February 26, 2016

A look at the latest French laws on intelligence collection


For the second time we have an article written in cooperation with the French weblog about intelligence and defence Zone d'Intérêt:


Introduction

Over the last year, The French parliament passed new laws granting additional powers to intelligence services regarding interception of communications and data requests. This is part of a broader reform aimed at creating a legal framework for intelligence practices which were not formally authorized by law before 2015. In the press, it was said that these laws allowed sweeping new surveillance powers, legalizing highly intrusive methods without guarantees for individual freedom and privacy.

This article will focus on the provisions related to communications intelligence (COMINT), including targeted telephone tapping (lawful interception or LI), metadata collection and data requests to internet service providers (ISPs). Targeted interception of the content of internet communications is not regulated by these new laws, but only by older decrees which are still a bit unclear. The new laws are only about collection the metadata of internet communications.

In France, communications interception is authorized under two distinct frameworks:
- Judicial interceptions ordered by a judge of inquiry (juge d'instruction) during a criminal investigation. These interceptions can be done by the police, the gendarmerie (a military force charged with police duties) and by the security service DGSI.

- Administrative interceptions, also known as security interceptions, which are requested by both the domestic security and the foreign intelligence services.

Administrative interceptions are approved by the Prime Minister for various motives, such as defending and supporting major national interests including national defense, foreign policy interests, economical and industrial interests, or preventing terrorism and organized crime. Whereas the Unites States strongly denies conducting commercial espionage in the sense of stealing trade secrets for the benefit of individual companies, France is known for being less strict on this.



Diagram of the various interception capabilities of French intelligence
(Diagram: ZonedInteret.net - Click to enlarge)


The main French security and intelligence services are:
Direction Générale de la Sécurité Intérieure (DGSI), which reports to the Interior Ministry and is responsible for domestic security. It has some 3500 employees and an annual budget of 300 million euros. DGSI was formed in 2008 through the merger of the Direction Centrale des Renseignements Généraux (RG) and the Direction de la Surveillance du Territoire (DST) of the French National Police.

Direction Générale de la Sécurité Extérieure (DGSE), which reports to the Minister of Defence and is responsible for collecting foreign intelligence on civilian issues and also performs paramilitary and counterintelligence operations abroad. DGSE is responsible for both HUMINT and SIGINT.

Direction du Renseignement Militaire (DRM), which reports directly to the Chief of Staff and to the President of France as supreme commander of the French military. DRM is responsible for collecting military intelligence in support of the French armed forces.

Direction de la Protection et de la Sécurité de la Défense (DPSD), which is also part of the Ministry of Defence. DPSD is responsible for the security of information, personnel, material and facilities of the armed forces as well as the defence industry.



Headquarters of the French foreign intelligence agency DGSE in Paris
(Click to enlarge)



A special advisory commission on intelligence activities

The French laws, such as Loi n° 2015-912 and Loi n° 2015-1556, from July and November 2015, grant the Prime Minister full authority to order and approve intelligence activities both domestic and foreign. Each collection request is sent by the intelligence service director to its parent ministry and to the Prime Minister, who gives final approval. An advisory commission known as the CNCTR (Commission Nationale de Contrôle des Techniques de Renseignement, or National Commission for the Control of Intelligence Techniques) is kept informed of all requests for oversight purposes.

In most cases, before the Prime Minister can approve a request, this control commission must receive information related to its approval, including the request justification, the identity and location of the targeted individual, or any other identifying information (occupation, username, etc.) when his identity is unknown.

The CNCTR consists of nine members: four from the Parliament, two from the Council of State, two from the Court of Cassation, and one appointed telecommunications expert. This commission is considered an "Independent administrative authority": it is neither part of the Parliament even though members of Parliament are among its members, nor part of the judicial branch, even though some its members are magistrates.

The CNCTR only holds advisory power as it can not stop any decision from the Prime Minister regarding data requests or intelligence collection. The commission can express disapproval of a collection request, but the Prime Minister can overrule this advice and still authorize intelligence collection.

The CNCTR can access all transcripts and logs from intelligence collected under the Prime Minister's authority, but it can not compel any intelligence service for documents or information, and it can not investigate any irregularity on its own. However, it can express recommendations regarding intelligence procedures and bring any irregularity to the Council of State. All debates inside the commission, as well as all its communications with the Prime Minister and intelligence services are classified.

A special status has been granted to journalists, lawyers and members of parliament, as when intelligence requests apply to them, the CNCTR must be informed just before collection starts so it can state whether the collection is necessary and proportionate. The CNCTR must also receive transcripts of the intercepted communications afterwards. The difference with regard to eavesdropping operations against regular citizens is that for them, CNCTR can access the transcripts if it asks for them, while for the privileged professions, CNCTR must receive and review them.

