Why Kosovo’s new draft law on interception is still wrong

On 29 April the Government of Kosovo said it would be sending to Parliament a revised Draft Law on Interception of Electronic Communication. The Draft has undergone some positive changes but is still unacceptable in this form.

Here are the problems with it:

Interception interfaces. The first and major problem is the separate interception interface the draft provides to the intelligence agency AKI. While the draft requires court warrants for the AKI as well, in practice AKI has its own interface. The law calls for two types of electronic solutions: the monitoring facilities, placed at the authorized institutions, which would receive the feed they have been authorized for upon showing the warrant, and the interception interfaces, placed at communication companies, which do the actual feeding of the data. But AKI also gets one of these interfaces at its own facility. This is unacceptable, as it provides no means to control against abuse and practically gives the Agency, which has been scoring negative headlines daily, a carte blanche to intercept.

Data retention. Second major problem. Despite promises by the Minister and the CJEU ruling annulling the Directive, data retention is still there, albeit in a somewhat lighter version. Data to be retained for 12 months include (Article 12):

– the calling telephone number;
– the name and address of the subscriber or registered user;
– the user identification allocated;
– the user identification and telephone number allocated to any communication entering the public telephone network;
– the name and address of the subscriber or registered user to whom the internet protocol address or telephone number was allocated at the time of the communication;
– the numbers dialed, and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
– the name and address of the subscriber or registered user;
– the user identification or telephone number of the intended recipient of an internet telephony call;
– the name and address of the subscriber or registered user and user identification of the intended recipient of the communication;
– concerning fixed network and mobile telephony, the date and time of the start and end of the communication;
– the date and time of the log-in and log-off of the internet access service, together with the IP address allocated by the internet access service provider to a communication, and the user identification of the subscriber or registered user;
– the date and time of the log-in and log-off of the internet e-mail service or internet telephony service;
– concerning fixed network and mobile telephony, the telephone service used;
– concerning internet access, internet e-mail and internet telephony, the internet service used;
– the calling and called telephone numbers;
– the international mobile subscriber identity of the calling and the called party;
– the international mobile equipment identity of the calling and the called party;
– in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label from which the service was activated;
– the calling telephone number for the dial-up access;
– the digital subscriber line or other end point of the originator of the communication;
– the location label at the start of the communication;
– data identifying the geographic location of cells by reference to their location labels during the period for which communications data are retained.

Since the sponsoring Minister, Vlora Çitaku, has stated that the Draft has been approved by the European Commission, and the EU Special Representative / Head of EU Office in Kosovo, Samuel Žbogar, has said that the law, while not perfect, meets minimum standards, I wonder if the dragnet surveillance of the above data is the Commission's new interpretation of the CJEU ruling?

Authorized institutions. The Draft Law does not limit the “special laws” that could be used for issuing warrants to be complied with under this law. This means that if the law is passed in this form, permanent attention will be required to make sure that other institutions don’t get access through other less onerous laws through this back-door.

Purpose (Art 1 and 12.7). The EU directive was specifically directed at fighting serious crime, although we know that through implementation it became subject to much abuse. In the Draft the reference to the Directive has been expunged, but a limitation of scope to “serious crime” has now been introduced. This is an advancement, provided it does not get abused, which from European experience we know will happen.

Notification. The Law refers to the Criminal Code and the AKI Law as two of the legal bases for getting warrants. While the Criminal Code has the concept of notifying citizens of surveillance built in, the AKI law does not. Therefore, no citizen would be allowed to know that they had been surveilled by the AKI, since, unless otherwise expressly allowed by another law, notification is prohibited by this one. As ruled by the ECtHR, notification is a right; hence the Draft is in violation of the Convention, which Kosovo has unilaterally embraced but under which its citizens still can’t seek redress from its court, due to Kosovo not being party to the Convention.

Interception assistance (Art. 9). “Based on a lawful inquiry, in full compliance with the Criminal Procedure Code of Kosovo” the Draft allows for the breaking of anonymity of a citizen by requesting the identity of a target in preparation for the interception. Indirectly, this article states that no warrant would be required for this procedure. Furthermore, the notification principle is once again violated in this article, as notification is expressly prohibited.

