Blog

Policy on “research measures” for the Swedish Tax Agency

One of the more interesting questions in the second survey is whether authorities have a policy in place for dealing with collection of user data or take down of information. Unfortunately most authorities that answer the second survey do not have one of these policies in place. Recently though, the Swedish Tax Agency got around to answering the survey, answered that they have a policy, and we can now show what this policy contains! In the end, the policy does turn out to regulate things that don’t quite match our research, but there are some common elements, so it’s worth looking into.

The Tax Agency makes two distinctions when it comes to research. The first is whether the information is open or closed. Open information means information that is publicly available without having to use a login. In some cases, where a service only requires an email for verification, systems are still considered open even if you have to take active measures to get to the information. Closed systems are all systems that require creating accounts, befriending, connecting or similar steps to actually see the information. The closed parts of the internet are also the parts of the internet “that could be considered as private”.

In the same line of reasoning, they also differentiate between “normal” internet and social media, and we’ll come back to the reason for this.

The second distinction is whether the information gathering is tied to an errand that the agency is dealing with, or whether it is gathering information without a goal. They quickly disregard the second alternative as “ineffective”, but as a viable option for narrowing options before going into an active investigation.

These two distinctions end up in a grouping where different actions on different levels of openness add up to allowed or disallowed actions, creating a comprehensive list of options for investigators at the agency.

In the end, the policy of the Swedish Tax Agency is very strict about what is allowed, when an investigator needs to ask for permission and get an OK from supervisors, and when data collection is prohibited. All in all, they are pretty much only allowed to look into openly available information (where it is NOT necessary to even contact the company in question), and only rarely is it possible to go into social media, even with permission. If they do need information, there are also guidelines for what kind of identity they are allowed to take on – they always have to show either full name, or the name of the Tax Agency, or both.

We’re taking Transparency info to Europe.

Thanks to Ungdomsstyrelsen, the Swedish National Board for Youth Affairs, we have received funding to take the transparency info project to other European countries.

The study will be a comparative study of 2-3 countries, comparing legislation and practice on how authorities can, and try to, access information from IT and telecommunication corporations.

Stay tuned on this site if you want updates on the progress.

For information on the project or if you want to contribute, contact jacob.dexe@fores.se

Ekobrottsmyndigheten answers our formal inquiry

Our first formal inquiry has now been answered, but the result is not as pleasing as it could be. Ekobrottsmyndigheten, the Swedish Economic Crime Authority, has declined to give us the information we requested, citing the Freedom of Press Act (Tryckfrihetsförordningen), the Public Access to Information and Secrecy Act (Offentlighet och sekretesslagen) and their own internal statistics.

The reason for the refusal boils down to an interpretation of the Freedom of Press Act when it comes to the circumstances for giving access to documentation the authority has. According to the authority, the legal precedent (rättspraxis) requires the authority to hand out the information if – and this is an important if – the collection of materials and the research that goes into it is reasonable with regard to the range and disposition of the material that needs to be analyzed according to the request (in the original Swedish: det kan “inte krävas annan efterforskning än sådan som är rimlig med hänsyn till omfattningen och dispositionen av det material som måste gås igenom”).

The reason for it not being a reasonable amount of work for the authority is two-fold: First of all, the authority handles about 4500 cases per year, and our request covers two years, meaning 9000 separate cases. Secondly, for each case, there needs to be a validation on grounds for secrecy in regards to personal information and security. So before they can give us the material we’ve asked for, they need to first find the files of 9000 cases, make separate assessments of each according to the law, and then compile the specific information we’ve requested. That’s why they decline to hand out the information.

It is noteworthy, however, that they only cite legal precedent and not the law, something that doesn’t hold quite as much sway in Sweden as in the US. They have also informed us of how we could go about appealing (överklaga) the decision.

Opinion

The following is a translated version of an opinion piece in Swedish daily newspaper Svenska Dagbladet on the 11th of December 2013. The original can be found here.
___________________________________________
How will the open society defend itself against the threats it is facing? With what tools will the defense be organized and to what extent should these tools be used? These are some of the most important issues facing us today.

