point) are more exposed to surveillance activities. If this logic were to be adopted worldwide, a citizen would have privacy of communications only in the nation in which they had citizenship—and then only if the communications remained fully within the nation’s borders, a situation not always guaranteed when using the decentralized architecture of the Internet. From the perspective of all other countries the same Internet communications would be treated as foreign communications and are thus susceptible to surveillance when on transit through their territories. This privacy threat is not just abstract, but is a realistic assessment in a communications environment powered by Internet technologies.
International adoption of the Internet has diminished the strategic predominance of the U.S. over the Internet’s core infrastructure, while the percentage of international transit traffic carried via U.S. routes continues to decrease. 3 Many regions of the world are catching up, setting up new intra-regional hubs for Internet exchanges that carry international Internet traffic. 3 Europe has been mostly self-sustaining for some time now and is also attracting the majority of traffic from neighboring regions like Africa and the Middle East.
At the same time, the European protection of the confidentiality of communications as a revered fundamental value in the national constitutions has seen some severe setbacks. It remains to be seen whether electronic communications are any better protected against sweeping legal interception. The European Union (EU) Directive mandating data retention laws in the EU Member States largely compromised the expectation of privacy when communicating electronically. Providers of telephony, email services, and Internet access are required to log communications metadata—the information on who is calling whom when and for how long—and retain these records for up to two years. Such preemptive storing of such data for every user based within the territory of the EU is “just in case.” As a consequence, the substance of this fundamental right is condensed to communications content, while the circumstances of individual communications via electronic means are subject to data retention. The EU Data Retention
rule, however, only applies to metadata of Internet email and telephony that originates and/or terminates within the EU. Communications content and mere transit of international traffic through European Internet exchanges are not affected by this rule.
However, a number of European countries do maintain their own domestic surveillance programs that also target international communications, with Sweden recently catching up—and now overtaking—other nations. In June 2008, the Swedish parliament passed the New Signal Surveillance Act or FRA law, as it had been dubbed, which grants, in the name of national security, Sweden’s National Defense Radio Establishment (Försvarets Radioanstalt—FRA) the power to access the complete Internet and telephone communications in and out of Sweden. The bill, which took effect at the beginning of this year, obliges all operators of Internet exchange points in Swedish territory to channel traffic though FRA’s facilities. Sweden’s move toward international communications surveillance went far beyond existing legal standards in other European countries. In his personal blog, Peter Fleischer, Google’s Global Privacy Counsel, compared the Swedish government initiative to those of governments from China to Saudi Arabia and the U.S. eavesdropping program.
1
The passage of the Swedish law involved some odd circumstances. The Swedish center-right alliance in power succeeded with a very narrow majority of 143 votes to 138 in favor of the law
after the introduction of some last-minute changes to address oversight of FRA’s surveillance activities. Even after this, the first version of the FRA law might have clashed with the privacy protection granted under the European Convention of Human Rights (ECHR). The law’s language is vague and its provisions might exceed what is necessary in a democratic society. In order to address some of these obvious weaknesses, the parliament asked the government to propose further amendments in a number of areas by autumn 2008, well before the original law would have taken effect. 5 It seems quite unusual though that a law was passed along with a mandate to fix the flaws even before the law takes effect.
From a political perspective, the surveillance initiative has been a disaster for the Swedish government: its sweeping effect upset political allies, voters, businesses, and neighboring countries alike. Beginning with the legislative process, opposition to the law only grew once the law was adopted. By now awareness about the issue is extremely high and the government has lost significant credibility with the public. The Swedish daily newspaper Expressen offered a protest email form on its Web site. The newspaper reported six million protest email messages had been generated, a significant number in a nation with a population of nine million (of course, the responses may not all have been from different individuals or from Sweden).
Sweden’s reputation as a leading location for international ICT services was considerably damaged. In a public statement, the CEOs of eight major Nordic telecom companies have warned the country that their companies will relocate their activities away from Sweden in order to protect the interests of their international customers and to abide by the legal requirements elsewhere. 4 The Swedish-Finnish telecom operator Te-liaSonera has already moved email and Web servers from Sweden. Google and other companies are publicly contemplating withdrawing from Swedish territory as well, a negative trend that would be self-perpetuating.
Neighboring countries are no less outraged about Sweden’s approach to international surveillance, which affects their national communications
feBRuaRY 2009 | vol. 52 | No. 2 | CommunICatIons of the aCm
27
References:
Archives