In the context of Snowden’s leaks and the controversy about communication tapings, France passed, at the end of December, a military law to give more legal power to intelligence agencies. Globally, this new, almost unnoticed legislation, gives more financial and technical resources to these agencies.
It has been more than one and a half years that French Parliament has been discussing topics about the intelligence roles and the way to give them new powers. Under the French law, these agencies are not enforcement services, and their activities are not under a judge’s control, but rather government’s. This separation between two polices was declared compliant with the French Constitution by several decisions from the Constitutional Council in charge of the review of the constitutionality of legislation. For example, in a decision about the 2006 antiterrorist law, the Council confirmed the intelligence agencies’ data collection. Accordingly, the intelligence agents do not need a warrant when investigating or accessing data in the limits defined by the legislation. Knowing this fundamental legal definition would have helped some French journalists and influencers to not misunderstand the new law and spread a wrong analysis of the controversial new legislation.
In this context, the new legislation was supposed to extend the intelligence services powers, including new warrantless access to criminal indices and ID databases. They can also receive the PNR (Personal Name Records) of all passengers boarding an international flight, even if the PNR EU Directive is not yet adopted. It also changed the warrantless access by intelligence agents to the data retained by electronic communication providers, Internet access providers, Internet services providers and hosting providers (article 20, former article 13 of the Bill), including geolocation in real time. What does this legislation really change on spying and snooping from French intelligence activities?
Who are the French intelligence agencies?
The French legislation does not list the intelligence agencies. However, six services are known and working on intelligence snooping. Three of them report to the Ministry of the Defense: the external intelligence agency (DGSE), the military intelligence agency (DRM) and the counter-intelligence agency (DPSD); one reports to the Ministry of the Interior: the homeland intelligence agency (DCRI); and two report to the Ministry of the Economy: the custom intelligence agency (DNRED) and the money laundering agency (TRACFIN).
While some of these agencies have both intelligence and enforcement departments, the new legislation concerns only their intelligence activities.
The existing interception of electronic communications framework
The interceptions of electronic communications framework have legally existed since the 1991 Secrecy of Correspondence Act. Despite its name, this act allows intelligence agencies to tap telephone call traffics and, by extension, cellphone call traffics and Internet traffics. However, this Act does not allow for collecting information and documents kept by providers.
The interception has to be authorized by the Prime Minister for four months, he limits the number of interceptions processed during this time and a Commission controls post ante the interceptions.
As a result, the French Law does not allow a global tapping of the communications, although some press articles have revealed a massive tapping processed by intelligence services.
The current warrantless data access framework
After the New York, London and Madrid terrorist attacks, French political and intelligence agencies wanted to have the right to access the data retained by communication, Internet and hosting providers for their enquiries. The 2006 antiterrorist law, as well as the 2006 EU data retention directive, created the legal framework for the data collection by the intelligence agents. As a result, they can access the data to monitor suspects they have already identified for illegal activity, or suspect of illegal activity, online. The Internet Access Providers keep the logs of every connection made by a computer from an Internet access point, which is related with the name of an Internet subscription’s contract including address, email, phone number, and credit card number; however, the current legislation does not permit agencies to follow a cellphone in real time through its geolocation data. Thus, the new law creates the legal framework for this particular collection for intelligence agencies.
An extension of the intelligence agencies’ roles to access the data
The first main change created by article 20 is the extension of the intelligence agencies’ roles. Most of them were previously focused on counter-terrorism and national security. The Antiterrorist Act of 2006 allows these agencies to access the data just for the anti-terrorism intelligence, as the data retention directive also says.
However, the new legislation extends the roles, allowing the intelligence agencies to access the data retained by communication, Internet and hosting providers. With the new law, they can access the data to protect national security, to preserve France’s strategic (scientific and economical) elements, and to fight against terrorism, organized crimes and groups constituting threats to the national security.
Nevertheless, the access is supervised and controlled by a “qualified person” who receives all the demands from the agents to validate, or not, the requests. It must be specified exactly who is the suspect and what data is targeted. Without this authorization, the intelligence agencies cannot access the data.
The warrantless geolocation in real time
As previously stated, the new law allows geolocating suspects in real time. This particular data is more intrusive than the location retained by the providers. In fact, the access to data is always done after the action, which means the intelligence agents can just know where the suspect was and not where it is currently located or where it is going. The geolocation is supposed to be able to follow the suspect in real time, in all its movements. Consequently, geolocation is not regular data and must be considered as an interception of communication.
The same Commission that controls the interceptions also controls the geolocation processing. Therefore, the agent needs authorization from the Prime Minister to geolocate a suspect in real time for thirty days.
The controversy regarding the warrantless data access framework
The main controversy came from the way the article was written.
First, the modification of the data access framework says the intelligence agencies may have access to “information, documents, including data” retained by providers. This is the first time the data retention framework uses the terminologies “information” and “documents”. Consequently, commenters understood that the specific data collection legislation for intelligence agencies was extended to the collection of all documents, which was, so far, regulated by the interception law
In fact, the interception law mentions only one time access to “information and documents” to help process the tapping. Anyway, it does not allow collecting all the documents they want. However, I agree that the new law is not clear and an extended interpretation would permit the intelligence services to collect much more information and documents than they were allowed to do before.
Secondly, commenters talked about direct access to the databases for warrantless snooping and collecting everything the agencies want. They clearly misread the law. In fact, it is written that the providers transmit the required data to the intelligence services, not that the intelligence agents pick the data up directly from the providers’ databases. Moreover, this sentence is located not in the data access article, but in the article regarding geolocation in real time.
So, I am convinced that this new law does not create full access to all the data, information and documents retained by providers, permitting free snooping and tapping, as the Snowden leaks revealed about the NSA processes.
Is this data access unconstitutional?
The French parliamentarians have not referred to the Conseil constitutionnel (the French constitutional court) to review the constitutionality of this legislation. Anyway, this law deals mostly with the data access for intelligence agencies, a topic that was already validated by the Council. Concerning geolocation, the European Court of Human Rights (Uzun v. Germany, 2010) gave the conditions processing a suspect’s geolocation in real time. It seems that the new law creates the conditions pronounced by the Court.
Still, the debate about the intelligence agencies’ access should not be at a legal level since all these laws were already validated by the Constitutional Council, but at a political level. French people have to think about what they want for their intelligence agencies, which is acting under government supervision. However, this new legislation is neither a French Prism system that allows French officials to monitor Internet, nor a citizens spying system as some foreign press have said. It expands the power of the intelligence agencies on spying on suspects. Now, the question is: how do the intelligence agencies select their suspects and who is suspected: him, you, me? Maybe… who knows?