Records of interception (Arts. 11 & 13). The request to keep records and provide data on the number of interception requests is a positive change in this draft. Yet this point becomes somewhat moot when considering that AKI will have its own interface. In the reporting requirements, there are no criteria about the effectiveness and indispensability of retained data in combating crime, only about the effectiveness of the ability to provide data, a point privacy advocates in Europe have argued with regard to the Data Retention Directive.

Penalties (Art. 15). For non-compliance, a network operator or service provider could be fined with a penalty of at least 86,000 EUR and up to 7% of the annual income from their economic activity in electronic communication. There are no penalties foreseen for violations that harm the privacy of citizens, clearly favoring the sharing of citizens’ data with the authorities.

Data transmission security standards (Art. 5.5). The law refers to data security standards used otherwise by the operator, or relegates this matter to secondary legislation.

There you have it.

Looking at how well done the relevant parts of the Criminal Code and the Criminal Procedure Code are, it seems to me that there could be only two reasons to push this new law: data retention and extension of AKI’s ability to tap.

One thought on “Why Kosovo’s new draft law on interception is still wrong”

  1. As for the data retention, it was already covered by the Law on Telecommunications, to the letter as per the now defunct EU directive.
    Given that the highest EU court ruled this directive was unconstitutional, it was tempting to expect that all laws transposing this directive would have to be repealed or amended shortly afterwards.
    Since Kosovo, although not a member of EU, transposed this directive in its Law on Telecommunications, by having the whole sections of this law copied to the letter directly from this directive, it was to be expected that this law would have to be repealed or amended too. If nothing else, to respect the fact that the legal base, whatever it might have been, for copying from that directive, simply does not exist anymore. Thus, it is incomprehensible to see that there is yet an additional law proposed which copies the very same sections of the same now defunct directive (see, for example, Articles 5 and 12 of the proposed law).

    And as for the issue of legal interception, it was also well covered by other laws and codes, such as the Code of Penal Procedure, the Law on Telecommunications, and the Law on Intelligence Agency.

    So, what novelties does this new law on interception essentially bring, apart from:
    – adding economic and procedural burden to telecom operators reflected on hardware, software, staff, facilities, responsibility;
    – adding the burden to Intelligence Agency who now must work with all such operators to certify their staff, inspect their software, facilities and anything in between, which, incidentally, is exactly in contradiction to the law on the agency that explicitly states that the agency can not impose any “cooperation” to third parties (see Article 3(iv) of the law on intelligence agency);
    – creating the burden of drafting exactly 16 additional secondary legislative acts (by whom?); and
    – explicitly stating that should anything in the proposed law be in contradiction with prior laws (Law on Intelligence Agency and the Law on Penal Procedure), the prior laws will prevail (see Article 18 of the proposed law)?

    How can one understand this utter lack of logic and nonsense?

    IMHO, the purpose of this law shows through in a single explicit and clear section of the law:
    Eulex is now entitled to intercept and tap on all electronic communications (Article 17, Section 4).

    The section on Eulex does not appear on the first draft which, curiously, can be still accessed on the parliament site (http://www.kuvendikosoves.org/common/docs/ligjet/04-L-173.pdf).

    If you recall, after the declaration of independence almost all laws were re-enacted by the Kosovo Parliament, usually with just one change: they had removed all references to UNMIK and other international organisations that were in charge of various areas up to the independence.
    The law on Intelligence Agency, for example, does not have Eulex mentioned anywhere in the law.
    To further illustrate the point, one may recall when some time ago Eulex tapped phone conversations of some politicians and leaked them to the public. They were received with delight by the public, but also as shocking – to say the least, by politicians and various government spokespersons that even went to say that it was entirely unlawful.

    Well, now Eulex can do it, explicitly, lawfully.

    The question remains though, do we need the whole of this embodiment of garbage regulation, just so to justify this one requirement?

    The telecom and IT sector will certainly be hurt should this proposed law be adopted by the parliament. Many small and medium providers will not survive. The sector will be left to a few big players, leading to de facto monopolies, and the most certain increase of the cost of services. Everyone providing end user access to the internet will have to also assume the role of a telecom provider and secure all and everything required by this law. This means your business, libraries, the schools, you name it, all will have to identify all their users, such as each and every student, prior to granting them internet access. And to keep the data. Should there ever come a request to have a peek at this data. For 12 months. For everyone.

    And, yes, no more free internet while having your coffee in the nearby café either.
