Surveillance by intelligence services – Volume II: field perspectives and legal update
number of IMSI catchers that can be used simultaneously
is set by the prime minister, following an opinion on the
matter by the CNCTR.142
Safeguards in case of foreign
surveillance
In all five Member States that have detailed legislation
on general surveillance of communications, their
respective laws provide for lower safeguards for
foreign-focused general surveillance of communications
than for domestic surveillance. All five permit their
intelligence services to perform foreign surveillance. As
noted, for Germany, the citizenship criterion is crucial;
however, the prior authorisation procedure applicable
to foreign surveillance requires the intelligence services
to disclose less information to the approving body than
for domestic surveillance. In the United Kingdom and
France, compared to domestic surveillance, there is
no such safeguard banning the collection and access
to communications content.
In Germany, since 2016, the law on the federal
intelligence service (BNDG) regulates the federal
intelligence service’s (BND) surveillance of foreignforeign telecommunication. The reform adapted the
legal framework to take into account technological
evolution. The relevant sections were incorporated into
the BND Law to highlight that German constitutional
protection (Article 10 of the Basic Law) does not
extend to these type of data.143 The data can be
intercepted outside Germany, through cooperation
with foreign services or at German communication
hubs and via satellite interceptions.144 However, the
law imposes the safeguard that only a foreigner’s
telecommunications may be intercepted. In practice,
the BND is authorised to collect and process any
foreign telecommunication content data (as well as
metadata) from telecommunication networks if such
data are deemed necessary to detect and pre-empt,
among others, “threats against internal or external
security”.145 Section 6 (4) of the BNDG prohibits the BND
from collecting and processing data on German citizens
outside Germany. Communications of EU institutions,
public institutions in the EU Member States, and
EU citizens can be intercepted in the counter-terrorism
and non-proliferation context or if they provide
important information on third countries.146
142 France, Interior Security Code (Code de la sécurité
intérieure), Art. L. 851-6. See also France, CNCTR (2016),
p. 41.
143 See Germany, Federal Parliament (Deutscher
Bundestag) (2017b), p. 1245 and following.
144 See Löffelmann, M. in Dietrich, J.-H. and Eiffler, S. (eds) (2017),
p. 1236 and following, Wetzling, T. (2017), p. 2 and 16.
145 Germany, BNDG, S. 6.
146 Ibid. S. 6 (3) and (7).
46
The telecommunication networks to be targeted must
be ordered by the Federal Chancellery in advance, with
effect for no more than nine months, and approved by
a newly established oversight body, the Independent
Committee (Unabhängiges Gremium).147 The selectors
established by the head of the BND to search the flow
of telecommunication data must be aligned with the
interests of German foreign and security policy. The
Federal Chancellery needs to be informed.148
In the United Kingdom, the ‘bulk’ powers that require
a foreign-focus under the Investigatory Powers Act are
bulk interception of telecommunications data149 and
bulk equipment interference.150
‘Bulk interception’ is the power of “interception of
overseas-related communications”151 and “obtaining
secondary data from such communications”.15 2
Essentially, the intelligence services tap undersea
fibre optic cables landing in the United Kingdom to
intercept their traffic. Anderson provides the following
example of the use of bulk interception powers: after
the disruption of a United Kingdom-based terrorist cell,
GCHQ and MI5 continued to investigate its potential
overseas links. GCHQ had been analysing data obtained
through bulk interception warrants to look for patterns
of behaviour indicative of operational planning. They
identified an email address that was in contact with
a United Kingdom-based individual. Analysis of the
communications data and content of these emails
revealed more members of the United Kingdom
network and details of the attack plot.153
‘Bulk equipment interference’ covers a range of
techniques involving interference with electronic
equipment. This includes computers, electronic
storage devices and smartphones for the purpose of
obtaining communications or other information. The
bulk equipment interference techniques are colloquially
referred to as “hacking or the implantation of software
into endpoint devices or network infrastructure
147 Ibid. S. 9 (4).
148 Ibid. S. 9 (2).
149 United Kingdom, Investigatory Powers Act 2016, Part 6
Chapter 1. Not yet into force and will be brought into force in
due course by means of regulations made by the Secretary
of State (See United Kingdom, Investigatory Powers Act
2016, Explanatory Note).
150 Ibid. Part 7. Not yet into force and will be brought into
force in due course by means of regulations made by the
Secretary of State (See United Kingdom, Investigatory
Powers Act 2016, Explanatory Note).
151 Ibid. s. 136 (2)(a). Not yet into force and will be brought
into force in due course by means of regulations made by
the Secretary of State (See United Kingdom, Investigatory
Powers Act 2016, Explanatory Note).
152 Ibid. s. 136 (2)(b). Not yet into force and will be brought
into force in due course by means of regulations made by
the Secretary of State (See United Kingdom, Investigatory
Powers Act 2016, Explanatory Note).
153 Anderson, D. (2016), p. 159.