The available evidence indicates the use of electronic surveillance practices that go beyond traditional, targeted surveillance for intelligence purposes in five EU countries: the UK, Sweden, France, Germany and the Netherlands. Each member state is examined with the following criteria in mind: the basic technical features of large-scale surveillance programmes; stated purpose of programmes, targets and types of data collected; actors involved in collection and use, including evidence of cooperation with the private sector; cooperation or exchange of data with foreign intelligence services, including the NSA; and the legal framework and oversight governing the execution of the programme(s).
Since 2008, France has been constantly improving its architecture for the large-scale collection of data, with the main intelligence agency in France, the DGSE (Direction générale de la sécurité extérieure) increasing its foreign intelligence capabilities in recent years. A report of 30 April 2013 by the French National Assembly highlighted the fact that:
Since 2008, progress has been made in terms of pooling of capabilities, in particular concerning electro-magnetic intelligence activities operated by the DGSE to benefit the entire intelligence community.
In this report, the French MPs also suggested strengthening the data-collection structure of the DGSE and the links between all levels of intelligence.
Experts consulted for this study claim that France now ranks fifth in the world of metadata collection after the US, the UK, Israel and China and runs the second-most important intelligence data collection and processing centre in Europe after the UK. Claims of this nature have been made publicly by Bernard Barbier, a Technical Director at the DGSE, in 2010.
Programme(s) for large-scale surveillance
Reportedly, France’s communications surveillance and collection architecture rest primarily on a supercomputer operated by the DGSE in Paris. This super-computer intelligence centre, allegedly installed on three levels in the basement of the DGSE headquarters, is reported to be capable of collecting, processing and storing dozens of petabytes of data. Data are intercepted and collected by approximately 20 interception sites located on both national and overseas territory, comprised of both satellite stations and interception of fibre-optic submarine cables.
In February and March 2013, the French National Assembly's Committee on National Defence and Armed Forces conducted hearings during which the heads of the main French intelligence services all confirmed the existence of a metadata intelligence centre located at the DGSE capable of intercepting and processing internet flows, social network and phone communications. For instance, on 20 February 2013, the then Head of the DGSE, Érard Corbin de Mangoux, alluded to France’s communications surveillance capabilities when he stated before the Committee:
Regarding the technical means, we have at our disposal the entire capabilities for electro-magnetic intelligence. Following the recommendations of the 2008 White Paper, we have developed an important apparatus for intercepting Internet flows.
Data storage appears to relate primarily to metadata from phone and internet use. Concerning the use of this information, evidence indicates that the metadata centre operated by DGSE forms an ‘intelligence platform’ that feeds a range of intelligence, defence and law enforcement bodies within France. The following six agencies have been cited as ‘customers’ of the DGSE metadata bank (named ‘mutualisation infrastructure’ by French officials):
- * National Directorate of Customs Intelligence and Investigations (DNRED), responsible for carrying out investigations on smuggling, counterfeit money and customs fraud;
* Directorate for Defence Protection and Security (DPSD), responsible for military counter-espionage;
* Directorate of Military Intelligence (DRM), tasked with centralising all military intelligence information;
* Central Directorate of Interior Intelligence (DCRI), soon to be replaced by the General Direction of Interior Security (DGSI), responsible for counter-espionage and counter-terrorism;
- * TRACFIN service (Intelligence Analysis and Action against Clandestine Financial Circuits), responsible for the fight against illegal financial operations, money laundering and terrorism financing.
- * The intelligence arm of the Police Prefecture of Paris
According to reports from Le Monde newspaper, these services send a request to the DGSE and the DGSE searches the database on a hit/no-hit basis. It then forwards intelligence reports on the basis of the data analysed to the client agencies. This is allegedly carried out routinely, discreetly and without any form of parliamentary control. According to a French Senate report, this logic of ‘mutualisation’ is long- standing:
...the logic of pooling of resources between services has been continued for several years. Therefore, the DGSE is specialised in communication interception and cryptography to the benefit of the entire intelligence community. The Directorate of Military Intelligence (DRM) is in charge of the observation satellites and radar signal surveillance. Approximately 80% of the annual budget of the DGSE is invested in projects linked to the other intelligence agencies.
There are currently no confirmed reports or evidence that agreements exist between the French intelligence services and French telecommunications operators such as SFR, Bouygues, Orange etc. exist giving access to data traffic.
