it
en
fr
es
eo
Nl
Unrest in the spanish Internet. Statement of Arturo Quirantes Sierra
Tweet
Taller de Criptografía: http://www.ugr.es/~aquiran/cripto/cripto.htm
The XXI century does not seem to be good for privacy. In the aftermath of the 9/11 events, governments all over the world are setting a digital iron curtain on cyberspace. The process, which started back in the 50s with the birth of the UKUSA alliance, is speeding up and will shape the relationship between the rulers and the ruled for the next generations.
The case of Spain is typical of this trend. Several initiatives are being prepared to curb civil liberties in cyberspace. They have been justified in terms of both national security and e-commerce. Their names: CNI and LSSI
I – CNI: The National Intelligence Center
In late 2.001, Congress approved the National Intelligence Center (CNI) bill. The CNI is Spain´s new intelligence service, replacing the old military service (CESID). It is fashioned in the same line as the american CIA or the british MI5/MI6. Among other tasks, it will obtain, evaluate and interpret intelligence to protect Spain´s vital interests; promote cooperation with other countries´ intelligence bodies; obtain “signal traffic of strategic nature” (sigint); and other tasks like cryptologic assessment. It will be authorized to establish cooperation links with other law-enforcement bodies (customs, police).
The CNI does show the “influence” of the anglo-saxon intelligence community, not only in their tasks (sigint, international cooperation, intelligence collection and evaluation) but also in its nature and structure: its role will be defined by an annual “intelligence directive”, will report to a government´s cabinet committee, the CNI´s director will play the role of National Intelligence Authority and lead the –still secret- National Criptologic Center... and the bill itself claims to be “inspired in the model of countries in our political and cultural environment”
One of the things that scared the political opposition is that CNI agents needing a court order (for subreptitious entries, bugging, home tapping) could obtain them afterwards. An amendment requires a court order –from a special judge- prior to any such action. There is also a legislative overseeing: a Congress Commission will oversee the CNI´s work.
However, there are two cases in which congress member will not have access to information:
a) when related to sources and means used by the CNI, and
b) when the information comes from foreing intelligence services and international bodies, when information-exchange agrements so state.
That means that information passed on by the CIA, NATO, or obtained with foreign Echelon-style systems will not be accountable to legislative control at all. This will leave a door open to abuse, since there´ll be no guarantee that such information has been obtained, transferred or exchanged following the spanish law code (including privacy/data protection,). Apparently, such trapdoor has not been noticed by policymakers (not couning the government, of course).
There are strong indications that both domestic and foreign intelligence agencies are using and abusing their surveillance powers. One example is the joint naval base of Rota (in southeastern Spain, near the city of Cádiz). For a long time –it might be as long as 40 years-, US naval personnel assigned to the Naval Security Group (a section of the US Navy performing surveillance and cryptanalysis for the NSA) have been stationed in Rota, working in what is called an elephant-cage antenna.
In April 2002, a new defense agreement was signed between Spain and the US, calling for the enlarging of the Naval Security Group detachment at Rota (from 100 to 180 people). It also authorized some US intelligence bodies to work in criminal matters concerning threats to US personnel. According to the spanish foreign affairs minister, “it´s been so for many years”
There are other, more serious, echelon-like activities being carried out by spanish intelligence and law-enforcement bodies in Spain. They range from direct tapping of trunk telephone lines to interception of satellite communications. Unfortunately this writer is not authorized to comment further on this subject (research is still being made and will be made public in due time), but it show that the Echelon scheme of all-out tapping is also being “made in Spain”
In July 2.001 President Bush and Prime Minister Aznar announced an increase in cooperation against terrorism; according to some sources, the US would put the Echelon resources available to spanish security forces in their fight agains the basque terrorist group ETA. This shows that the Spain-US antiterrorist cooperation has been strong even before September 11.
