ISS: No good alternative to retaining telecoms metadata for a long time

Estonia will have fewer tools with which to ensure national security should the Internal Security Service (ISS) lose access to telecoms' metadata in recent volume, the agency's chief of bureau Harrys Puusepp told Vikerraadio.
In light of a recent circuit court ruling, there has been considerable discussion about the retention of individuals' communication data, which telecommunications companies are required to store for potential criminal investigations, as well as for other reasons mandated by the state. The Ministry of Justice has recognized the need to amend the current practice of a one-year universal retention period. However, a note of concern consistently surfaces in ministry discussions: what should be done about security agencies, which also make use of this data?
Harrys Puusepp, the Electronic Communications Act orders telecommunications services providers to retain data on who called or texted whom and when, as well as in which cell tower's area the devices involved were at the time. This data used to be available in criminal investigations. Now, the courts have determined that such a blanket data retention obligation is not allowed. However, this data is also used by security services, the ISS and the Foreign Intelligence Service (EFIS). What do you use it for?
Various experts have covered why the data is used in criminal proceedings. Now, our peculiarity as a security service is that we are not just concerned with the past – the what happened, who did it and how – but must be able to foresee national security threats and react appropriately. If we have information to suggest someone is planning an attack or to take hostile action against Estonia, we are obligated to react.
Our first task is prevention, but we also investigate crimes against the state once committed. In order to navigate these threats, the information on which is not always complete or reliable, we need to be able to go back in time to look for the missing puzzle pieces.
This is where telecoms data comes in as an important tool for investigating people's possible involvement and/or ruling out suspects. This method of elimination is crucial if you are basically looking for a needle in a haystack.
Figuratively speaking, if we have information to suggest the needle is hot, that it might catch fire, do we have the magnet with which to extract the needle from the haystack, without causing it to collapse or burn down? Telecoms data is not our only tool for this, but it is an important one.
While criminal investigators needed court permission to access communications data, security services have different rules. In their case, accessing telecoms metadata does not require active criminal proceedings, and permission from the ISS director is enough. How high is the threshold? In which cases is this permission granted, and what does it mean that you need to have an existing piece of information?
I would emphasize once more for clarity that we're not talking about communications data in terms of the contents of messages or who phoned whom or where they were at the time. For example, we need an indication to suggest a particular phone number might be connected to a particular location or a potential threat, to try and find that crucial piece of information if we have nothing else to go on.
Let's say you learn of a meeting where actions harmful toward Estonia may have been discussed. Can you rely on telecommunications data if you want to know who attended?
Communications data is no magic wand, but it is an important tool with which to catch on faster and more effectively. Especially when dealing with time-critical matters or large data volumes. For example, it helps if you need to find the potential threat from among a lot of people. But there are no unjustified use cases, simply looking at everyone's communications data. It is a lot of routine work for us.
How many people are affected by such [surveillance] permits?
They concern people who might have been in a particular area in cases where we need information quickly. They may also concern people who have been in contact with a person we're looking at.
Let me put it this way – the Prosecutor's Office applies for 300-400 surveillance permits in a few hundred different criminal cases every year. I take it your number is considerably bigger?
It is considerably bigger, while I couldn't give you an exact figure.
What's the ballpark? Are we talking about 1,000 annual permits? Before the law was amended, the prosecution didn't need court permission to access the data and made 2,000-3,000 requests for information annually. Are we talking about 1,000-10,000 permits every year in the case of the ISS?
I would stick with my initial answer that it is many times more. Because we are not looking at specific events or individuals and are still looking for people who might be involved. There is also a technological aspect here, and as it is sometimes necessary to make several inquiries for data associated with a single person, the statistics can be somewhat misleading.
At the same time, a single request for location data might concern a hundred people.
It depends on what kind of information is needed. For example, which phone numbers were in a particular area. Such communications data also includes IP addresses, internet traffic, where it is crucial for us in the field of cyber crime to understand certain movements, who may have been involved with cyberattacks, so it is largely metadata. Now, the problem is that if this kind of data is not retained, we simply won't have it.
What is the user experience like on the ISS side? I mean it is surely not a case of the ISS director granting permission and an ISS operative then knocking on a telecom's door to request access for an eventual email with the data. I take it there is an electronic bridge. You log in with your ID-card, look up the data you have permission to access, move it to your system and then analyze it more thoroughly. Is this a more or less accurate description?
Talking about our methods in detail makes me a little fidgety, but there is a technological solution in place and layers, which make sure the operative only gets to access the data they requested. This is an important thing to note to avoid a misconception.
What do you do next with the data? I mean there are probably thousands of lines of information, and I doubt a person goes over all of it to see whether a number phoned another or who is behind a phone number. I take it that you use algorithms for risk analysis?
I'm no IT expert of course. Suffice to say there is a technological tool, while the ability to understand which parts of the information are important boils down to people. Technology helps, but robots do not draw conclusions for us just yet.
Next, the information is put in a case file and classified for 50 years, except if it comes up in a criminal matter.
Even when we are investigating crimes, we do not rely solely on communications data, which also goes for other activities that require court permission. When we need surveillance on a suspect, the relevant permission will need to be based on more than communications data. Otherwise, we know in advance we'll lose access to this evidence, which might be crucial for solving the case and ascertaining the truth. We usually do not take that risk anymore.
By the way, the rules for covert surveillance are more or less the same. Permission needs to come from the ISS director general, while in some cases, people need to be notified of the fact they were monitored should the case not culminate in criminal proceedings. How many such permits are issued?
I cannot tell you off the top of my head. The Office of the Chancellor of Justice has the power of supervision over different ways of gathering intelligence to ensure people's basic rights. They monitor our activities from time to time to make sure we, including our inner regulations, do enough to ensure basic rights and for there to be no practical human rights violations. I have not heard of relevant problems, there is supervision and control, and we use the data responsibly.
Let us come back to what the courts have said. Markko Künnapu, penal law adviser at the Ministry of Justice, told ERR that telecoms can be required to retain all communications data if there is a direct threat to national security. In other words, the European Court of Justice finds that the current legal obligation of retaining all communications data should be taken out of the law and replaced with an obligation to retain data for a certain area and during a certain time period. How would that affect the work of the ISS?
That would depend on said national security situation. But as far as I understand, the Court of Justice decisions do not suggest security agencies cannot use the data moving forward.
The question is whether blanket retention of data is a problem. But the question I'd like to ask is whether we'll have fewer tools for ensuring national security, which all signs suggest is only set to become more strained in Europe, in a situation where, according to the EU base treaties, it is the sole responsibility of member states? Will it result in security threats Estonia faces growing to a point where we'll need to say that national security faces a direct threat, which is why we need to retain the data?
I would like to hope things won't go that far. We will do our best to try and manage these risks enough to avoid having to say there is a direct national security threat, which there generally is not presently, even though there are worrying incidents taking place in Estonia and Europe.
To quote Markko Künnapu again, there cannot be a situation where data is retained all over Estonia following the excuse of direct threat, as it would clash with what the Court of Justice has found. I'll ask again, what would it mean for the ISS to lose access to data in recent form? You can request business-related data, and the telecoms have said that they'd retain three months' data.
Our ability to check or make sure whether threats we have indications of could manifest would be less. We would have a much smaller window in which to check if a piece of information suggests something important happened six months ago. In terms of whether there are any good alternatives – I don't know what they could be.
We're always talking about the threat posed by Russian special services, but do I understand it right that you use the same tools for corruption prevention?
Talking about communications data, it is a tool for us in almost all fields – cybersecurity, protection of state secrets, security checks to determine whether a person can access classified information.
While people consent to their data being checked in the latter case, again, if we have nothing to analyze, we won't know whether the person may have lied about something that happened in the past. Things could get very difficult.
Also as concerns, as you mentioned, corruption cases. We are talking a lot about Russia, and for good reason, but what matters next to who might attack us is how vulnerable to attack we are ourselves, and we know from Ukraine's experience that Russia wanted to undermine Ukraine as much as possible, including through corruption, which is considered Russia's number one export.
Corruption is a source of inner weakness also for us and could become a security threat in certain cases and regarding specific people.
Editor: Marcus Turovski, Mari Peegel