Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
There is no explicit prohibition either for the Police or the Intelligence Service.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
The general rules apply.
3. What kind of data, if any, could be collected with spyware?
There appear to be no specific limitations on the kind of data. Both laws are technology neutral. For data reading, Article 216 o section 4 says that “The reading may include communications, electronically stored data and other information about use of the computer system or the user account”.
4. Has there been any official evaluation of the need for, or added value of, spyware?
Not spyware specifically. There was a significant political and public debate during the adoption and implementation of the 2020 Intelligence Service Act, but the main issue there was bulk collection of electronic communications, which for internet traffic would also include persons in Norway, since most domestic internet traffic is routed through other countries.
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
/
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
/
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?
For all surveillance measures, there are two tracks of oversight. One is the ex ante judicial track, by the courts. The other is the ex post non-judicial track, by specially designated oversight bodies.
Norway
In criminal investigation, by either the Police Security Service or the “ordinary” police, the use of spyware as a tool of targeted surveillance would fall under the scope of “communication control” (kommunikasjonskontroll) in Chapter 16 of the 1981 Criminal Procedure Act. There are two provisions in this chapter that would allow the use of spyware installed on the recipient’s phone or computer.
In 2016, two provisions were added that appear to specifically allow for targeted surveillance by use of spyware. Article 216 o allows for “reading of data” (dataavlesing), which in the text is defined as “reading of non-public information in a data system”. In the preparatory works, data system is defined as “any device, consisting of hardware and software, which processes data using computer programs, see section 14.8.7. For example, computers, tablets and smartphones are included. The method gives the police the opportunity to monitor the continuous use of the computer system, and to extract information that is stored or generated in the system” (Prop. 68 L (2015-2016)).
Article 216 p, which provides the procedure for “reading of data”, explicitly allows for the use of software to be installed remotely on the target’s device and to breach security barriers on the device. The provision reads, in English (Google translate) translation:
“Data reading according to § 216 o can only be carried out by personnel who are particularly suitable for it and who are appointed by the chief of police, chief PST [Eirik Holmøyvik: Police Security Service] or the person authorized. The reading can be carried out using technical devices, computer programs or in another way. Section 199 a applies accordingly. The police can break or bypass protection in the computer system if it is necessary to carry out the reading. Technical devices and computer programs can be installed in the computer system and in other hardware that can be linked to the computer system. When the court does not decide otherwise, the police can also break in to place or remove technical devices or computer programs that are necessary to carry out the data reading.
The data reading must be arranged so that no information is unnecessarily captured about the use of the computer system by anyone other than the suspect. The reading must be carried out in such a way that there is no unnecessary risk of operational disruption or damage to equipment or data. The police shall, as far as possible, prevent the risk that, as a result of the implementation, someone is enabled to gain unauthorized access to the computer system or protected information or to commit other criminal acts.”
The preparatory works say in their comment to Article 216 p that the police will have a wide discretion in the choice of approach and tools to do the data reading, and they explicitly mention “computer program” as a possible tool.
For context:
It is also possible that the use of some types of spyware could fall under the scope of Article 216 a, which allows for “tap of communications”/“monitoring of communications”/“interception of communications” (translation from the Norwegian: kommunikasjonsavlytting). The concept is defined in section 3 of article 216 a, which in English (Google translate) translation reads:
“Communication interception can consist of intercepting calls or other communications to and from certain telephones, computers or other facilities for electronic communication that the suspect possesses or can be assumed to want to use. Communications interception is also considered identification of communications facilities using technical equipment, cf. section 216 b second paragraph letter c, which occurs by intercepting conversations or other communications.”
Typically for Norwegian legislation, the provision is neutral as to technology, which applies both to the method of intercepting and the media of communication. Yet the wording is not clear on whether Article 216 a would allow for software to be installed remotely on the device of the person under surveillance. Given that there is a more specific provision on data reading, it can be assumed that the use of most spyware would require a permit for data reading according to Article 216.
