Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


  Finland

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

In Finland, the legal framework allows for the use of spyware as a tool of targeted surveillance both in criminal and in civilian and military intelligence investigations (see in more detail below). There is no explicit prohibition on the use of spyware, and the domestic legal framework does not define spyware. Instead, the legal framework employs the generic notion of “software” or “programme” (see e.g. Section 42 of the Coercive Measures Act; and Section 42 of the Act on Military Intelligence below).
The legal framework regulating the use of Pegasus and other equivalent spyware in the context of criminal investigations.
The legal framework regulating the use of spyware in the context of criminal investigations is provided by Section 26 (Installation and removal of a device, process or program) of the Coercive Measures Act.
Section 26 – Installation and removal of a device, process or program
(1) A criminal investigation official has the right to install a device, procedure or program to be used in technical surveillance in the object, substance, property, premises or other place that is targeted, or into an information system, if the performance of the surveillance requires this. In so doing the criminal investigation official has the right, in order to install, take into use or remove a device, procedure or program, to enter covertly the premises or other place or information system referred to above and to bypass, uninstall or in another corresponding manner temporarily avert or hamper the protection on the objects or the information system. Separate provisions apply to search of a domicile.
(2) A device, procedure or program for technical surveillance may be installed in premises used as a permanent residence only if the court has granted a warrant for this on the request of an official with the power of arrest.
The legal framework regulating the use of Pegasus and other equivalent spyware in the context of civilian and military intelligence
Section 42 of the Act on Military Intelligence regulates the use of spyware in the context of military intelligence gathering as follows:
Section 42
Installation and removal of a device, process or software
A public official serving a military intelligence authority has the right to install a device, process or software used for telecommunications interception, collecting data other than through telecommunications interception, data traffic monitoring, on-site interception, technical observation, technical tracking or technical surveillance of a device in the object, substance, item of property, premises or other location or in the information system targeted by the action if the use of the said intelligence collection method necessitates this. To install, start using or remove a device, process or piece of software, a military intelligence authority official has in this case the right to secretly go to the said targets or information system and to circumvent, dismantle or in some other similar way temporarily bypass the protection of the target or information system or to impede it. The installation or removal of a device, process or piece of software may not be performed at premises used for permanent residence.
The Police Act has an identical provision on the use of spyware in the context of civilian intelligence.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

There are no specific rules in place. Instead, the general rules on targeted surveillance (interception of communications) apply.

3. What kind of data, if any, could be collected with spyware?

There are no specific rules limiting the collection of data with spyware. However, there are general rules on prohibitions of intelligence collection. For instance, Section 82 of the Act on Military Intelligence provides that telecommunications interception, collecting data other than through telecommunications interception, on-site interception, technical observation, radio signals intelligence or network traffic intelligence shall not be targeted at communications or information in respect of which a party may not testify or has the right to refuse to testify under chapter 17, section 13, 14, 16, 20 or section 22, subsection 2 of the Code of Judicial Procedure. These provisions of the Code of Judicial Procedure relate to professional secrecy in the relationship between a lawyer and his client, clergy privilege and doctor-client privilege. Similar provisions can be found in the Coercive Measures Act and the Police Act.

4. Has there been any official evaluation of the need for, or added value of, spyware?

Up until now, there has not been any official evaluation of the need for, or added value of, spyware. The annual reports by the Intelligence Ombudsman – who is responsible for overseeing the legality of civilian and military intelligence and the implementation of fundamental and human rights in intelligence activities – are silent on the use of spyware, and the need for, or added value of, spyware.

