February 3, 2024

Safe and Free: comparing national legislation on electronic surveillance

A project called Safe and Free by the University of Texas now provides an overview of the legal framework for electronic surveillance by intelligence and law enforcement agencies in 12 democratic countries.

Here, I will introduce the project and discuss some general trends, as well as the different forms of prior approval of electronic surveillance operations.

Since the start of the Snowden revelations in June 2013, electronic surveillance has become a highly disputed topic. The controversy does not just concern the activities of the American signals intelligence agency NSA, but is also raised in European countries like Germany, The Netherlands and Denmark.

As the regulation of electronic surveillance is highly specialised, it's often difficult to judge whether certain measures are appropriate and effective. One way to improve them is by looking at solutions in other countries, preferably those with a similar rule-of-law tradition. This comparison is now provided by the Safe and Free project of the Strauss Center on International Security and Law at the University of Texas at Austin.

The project explores the variety of ways in which democratic states try to align surveillance for national security purposes with their values and laws. Safe and Free is an initiative of Adam Klein, director of the Strauss Center and former chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), which oversees the civil liberty implications of US intelligence and counter-terrorism activities.

For Safe and Free a wide variety of surveillance experts, like think-tank members, academics, former government officials and journalists were asked to describe the legal framework for electronic surveillance in their country. This resulted in papers about the situation in Australia, Canada, France, Germany, The Netherlands, Poland, Romania, Sweden, the United Kingdom, and the United States.

Papers about Japan and South-Korea can be expected some time in the future. I had the honor of writing the paper about The Netherlands, describing the development of the legal framework for government interception from the 1960s until the current law from 2018 (which, quite unique, was subject to an advisory referendum).

Map showing the countries covered by the Safe and Free project
Click the map for a clickable map!

Reading all the papers shows how different national laws and regulations are, despite the fact that in practice, the technical methods are largely the same. All over the world, the telecommunications infrastructure for telephone and internet communications is very similar, as are the methods for interception. Hacking operations may require more creativity but have many tools and techniques in common as well.

Because states have different legal systems, institutional traditions and political constellations, the regulation of electronic surveillance methods differs from country to country. Nonetheless, some basic trends can be distinguished. An important one is the distinction between foreign and domestic, which affects many aspects.

First, most countries have separate agencies for foreign intelligence and domestic security, with signals intelligence traditionally being conducted by the military and domestic wiretapping sometimes by a national or federal police service.

In The Netherlands the civilian AIVD and the military MIVD both combine a foreign and a domestic mission, separated by their goals, instead of collection methods. Dedicated signals intelligence agencies are typical for the Five Eyes countries (the US, the UK, Canada, Australia and New Zealand), but Sweden has one as well, the FRA.

Usually, the domestic security agencies are governed by rather strict laws to safeguard the rights of their national citizens, while for foreign intelligence agencies we see more lax or even no regulations as monitoring foreign targets is considered "fair game".

Edward Snowden, however, considered this distinction very unfair and demanded equal protection for everyone. In some countries his view was picked up by the press, civil rights organizations and public opinion and eventually led to legal changes.

In the United States, presidents Obama and Biden implemented a range of constraints on the NSA's signals intelligence collection abroad, while in Germany the constitutional court ruled that fundamental rights restrict the BND's intelligence collection outside the country as much as they do inside German borders. In The Netherlands and Romania the law does not distinguish between foreign and domestic operations.

The building of the European Court of Human Rights (ECHR) in Strasbourg, France
(photo: CherryX/Wikimedia Commons)

A further increase in safeguards for human rights comes from the European Court of Human Rights (ECHR), the jurisdiction of which is recognized by 46 European countries. A notable requirement of this court is that the most intrusive surveillance methods, including tapping and hacking operations, need prior approval by an independent body.

Intercepting domestic communications for criminal prosecution is subject to judicial approval almost everywhere, but when it's done by a security agency for national security or intelligence purposes, it's usually a cabinet minister who signs off. This bore the risk of politically motivated eavesdropping, so now there has to be ex ante oversight in order to meet the case law of the ECHR.

Germany has already had such a body for decades, called the G10 Commission. Other countries followed more recently: Sweden has had the FUD since 2009, France created the CNCTR in 2015, the UK installed Judicial Commissioners in 2016 and The Netherlands established the TIB commission in 2018.

All these bodies largely consist of former judges, but in France, Germany and Sweden they include (former) members of parliament as well. This shows the differences between political cultures, as in The Netherlands parliamentarians would probably not be seen as a sufficient safeguard for independent control.

Canada has an independent Intelligence Commissioner as well, while in Australia surveillance operations which affect Australian citizens have to be approved by three ministers and the attorney general. Finally, in the US, national security operations by the FBI have to be approved by either a regular court or the FISA Court, but so-called National Security Letters can be issued by the Bureau without judicial involvement.

Depending on each country's legal situation, some of these independent bodies for prior approval also authorize or review foreign intelligence operations, but in many states the monitoring of foreign communications only needs to be approved by a minister or even just within the intelligence agency itself. The latter is the case, for example, in Poland and Romania.

In the US, the NSA merely needs a general annual certification by the FISA Court when foreign data are collected inside the US (notably via the PRISM program) and no external approval is required when collection against foreign targets takes place abroad.

In Western European countries we see that new legislation comes with increasing safeguards for civil liberties and privacy rights, but in some Eastern European countries the situation is different.

Despite the fact that Poland and Romania both have to adhere to the case law of the ECHR, their most recent laws are aimed more towards extending electronic surveillance powers and less towards accountability, democratic control and privacy safeguards. Exemplary was that Polish authorities used the notorious Pegasus spyware against political opponents.

By comparing the legal frameworks of each country we can see these kinds of general trends as well as the different ways in which safeguards are eventually implemented. They provide a set of best practices and options that can be used to improve the often complex regulation of electronic surveillance in a particular country.

Here, I focused on the issue of prior approval, but similar lessons can be learned about other topics, like the regulations for targeted and untargeted tapping operations, the use of metadata and ex post oversight by independent and parliamentary commissions. Therefore it's highly recommended to read all the papers of the Safe and Free project, which can be found at www.safeandfree.io

- Lawfare: Safe and Free: National-Security Surveillance and Safeguards Across Rule-of-Law States (2023)
- See also: International repository of legal safeguards and oversight innovation

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties