU carriers will be required to "push" the data to member states authorities."

I can understand why law enforcement authorities want a system with direct access ("pull"), which can be effective but at the same time constitutes an intrusion into the personal privacy of all air passengers. If Cecilia Malmström chooses a solution with direct access, I hope she can explain why a system with limited access ("push") is not enough.


Thursday, November 13, 2008

The Swedish Data Inspection Board says no to proposal on information exchange

The Swedish Data Inspection Board (Datainspektionen) announces in an opinion that it says no to the Ministry of Justice's proposal for how the EU framework decision on information exchange between law enforcement authorities is to be implemented in Sweden. The Board writes, among other things, the following in its press release.

Under the framework decision, a law enforcement authority shall provide information not only at the request of another country but in certain cases also on its own initiative. The detailed conditions for this so-called spontaneous exchange of information are to be regulated in each country's legislation. However, the Ministry of Justice's proposal does not contain any such detailed conditions and lacks, among other things, an explicit requirement that the disclosure must be relevant and necessary for law enforcement.

The EU framework decision covers the exchange of sensitive information that may also concern persons who turn out to have no connection to criminal activity, as well as data on persons who are not themselves suspected of criminal activity but who have connections to suspected persons.

Does this framework decision have any bearing on the FRA's information collection? My answer is no. Section 2 of the proposed ordinance shows that only the police, and not SÄPO, are affected. Nor are there any formulations about direct access to Swedish databases, which is good. The shortcomings appear to be those that the Data Inspection Board describes above. The proposal partly overlaps with the Prüm cooperation. The Prüm cooperation is aimed more at terrorism and also covers SÄPO. Regardless, it is good that the Data Inspection Board is hitting the brakes.