A personal point has to be made in Aznar´s concern on terrorism. Not only his party (the conservative Popular Party) has lost many members, including councilmen and former ministers to ETA bombs and bullets, but he himself was a terrorist target. Whlie still a presidential candidate, his car was nearly blown out by a bomb; only his car´s armour saved him.
II – LSSI: the Information Society Services Bill
In May 2.001, spanish internauts were awakened by an alarm call by the security/privacy web portal Kriptopolis (http://www.kriptopolis.com), alerting of a threat called LSSI. Short for “Information Society Services Bill”, it was originally intended to comply with the European Parliament Directive 2000/31 on certain legal aspects of electronic commerce.
The problem is, for many people in Spain the LSSI goes far beyond that. It intends to legislate not on “certain aspects” but on the entire concept of “information society services”, with special emphasis on the obligations and responsibilites of service providers. In the first draft version, wide powers were to be given to the so-called “administrative authorities”. It was unclear what an administrative authority is, but it could be interpreted so that a government official (not necessarily police or judge) can order a digital publication off the Internet. Other nasty articles lurked the law, like the heavy regime of responsibilities on service providers; basically, they had to obey prompty and without hesitation the order of judicial or “administrative” authorities, under heavy penalties. Those orders could include the erasure of web pages, blocking of traffic and even blocking of services provided from other countries (a sort of digital Iron Courtain). Responsibilites were defined even for the setting up of hyperlinks or search engines, something the Directive did not contemplate.
Why bother if you are an average netizen? Because the definition of “information society service” (ISS) is so broad that virtually the entire spanish Internet fit into it. Not only e-commerce, but the average Pepe Navegador with a small banners in his personal webpage were considered an ISS. The criterion of “there´s an ISS whenever there´s an economic activity” is quite broad and ambiguous.
This, along with the secrecy surrounding the bill, scared many spanish citizens. With kriptopolis (a well-known and respected, but essentially noncommercial, project) on the lead, several initatives were carried out to stop this bill. A fraction of the spanish cybercitizens aligned themselves with the government view. Basically, it was an association (let´s called it X) with close links to some high-ranking officials in the Ministry of Science and Technology. I won´t give names –I don´t want to contribute to a civil cyberwar.
But most other internauts, along with the industry and ISP community, took sides on the other side of the Force. What the spanish government thougt would be settled by the summer of 2.001 took a whole year more. The deadline of Jan 17 2002 passed, the date at which the Directive was supposed to be taken into national law.
Eventually, the government´s party (the conservative Popular Party) used its absolute majority to its full extent. In spite of all efforts from the opposition parties, the LSSI was passed through Congress. It then went to the Senate. There, to add insult to insult, the LSSI was approved on June 20... the same day that a general stike paralyzed the country, as a protest against another unpopular government bill (a decree on social protection, concerning specially the unemployed).
A remarkable fact is that the government party passed a new amendment calling for all service providers to keep all traffic data for up to one year. The concerned reader will recall a bitter debate at European level concerning another Directive: COM(2000)385, concerning the privacy of electronic communications. One of the most controversial points was an article forbidding the storage of traffic data. In spite of the European Parliament´s LIBE Committee, the EP deleted that article, thus allowing national governments to set up national “data warehouses”
The first LSSI draft carried that obligation, but it was deleted in subsquent drafts. People´s concerns about the LSSI explains why, when a campaign was launched to stop the data-storage initiative (http://www.stop1984.com) with an open letter, it was signed by 17.000 people ... with spaniards on the lead (over 6.000 signatures).
But at the last moment of the LSSI tramitation –barely three days after the Directive was finally approved and the data storage given green light- the government party re-created an amendment calling for the storage of traffic data for up to one year. This way, Spain now requires that its citizens be considered suspects until proven otherwise, following a way lead by the US, the Uk and other countries.
