Following the recent terrorist attacks in Paris, the French government has put forward a controversial bill aimed at boosting its intelligence services. The proposal is expected to be voted into law by the Senate before Summer. The proposal brings to mind the USA PATRIOT Act and other controversial counterterrorism laws which were all rushed through under fear and later heavily.
The French intelligence bill could have a number of worrisome consequences for online rights. Civil society group La Quadrature du Net and France’s tech industry highlight a number of serious threats, notably that the bill:
- Will extend the scope of intelligence targets to include political groups, civil society, and economic and scientific organizations.
- Will introduce new technologies of mass surveillance of electronic communications. This include so-called “black boxes” or source code injected by French intelligence services on Internet service providers’ infrastructure to detect suspicious user behaviour in real time. This would bring all French under surveillance and expand monitoring to include private pictures, company trade secrets, medical records, etc.
- Will propose a new register for suspected persons and new measures to record phone calls without authorization from a judge thus undermining data privacy protections.
- Lacks any real and independent supervision to rein in mass surveillance and limit abuse.
- May not actually improved security as terrorists can utilise circumvention tools or use more traditional means of communication.
The litany of concerns with the French bill bear a striking resemblance to the widely criticized surveillance programs operated by the U.S. National Security Agency, and will undoubtedly lead to similar backlash. The USA PATRIOT Act has been interpreted to allow for the bulk collection of telephone call records, and the Foreign Intelligence Surveillance Act has similarly been used to authorize the bulk collection of international Internet communications and records. By comparison, the French legislation goes further in many ways, particularly through the collection of call content and the real-time algorithmic surveillance of the digital communications of French Internet users.
Just as the revelations about the United States’ mass surveillance authorities resulted in significant adverse consequences for the U.S. government and its economic interests, the French law obviously will lead to distrust amongst users and damage France’s image abroad as a defender of human rights.
Importantly, it will also hurt France’s growing Internet industry. As a first indication of a looming industrial exodus, one French hosting company has already announced that it will leave the country for Norway. Other Internet companies may similarly move their data centres abroad as clients correctly will worry of possible French industrial espionage via the mandated spyware. This self-handicapping of France’s Internet industry will impact other sectors in the Internet ecosystem and result in lost orders, investments, and loss of jobs.
France should look at international attempts at counterterrorism laws before enacting its own Loi de renseignement. The surveillance authorities found in the USA PATRIOT Act lowered global trust in the U.S. government and is now under reform in the U.S. Congress. The EU’s Data Retention Directive, rushed through following terrorist attacks in Madrid and London, was annulled by the European Court of Justice last year. Other national surveillance laws have also been annulled.
Fear is an effective, but troublesome motivator for legislation. France now has the opportunity to learn from other attempts at intelligence laws to enact a framework that truly ensures security, safeguards online rights, and enables digital growth.