On 29 April the Government of Kosovo said it would be sending to Parliament a revised Draft Law on Interception of Electronic Communication. The Draft has undergone some positive changes but is still unacceptable in this form.
Here are the problems with it:
Interception interfaces. The first and major problem is the separate interception interface it provides to the intelligence agency AKI. While the Draft also requires court warrants for the AKI, in practice the AKI has its own interface. The law calls for two types of electronic solutions: the monitoring facilities, placed at the authorized institutions, which would get the feed they have been authorized for upon showing the warrant, and the interception interfaces, placed at the communication companies, which do the actual feeding of the data. But the AKI also gets one of these interfaces at its own facility. This is unacceptable, as it provides no means to control against abuse and practically gives the Agency, which has been scoring negative headlines daily, a carte blanche to intercept.
Data retention. The second major problem. Despite promises by the Minister and the CJEU ruling annulling the Directive, data retention is still there, albeit in a somewhat lighter version. Data to be retained for 12 months include (Article 12):
– the calling telephone number;
– the name and address of the subscriber or registered user;
– the user identification allocated;
– the user identification and telephone number allocated to any communication entering the public telephone network;
– the name and address of the subscriber or registered user to whom the internet protocol address or telephone number was allocated at the time of the communication;
– the numbers dialed, and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
– the name and address of the subscriber or registered user;
– the user identification or telephone number of the intended recipient of an internet telephony call;
– the name and address of the subscriber or registered user and user identification of the intended recipient of the communication;
– concerning fixed network and mobile telephony, the date and time of the start and end of the communication;
– the date and time of the log-in and log-off of the internet access service, together with the IP address allocated by the internet access service provider to a communication, and the user identification of the subscriber or registered user;
– the date and time of the log-in and log-off of the internet e-mail service or internet telephony service;
– concerning fixed network and mobile telephony, the telephone service used;
– concerning internet access, internet e-mail and internet telephony, the internet service used;
– the calling and called telephone numbers;
– the international mobile subscriber identity of the calling and the called party;
– the international mobile equipment identity of the calling and the called party;
– in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label from which the service was activated;
– the calling telephone number for the dial-up access;
– the digital subscriber line or other end point of the originator of the communication;
– the location label at the start of the communication;
– data identifying the geographic location of cells by reference to their location labels during the period for which communications data are retained.
Since the sponsoring Minister Vlora Çitaku has stated that the Draft has been approved by the European Commission, and EU Special Representative / Head of EU Office in Kosovo Samuel Žbogar has said that the law, while not perfect, meets minimum standards, I wonder if the dragnet surveillance of the above data is the new interpretation of the CJEU ruling by the Commission?
Authorized institutions. The Draft Law does not limit the “special laws” that could be used for issuing warrants to be complied with under this law. This means that if the law is passed in this form, permanent attention will be required to make sure that other institutions don’t get access through other less onerous laws through this back-door.
Purpose (Art. 1 and 12.7). The EU Directive was specifically directed at fighting serious crime, although we know that through implementation it became subject to much abuse. In the Draft, the reference to the Directive has been expunged, but a limitation of scope to “serious crime” has now been introduced. This is an advancement, provided it does not get abused, which from European experience we know will happen.
Notification. The Law refers to the Criminal Code and the AKI Law as two of the legal bases for getting warrants. While the Criminal Code has the concept of notifying citizens upon surveillance built in, the AKI Law does not. Therefore, no citizen would be allowed to know that they had been surveilled by the AKI, since, unless otherwise expressly allowed by another law, notification is prohibited by this one. As ruled by the ECtHR, notification is a right, hence the Draft is in violation of the Convention, which Kosovo has unilaterally embraced but whose court its citizens still can’t seek redress from, due to Kosovo not being party to the Convention.
Interception assistance (Art. 9). “Based on a lawful inquiry, in full compliance with the Criminal Procedure Code of Kosovo” the Draft allows for the breaking of a citizen's anonymity by requesting the identity of a target in preparation for the interception. Indirectly, this article states that no warrant would be required for this procedure. Furthermore, the notification principle is once again violated in this article, as notification is expressly prohibited.
Records of interception (Arts. 11 & 13). The request to keep records and provide data on the number of interception requests is a positive change in this draft. Yet this point becomes somewhat moot when considering that the AKI will have its own interface. In the reporting requirements, there are no criteria about the effectiveness and indispensability of retained data in combating crime, only about the effectiveness of the ability to provide data, a point which privacy advocates in Europe have argued with regard to the Data Retention Directive.
Penalties (Art. 15). For non-compliance, a network operator or service provider could be fined with a penalty of at least 86,000 EUR and up to 7% of the annual income from their economic activity in electronic communication. There are no penalties foreseen for violations that harm the privacy of citizens, clearly favoring the sharing of citizens’ data with the authorities.
Data transmission security standards (Art. 5.5). The law refers to data security standards used otherwise by the operator, or relegates this matter to secondary legislation.
There you have it.
Looking at how well done the relevant parts of the Criminal Code and the Criminal Procedure Code are, it seems to me that there could be only two reasons to push this new law: data retention and extension of AKI’s ability to tap.