Flickr/Christian Kurz. Some rights reserved.
Snowden's revelations triggered actions and protests all over the world, with few results. Despite President Obama’s statements and hints at surveillance reform, the Heartbleed security bug and its suspected exploitation by the NSA showed that surveillance activities in the cyber space have not stopped. We have to accept that American agencies have access to vast amount of data collected by major global companies headquartered in the USA. However, it would be naïve to believe that the USA is the only nation conducting such actions in cyber space, even if with less impressive results.
In the Czech Republic, reactions to Snowden’s revelations were modest. There were several articles in the media, the case might have worsened the image of American secret agencies but it has not influenced the Czechs' use of services provided by affected companies. There have been practically no official statements from Czech authorities on this affair.
The use of big scale online surveillance is not very developed in the Czech Republic, but the use of physical surveillance and phone tapping has recently become more common, especially for investigations relating to corruption among politicians. We can only presume that the same tendency applies to emails and other online information, but there are no public statistics about online surveillance to validate this hypothesis. Such actions might well involve innocent people in contact with suspects and breach their privacy. Despite the increased use of surveillance, each surveillance activity has to be authorized by a court. There is an exception for the Czech Security Information Service, whose actions are in the "national interest" and answer to the prime minister.
However, a recent affair showed that the supervision of the Czech Security Information Service is not so watertight and their actions were not authorized and therefore illegal. There is a trial going on right now in the Czech Republic, involving, among others, the former prime minister.
ISPs and state control
The original state-owned Telco and Internet service provider was privatized in 2005, and there has been no direct control of the state over Telco services or internet connections since then. Nevertheless, there are three main internet service providers that cover the vast majority of the Czech market, either directly or indirectly through intermediates. Indirect state control over the Telco industry is managed through the Czech Telecommunication Office (CTO). The CTO is responsible for regulating the market, issuing licenses to operators and ensuring free competition.
Internet service providers (ISPs) and Telco operators are required to cooperate with the police provided that there is a court decision. Major ISPs are also required to provide the US National Security Agency (Cyber security division) with technical information about certain data transfers and regarding the overall situation in Czech cyber space. This activity mainly aims at preventing any serious cyber-attacks from targeting critical infrastructure systems. According to NSA representatives, the content is in no sense monitored.
ISPs and content providers might be required to cooperate with police authorities when required. If this cooperation interferes with other laws, e.g. on personal data protection, they must present detailed court statements requiring this kind of cooperation from the ISP or content provider and particularly stating what type of data might be shared with police authorities.
ISPs or content providers are required to share mainly technical information with government authorities provided that they are part of critical infrastructure systems. Major telecommunication companies and ISPs are regarded as parts of national critical infrastructure and therefore are required to report to the authorities on the state of their systems on a regular basis. Nevertheless, this shared information does not include personal data or user-related data. Appropriate legal sanctions exist if a company belonging to the national critical infrastructure or operating critical infrastructure systems fails to report on time.
Surveillance in the Czech Republic
Surveillance of mobile text messages or emails is possible only when approved by court. Otherwise such actions are illegal in the Czech Republic. Surveillance of websites or other online presence is not conducted in the Czech Republic per se. Such activities might be part of police investigations in related cases (e.g. child pornography), but these activities are very limited and definitely do not happen on a regular basis.
Content intercepted during surveillance is admissible in court only if the surveillance was performed according to the law. This means that the responsible court issued an order empowering the police to start surveillance on specific individuals. The following graph shows the number of lines wiretapped by the Czech police:
There have been several cases relating to corruption in high political circles where content intercepted by means of surveillance constituted the key evidence.
For example, a former county representative and Member of the Czech Parliament was arrested when still in function on suspicion of corruption. The arrest took place in front of a private villa from where he carried a plastic bag with a vine box. This box contained cash worth over 250,000 EUR. Despite the fact that the legal action against this person is quite extensive, on this particular point the defendant claimed that he was not aware of what was really in the box. The intercepted content from phone calls and planted bugs was introduced to prove that he must have been aware of the content and therefore accepted the bribe. Only fragments of intercepted content have been played so far during the trial, but still the playback took dozens of hours.
The scale of intercepted content and number of affected persons – including high-ranking politicians and intelligence executives - has raised questions about the supervision of surveillance in the Czech Republic. What if the motivations were political? Police surveillance or wiretapping is possible only if the target is a suspect accused of something from a list of criminal activities and the action is approved by a court. In this particular case, the court that approved the surveillance is located in Ústí nad Labem, but the affiliated court is in Prague. This step was taken on purpose by the police to minimize any chances that information about the investigation would leak out.
Public authorities are not the only constituencies who are interested in personal and sensitive data about Czech citizens' use of cyberspace. Technically, it is possible to collect information about users without their knowledge. Such activities would only be illegal, based on the type of information collected. For instance, recording the number of users visiting a website is legal if such information is neither sensitive nor personal (as defined by the law). However, tracking the geographical position of the user together with his IP address could be regarded as illegal, because it might be possible to identify the user with such data.
Massive online surveillance conducted by national authorities is not very probable in the Czech Republic. Firstly, national authorities have only a limited range of companies they can use to acquire such data. Secondly, the analysis of such vast amounts of data requires skilled personnel, and specialized software and hardware, which might not be available for this purpose. On the other hand, the usage of 'traditional' surveillance methods (e.g. phone tapping) has increased in the Czech Republic during the past few years. It is used mainly in corruption cases, but recent events have proved that the usage of these methods is not always consistent with current legislation and can be deployed for political reasons. This only highlights the necessity of public discussion on the control mechanisms of surveillance in the Czech Republic, because in the case of online surveillance the impact will be much wider than in the case of 'traditional' surveillance methods.
AMO is organising an event named "Facing the Atlantic Cyber Challenge" in Prague on 28th and 29th May. A comprehensive report on internet freedom in the Czech Republic will be presented there.
Read more from our 'Joining the dots on state surveillance' series here.