Future Tense

How Governments and Telecom Companies Work Together on Surveillance Laws

It isn’t a coincidence that the U.S., Canada, Australia, and the U.K. are proposing similar laws to permit monitoring of Internet communications.

Governments and telecom companies are working closely on how to lawfully monitor Internet communications.

Photo by Ernest Nikl/iStockphoto.

When Americans are displeased with their politicians, they like to threaten to move to Canada. But if you’re tempted to move north—or even further afield—to get away from plans for increased Internet surveillance by the government, think again. Controversial new surveillance laws proposed in the United States, Canada, the United Kingdom, and Australia have quite a bit in common. And it’s no coincidence.

Over the past few months, authorities in these countries have separately been arguing the case for expanded power to monitor Internet communications. Changes could include making it mandatory for social networks and online chat providers to build in back doors for law enforcement eavesdropping and instituting so-called “deep packet inspection” technology to enable monitoring and interception of data.

The plans have prompted an outpouring of negative reaction, much of it centered on concerns about government invading Internet users’ privacy. But what has gone largely unremarked upon is the role played by little-known networks of telecom companies and international government agencies, which have been quietly collaborating to reform surveillance laws so that they are “harmonized” to a similar standard from country to country.

In cities across the world, groups composed of telecom companies and government representatives have met to discuss how to integrate surveillance capabilities into existing and developing technologies. The decisions they have made, largely beyond public scrutiny, could lead to a fundamental shift in the Web’s basic architecture.

Below, alongside links to documents offering insight into ongoing discussions between industry and government on surveillance issues, you can find details about some of the key organizations, countries, and companies involved.

The Alliance for Telecommunications Industry Solutions
ATIS is an organization that brings together the communications industry and law enforcement. Focused mainly on North America but collaborating internationally, ATIS’s list of more than 180 members includes the FBI’s specialist Electronic Surveillance Technology Section alongside many familiar companies: Microsoft, AT&T, Sprint Nextel, T-Mobile, Time Warner Cable, and Verizon, among others.

ATIS runs a series of subcommittees and task forces, some of which focus specifically on integrating surveillance capabilities into the latest communications technologies. One recent ATIS presentation, given by a representative from CenturyLink in late 2011, detailed how the organization was working on updating standards for intercepting communications sent over voice over IP chat services (like Skype) and IMS networks. IMS is considered a “next generation” telecom network that combines mobile and fixed networks into one. Law enforcement agencies see IMS as a challenge in part because it can enable difficult-to-intercept mobile VOIP calls.

The European Telecommunications Standards Institute
Like ATIS, the European Telecommunications Standards Institute has been working with government and law enforcement agencies to integrate surveillance capabilities into communications infrastructure.

ETSI holds meetings on lawful interception three times a year, attended by up to 80 participants from countries such as the United Kingdom, the United States, Canada, and Australia. It has more than 700 members across five continents. Some are government departments tasked with upgrading surveillance laws in their respective countries: Canada’s public safety department; Australia’s attorney general’s department; and the National Technical Assistance Centre, a subunit of the U.K. spy agency GCHQ.

Several of the world’s largest telecom firms—including Vodafone, RIM, Nokia Siemens, and British Telecom in previous years—participate in ETSI’s lawful-interception meetings. ETSI’s January 2012 white paper on “security for ICT” (information and communication technologies) detailed that it is working toward “the standardisation of lawful interception,” and has the “active participation of the major telecom manufacturers, network operators, and regulatory authorities of Europe and from around the world.”

Ultan Mulligan, an ETSI spokesman, said the organization focuses on finding “agreed technical solutions” to lawful interception across borders because it’s not economical for telecommunications companies to have a different mechanism in each country. He added that consumer groups and universities focused on the telecommunications and ICT industries can attend and contribute to ETSI’s lawful interception meetings if they are paid-up members. But “private individuals” (including journalists or interested citizens) cannot attend or apply for membership.

An ETSI presentation dated 2011 shows the organization is working to help enable cross-border interception of data held by cloud storage services.

The 3rd Generation Partnership Project
The 3rd Generation Partnership Project unites six telecommunications standards bodies, including ETSI and ATIS, which meet regularly and host a series of quarterly plenary meetings. Jargon and acronym-laced minutes from 3GPP meetings published online occasionally offer a fascinating glimpse into the scale of international collaboration on upgrading surveillance capabilities.