5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

Criminal and civilian and military intelligence investigation methods vary widely, with the choice of method adapted to the nature of the threat in question. Depending on the method used, decisions on the use of criminal and intelligence collection methods are made by a court, the Director of the Finnish Security and Intelligence Service or the head of intelligence operations. In each case, the Finnish Security and Intelligence Service must justify why the use of the method is necessary. While most measures of targeted surveillance in criminal and civilian and military intelligence require authorisation by a court, the installation and removal of a device, process or software does not need authorisation by a court. Instead, Section 42 of the Act on Military Intelligence on installation and removal of a device, process or software simply provides that “(a) public official serving a military intelligence authority has the right to install a device, process or software used for telecommunications interception, collecting data other than through telecommunications interception, data traffic monitoring, on-site interception, technical observation, technical tracking or technical surveillance of a device in the object, substance, item of property, premises or other location or in the information system targeted by the action if the use of the said intelligence collection method necessitates this.” Section 26 of the Coercive Measures Act contains an essentially similar provision on the installation and removal of a device, process or software in criminal and civilian intelligence investigations.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

The system of oversight constitutes a combination of both legal and parliamentary mechanisms of oversight in which various actors are charged with the task of oversight of criminal and intelligence investigations as follows.
The Intelligence Ombudsman
The Intelligence Ombudsman oversees both the civilian intelligence and military intelligence authorities: the Finnish Security and Intelligence Service (Suojelupoliisi/Skyddspolisen), the Intelligence Division of the Defence Command (Pääesikunnan tiedusteluosasto/Huvudstabens underrättelseavdelning) and the Finnish Defence Intelligence Agency (Puolustusvoimien tiedustelulaitos/Försvarsmaktens underrättelsetjänst). According to Section 15 of the Act on the Oversight of Intelligence Gathering, the Intelligence Ombudsman has competence to order the use of the intelligence method to be suspended or stopped if the Ombudsman considers that the intelligence authority has acted unlawfully in intelligence gathering. The Intelligence Ombudsman can also order the intelligence method authorised by the court to be suspended or stopped, but only with a temporary order. This temporary order must be submitted to the court without any delay. The court can then confirm or cancel the temporary order or amend the order. Individuals can file investigation requests and complaints to the Intelligence Ombudsman. The complainant will receive a response to the complaint, but the content of the response should be considered on a case-by-case basis. Furthermore, a response is provided to investigation requests, but such a response would only state that the investigation has been carried out.
The Intelligence Oversight Committee of Parliament
The Intelligence Oversight Committee of Parliament carries out parliamentary oversight. The Committee oversees the proper implementation and appropriateness of intelligence operations, monitors and evaluates the focus areas of intelligence operations, monitors and promotes the effective exercise of fundamental and human rights in intelligence operations, prepares reports by the Intelligence Ombudsman and processes the supervisory findings of the Intelligence Ombudsman.
The Parliamentary Ombudsman and the Chancellor of Justice of the Government
The Parliamentary Ombudsman and Chancellor of Justice of the government carry out supreme oversight of legality in Finland (for their duties, see Section 108 and Section 109 of the Constitution). The Parliamentary Ombudsman and Chancellor of Justice also have the competence to oversee the lawfulness of the acts of the Intelligence Ombudsman. Parliament has also charged the Parliamentary Ombudsman with the special task of the oversight of legality of covert intelligence. Intelligence is used by the police, Customs, the Border Guard and the defence forces. All these organisations submit a report to the Ombudsman each year on the resources used to acquire intelligence. Under the Coercive Measures Act, the Ministry of the Interior must submit an annual report to the Parliamentary Ombudsman on the use and supervision of covert coercive measures by the police and their security. Likewise, the Ministry of Finance must submit a report on the use of these measures to Customs, and the Ministry of Defence must provide the defence forces with a similar report. The Parliamentary Ombudsman's report contains its own section on covert intelligence gathering.
The Data Protection Ombudsman
The Data Protection Ombudsman oversees the legality of the processing of personal data in the context of criminal investigations and civilian and military intelligence.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?

Section 60 of the Coercive Measures Act provides for giving notice of the use of covert coercive measures; Section 20 of the Act on the Use of Network Traffic Intelligence in Civilian Intelligence provides for the notification of the use of network traffic intelligence; and Section 89 of the Act on Military Intelligence provides for the notification of the use of intelligence collection methods. Individuals can file investigation requests and complaints to the Intelligence Ombudsman. The complainant will receive a response to the complaint, but the content of the response should be considered on a case-by-case basis. Furthermore, a response is provided to investigation requests, but such a response would only state that the investigation has been carried out.