point) are more exposed to surveillance
activities. If this logic were to be adopted
worldwide, a citizen would have privacy
of communications only in the nation in
which they had citizenship—and then
only if the communications remained
fully within the nation’s borders, a situation not always guaranteed when using the decentralized architecture of
the Internet. From the perspective of
all other countries the same Internet
communications would be treated as
foreign communications and thus be
susceptible to surveillance when in
transit through their territories. This
privacy threat is not just abstract, but is
a realistic assessment in a communications environment powered by Internet
technologies.
International adoption of the Internet has diminished the strategic
predominance of the U.S. over the Internet’s core infrastructure, while the
percentage of international transit traffic carried via U.S. routes continues to
decrease.³ Many regions of the world
are catching up, setting up new intra-regional hubs for Internet exchanges
that carry international Internet traffic.³
Europe has been mostly self-sustaining
for some time now and is also attracting
the majority of traffic from neighboring
regions like Africa and the Middle East.
At the same time, the European protection of the confidentiality of communications as a revered fundamental
value in the national constitutions has
seen some severe setbacks. It remains
to be seen whether electronic communications are any better protected
against sweeping legal interception.
The European Union (EU) Directive
mandating data retention laws in the
EU Member States largely compromised
the expectation of privacy when communicating electronically. Providers of
telephony, email services, and Internet
access are required to log communications metadata—the information on
who is calling whom, when, and for how
long—and retain these records for up
to two years. This preemptive storage
of data for every user based within
the territory of the EU is done “just in case.”
As a consequence, the substance of
this fundamental right is condensed to
communications content, while the circumstances of individual communications via electronic means are subject to
data retention. The EU Data Retention
rule, however, only applies to metadata
of Internet email and telephony that
originates and/or terminates within the
EU. Communications content and mere
transit of international traffic through
European Internet exchanges are not
affected by this rule.
However, a number of European
countries do maintain their own domestic surveillance programs that also
target international communications,
with Sweden recently catching up—and
now overtaking—other nations. In June
2008, the Swedish parliament passed the
New Signal Surveillance Act or FRA law,
as it had been dubbed, which grants, in
the name of national security, Sweden’s
National Defense Radio Establishment
(Försvarets Radioanstalt—FRA) the
power to access the complete Internet
and telephone communications in and
out of Sweden. The bill, which took effect at the beginning of this year, obliges all operators of Internet exchange
points in Swedish territory to channel
traffic through FRA’s facilities. Sweden’s
move toward international communications surveillance went far beyond
existing legal standards in other European countries. In his personal blog,
Peter Fleischer, Google’s Global Privacy
Counsel, compared the Swedish government initiative to those of governments
from China to Saudi Arabia and the U.S.
eavesdropping program.¹
The passage of the Swedish law involved some odd circumstances. The
Swedish center-right alliance in power
succeeded with a very narrow majority
of 143 votes to 138 in favor of the law
after the introduction of some last-minute changes to address oversight
of FRA’s surveillance activities. Even
after this, the first version of the FRA
law might have clashed with the privacy protection granted under the European Convention of Human Rights
(ECHR). The law’s language is vague
and its provisions might exceed what
is necessary in a democratic society. In
order to address some of these obvious weaknesses, the parliament asked
the government to propose further
amendments in a number of areas by
autumn 2008, well before the original
law would have taken effect.⁵ It seems
quite unusual though that a law was
passed along with a mandate to fix the
flaws even before the law takes effect.
From a political perspective, the surveillance initiative has been a disaster
for the Swedish government: its sweeping effect upset political allies, voters,
businesses, and neighboring countries
alike. Beginning with the legislative
process, opposition to the law only
grew once the law was adopted. By now
awareness about the issue is extremely
high and the government has lost significant credibility with the public. The
Swedish daily newspaper Expressen offered a protest email form on its Web
site. The newspaper reported six million protest email messages had been
generated, a significant number in a
nation with a population of nine million (of course, the responses may not
all have been from different individuals or from Sweden).
Sweden’s reputation as a leading
location for international ICT services
was considerably damaged. In a public
statement, the CEOs of eight major Nordic telecom companies have warned the
country that their companies will relocate their activities away from Sweden
in order to protect the interests of their
international customers and to abide by
the legal requirements elsewhere.⁴ The
Swedish-Finnish telecom operator TeliaSonera has already moved email and
Web servers from Sweden. Google and
other companies are publicly contemplating withdrawing from Swedish territory as well, a negative trend that would
be self-perpetuating.
Neighboring countries are no less
outraged about Sweden’s approach to
international surveillance, which affects their national communications
February 2009 | Vol. 52 | No. 2 | Communications of the ACM | 27