This writer wouldn´t like to give the impression that the LSSI war was dull or boring. An entire year of bitter warfare cannot be properly described in a few lines. All I can do is describe the current situation. At the moment of writing this (4 July), the LSSI has been in the official Bulletin of Parliament. It´s only a matter of time until the law is officially published in the State Official Bulletin; three months after that, the LSSI will be an enforceable law.
Is this the end of spanish liberty in cyberspace? Not coincidentially, we are the land of the Quixote, and we refuse to give up a fight even if the chances of winning it are none. Fortunately, there´s still ground to fight. There´s a new campaign (again, led by Kriptopolis) to take the LSSI to the Constitutional Court (TC). The goal is to have the TC declare that the LSSI goes agains the spanish Constitution, and is therefore void and null. In order to achieve this goal, an official petition has to be made by any of the following groups: 50 congressmen, 50 senators, the People´s Defender (Ombudsman) or the head of any of spain´s regional governments.
Many messages are in this moment being addressed to those groups trying to convince them to take to matter to the TC. Kriptopolis´ campaign will close on July 15. And afterwards? Nobody knows. But something is for sure: we won´t stop. Don Quixote will ride on and charge the windmills over and over again ... until they collapse.
REFERENCES:
Unfortunately, there´s little information other than in Spanish. Hope this helps:
“US wins spain´s favour with offer to share spy network material (www.smh.com.au June 18, 2001)
“US offers to spy on ETA for Spain (www.guardian.co.uk/Archive/Article/0,4273,4204464,00.htm The Guardian)
SPAIN – New intelligence agency (Statewatch vol. 12 nº 1, Jan-Feb 2002; maybe there´s an online version at www.statewatch.org)
Taller de Criptografía (author´s website: http://www.ugr.es/~aquiran/cripto/cripto.htm). Info on the LSSI in the “No queremos vivir así” (“we don´t want to live like this), and “Informes” (Reports) sections. Also some information on Enfopol and the data privacy Directive in the “Enfopol Zone” (both spanish and english!)
More information on the LSSI (sorry, mostly spanish) at:
http://villanos.net/makypress
http://mienten.com
http://www.kriptopolis.com
And, of course, a google search (CNI, LSSI) will also help!
The XXI century does not seem to be good for privacy. In the aftermath of the 9/11 events, governments all over the world are setting a digital iron curtain on cyberspace. The process, which started back in the 50s with the birth of the UKUSA alliance, is speeding up and will shape the relationship between the rulers and the ruled for the next generations.
The case of Spain is typical of this trend. Several initiatives are being prepared to curb civil liberties in cyberspace. They have been justified in terms of both national security and e-commerce. Their names: CNI and LSSI
I – CNI: The National Intelligence Center
In late 2.001, Congress approved the National Intelligence Center (CNI) bill. The CNI is Spain´s new intelligence service, replacing the old military service (CESID). It is fashioned in the same line as the american CIA or the british MI5/MI6. Among other tasks, it will obtain, evaluate and interpret intelligence to protect Spain´s vital interests; promote cooperation with other countries´ intelligence bodies; obtain “signal traffic of strategic nature” (sigint); and other tasks like cryptologic assessment. It will be authorized to establish cooperation links with other law-enforcement bodies (customs, police).
The CNI does show the “influence” of the anglo-saxon intelligence community, not only in their tasks (sigint, international cooperation, intelligence collection and evaluation) but also in its nature and structure: its role will be defined by an annual “intelligence directive”, will report to a government´s cabinet committee, the CNI´s director will play the role of National Intelligence Authority and lead the –still secret- National Criptologic Center... and the bill itself claims to be “inspired in the model of countries in our political and cultural environment”
One of the things that scared the political opposition is that CNI agents needing a court order (for subreptitious entries, bugging, home tapping) could obtain them afterwards. An amendment requires a court order –from a special judge- prior to any such action. There is also a legislative overseeing: a Congress Commission will oversee the CNI´s work.
However, there are two cases in which congress member will not have access to information:
a) when related to sources and means used by the CNI, and
b) when the information comes from foreing intelligence services and international bodies, when information-exchange agrements so state.