In theory, any individual living in France or abroad can ask the CNCTR to check if he has been placed under surveillance following proper procedure. The control commission must check for any irregularity, but can neither confirm nor deny to the individual that he has been placed under such surveillance. The commission only states that proper verification has been made, and if any irregularity is detected it can report it to the Council of State.



Headquarters of the French domestic security service DGSI in Paris
(Photo: Bertrand Guay/AFP - Click to enlarge)


New provisions for domestic intelligence collection

This section applies to all main intelligence services such as DGSI, DGSE and DRM. DGSE is a foreign intelligence service, which is not supposed to operate on French territory, but it is authorized to request data and intercept domestic communications. DGSE holds most technical capabilities for decryption and high-end communications collection and provides other agencies, such as DGSI or DRM, with technical means and expertise in this regard.

A recent decree provided authority to more than twenty police and gendarmerie services, some of which are not officially intelligence services, to intercept communications and request data, mostly for counterterrorism purposes. Allowing police services to collect communication intelligence is a shift from older French habits, which the French government justified by the ongoing terrorist threat.

As in most countries, French law provides higher privacy protection to its own citizens and to people communicating from France than to people communicating from abroad, who receive little legal protection against intelligence collection. Intelligence collection under the Prime Minister approval may apply to all electronic means of communication traced to a targeted individual, from mobile phones to landlines, to all metadata from his internet service provider, and even metadata from online services.

In France, telephone companies, ISPs and online services providers can be compelled to provide a wide range of metadata regarding a targeted user, including: technical data related to the identification of connection or subscription numbers (phone numbers, IP adresses, etc.), a list of all connection or subscription numbers linked to a targeted individual, location data of all devices traced to a targeted individual, and call detail records (CDR).

Under the Prime Minister’s authority, telephone companies can be compelled to cooperate with intelligence services conducting targeted phone calls interceptions. French intelligence services are not supposed to proceed to interceptions on their own, but have to go through a dedicated government technical agency called GIC (Groupement Interministériel de Contrôle or Interministerial Control Group).

The GIC operates under the Prime Minister direct authority, receiving approved requests and ordering telephone companies and ISPs to provide information or access to their networks for interception. Providers compelled to cooperate are forbidden to reveal any information related to interceptions or data requests, or to inform their users they have been targeted. Providers personnel refusing to cooperate could be sentenced to a 150,000 € fine and up to two years of imprisonment.

The parliament recently authorized intelligence services to use devices such as IMSI-catchers to identify and locate mobile phones or computers linked to targeted individuals. Intelligence services can only use IMSI-catchers to collect metadata, and all collected data unrelated to specified targets must be destroyed.

Regarding domestic communications, voice communication recordings must be destroyed 30 days after collection, but transcripts can be kept "as long as necessary" by intelligence services. Metadata requested from ISPs and Telcos can be stored up to 4 years. Intercepted communications that are encrypted can be stored up to 6 years.



The French satellite intercept station at the Tontouta naval air base
near Noumea on the main island of New Caledonia
(Photo: Google Earth - Click to enlarge)


A loose framework for the surveillance of foreign communications

Fewer restrictions apply to the surveillance of foreign communications, whether collected by the domestic security service DGSI, the foreign intelligence service DGSE or one of the military agencies.

The Prime Minister issues broad authorizations to intelligence services to monitor and collect communications, either for whole geographical regions, countries, organizations or individuals. The Prime Minister specifies which types of communication networks can be targeted for collection. These authorizations last for 4 months, but they can be renewed without restriction.

Foreign intercepted communications can be kept for 1 year after processing, or up to 4 years after collection. Collected metadata can be stored for 6 years. Encrypted data can be stored for up to 6 years after decryption, or up to 8 years after it has been collected. With these retention periods, the French law is more strict than for example American law, which allows NSA to store encrypted data for an unlimited period of time.


From French territory

The law on surveillance of foreign communications only applies to communications between users who are outside of France, but which are collected from French territory. Here it should be noted that many former French colonies spread around the globe are also considered part of French territory, and French law applies there, especially as this is stated in the latest intelligence laws.

This means that these laws not only apply to data collected from major fiber-optic cables and satellite intercept stations inside France, but also to those from the overseas satellite stations like those in French Guyana, on the island of New Caledonia in the South Pacific and on Mayotte in the Indian Ocean - providing French intelligence with a global SATCOM coverage probably second only to that of the Five Eyes partnership. After ECHELON, this French network was dubbed FRENCHELON.

