The first phase of the SIGINT process involves the identification and formulation of intelligence priorities. The process of strategic planning should draw on insights from previous assessments of collected intelligence and their value after analysis.
- A clear and specific legal mandate is the precondition for the transparency and accountability of foreign intelligence gathering. The mandate should describe specific legal grounds, against which the permissibility and proportionality of a particular measure can be assessed. It should also stipulate what data sources or types of communications may and may not be included in SIGINT collection.
- According to the jurisprudence of the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU), bulk surveillance is only permissible when it is strictly necessary to protect the democratic institutions of society. This indicates that intelligence services of signatory countries of the European Convention on Human Rights and the European Union Charter of Fundamental Rights may only engage in bulk collection techniques in relation to clearly confined categories of serious threats to a democratic society. These categories ought to go beyond a general understanding of what constitutes a serious threat.
- Accountability for tasking: The actors involved in setting intelligence priorities play a significant role here. There may be both external planning and tasking by government officials or ministers outside the services, and internal planning and tasking by the services. External planning and tasking traditionally focus more on a strategic/political level, whereas internal planning typically includes a stipulation of data sources or types of communications.
Setting strategic goals and formulating operational priorities is a core competence of the executive. Consequently, we found only very limited involvement of oversight bodies in the tasking and planning phases. Privacy International also found that no intelligence oversight body currently possesses the power to authorize decisions to share intelligence. Clearly, this raises not just legal and operational questions but also political ones. Can a government sufficiently trust a foreign service to enter into new forms of cooperation? Interestingly, some oversight bodies have recently taken an interest in reviewing the tasking of and cooperation between intelligence services, as the following examples illustrate.
Keeping oversight bodies regularly informed about operational purposes in actual practice helps them to identify shifting priorities and assess their compatibility with the legal framework. Thus, having a legal statute that prescribes detailed purposes or uses for bulk powers is one thing. Better still is to add actual reports on how priorities have been set in practice.
- Citizenship-based discrimination: The majority of foreign intelligence laws are structured along a basic separation between “domestic” and “foreign” data. Domestic communication – defined either according to citizenship or based on territoriality – typically enjoys greater protection in most countries than what is seen as “foreign” or “overseas” communications. In a global digitized environment, however, it is very difficult to distinguish accurately between national and non-national data.
Moreover, separating populations may conflict with the principle of non-discrimination, as laid down in some national constitutions, EU law, as well as in international human rights law. In addition, although international law may not explicitly prohibit suspicionless bulk surveillance, it does not endorse it either. Democracies have an obligation to interpret their national laws with a view to their compatibility with international law. Human rights cannot be territorially restricted. This includes the right to privacy under Article 17 of the International Covenant on Civil and Political Rights, which, many people argue, cannot be construed as a club good.
But even without taking this into account, filtering such data so that it can be subjected to different data processing and data protection standards is extremely difficult. Unless the filter programs work with 100 percent precision, incidental collection of domestic data appears inevitable. No foreign intelligence service can know in advance whether national data will be swept up in its bulk collection activities. There is comprehensive evidence suggesting that no filter system can sufficiently sort out domestic communications from an internet data stream. Even communications that are sent and received within the same country can be routed via third countries. The technical features of packet-based transmissions of communications on the internet make it practically impossible to clearly delineate a complex data category such as “German citizen.” Even if filters were to attain approximately 99 percent accuracy, in the sphere of bulk collection, where millions of communications are intercepted indiscriminately, such a small percentage of wrongly categorized communications data amounts to large-scale infringements of the right to privacy of thousands of people. Consequently, poorly documented and designed filter systems do not assuage concerns about the chilling effects on certain fundamental rights and the possible violations.