Print Friendly and PDF
only search openDemocracy.net

Sweden's surveillance: justice, freedom and security in the EU

Over the years, Sweden has become the biggest collaborating partner of GCHQ outside the English-speaking countries, and a key member of the Five Eyes network.

This is an excerpt from the annex of this October 2013 EU study. Read the introduction to the study here.

The available evidence indicates the use of electronic surveillance practices that go beyond traditional, targeted surveillance for intelligence purposes in five EU countries: the UK, Sweden, France, Germany and the Netherlands. Each member state is examined with the following criteria in mind: the basic technical features of large-scale surveillance programmes; stated purpose of programmes, targets and types of data collected; actors involved in collection and use, including evidence of cooperation with the private sector; cooperation or exchange of data with foreign intelligence services, including the NSA; and the legal framework and oversight governing the execution of the programme(s).

Sweden

According to revelations by investigative journalists and experts consulted for the purpose of this study, Sweden is becoming an increasingly important partner of the global intelligence network. Signals intelligence operations in Sweden are the responsibility of the National Defence Radio Establishment (FRA). In recent years, reports have emerged alleging that FRA has engaged in operations and programmes for the mass collection of data, with features that resemble in part those pursued by the US NSA and the UK’s GCHQ.

Programme(s) for large-scale surveillance

Swedish intelligence services have a longstanding history of intercepting signals intelligence, [1] however the past five years have seen allegations emerge stating that the FRA has been engaged in accessing data traffic crossing its borders from fibre-optic internet cables. In 2008 the TV broadcaster SVT reported that FRA was collecting/receiving data from Russia and the Baltic states and forwarding them in bulk to the US. These allegations were recently re-stated during Duncan Campbell’s testimony to the European Parliament Inquiry on Electronic Mass Surveillance of EU Citizens of 5 September 2013, where he alleged that while the Försvarets radioanstalt has been running satellite interception facilities for many years, Sweden’s new internet laws passed in 2009 (FRA law) authorised the agency to monitor all cable-bound communications traffic into and out of Sweden, including emails, text messages and telephone calls. FRA is now alleged to engage in intercepting and storing communications data from fibre-optic cables crossing Swedish borders from the Baltic sea.

The evidence indicates that FRA has been running operations for the ‘upstream’ collection of private data – collecting both the content of messages as well as metadata of communications crossing Swedish borders. The metadata are retained in bulk and stored in a database known as ‘Titan’ for a period of 18 months. It is understood that interception of these fibre-optic cables involves a legal obligation on communications service providers to transfer all cable communications crossing Swedish borders to specific ‘interaction points’, where the communications service providers surrender the data to the state. [2]

How the FRA processes communication and informations. Source: Klamberg (2010) How the FRA processes communication and informations. Source: Klamberg (2010)Concerning the profile of individuals targeted by the FRA's mass data interception programme, the initial targets again appear to be indiscriminate. As in the UK. the bulk retention of data is, under the Swedish legal regime, only meant to cover commuications entering or exiting Swedish borders and not internal communications. However, internal communications that have been routed through nodes based outside Swedish territory are likely to also be classified as 'foreign' communications and retained for analysis. The Swedish legislative framework regulating the collectionof signals intelligence provides that if there is uncertainty whether data are foreign or domestic, the data may be collected and retained.

Final (processed) intelligence, described as 'reports to clients' is discriminate and does not include citizens in general. The legislation differentiates between 'defence intelligenceoperations' and 'auxiliary operations'. Defence intelligence operations concern a relatively small fraction of the communications that are deemed to directly relate to external military threats, international terrorism and similar phenonmena. The content of such communictaions associated with such threats is selected and reserved for detailed analysis. By contrast the 'auxiliary operations', which make up the lion's share of communications intercepted, is analysed as metadata, not content, and are not intended for generating intelligence reports to FRA's clients.

However, academic experts argue that the division between these modes of processing these two kinds of data is not clear-cut. Dr.Klamberg states that this division:

...creates the impression that a wall has been erected where the large amounts of traffic data [metadata] collected through the auxiliary operations is used purely for some abstract technical matters and not for intelligence purposes. This is a misconception.

This misconception is due to the fact that the preparatory works for the Swedish law on signals intelligence state that since the auxiliary operations “aim to facilitate the defence intelligence operations it would not be incompatible with the purpose for which the data is collected that the data is also used to some extent in the defence intelligence operations.”

Second, the preparatory works explain that reports to clients may involve extensive descriptions of meta-data patterns and therefore, despite being intended for auxiliary operations, may also be used for defence intelligence purposes.

While there is no explicit statement as to which national entities receive the data or resulting intelligence drawn from this programme, according to the Swedish legislative framework, data collected by the FRA may be shared with the following ‘customers’.