That means that information passed on by the CIA, NATO, or obtained with foreign Echelon-style systems will not be accountable to legislative control at all. This will leave a door open to abuse, since there´ll be no guarantee that such information has been obtained, transferred or exchanged following the spanish law code (including privacy/data protection,). Apparently, such trapdoor has not been noticed by policymakers (not couning the government, of course).
There are strong indications that both domestic and foreign intelligence agencies are using and abusing their surveillance powers. One example is the joint naval base of Rota (in southeastern Spain, near the city of Cádiz). For a long time –it might be as long as 40 years-, US naval personnel assigned to the Naval Security Group (a section of the US Navy performing surveillance and cryptanalysis for the NSA) have been stationed in Rota, working in what is called an elephant-cage antenna.
In April 2002, a new defense agreement was signed between Spain and the US, calling for the enlarging of the Naval Security Group detachment at Rota (from 100 to 180 people). It also authorized some US intelligence bodies to work in criminal matters concerning threats to US personnel. According to the spanish foreign affairs minister, “it´s been so for many years”
There are other, more serious, echelon-like activities being carried out by spanish intelligence and law-enforcement bodies in Spain. They range from direct tapping of trunk telephone lines to interception of satellite communications. Unfortunately this writer is not authorized to comment further on this subject (research is still being made and will be made public in due time), but it show that the Echelon scheme of all-out tapping is also being “made in Spain”
In July 2.001 President Bush and Prime Minister Aznar announced an increase in cooperation against terrorism; according to some sources, the US would put the Echelon resources available to spanish security forces in their fight agains the basque terrorist group ETA. This shows that the Spain-US antiterrorist cooperation has been strong even before September 11.
A personal point has to be made in Aznar´s concern on terrorism. Not only his party (the conservative Popular Party) has lost many members, including councilmen and former ministers to ETA bombs and bullets, but he himself was a terrorist target. Whlie still a presidential candidate, his car was nearly blown out by a bomb; only his car´s armour saved him.
II – LSSI: the Information Society Services Bill
In May 2.001, spanish internauts were awakened by an alarm call by the security/privacy web portal Kriptopolis (http://www.kriptopolis.com), alerting of a threat called LSSI. Short for “Information Society Services Bill”, it was originally intended to comply with the European Parliament Directive 2000/31 on certain legal aspects of electronic commerce.
The problem is, for many people in Spain the LSSI goes far beyond that. It intends to legislate not on “certain aspects” but on the entire concept of “information society services”, with special emphasis on the obligations and responsibilites of service providers. In the first draft version, wide powers were to be given to the so-called “administrative authorities”. It was unclear what an administrative authority is, but it could be interpreted so that a government official (not necessarily police or judge) can order a digital publication off the Internet. Other nasty articles lurked the law, like the heavy regime of responsibilities on service providers; basically, they had to obey prompty and without hesitation the order of judicial or “administrative” authorities, under heavy penalties. Those orders could include the erasure of web pages, blocking of traffic and even blocking of services provided from other countries (a sort of digital Iron Courtain). Responsibilites were defined even for the setting up of hyperlinks or search engines, something the Directive did not contemplate.
Why bother if you are an average netizen? Because the definition of “information society service” (ISS) is so broad that virtually the entire spanish Internet fit into it. Not only e-commerce, but the average Pepe Navegador with a small banners in his personal webpage were considered an ISS. The criterion of “there´s an ISS whenever there´s an economic activity” is quite broad and ambiguous.
This, along with the secrecy surrounding the bill, scared many spanish citizens. With kriptopolis (a well-known and respected, but essentially noncommercial, project) on the lead, several initatives were carried out to stop this bill. A fraction of the spanish cybercitizens aligned themselves with the government view. Basically, it was an association (let´s called it X) with close links to some high-ranking officials in the Ministry of Science and Technology. I won´t give names –I don´t want to contribute to a civil cyberwar.
