On the last day in session, the Swedish parliament passed the law, giving the Swedish signal intelligence agency, FRA, the right from January 1 2009 to eavesdrop on international wire communication. The discussion has continued since then with numerous Letters to the Editors and newspaper articles. Yesterday saw two new letters to the Editor, one letter to the editor in DN by several high ranking members of the Moderaterna party (conservative), and another by Jan Kallberg (JK) in Expressen. While I normally agree with JK, I think that he here simplifies the matter, as well as I believe that the conservative party representatives, misses some of the issues related to the law.
In general, I believe that the debate has been harmed by to much use of metaphors. This is a complex issue, and complex issues lends it self poorly to metaphors. I therefor wanted to analyze what I believe are some of the issues. Let's first start with the most commonly used metaphor, that FRA would use "keywords" for their searches through the data. The expression "keywords", have led the debate into the assumption that these would be plaintext words such as "bomb" or "nuclear". Admittedly, I have no idea how FRA have implemented or plan to implement, their signal intelligence gathering, but from my "Algorithms and Datastructures" course in university, as well as several years in networking - I wouldn't implement it so. First of all, what you are really looking for are probably a matrix. I.e you are looking for traffic to and from known and static sources, so you filter on their addresses. Furthermore, you probably have an idea of a bit pattern that you are looking for, certain types of cryptos, crypto key lengths, data payload, etc. You are probably also looking for what in reality is a multidimensional matrix, where each element in turn is another matrix. You are most like also counting occurrences of a match in each row and column in the matrix in order to assess data volumes and activities in certain areas. Over time you can learn to correlate all the data, which will help in your understanding of the data flows you look at.
Jan, in his letter to the editor highlights another one of the fairly simplified claimed goals with the new law, to stop terrorism. This has fairly often been used as an argument for the law in the debate. Jan in his article highlights that although the US National Security Agency (NSA) is one (if not the) largest intelligence agencies in the world, they failed to detect or prevent the 9/11 attacks. This is true, and I would like to argue that terrorism and terrorist makes for an immensely hard target for signal intelligence (and most likely not the prime target). Terrorism tends to be performed by groups that are undefined and unidentifiable, what is referred to as "asymmetrical threats". Communication in and between these groups, if identified at all, will be hard to interpret, and at most just give traffic statistic data that might show statistical deviation over history. If it is collected it might at most give an indication that something is happening, but where and when might be unknown. In this light, and based on guesses and reading on signal intelligence through history, I would doubt that terrorism is a primary target for signal intelligence. I am sure that intelligence agencies over the world include it, partly due to pressure from politicians, but also as it's a tangible and sweeping explanation that can be given to "the masses". My guess as to why terrorism is often used, is that the real targets behind signal intelligence is often uncomfortable to discuss and relates to a nations international relationships. I.E, signal intelligence targets other nations, their political, diplomatic and military communications.
It's hard to asses the success of signal intelligence through history, as it for natural reasons is protected by utmost secrecy. The known public references we have go back to the second world war or shortly after. One of the most detailed and modern accounts is Peter Wright's autobiography Spycatcher, and for example James Bamfords books about the NSA. Few of these (with the notable exception of Spycatcher) however are true historic sources with access to all documentation. What we do know from these sources, is that signal intelligence has mostly been targeted at a nations international relationships, and at that been fairly successful. It has also served to gather assessments on military capabilities, military strength, trade negotiation positions, etc. The true value of the last decades of (the fairly new tool) signal intelligence we won't know before historians will get access to archives, which will take many more decades.
Herein lies the problem with the first letter to the editor, by the conservative party representatives. They, as many before them, have argued that only suspected criminals should, after due legal tests, be allowed for listing for signal intelligence. The problem here is illustrated above. Being a foreign embassy is not a crime under swedish law, and neither is being a foreign trade delegation, etc. Other comments, have argued that FRA should be allowed to continue signal intelligence on radio and collect information from military radar stations, etc. While this is clearly and important military data operation, it's of limited use for a country's formation of security and foreign policy.
The argument that only suspected criminals should be eavesdropped upon might be easy enough to understand. It comes from a wish to protect the privacy of the citizens. However, several arguments have centered on when the personal privacy is actually broken. Some argue that the mere fact that FRA is given access to the cables is a violation of the personal privacy. Others argue that giving FRA access to the radio spectrum does not lead to the same violation of privacy. For me these arguments are not clear at all. The eavesdropping, either done in radio spectrum or cable, will entail some sort of filtering. In both cases most certainly done in three steps, a basic frequency / target filter, and secondly by the matrix / "keywords" filter, and thirdly by human analysts. In today's signal intelligence world, I would assume that the two first steps are done with computers. So from a technical point of view, there is no difference between signal intelligence in radio spectrum or on in international cable communication. That is a fictive creation created by lack of technical understanding. So when does the privacy violation occur? In my view, this only happens when data is stored permanently - or when the filtering reaches a stage that it could practically be stored. For practical purposes I would argue that at the first level of filtering, the volume itself will mean the data can't be stored. Just as for radio spectrum communication. I would even be surprised if data pre-second stage was stored. Post-second stage is certainly can and most likely will. And I believe this to be the key.
The forceful passing of the law was certainly a public relations disaster for the current government, but the law is also poorly written. And I sincerely hope that the government in the planned amendment this fall will take the opportunity to clarify the inner workings of the personal protection mechanisms. First of all, I would explicitly ban FRA from storing all traffic. As this is not practical, it won't harm operations, but it will also narrow the scope. Secondly, I would regulate the FRA collection system so that FRA only are allowed to process the data so that post-filtering data can be stored. Have this supervised by an independent or parliamentary group with the help of external experts (and not the secret policy, of the largest FRA customers - as suggested by the opposition). Third, ensure that the search criteria are reviewed but the same board. I believe that the law can be written so that internal FRA operations are not disclosed or threatened, and that privacy for the vast majority of citizens is protected. But that is not the current law. The government needs to stop hand waving, be explicit and overcome the generalizations that are all too common in legal texts and proposals. This wish for generality as a relic from a time when technology was limited and implementations a given from the expressed goals. That is no longer the case, and the methodology for writing legal texts and laws needs to take this into account. We have seen several horrible examples recently in laws related to the field of telecommunications.
It will be an exciting fall. The opposition to the law is not a coherent group. It consists of people who want amendments to protect privacy, people who only want signal intelligence in radio spectrum and people who believe we should have no signal intelligence at all. The press have so far, in my mind, done an awful job of analyzing and reporting the discussion. The worst example will have to be Thomas Mattson who has ignored traditional journalistic values of integrity and independence. After expressing that he and his paper is against the law, they have failed to express and alternative view point or even to report on the split in the opposition camp. I personally looking forward to an informed, probably heated, and interesting debate.