1) the Government offices (Regeringskansliet)
2) National Police Board (Rikspolisstyrelsen - RPS) which includes the National Bureau of Investigation and the Secret Service
3) the Swedish Agency for Non-Proliferation and Export Controls (Inspektionen för strategiska produkter - ISP)
4) the Defence forces (Försvarsmakten)
5) Swedish Defence Materiel Administration (Försvarets materielverk - FMV),
6) Swedish Defence Research Agency (Totalförsvarets forskningsinstitut - FOI),
7) Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap - MSB)
8) Swedish Customs (Tullverket)

Cooperation with foreign intelligence services

There is evidence that FRA may be sharing substantial quantities of the data it collects with foreign intelligence services, including NSA. Swedish legislation allows for the bulk transfer of data to other states if authorised by the Government. Reports from media, experts as well as government statements indicate that Swedish authorities have made use of this possibility through exchanges of large amounts of raw data with the US as well as the Baltic states.

Duncan Campbell, during his testimony to the European Parliament hearing on 5 September 2013, stated that Sweden’s FRA has become a new and important partner of ‘Five Eyes’, by providing major satellite and undersea-cable interception arrangements, stating that FRA “is deemed, according to the documents, to be the biggest collaborating partner of GCHQ outside the English-speaking countries”. Code-named ‘Sardine’, he highlighted that Sweden makes an important contribution to the Five Eyes organisation, having access to cables that were hitherto inaccessible (those from the Baltic states and Russia).

In a statement following the revelations by Campbell, Defence Minister Karin Enstrom said Sweden’s intelligence exchange with other countries is “critical for our security” and that “intelligence operations occur within a framework with clear legislation, strict controls and under parliamentary oversight.” Likewise a FRA spokesperson has acknowledged that FRA shares data with other countries, but declined to specify which countries or to provide further details of the types of data shared. Similarly, there is no indication of whether Sweden has been the recipient of data from other states, including data from the NSA’s PRISM and other mass-surveillance programmes.

Legal framework and oversight

The legal authorisation for Sweden signals intelligence-gathering operations are issued by an intelligence court (Underrättelsedomstolen - UNDOM). However, according to the legislative framework governing the issuing of warrants – namely Act 2008:717 on signals intelligence within defence intelligence operations, Act 2009:966 on the Intelligence Court, and Decree 2009:968 with instructions for the Intelligence court – warrants can be sweeping and are not limited to a specific individual.[3]

The surveillance activities of the FRA are monitored by a national oversight body, the Inspection for Defence Intelligence Operations (Statens inspektion för försvarsunderrättelseverksamheten – SIUN) which is composed of representatives from the Government and Opposition parties.

However, academic experts have critiqued the weak system of checks and balances when it comes to Swedish collection of signals intelligence. With regard to the UNDOM and the SIUN, Dr. Mark Klamberg contends:

All of these institutions are under very tight control of the Government, an entity that can issue requests for signals intelligence operations. The intelligence court has one chief judge, one or two deputy chief judges. The judges are appointed by the Government. One of the three nominees for the next chief judge is currently the chief legal advisor at the Ministry of Defence. The current head of the signals intelligence agency was previously the chief legal advisor at the Ministry of Defence when the legislation was drafted. The members of SIUN do represent different political parties but are appointed by the Government and report to the Government. Most of the members of SIUN are former parliamentarians, which weakens the parliamentary oversight in comparison to a system where the responsibility for oversight is conducted by a committee of parliament, i.e. parliamentarians in office. All in all, the Swedish system of checks and balances is weak when it comes to signals intelligence. 

The information gathered on the large-scale surveillance practices of Sweden is based primarily on the expert input of Dr . Mark Klamberg, Uppsala University as well as press articles, and official documentation.

[1] Swedish Government Official Reports record that Swedish law enforcement agencies began working with signals intelligence as early as 1939.

[2] M. Klamberg, (2010), ‘FRA and the European Convention on Human Rights’, Nordic Yearbook of Law and Information Technology, Bergen 2010, pp. 96-134.

[3] For further information on the Swedish legal framework covering communications surveillance, see Klamberg, (2010)

Read more from our 'Joining the dots on state surveillance' series here.

About the authors

Didier Bigo is Director of the Centre for Research on Conflicts, Liberty and Security (CCLS) and professor of war studies at King’s College, London.

Sergio Carrera is a Senior Research Fellow and Head of Justice and Home Affairs Programme, CEPS. He is an Associate Professor/Senior Research Fellow at the Faculty of Law in Maastricht University (the Netherlands). Carrera is also an Honorary Professor at the School of Law in Queen Mary University of London (UK).

Nicholas Hernanz, is a Research Assistant, Justice and Home Affairs Section, CEPS

Julien Jeandesboz is Assistant Professor at the University of Amsterdam and associate researcher at CCLS.

Joanna Parkin is a Researcher, Justice and Home Affairs Section, Centre for European Policy Studies (CEPS)

Francesco Ragazzi is assistant professor in international relations in the University of Leiden’s Institute of Political Science (The Netherlands), and associate researcher at the Centre for International Studies in Paris, affiliated with Sciences-Po. He is also attached to the Centre for Conflict, Liberty and Security, headed by Didier Bigo.

Amandine Scherrer is research dissemination manager at CCIG and CCIG member.


We encourage anyone to comment, please consult the
oD commenting guidelines if you have any questions.