The return of mass online surveillance

It was shelved in 2014 because it did not help police fight crime. But session logging, which tracks our online behaviour, may be reinstated. The government argues that a tweaked version will allow police to better monitor the online communications of criminals, but it faces heavy opposition from civil rights groups and parliament

The internet has propelled economic, social and scientific development. Information is at our fingertips, knowledge can be shared instantly. But for all its benefits, there exists a dark side.

Terrorists, criminals, people smugglers and child pornographers can easily hide their communications using encrypted messaging services, while ordinary citizens can use anonymous browsers, such as TOR, to shop for illegal products on the so-called ‘Dark Web’.

In a bid to equip police with better surveillance tools, the government has announced its intention to introduce so-called ‘session logging’. The new law, which is in the process of being written, is designed to enable the police to track who we communicate with online, which websites we visit, as well as our movements.

“Session logging is a central tool for the police and intelligence agencies,” justice minister Søren Pind wrote in a comment for Berlingske.

“We currently register which phone numbers call each other and at what time, but if people used internet services such as Messenger, Skype, or iMessage, the information is not logged. That is not acceptable in the times we live in. We, therefore, need to modernise the rules about logging, and we will do it together with the industry.”

The national police, Rigspolitiet, supports the government’s initiative.

“Crime is increasingly moving from the physical to the digital world,” Rigspolitiet’s Police Commissioner Jens Henrik Højbjerg told Berlingske.

“The police are facing new challenges and our abilities are weakening in relation to the ability of criminals to communicate over the internet. Old tools and methods don’t have the same power they once did and we need access to the same information as is now available for ordinary telephone communications.”

New and improved
While the specifics of the law have yet to be released, an outline was presented to telecommunication companies and think tanks in February. Internet service providers (ISP) will be required to register every online communication sent by internet enabled devices. They will be mandated to store the sender’s and recipient’s IP addresses and port numbers, the number of bits exchanged, the time the data session started, as well as mast data if the communication was made through a mobile device. ISPs will have to store the data for six months and the police will only be able to access the data with a warrant.

The data should provide a detailed oversight of which websites, services and servers users interact with. But police will not be able to find out the content of online communications, just who communicated with whom, when and where.

It’s not the first time this type of surveillance has been used in Denmark. In 2007, the government introduced session logging of internet and phone use. Mobile phone communications were stored for a year, while a sample of communications between computers and websites – every 500th datapacket – was stored.

In 2012, Rigspolitiet found that the sampling of internet communication was essentially useless in crime fighting efforts. In 2014, then Social Democrat (Socialdemokraterne) justice minister Karen Hækkerup announced that session logging would no longer be mandatory.

EU courts opposed
Hækkerup and the police insisted that the old logging regulations were scrapped because they were useless. But the decision was made soon after the EU Court of Justice declared the EU’s Data Retention Directive – which formed the basis of the Danish law – invalid.

“The directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” the court ruled in April 2014.

The court found that the retention of internet communication could genuinely be in the national interest in the fight against serious crime and for protecting public security, but in practice the directive was too far reaching and “exceeded the limits imposed by compliance with the principle of proportionality”.

The Justice Ministry maintains Hækkerup’s line, that the decision to abandon the old rules was because it didn’t prove helpful in fighting crime, not because of its questionable legality.

Easy to avoid
The new law faces much opposition. In February, 21 organisations, including Amnesty International, signed a letter to the justice minister expressing their concern over the wide-reach of the law, as well as the haste surrounding its implementation.

“The proposal is legally questionable, based on an unclear foundation and will involve massive surveillance of Danish citizens and businesses,” Amnesty International wrote.

Amnesty International also pointed out that it is questionable that the government could pass a new law, given the ruling by the EU Court.

“The logging and surveillance that has been proposed will go much further than the invalidated directive, and would constitute mass surveillance of an entire population, which is hard to unify with the rights of citizens and the fundamental principles of rule of law.”

The internet policy think tank Bitbureauet was also a signatory to the letter. Co-founder Christian Panton identifies a number of issues with the new proposal, including how easy it would be to avoid being traced. Libraries and universities, for example, will be exempt from logging their users, while users can route their internet traffic through so-called VPNs which hide the origin of internet communication. It would even be possible to avoid phone surveillance by using public wifi connections.

Furthermore, it is unclear whether the logging will reveal who is communicating through digital messaging and voice services. Only when a connection is made directly between two parties, p2p, would police be able to determine its source. But often the communication is routed through a central server, which masks the identity of the communicating parties.

Even if the logged information shows which websites a person has visited, Panton says it is unlikely to prove useful to the police. He makes an example from the logs of his internet communication, which he was delivered after a right of access request.

“It showed that I had visited the Socialist Youth Party’s website, when all I was doing was unsubscribing from their mailing list. But the police could use this information to paint a picture of me that isn’t real,” he says.

“The data can say a lot about our daily cycle. They want to log location and time at the same time, which is the most invasive aspect. You can’t hide it easily on your mobile device with apps that are running and communicating with servers in the background. But this is what they want, to know where we are and when.”

While Panton is primarily opposed to the law’s breach of privacy, others are more concerned about the costs. ISPs will have to invest in new hardware that allows them to log and store their users’ internet communications.

“They need to put the new proposals back where the sun doesn’t shine,” says Jakob Willer, director of the Telecom Industry Association (TI).

According to TI, the new rules could end up costing the industry a billion kroner.

“They want us to log the communications of each individual customer, which means that operators have to purchase technical equipment able to pick up all the traffic. It will be extremely expensive.”

Willer fears that the costs will end up being transferred onto consumers and will delay the rollout of faster internet connections, such as high speed 4G mobile networks.

“No operator has a budget for implementing session logging, and we will have to take money from investment budgets to spend on supervision. The big issue is that rural areas will have to wait even longer for investment in digital infrastructure, as it would be the easiest place to cancel investments. We have to make sure rural areas have digital infrastructure, but this proposal damages that ambition.”

Political opposition
The government expects to present the law to parliament by the end of March and, so far, only the Danish People’s Party (DF) has openly come out in support. Opposition leader Social Democrats (Socialdemokraterne) have said they intend to wait for the proposal to be laid out before taking a position.

The remaining six parties oppose new session logging laws. Liberal Alliance (LA) MP Christine Egelund says session logging violates personal freedoms.

“We live in a liberal democracy and we should maintain the fundamental principle of respect for privacy. This cannot be reconciled with mass surveillance of citizens who have done nothing to warrant suspicion,” Egelund told BT.

René Gade, IT spokesperson for the Alternative (Alternativet), argues that it is unlikely the proposal would prove useful in combatting terrorism.

“I find the proposal a symbolic gesture that will be an enormous violation of privacy. If the police have a valid suspicion of criminal action, the next step is to acquire a warrant before surveillance can take place. But here we are talking about a total mapping of the digital behaviour of all Danes, and that is a step in the wrong direction,” he wrote on Facebook. M

Features, News

By Peter Stanners

Co-founder and Editor-in-chief. Occasional photographer.

Facebook comments