Following the terrorist attacks that occurred in Paris earlier this year, the French government is proposing a bill that will, supposedly, improve the control over intelligence services and give legal ground to some of the intelligence-gathering methods these services are already known to use, ie. render legal, the previously illegal, Internet wiretapping. Interestingly, opponents of the this time bill include not only the usual civil liberty activists such as La Quadrature du Net, Amnesty International or La ligue des droits de l’Homme. Professional trade unions, such as Syntec, companies, such as OVH and even official bodies, such as the CNIL and the Défenseur des droits also expressed an unusually vocal opposition to the proposed bill.
In this blog post, I’d like to make a short presentation of the proposed bill and explain why and how AdaCore would also be affected if it became law in its current format, focusing on three main aspects of the bill : the legal oversight of intelligence services; their scope of action; the mass collection of data permitted by the bill.
This is not a full legal analysis of the bill, for which other sources are available. I will leave also some interesting questions aside such as the motivation for a new anti-terror bill only five months after a previous one was introduced, or the reason for focusing on Internet communications in the wake of January attacks whose perpetrators radicalized in prison, not on the Internet.
An insufficient legal oversight
According to the bill, the use of wiretapping techniques can be ordered only by the Prime minister, after a body named the National Commission of Intelligence Techniques Control provides their opinion. The Prime Minister, however, is not bound by this opinion of the commission and, incases of emergency, does not even have to wait for its opinion.
This new independent administrative body is made of nine members, and includes two representatives, two senators, as well as two judicial judges, two administrative judges and one technical expert. It is similar in spirit to other similar bodies, such as the CNIL, the personal data watchdog created by the 1978 law which inspired directive 95/46/EC. However, its powers are considerably weaker : it can only emit a “recommendation” to the Prime Minister (art. L 821-1 and following) in case of infringement and submit the case to the Conseil d'Etat, the supreme court of the administrative order, if the Prime Minister disregard their recommendation. It has no repressive power of its own.
The bill also creates a special procedure before the Conseil d’Etat opened to the commission and to persons who complain about wiretapping. However, if the Conseil d’Etat can establish that the legal conditions for wiretapping are met based on the documents made available by the Commission, the plaintiff has no access to these classified documents (art. L773-1 and following of the Administrative Justice Code as modified by the bill). If the wiretapping is illegal, the Conseil d’Etat can enjoin the Prime Minister to stop it and destroy the records.
Many opponents complain that there is no judicial judge involved in this process, but this is not the most significant issue at stake here I believe, as the Conseil d’Etat, despite its name, has a long-standing tradition of independence from the government and legal rigor.
What is really significant here is that plaintiff would not have access to the case documents, a huge breach to the due process of law which will remove any possibility to effectively litigate : to all practical extents, there will be no effective access to the courts for those who are subject to wiretapping.
A broad scope of action
In this context, defining the scope of action of intelligence services is even more important to be able to have a minimum level of control. But the bill, beyond the expected “national security”, “preventing terrorism”, and “preventing organized crime” also covers “prevention of collective violence susceptible to gravely alter public peace” and protection of “the economical and scientific interests of France” (art. L811-3).
What does that mean for a company like AdaCore? Most of our customers are large companies, or subcontractors of large companies, dealing with the aerospace, defense, and railway domain. Typically the kind of markets where mega requests to tender are made, and fierce competition, supported by national interests, take place : just keep in mind what happened during the Saudi 1994 airliner tender. With this bill, targeting by the French services is acknowledged and documented and may deter American, Russian, or Indian customers to trust AdaCore. This is not pure theory : some of our large European customers have become much more sensitive to the issue of wiretapping in the wake of Edward Snowden’s revelations and we have had to specifically address their concerns.
In terms of geographic area, the jurisdiction of the commission is limited to the French territory. Not only does the proposed bill not put in place any control for wiretapping whenever one of the end points is located abroad (art. L854-1), but it also explicitly states that special agents are not criminally liable for wiretapping undertaken abroad (art. 323-8 of the penal code, as modified by the bill). Given how distributed the Internet is, this is probably an open door to the subcontracting of intrusive wiretapping activities to third party states.
A mass gathering of data
Another much discussed issue raised by the bill is the possibility offered to intelligence services to order ISP and providers of various Internet Services to “detect, by means of an automated process, any suspicious sequence of connection data, whose anonymity will be lifted only if a terror threat is revealed” (exposé des motifs and art. L 851-4). What is described with this falsely legalistic and truly fuzzy formula is the massive harvest of connection meta data by ISP and service providers on behalf of the government, with the fundamental inconsistency, clearly pointed out by the CNIL, that this supposedly anonymous collection of data can be turned to non-anonymous data on demand.
In theory, this possibility to gather huge amounts of individual data is restricted to “the prevention of terrorism”. However, it is hard to see how this will be effectively thus restricted. In particular, it is well-known that terrorists need to fund their activities and therefore commit ordinary crimes such as money laundering. So it is more than likely that Intelligence Services will use this broadly rather than narrowly, and target the business world like any other.
In addition, I must say, as a computer scientist and legal graduate, the fact there are people that believe it is possible from Internet meta data to infer even presumably that someone is planning a terror attack, is much more reminiscent of Minority Report than of rational crime fighting.In the movie at least, the Precogs were human beings ...
To summarize, for AdaCore, this bill means that our foreign customers can legally be targeted by French intelligence services; that these services can massively harvest internet metadata from our business communications; and that we have no legal course of action to stop this.
I trully hope that, in order to keep the same level of trust with our customers, we will not have to reorganize our services so that customers from a specific region are served only by AdaCore staff based in this region. AdaCore leverages on rare technical expertise located both in the United States and in Europe, and only this unique mix allows us to provide the complex services our customers appreciate.
Over and beyond our own situation, we can only refuse a society where all companies providing Internet services would be mandated to act as police auxiliary; where the end points of each communication would be identified, and revealed to intelligence services; in one word, a society where each citizen and business would be treated as a potential suspect.
Unless explicitly said otherwise, all references to articles below refer to articles of the homeland security code (Code de la sécurité intérieure), as they would be modified by the bill. Also, this blog post does not take into account amendments made to the original bill by the National Assembly