If data is collected under the foreign communications status, but is then traced back to domestic communications (call number or subscription located in France), it can be processed only if approved under the domestic communications framework, or it must be destroyed under 6 months.



The DGSE satellite intercept station near Kourou in French Guyana,
which was built in cooperation with German BND
(Image: Google Maps)


Outside French territory

Intelligence collection conducted by French intelligence services outside of France is not restricted by law. Because the overseas satellite stations are considered to be on French territory, this situation only applies to for example covert eavesdropping operations in foreign countries, as well as to tactical SIGINT collected through land, sea and airborne platforms during military operations abroad. French armed force are based in countries such as Mali, Gabon, Djibouti and UAE. This will mainly result in communications for military purposes.

While this kind of collection is not regulated by law, it will be limited by the available resources and the specific goals set by the government in the annual PNOR (Plan National d’Orientation du Renseignement or National intelligence orientation plan), a classified document sent to the chiefs of intelligence services and to the parliamentary delegation for intelligence (DPR - Délégation Parlementaire au Renseignement), which only receives a redacted version of this document.



A French army vehicle for collecting tactical SIGINT and ELINT in Afghanistan
(Photo: ageat.asso.fr - Click to enlarge)


Automated bulk metadata collection

In July 2015, a law introduced a new automated bulk metadata collection system against terrorism. The Prime Minister can order French internet service providers to add specified metadata collection and filtering systems to their networks. He can issue such orders for 2 months, and they can be renewed without restriction. Data collected on ISPs networks can be stored up to 60 days, and would be filtered and processed by government issued algorithms to detect terrorism related threats. If such a threat is detected, the Prime Minister can compel ISPs to identify related users.

The development of threat-detection algorithms, and their so-called "black boxes", should be done under supervision from the CNCTR. However, providing oversight at the hardware and software level could be very tricky and difficult, especially as algorithms would be updated and modified very regularly and it would also require specialized knowledge of such internet filter systems.

The scope and purpose of this metadata provision is largely a mystery. At first sight it may look similar to what NSA did by collecting domestic telephone records in order to find unknown terrorist associates by contact chaining. But if that was the purpose of this French law too, then it would have been much easier to order the ISPs to hand over their metadata in bulk, just like it happened in the US.

Actually, French telecommunications and internet service providers already have to store their customer's metadata for at least one year under the EU data retention directive. Moreover, a French legal decree even requires web hosting companies, like Facebook, Google and Amazon, to store their user data for at least one year and provide it to government authorities at their request. However, these metadata may only be used for targeted investigations, as intelligence services must provide specific requests to ISPs & web hosting companies with either the full name of a target, its user name, IP address or other identifying information.

It seems that installing "black boxes" at ISP networks serves the bulk collection of smaller sets of data: they filter traffic using specific threat-detection algorithms, so they will likely only pull in those metadata that match certain communication patterns and routines, based on digital forensics from counterterrorism investigations. The metadata would then be used to identify the users showing such patterns.

Given the very high data rates of traffic passing internet service providers, such filter systems are very expensive and ISP generally don’t like external systems to be plugged into their networks. That makes it surprising that the orders for installing them are valid for just 2 months, and although they are renewable without any limitations, it’s not clear whether these "black boxes" would be removed from ISPs networks at the end of each order, or if they would only be turned off until further notice.



Cyber defense

Interestingly, filtering internet traffic using threat-detection algorithms sounds very much like detecting and preventing malware and cyber attacks. But maybe except for a case when a terrorists group would conduct cyber attacks, the law precisely states that this "black box" metadata filtering and collection system can only be used to detect terrorist threats. It can not be used for any other purpose, including cybersecurity, counterintelligence or criminal investigations.

Nonetheless, the cyber domain did receive special attention from French lawmakers in the latest regulations on intelligence. All collected intelligence which is related to cyber attacks can be stored indefinitely for technical analysis. In addition, all penalties for computer hacking and cyber-related crimes have been doubled as part of the new Law on Intelligence passed in July 2015. This fits a general shift of intelligence agencies towards "cyber", as for example in the US, cyber threats replaced terrorism as top priority for the intelligence community since 2013.



Links and Sources
- New York Times: French Inquiry Urges Changes to Intelligence Services in Light of Failures
- The Guardian: France passes new surveillance law in wake of Charlie Hebdo attack
- Matthew Aid: French SIGINT: Part II
- Overview of French intercept sites: Comment on peut, en trois clics, découvrir la carte des stations d'écoute des espions de la DGSE

No comments: