26/02/2016

A look at the latest French laws on intelligence collection

Over the last year, the French parliament passed new laws granting additional powers to intelligence services regarding interception of communications and data requests. This is part of a broader reform aimed at creating a legal framework for intelligence practices which were not formally authorized by law before 2015. In the press, it was said that these laws allowed sweeping new surveillance powers, legalizing highly intrusive methods without guarantees for individual freedom and privacy.

This article will focus on the provisions related to communications intelligence (COMINT), including targeted telephone tapping (lawful interception or LI), metadata collection and data requests to internet service providers (ISPs). Targeted interception of the content of internet communications is not regulated by these new laws, but only by older decrees which are still a bit unclear. The new laws only cover the collection of metadata of internet communications.

In France, communications interception is authorized under two distinct frameworks:
  • Judicial interceptions ordered by a judge of inquiry (juge d'instruction) during a criminal investigation. These interceptions can be carried out by the police, by the gendarmerie (a military force charged with police duties) and by DGSI.

  • Administrative interceptions, also known as security interceptions, which are requested by both the domestic security and the foreign intelligence services. 

Administrative interceptions are approved by the Prime Minister for various motives, such as defending and supporting major national interests including national defense, foreign policy interests, economic and industrial interests, or preventing terrorism and organized crime. Whereas the United States strongly denies conducting commercial espionage in the sense of stealing trade secrets for the benefit of individual companies, France is known for being less strict on this.

The main French security and intelligence services are:
  • Direction Générale de la Sécurité Intérieure (DGSI), which reports to the Interior Ministry and is responsible for domestic security. It has some 3500 employees and an annual budget of 300 million euros. DGSI was formed in 2008 through the merger of the Direction Centrale des Renseignements Généraux (RG) and the Direction de la Surveillance du Territoire (DST) of the French National Police.
  • Direction Générale de la Sécurité Extérieure (DGSE), which reports to the Minister of Defence and is responsible for collecting foreign intelligence on civilian issues and also performs paramilitary and counterintelligence operations abroad. DGSE is responsible for both HUMINT and SIGINT.
  • Direction du Renseignement Militaire (DRM), which reports directly to the Chief of Staff and to the President of France as supreme commander of the French military. DRM is responsible for collecting military intelligence in support of the French armed forces.
  • Direction de la Protection et de la Sécurité de la Défense (DPSD), which is also part of the Ministry of Defence. DPSD is responsible for the security of information, personnel, material and facilities of the armed forces as well as the defence industry.

A special advisory commission on intelligence activities 

The French laws, such as Loi n° 2015-912 and Loi n° 2015-1556, from July and November 2015, grant the Prime Minister full authority to order and approve intelligence activities both domestic and foreign. Each collection request is sent by the intelligence service director to its parent ministry and to the Prime Minister, who gives final approval. An advisory commission known as the CNCTR (Commission nationale de contrôle des techniques de renseignement, or National Commission for the Control of Intelligence Techniques) is kept informed of all requests for oversight purposes.

In most cases, before the Prime Minister can approve a request, this control commission must receive information related to its approval, including the request justification, the identity and location of the targeted individual, or any other identifying information (occupation, username...) when his identity is unknown. The CNCTR consists of nine members: four from the Parliament, two from the Council of State, two from the Court of Cassation, and one appointed telecommunications expert. This commission is considered an “Independent administrative authority”: it is neither part of the Parliament, even though members of Parliament are among its members, nor part of the judicial branch, even though some of its members are magistrates.

The CNCTR only holds advisory power, as it cannot stop any decision from the Prime Minister regarding data requests or intelligence collection. The commission can express disapproval of a collection request, but the Prime Minister can overrule this advice and still authorize intelligence collection. The CNCTR can access all transcripts and logs from intelligence collected under the Prime Minister's authority, but it cannot compel any intelligence service to provide documents or information, and it cannot investigate any irregularity on its own. However, it can express recommendations regarding intelligence procedures and bring any irregularity to the Council of State. All debates inside the commission, as well as all its communications with the Prime Minister and intelligence services, are classified.

A special status has been granted to journalists, lawyers and members of parliament: when intelligence requests apply to them, the CNCTR must be informed just before collection starts so it can state whether the collection is necessary and proportionate. The CNCTR must also receive transcripts of the intercepted communications afterwards. The difference with regard to eavesdropping operations against regular citizens is that for them, CNCTR can access the transcripts if it asks for them, while for the privileged professions, CNCTR must receive and review them.

In theory, any individual living in France or abroad can ask the CNCTR to check if he has been placed under surveillance following proper procedure. The control commission must check for any irregularity, but can neither confirm nor deny to the individual that he has been placed under such surveillance. The commission only states that proper verification has been made, and if any irregularity is detected it can report it to the Council of State.

New provisions for domestic intelligence collection

This section applies to all main intelligence services such as DGSI, DGSE and DRM. DGSE is a foreign intelligence service, which is not supposed to operate on French territory, but it is authorized to request data and intercept domestic communications. DGSE holds most technical capabilities for decryption and high-end communications collection and provides other agencies, such as DGSI or DRM, with technical means and expertise in this regard. A recent decree provided authority to more than twenty police and gendarmerie services, some of which are not officially intelligence services, to intercept communications and request data, mostly for counterterrorism purposes. Allowing police services to collect communication intelligence is a shift from older French habits, which the French government justified by the ongoing terrorist threat. 

As in most countries, French law provides higher privacy protection to its own citizens and to people communicating from France than to people communicating from abroad, who receive little legal protection against intelligence collection. Intelligence collection under the Prime Minister's approval may apply to all electronic means of communication traced to a targeted individual, from mobile phones to landlines, to all metadata from his internet service provider, and even metadata from online services.

In France, telephone companies, ISPs and online service providers can be compelled to provide a wide range of metadata regarding a targeted user, including: technical data related to the identification of connection or subscription numbers (phone numbers, IP addresses...), a list of all connection or subscription numbers linked to a targeted individual, location data of all devices traced to a targeted individual, and call detail records (CDR).

Under the Prime Minister’s authority, telephone companies can be compelled to cooperate with intelligence services conducting targeted phone call interceptions. French intelligence services are not supposed to carry out interceptions on their own, but have to go through a dedicated government technical agency called GIC (Interministerial Control Group). The GIC operates under the Prime Minister’s direct authority, receiving approved requests and ordering telephone companies and ISPs to provide information or access to their networks for interception. Providers compelled to cooperate are forbidden to reveal any information related to interceptions or data requests, or to inform their users they have been targeted. Provider personnel refusing to cooperate could be sentenced to a 150,000 € fine and up to two years of imprisonment.

The parliament recently authorized intelligence services to use devices such as IMSI-catchers to identify and locate mobile phones or computers linked to targeted individuals. Intelligence services can only use IMSI-catchers to collect metadata, and all collected data unrelated to specified targets must be destroyed. 

Regarding domestic communications, voice communication recordings must be destroyed 30 days after collection, but transcripts can be kept “as long as necessary” by intelligence services. Metadata requested from ISPs and telcos can be stored for up to 4 years. Intercepted communications that are encrypted can be stored for up to 6 years.

A loose framework for the surveillance of foreign communications 

Fewer restrictions apply to the surveillance of foreign communications, whether collected by the domestic security service DGSI, the foreign intelligence service DGSE or one of the military agencies. The Prime Minister issues broad authorizations to intelligence services to monitor and collect communications, either for whole geographical regions, countries, organizations or individuals. The Prime Minister specifies which types of communication networks can be targeted for collection. These authorizations last for 4 months, but they can be renewed without restriction. 

Foreign intercepted communications can be kept for 1 year after processing, or up to 4 years after collection. Collected metadata can be stored for 6 years. Encrypted data can be stored for up to 6 years after decryption, or up to 8 years after it has been collected. With these retention periods, French law is stricter than, for example, American law, which allows NSA to store encrypted data for an unlimited period of time.

From French territory

The law on surveillance of foreign communications only applies to communications between users who are outside of France, but which are collected from French territory. Here it should be noted that many former French colonies spread around the globe are also considered part of French territory, and French law applies there, especially as this is stated in the latest intelligence laws.

This means that these laws not only apply to data collected from major fiber-optic cables and satellite intercept stations inside France, but also to those from the overseas satellite stations in French Guiana, on the island of Tontouta in the South Pacific and on Mayotte in the Indian Ocean - providing French intelligence with a global SATCOM coverage probably second only to that of the Five Eyes partnership. After ECHELON, this French network was dubbed FRENCHELON.

If data is collected under the foreign communications status, but is then traced back to domestic communications (call number or subscription located in France), it can be processed only if approved under the domestic communications framework; otherwise it must be destroyed within 6 months.

Outside French territory

Intelligence collection conducted by French intelligence services outside of France is not restricted by law. Because the overseas satellite stations are considered to be on French territory, this situation only applies to, for example, covert eavesdropping operations in foreign countries, as well as to tactical SIGINT collected through land, sea and airborne platforms during military operations abroad. French armed forces are based in countries such as Mali, Gabon, Djibouti and UAE. This will mainly result in the collection of communications for military purposes.

While this kind of collection is not regulated by law, it will be limited by the available resources and the specific goals set by the government in the annual PNOR (Plan national d’orientation du renseignement or National intelligence orientation plan), a classified document sent to the chiefs of intelligence services and to the parliamentary delegation for intelligence (DPR - Délégation parlementaire au renseignement), which only receives a redacted version of this document.

Automated bulk metadata collection

In July 2015, a law introduced a new automated bulk metadata collection system against terrorism. The Prime Minister can order French internet service providers to add specified metadata collection and filtering systems to their networks. The Prime Minister can issue such orders for 2 months, and they can be renewed without restriction. Data collected on ISPs' networks can be stored for up to 60 days, and would be filtered and processed by government-issued algorithms to detect terrorism-related threats. If such a threat is detected, the Prime Minister can compel ISPs to identify related users.

The development of threat-detection algorithms, and their so-called “black boxes”, should be done under supervision from the CNCTR. However, providing oversight at the hardware and software level could be very tricky and difficult, especially as algorithms would be updated and modified very regularly and it would also require specialized knowledge of such internet filter systems. 

The scope and purpose of this metadata provision is largely a mystery. At first sight it may look similar to what NSA did by collecting domestic telephone records in order to find unknown terrorist associates by contact chaining. But if that was the purpose of this French law too, then it would have been much easier to order the ISPs to hand over their metadata in bulk, just like it happened in the US. 

Actually, French telecommunications and internet service providers already have to store their customers' metadata for at least one year under the EU data retention directive. Moreover, a French legal decree even requires web hosting companies, like Facebook, Google and Amazon, to store their user data for at least one year and provide it to government authorities at their request. However, these metadata may only be used for targeted investigations, as intelligence services must provide specific requests to ISPs and web hosting companies with either the full name of a target, its user name, IP address or other identifying information.

It seems that installing "black boxes" at ISP networks serves the bulk collection of smaller sets of data: they filter traffic using specific threat-detection algorithms, so they will likely only pull in those metadata that match certain communication patterns and routines, based on digital forensics from counterterrorism investigations. The metadata would then be used to identify the users showing such patterns. 

Given the very high data rates of traffic passing through internet service providers, such filter systems are very expensive, and ISPs generally don’t like external systems to be plugged into their networks. That makes it surprising that the orders for installing them are valid for just 2 months, and although they are renewable without any limitations, it’s not clear whether these “black boxes” would be removed from ISPs' networks at the end of each order, or if they would only be turned off until further notice.

Cyber defense

Interestingly, filtering internet traffic using threat-detection algorithms sounds very much like detecting and preventing malware and cyber attacks. But except perhaps for a case in which a terrorist group conducts cyber attacks, the law precisely states that this “black box” metadata filtering and collection system can only be used to detect terrorist threats. It cannot be used for any other purpose, including cybersecurity, counterintelligence or criminal investigations.

Nonetheless, the cyber domain did receive special attention from French lawmakers in the latest regulations on intelligence. All collected intelligence which is related to cyber attacks can be stored indefinitely for technical analysis. In addition, all penalties for computer hacking and cyber-related crimes have been doubled as part of the new Law on Intelligence passed in July 2015. This fits a general shift of intelligence agencies towards “cyber”, as for example in the US, cyber threats replaced terrorism as top priority for the intelligence community since 2013.

Links and sources
http://www.theguardian.com/world/2015/may/05/france-passes-new-surveillance-law-in-wake-of-charlie-hebdo-attack
http://www.matthewaid.com/post/54752805337/french-sigint-part-ii
http://www.slate.fr/story/86395/dgse-stations-ecoute-carte-espion

Electrospaces (electrospaces.net) & Zone d'Intérêt (zonedinteret.net)

06/10/2015

U.S. Intelligence Support to Find, Fix, Finish Operations

In recent military operations such as Operation Enduring Freedom (OEF) and Operation Iraqi Freedom (OIF), US commanders have adopted F3EAD, an operational methodology created in the 1980s for US Special Operations Forces (SOF) supporting Host Nation forces in Latin America. [1] F3EAD stands for Find, Fix, Finish, Exploit, Analyze and Disseminate. The first two phases rely on intelligence capabilities to find and locate high value targets or individuals, in order to proceed with a "kill or capture" operation (Finish phase). In the exploitation phase, US forces conduct on-site collection of intelligence material, before analyzing it and making it available to commanders, and to the broader Intelligence Community (IC). F3EAD is a key component of the doctrine known as Attack the Network, a strategy designed to neutralize unconventional threats such as criminal organizations, terrorist groups and insurgencies.

High Value Individuals (HVI) are the focal point of most F3EAD missions and are defined in official doctrine as “person(s) of interest (friendly, adversary, or enemy) who must be identified, surveilled, tracked and influenced through the use of information or fires”. [2] A High Value Individual may become a target for a kill or capture operation after an evaluation by intelligence officers, and then be placed on a target list approved by the commander. Targets on the list are ranked by priority, based on a method called CARVER to assess the final impact that the removal of each target would have on the adverse network. “CARVER assigns weighted values for a target’s criticality to his insurgent cell, accessibility for capture, recognizability for positive identification after capture, vulnerability to capture, positive effect on the environment if captured, and the lack of recuperability within the insurgent network if captured.” [3] As intelligence officers reported in official literature, the target selection process, even though based on common standards, differs among targeting teams both in the priority given to certain targets and in the choice of lethal action over capture.

29/09/2015

Some notes on the CyberDef 2015 symposium

On 24 September, the first international CyberDéfense symposium was held at the École militaire, organized by the Ministry of Defence and hosting some twenty delegations from NATO member countries, as well as from the Maghreb and the Gulf.

Vice Admiral Coustillière, general officer for cyber defence at the Armed Forces General Staff, made a point of specifying in his introduction that this was a symposium devoted exclusively to the military domain and not to cybersecurity, which may explain why no ANSSI official was invited to speak in plenary session.

Joint conference of the cyber commanders
Credits: Ministère de la Défense

The Minister of Defence, Jean-Yves Le Drian, wished to point out that cyber defence issues were not absent from the theatres of operations where the French armed forces have recently been engaged, recounting that French forces in Afghanistan had been the victim of a cyber attack that temporarily cut the link between mainland France and several drones. This exposure of the armed forces to cyber risk was reiterated throughout the symposium, notably when one of the speakers indicated that the inter-allied exercise Combined Endeavor had come under cyber attacks originating from outside from its very first day. In the field of offensive cyber operations (lutte informatique offensive, LIO), the minister identified as the main objective the integration of digital combat with other forms of combat, down to tactical support for the combatant. It is also a matter of collecting intelligence to target adversary capabilities, with a view to striking them. On the subject of “cyber intelligence”, the minister recalled that the DRM had created a cyber research and analysis centre, and that the DGSE had had its own means in this area for several years. Jean-Yves Le Drian set as the objective of cyber defence action to “tend towards creating the conditions for a digital peace”. This would no doubt be a relative state of peace, since officials of the CALID (Centre d'analyse de lutte informatique défensive) report daily attacks against the networks of the Ministry of Defence.

17/04/2015

A bill that does not worry foreign intelligence

The intelligence bill was adopted at first reading in the National Assembly under an expedited procedure and after a quick debate in the law committee. Among the various measures provided for by the bill, covered in a previous Zone d'Intérêt article, is the regulation of “international surveillance measures”, which mainly concern foreign intelligence.

These regulatory measures appear in Article 3, Chapter IV of the bill and stipulate that the interception of communications “sent or received abroad” is subject to authorization by the Prime Minister, or by persons specially delegated by him. This legal provision seems to regulate the interception of communications abroad fairly precisely, with after-the-fact oversight by the future Commission nationale de contrôle des techniques de renseignement (CNCTR).

According to the explanatory statement given by the bill's rapporteur, this article aims to bring within the framework of the law the often clandestine practice of communications interception by foreign intelligence.

“This type of surveillance, which represents a crucial need, was therefore carried out without any legal framework; this bill remedies that, and it is decisive progress.”
- Excerpt from the report by Jean-Jacques Urvoas, 2 April 2015


22/03/2015

Some observations on the 2015 intelligence bill

The intelligence bill was presented on 19 March 2015 in the Council of Ministers and aims to provide a “framework law” for all French intelligence services. Its examination was accelerated following the January 2015 attacks, but it is not, for all that, a law made in reaction to events. Indeed, almost all of the measures described in this bill come from work carried out within the Fondation Jean Jaurès for more than four years. This “reform of the French intelligence services” is therefore a long-term undertaking, which has seen jolts and refusals, and of which this bill was meant to be the final stage.

A public policy without “public policy”?

The bill's explanatory statement emphasizes the long-standing wish of its creators to propose a framework law for all state intelligence activities, whose foundations are to be laid by Title I, determining “the principles and purposes of the public policy of intelligence”. However, not much remains of this public policy of intelligence in the final version of the bill, since the very mention of “public policy” that appeared in the second article of Title I has been removed.

One might have expected to find a substantive reflection on the legitimacy of the existence of intelligence services in a republic, on the ethics of the state officials who serve in them, or on the major missions they must fulfil. All that remains is a succinct summary of the intelligence cycle and a reference to the White Paper on security and national defence: the services “have as their mission, in France and abroad, the search for, collection, exploitation and provision to the Government of intelligence relating to geopolitical and strategic issues as well as to threats and risks likely to affect the life of the Nation. They contribute to the knowledge and anticipation of these issues as well as to the prevention and obstruction of these risks and threats”. The definition of the public interests entrusted to the intelligence services remains rather limited, and one may be surprised that the mention of the “prevention of the proliferation of weapons of mass destruction”, which appeared in the preliminary draft of the bill, has been withdrawn.

By not pursuing what seems to have been their original intention, the creators of the bill do not define in depth the missions of each intelligence service. For that, one will have to refer to decrees, such as the recent organic decree on the DGSE, which gives a more complete picture of the missions of foreign intelligence. By leaving to the executive the role of defining the services' missions and not including it in what is presented as a framework law, the government does not encourage a substantive debate in parliament on the essence of intelligence, its stakes, its nuances and its limits. The executive thus retains control, by decree, over the definition of the sovereign missions of the intelligence services, with the possibility of modifying them without a vote.


22/12/2014

Chinese antennas and communications interception

On 4 December, L'Obs revealed the existence of an annex of the Chinese embassy in France, located in Chevilly Larue, south of Paris. On the roof of this annex, several large parabolic antennas dedicated to satellite communications can be seen.

According to L'Obs, the Chinese embassy justifies the presence of these antennas by stating that they are used only for diplomatic transmissions to Beijing. The experts consulted by the newspaper, for their part, consider that at least two of the three large antennas are used to intercept satellite communications.

Contacted by Zone d'Intérêt, Alain Charret [1], a specialist in radio monitoring and editor-in-chief of Renseignor, considers that it is “practically impossible to visually distinguish a parabolic antenna used to provide a specific link from one intended solely for interception”.

However, given the usual practice of foreign intelligence services of installing interception stations in their diplomatic posts, the hypothesis put forward by L'Obs that this annex of the Chinese embassy is used to intercept satellite communications does not seem implausible.

Thuraya and Inmarsat? Not so sure.

One of the sources consulted by L'Obs considers that one of the antennas on the roof of the Chinese annex would be intercepting the communications of the Thuraya 2 satellite, in geostationary orbit above the Horn of Africa, while another antenna pointed west would be picking up the communications of a satellite of the Inmarsat or Intelsat constellation.

It is easy to understand why the specialist consulted by L'Obs quickly thinks of the Thuraya and Inmarsat satellites as interesting targets for the Chinese intelligence services. Indeed, the regular users of Thuraya and Inmarsat telecommunications services include major French industrial groups, but also state services. The Thuraya satellites notably relay communications of the DRM, the DGSE and the army general staff.

Nevertheless, when one pays a little attention to the commercial imagery available for this diplomatic annex, it appears that the satellites monitored by the Chinese intelligence services may not be the ones cited by L'Obs.


05/08/2014

What if Google was an intelligence agency?

Zone d'Intérêt publishes here a first article in English, co-written with the blog Electrospaces, which specializes in intelligence and communications security issues. We compare Google's data collection and technical means with those of major intelligence agencies.

Since 1998, Google has grown to become an essential part of the web infrastructure and has taken an important place in the daily lives of millions. Google offers great products, from search engine to video hosting, blogs and productivity services. Each day, users provide Google, willingly and candidly, with many different kinds of personal information, exclusive data and files. Google justifies this data collection for commercial purposes, the selling of targeted ads and the enhancement of its mostly free services.

These terabytes of user data and user generated content would be of tremendous value to any intelligence service. As former director of CIA and NSA Michael Hayden half-jokingly stated at the Munk Debates: "It covers your text messages, your web history, your searches, every search you’ve ever made! Guess what? That’s Google. That’s not NSA."

But really, how would a company like Google compare to an intelligence agency like the NSA? How would it be able to gain access to confidential information and go beyond OSINT (Open Source Intelligence)? Does Google even have the resources, data and technical capabilities to harvest all-source intelligence like a major intelligence service would?

Google's unofficial motto is "Don't be evil", but what if Google started being evil and used all of its collected information as an intelligence agency would? What if intelligence professionals had access to Google's resources and data? What would it mean for the users? And can this be prevented somehow? (It’s also rather ironic that many people now see NSA as a big evil organization, but Google collects even more.)

This is the worst case scenario we would like to explore:

What if Google was an intelligence agency?