But most other internauts, along with the industry and ISP community, took sides on the other side of the Force. What the spanish government thougt would be settled by the summer of 2.001 took a whole year more. The deadline of Jan 17 2002 passed, the date at which the Directive was supposed to be taken into national law.
Eventually, the government´s party (the conservative Popular Party) used its absolute majority to its full extent. In spite of all efforts from the opposition parties, the LSSI was passed through Congress. It then went to the Senate. There, to add insult to insult, the LSSI was approved on June 20... the same day that a general stike paralyzed the country, as a protest against another unpopular government bill (a decree on social protection, concerning specially the unemployed).
A remarkable fact is that the government party passed a new amendment calling for all service providers to keep all traffic data for up to one year. The concerned reader will recall a bitter debate at European level concerning another Directive: COM(2000)385, concerning the privacy of electronic communications. One of the most controversial points was an article forbidding the storage of traffic data. In spite of the European Parliament´s LIBE Committee, the EP deleted that article, thus allowing national governments to set up national “data warehouses”
The first LSSI draft carried that obligation, but it was deleted in subsquent drafts. People´s concerns about the LSSI explains why, when a campaign was launched to stop the data-storage initiative (http://www.stop1984.com) with an open letter, it was signed by 17.000 people ... with spaniards on the lead (over 6.000 signatures).
But at the last moment of the LSSI tramitation –barely three days after the Directive was finally approved and the data storage given green light- the government party re-created an amendment calling for the storage of traffic data for up to one year. This way, Spain now requires that its citizens be considered suspects until proven otherwise, following a way lead by the US, the Uk and other countries.
This writer wouldn´t like to give the impression that the LSSI war was dull or boring. An entire year of bitter warfare cannot be properly described in a few lines. All I can do is describe the current situation. At the moment of writing this (4 July), the LSSI has been in the official Bulletin of Parliament. It´s only a matter of time until the law is officially published in the State Official Bulletin; three months after that, the LSSI will be an enforceable law.
Is this the end of spanish liberty in cyberspace? Not coincidentially, we are the land of the Quixote, and we refuse to give up a fight even if the chances of winning it are none. Fortunately, there´s still ground to fight. There´s a new campaign (again, led by Kriptopolis) to take the LSSI to the Constitutional Court (TC). The goal is to have the TC declare that the LSSI goes agains the spanish Constitution, and is therefore void and null. In order to achieve this goal, an official petition has to be made by any of the following groups: 50 congressmen, 50 senators, the People´s Defender (Ombudsman) or the head of any of spain´s regional governments.
Many messages are in this moment being addressed to those groups trying to convince them to take to matter to the TC. Kriptopolis´ campaign will close on July 15. And afterwards? Nobody knows. But something is for sure: we won´t stop. Don Quixote will ride on and charge the windmills over and over again ... until they collapse.
REFERENCES:
Unfortunately, there´s little information other than in Spanish. Hope this helps:
“US wins spain´s favour with offer to share spy network material (www.smh.com.au June 18, 2001)
“US offers to spy on ETA for Spain (www.guardian.co.uk/Archive/Article/0,4273,4204464,00.htm The Guardian)
SPAIN – New intelligence agency (Statewatch vol. 12 nº 1, Jan-Feb 2002; maybe there´s an online version at www.statewatch.org)
Taller de Criptografía (author´s website: http://www.ugr.es/~aquiran/cripto/cripto.htm). Info on the LSSI in the “No queremos vivir así” (“we don´t want to live like this), and “Informes” (Reports) sections. Also some information on Enfopol and the data privacy Directive in the “Enfopol Zone” (both spanish and english!)
More information on the LSSI (sorry, mostly spanish) at:
http://villanos.net/makypress
http://mienten.com
http://www.kriptopolis.com
And, of course, a google search (CNI, LSSI) will also help!
