Amidst the Covid-19 pandemic, the Norwegian government has proposed new surveillance powers for its military intelligence agency.
A bill sent to parliament two weeks ago has received little public attention even within Norway, yet it would allow the Norwegian Intelligence Service (NIS) to monitor all cross-border communication of citizens and foreigners alike, storing the metadata for up to 18 months.
Norwegian providers will be obliged to mirror communication metadata to the intelligence agency. It then may scour the metadata using search criteria known as „selectors“, provided the Oslo District court signs off on agency requests in non-public proceedings.
The government insists data from within the country should be filtered out as far as possible.
But even if some data is filtered, many internet services operate via servers in other countries. Records of billions of IP addresses and phone calls, including numbers and duration of calls, are likely to be retained.
The Norwegian government first mooted new surveillance powers in a public consultation in 2018, where they were met with considerable criticism from civil society organisations.
Norwegian defence minister Frank Bakke-Jensen says giving the intelligence agency more powers can not wait until after the pandemic. Threats from abroad needed to be acted upon swiftly, he said while presenting the law.
„While the primary concern of the government at this time is handling the coronavirus situation, we also need to continue working on other issues of importance“, Bakke-Jensen told netzpolitik.org in an e-mailed reply.
„The timing of the submission, which has been discussed with the Parliament, is not related to the coronavirus situation“, the defence minister said.
Target country: Russia
The Norwegian proposal could have consequences beyond the country, even potential geopolitical implications. Norway is a member of NATO and shares more than 200 kilometres of Arctic border with Russia.
The intelligence service, known as E-tjenesten in Norway, already helps with reconnaissance during NATO exercises on the border with Russia. The agency recently was linked to snooping activity when Russia said it had exposed a Norwegian spy on its territory.
The new law gives the Norwegian intelligence agency powers similar to those that services in Sweden, Denmark and the United Kingdom already have.
While there so far is little discussion of the proposal in the Norwegian public, it has faced resistance even within the government. The social-liberal party Venstre, a minor partner in the ruling coalition of conservatives and right-wing populists, rejects the law as invasion of privacy.
But the law is likely to receive at least some opposition votes, members of parliament have indicated. The new bill therefore has good prospects of passing.
Warnings of a slippery slope
Meanwhile, the Norwegian Data Protection Agency wants to investigate whether the law provides sufficient control over the work of the intelligence service, agency head Bjørn Erik Thon says.
The vague wording of the draft law raised doubts whether citizens would be affected by the measures. „We are convinced that this would mean mass surveillance of Norwegians,“ Thon told Norwegian news agency NTB.
Beyond concerns about the scope of the law and oversight issues, digital rights advocates see a dangerous path towards ever-wider access to the collected data.
„The Norwegian Intelligence Service can disclose collected information to the Norwegian police and other authorities in cases of threats to life, public health and the freedom of citizens“, says Jesper Lund of the Danish NGO IT-Pol.
„Electronic communications intercepted by NIS can be used as evidence in criminal cases involving terrorism.“
„These provisions represent a slippery slope since conditions for access to the retained data by other authorities are often watered down over time. In terrorism cases, there is no clear line between operations of intelligence services and law enforcement. This could easily spread to other areas“, Lund explains.
Pending court decision
Furthermore, question remain over whether the Norwegian proposal is compatible with EU law. Norway is part of the European Economic Area, it therefore follows EU law on issues such as data protection.
The EU’s ePrivacy Directive, which regulates privacy in electronic communications, has an exception for „national security“.
However, the European Court of Justice (ECJ) is set to rule within the months in a case brought against the UK Home Office by Privacy International, an NGO. The ECJ’s Advocate-General recently gave a non-binding opinion stating that national security measures did not justify unlimited data retention.
It is unclear whether the ECJ ruling would have an impact on the proposed data retention measures, the Norwegian government notes in its draft law.
However, should the EU judges in Luxembourg decide to put a curb on data retention powers of intelligence agencies, the effect will perhaps be felt all the way 3.000 kilometres north, up to the Norwegian-Russian border.