During meetings in Estonia and Italy in 2010 and 2011, for instance, it was revealed that law enforcement representatives from the United Kingdom, Canada, and the Netherlands expressed reservations about adopting so-called “man-in-the-middle” attacks—a kind of hacking—to intercept communications as they are being sent over IMS networks. The United Kingdom in particular was said to be concerned that performing an “active attack” to spy on people “may be illegal” under British law. The U.K. was reportedly working on a separate method of intercepting IMS communications so it would not have to resort to man-in-the-middle attacks.

In recent weeks 3GPP meetings have focused on the “challenges for interception” posed by cloud storage of data. The group is trying to find a solution that will enable law enforcement agencies to monitor, and have access to, cloud data as part of their investigations.

The Telecommunications Industry Association
The TIA is a trade group based in Washington, D.C., which works to address policy issues and set standards for the telecommunications industry. Formed in 1988, the group operates a series of committees and subcommittees—attended by companies including Sprint Nextel, Nokia Siemens Networks, and Verizon Wireless—which deal with issues covering electronic surveillance. The TIA is currently helping develop standards for interception of VOIP and data retention alongside ETSI and ATIS. Interestingly, it has also been pressuring authorities in India to adopt global standards for surveillance, calling on the country’s government to create a “centralized monitoring system” and “install state-of-the-art legal intercept equipment.” 

The Global Standards Collaboration
The Global Standards Collaboration plays a significant role in bringing together organizations from across the world to facilitate “global standardization” of telecommunications infrastructure.

Representatives from the United States, Europe, Japan, China, Canada, and Korea attend annual GSC meetings, where they discuss and vote on issues affecting the industry—including upgrading surveillance capabilities. Crucially, in 2003 the GSC approved a resolution that called for “global cooperation and collaboration on lawful access and interception.” This was a collective commitment made by all participating organizations—among them ETSI, the TIA, and ATIS—to work toward “common, harmonized, shared systems of law” relating to communications interception.

Convention on Cybercrime
The Council of Europe’s Convention on Cybercrime has been signed and ratified by 19 countries, including the United States and the United Kingdom. Canada has also signed—but not ratified—the treaty, and Australia intends to sign. The convention codifies a commitment to establish a system of mutual assistance for issues related to computer crime. This includes measures related to enabling real-time surveillance of communications content.

A Canadian parliament report in 2006 noted that the convention’s call for “harmonization of lawful access legislation” was a factor in its own push for new surveillance powers. The report also stated that Canada had based a proposed surveillance bill, C-74, on “legislation existing in other countries, primarily the United States, the United Kingdom and Australia.”

Designed to ensure that law enforcement agencies could legally intercept any communication regardless of the technology used to send it, C-74 never became law due in part to opposition from the public and civil liberties groups. But Bill C-30, currently being pursued by Canada’s government, is essentially a second-generation version of C-74 and would implement many of the same powers.

*****

The latest developments in the United States, Canada, the United Kingdom, and Australia could well be part of a tradition dating back more than 60 years. In his book GCHQ: The Uncensored Story of Britain’s Most Secret Intelligence Agency, academic Richard J. Aldrich noted that after World War II, a series of surveillance and intelligence-related treaties, alliances, and agreements were made between the countries, leading to the creation of “a complex spider’s web of cooperation” that is still in existence.

Unlike in previous decades, though, the proposed expansion of surveillance today is inward-looking: domestic, not foreign. It is linked not to combating state-level threats but to unprecedented technological advances. With more people communicating online than ever before, authorities say they are losing the ability to track and monitor suspects and that secrecy is necessary to conceal their techniques from criminals.

Given this, it makes some sense that governments and technology firms are working together to find solutions. The problem is that the relationship is tainted by a lack of openness.

I’m not suggesting here that we’re in the depths of some sort of grand conspiracy, and nor am I arguing that the FBI should reveal intricate details about its surveillance methods or divulge the inner workings of its most complicated interception technologies—things that might actually be a benefit to serious criminals. What I’m saying is that without greater levels of public scrutiny or input, officials will sow mistrust—and end up defeating themselves. Already some are proposing “surveillance-proof” Internet providers, in part fueled by well-founded fears about clandestine mass snooping programs.

The deeply rooted tension between sweeping demands for increased online surveillance and privacy concerns of citizens is not going to disappear soon, and there are no quick fixes or easy answers. What’s essential is honest debate on surveillance between all sides in all countries. But that debate can’t and won’t happen until governments and telecom companies can at least commit to being more transparent about the scale and purpose of their collaboration.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.