Cooperation with foreign intelligence services
The French intelligence services engage in wide cooperation with foreign intelligence services. During the above-mentioned hearing, Head of DGSE Érard Corbin de Mangoux declared before the French Parliament that the Agency was working with more than 200 foreign services, among which 50 formed part of the ‘second circle’ engaged in ‘frequent’ collaboration, while 10 were considered part of a ‘first circle’ engaged in intense cooperation. The states with which the DGSE engages were not named, nor the nature of the cooperation detailed beyond a reference to joint analysis of information and research. He added that, on the initiative of the US, western intelligence services have set up a database allowing each nation to immediately obtain access to all the information gathered.
These statements supplement revelations from 2005 that, according to disclosures by the Washington Post, France has been hosting a secret intelligence centre in Paris named “Alliance Base” where six countries, namely USA, UK, France, Germany, Canada and Australia routinely exchange information. It was reported that Alliance Base is headed by a French general assigned to the DGSE and hosts case officers from Britain, France, Germany, Canada, Australia and the United States. Alliance base is believed to have ended in 2009 due to tensions between the French and the US.
Legal framework and oversight
Electronic surveillance is regulated by the Code de la Sécurité Intérieure, a legislative code established in 2012 and regrouping various laws and rules related to French internal security. The specific rules on “security intercepts” (interceptions de sécurité) can be found in Book 2, Title IV of this Code. They strictly regulate security intercepts authorised by the Prime Minister on the advice of the National Advisory Commission on security intercepts (CNCIS), an independent administrative authority reviewing surveillance requests. The Code de la Sécurité Intérieure abrogated a 1991 law on secrecy of correspondence which had, until 2012, regulated the conditions for wiretaps (which required permission of an investigative judge). The new Code was strongly criticised by the CNCIS in its activity report for including security intercepts in a broader and vaguer package of rules along with, for instance, “security in public transportation” or “security guards in buildings”. The report underlined the fact that any exception to the right to secrecy of correspondence should be provided for in a specific law and not in a code.
In addition, a new Anti-Terror Act enacted on 23 January 2006 granted increased powers to the police and intelligence services, allowing them to get telecom data directly from ISPs and extended telecom data retention possibilities.
The law strictly regulates security intercepts authorised by the Prime Minister on the advice of the National Advisory Commission on security intercepts (CNCIS). However, there is a gap in the legal framework regarding the large-scale interception and storage of data, leaving a degree of legal uncertainty which intelligence services appear to have exploited. Hence a senior member of the intelligence services interviewed by Le Monde journalists is reported to have claimed that collection of meta-data by DGSE is not illegal but ‘alegal’ – conducted ‘outside the law’. This was however contrasted by the CNIL, the independent body which stated that:
Le régime juridique des interceptions de sécurité interdit la mise en œuvre par les services de renseignement, d'une procédure telle que Prism. Chaque demande de réquisition de données ou d'interception est ciblée et ne peut pas être réalisée de manière massive, aussi quantitativement que temporellement. De telles pratiques ne seraient donc pas fondées légalement.
Parliamentary oversight over communications surveillance in France is deemed to be relatively weak. First, because all requests for classified documents from parliamentary committees to intelligence services are rejected since all data transmitted by a foreign service remain property of the service to which the data have been directed. A senator or representative has no right to hear or question a member of a defined intelligence service. The directors of intelligence agencies can only be subjected to official hearings.
The main body responsible for the oversight of interception surveillance in France is the CNCIS (Commission nationale pour les interceptions de securité). The CNCIS is mandated to exert an a priori control on security interceptions (wiretapping) and to assess whether the purpose of the interception meets principles of proportionality etc. However, its reach is judged to be substantially constrained by its limited personnel (only five members), budget and administrative capacity. Moreover it is doubtful that it has been routinely consulted (if at all) during the DGSE’s metadata collection activities.
It is relevant here to note that two French human rights NGOs are attempting to launch an official judicial investigation into the surveillance scandals in France. The Paris prosecutor’s office has opened a preliminary inquiry following the submission of a joint complaint by the NGOs Fédération internationale des droits de l’homme (FIDH) and Ligue des droits de l’homme (LDH) on 11 July 2013. Both NGOs claim that infringements of personal liberties have taken place through automated data processing. On the basis of the French Criminal Code, they challenge the fraudulent access to an automated data processing system, collection of personal data by fraudulent means, wilful violation of the intimacy of the private life and the use and conservation of recordings and documents obtained through such means.
The data presented here was gathered on the basis of news articles and official documents and complemented by an interview with an expert academic source who wishes to remain anonymous.
Read more from our 'Joining the dots on state surveillance' series here.