Scandals involving government surveillance have continued since this summer, especially regarding the leaks about the US National Security Agency. But Swedish authorities have also shown an increasing interest in gaining access to information about Swedish citizens stored by IT and telecom companies. Most recently, the Swedish Security Service has sought to gain direct and unrestricted access to telecom companies’ databases, without the possibility of review and safeguarding the privacy of citizens.

The issue of surveillance has also led to both diplomatic complications and loss of prestige, not only for the United States – but for the entire Western world. The eventual moral high ground that the West had against dictatorships has been undermined by revelations of secret surveillance and abuse of public trust.

While the discussion concerning privacy hasn’t always been constructive – as if the question was a binary yes or no to surveillance – we believe that the real issue is about how the open society can be protected in a manner that is reasonable, proportionate and legitimate. The Swedish self-image is that our society is based on openness and transparency, not least due to the principle of public access. But recently, that self-image has – for good reasons – started to take a turn for the worse.

We need to discuss the transparency that is necessary in a democracy, the extent to which surveillance should occur and by what means. An absolute prerequisite for such a debate is that we have transparency in the surveillance already conducted. Without it, the Swedish people can hardly debate the issue.

During 2013, Fores has worked on this project, where we try to obtain information on how Swedish authorities use surveillance, control and affect freedom on the internet. The result is depressing. Either authorities do not respond to our questions or they delay the process. Institutional weaknesses and policy problems restrict transparency. The consequence is that the Swedish people no longer know how information gathering works, who engages in it, and to what extent or for what purposes it is carried out. This is a problem for the Swedish democracy.

The situation is unacceptable. If Sweden, formerly one of the world’s most open democracies, cannot account for how authorities are monitoring their citizens’ activity online, which country can? There are a variety of shortcomings that prevent authorities from answering even simple questions about information gathering, decision making and responsibility for action against net freedom.

It’s not about the helpful and talented people working at the authorities, who often struggle to help when they receive a request: the problem is institutional. It is the lack of policies and procedures at the authorities that leaves them lacking in transparency.

Therefore Fores works to support transparency and openness in Swedish society. We want to see a Swedish transparency report for openness, so that Swedish citizens are able to determine whether the power we entrust to the state is exercised responsibly and within reasonable limits. We see it as a first step for Sweden to become the world’s most open democracy.

Who is responsible?

When questioned, several Länsstyrelser (county administrative boards) have referred to the IT unit of Länsstyrelsen i Västra Götalands län (the county board of Västra Götaland), but after contact with Mats Lilie Berg, CIO Provincial Offices IT unit, the answer was “... each one will answer for possible extradition of documents ...”. After forwarding this answer to Länsstyrelserna (the county administrative boards) we received additional responses.

Rikspolisstyrelsen (the National Police) apologizes

The Police finally answered. They answered with the 2012 annual report on the use of certain secret coercive measures (2012 årliga rapport om användningen av vissa hemliga tvångsmedel). The report is produced together with Åklagarmyndigheten (Prosecutor’s Office), Ekobrottsmyndigheten (Economic Crimes Bureau), Rikspolisstyrelsen (the National Police) and Tullverket (Customs). The joint activities of Rikspolisstyrelsen and Tullverket in the field are summarized in an appendix. With the answer comes an admission that the reading/treatment of the requests “went wrong” and that they “regret the delay.”

The appendix states that because the regulations authorizing the police to make such requests had only been in place for six months at the time of the report, they had insufficient data to properly assess the results. They had, however, made a bit over 300 different requests for user data during that time period.

Socialstyrelsen and FRA

After the latest reminder, Socialstyrelsen (The National Board of Health and Welfare) wants to discuss their answers. They answered the first questionnaire with two quick “Yes”, meaning they have tried to access user data and have requested take-downs from the internet. Now they are trying to locate the person who answered the questionnaire.

FRA, Försvarets Radioanstalt (the National Defence Radio Establishment), responded to our request to view public documents. They won’t provide any documents, but they responded that they have not contacted any Internet or online service provider, telephone company or other operator to get hold of user data or user ID, the owner of an email address, location data or other metadata. As for the documentation of FRA’s requests / demands / requests for take-down of data, information or documents from a website, web or internet service, the FRA says that they are working expeditiously to provide these.