For the Intelligence Service, the basic criteria for targeted surveillance are found in Article 5-2 of the 2020 Intelligence Service Act. See the link above to English translation.
As for targeted surveillance using spyware, there is no explicit regulation. Chapter 6 of the law regulates the methods for information collection (open sources, human intelligence, systematic observation, technical tracking, searches etc., bugging and imagery surveillance, other technical collection, mid-point collection, end-point collection).
The preparatory works mention that remote searches or scans of mobile phones and computers are regulated by Article 6-9 on mid-point collection (midtpunktinnhenting) or Article 6-10 on end-point collection (endepunktinnhenting). What distinguishes mid-point from end-point collection is that the former is a passive method that collects information in transit and does not require breaching of security barriers, while the latter is an active method that may require the breaching of security barriers to collect information. It can be assumed that Article 6-10 on end-point collection would allow the Intelligence Service to use spyware to do targeted surveillance. The preparatory works stress that the provisions are technology neutral. Here is a translation of a relevant paragraph in the preparatory works (Prop. 80 L (2019-2020), p. 211) that defines end-point collection:
“In contrast to mid-point collection according to § 6-9, end-point collection is not aimed at information that is in transit, but at information that is available from the end point itself. It could, for example, be a saved message. A typical end point is a computer or a mobile phone, but the provision has been designed in a technology-neutral way, so that it is irrelevant which technology is used.”
For the police, in criminal investigation, it is a basic criterion that all coercive measures, which include surveillance, must have reasonable grounds and be proportionate, see Article 170 a of the 1981 Criminal Procedure Act. This would in effect limit the temporal scope of surveillance, even if the maximum time set by the law has not yet been reached.
As for material limitations, data reading pursuant to Articles 216 o and p requires “reasonable grounds” to suspect a crime which carries a penalty of more than 10 years in prison, or which concerns crimes of illegal intelligence activities against state secrets, revelation of state secrets, other illegal intelligence activities, participation in violent associations, influence by foreign intelligence services, incitement and recruitment to terror, travels with the intent of terror, participation in and recruitment to illegal military activity abroad, deprivation of liberty offences, human trafficking, production and dissemination of materials sexualizing children, receiving of stolen goods, money laundering, violations of the law on export control of strategic products, technology etc., and certain violations of the law on immigration.
As for personal limitations, Article 216 o section 4 says that requests for data reading must refer to “specific computer systems or user accounts for network-based communication and storage services that the suspect possesses or can be assumed to want to use”.
As for temporal limitations, Article 216 o section 5 limits a permit to 2 weeks at a time, after which the police must ask the court for a new permit. Regardless of this maximum limit, Article 216 f requires the measure to be used “no longer than strictly necessary”.
For context:
For communication interception, Article 216 a requires “reasonable grounds” and is limited to the same types of crimes as data reading mentioned above, with the exception that communication interception can also be used for drug crimes. Data reading, and thus spyware, was considered too invasive for use in the investigation of less serious drug crimes.
For communication interception, Article 216 f limits the use of this measure to a maximum of 4 weeks, or 8 weeks if the surveillance concerns suspected crimes against Norway’s independence and fundamental national interests (2005 Criminal Code chapter 17). Regardless of these maximum limits, the provision requires communication interception to be used “no longer than strictly necessary”.
The Intelligence Service cannot use targeted surveillance, or other surveillance, of persons in Norway. There is an explicit ban in Article 4-1 of the 2020 Intelligence Service Act. There are exceptions for foreigners acting on behalf of another state and in case of war (Article 4-2).
For end-point collection, Article 6-10 states that information not intended for communication can only be collected if “strictly necessary” (in relation to the work of the Intelligence Service).
There was no significant public debate on the introduction of “data reading” for the police in 2016. However, in Norway, legislative reforms such as this are usually based on a comprehensive evaluation and assessment by an independent expert group. This was also the case for the 2016 reform that allowed for spyware in “data reading”. The 2016 amendments were based on recommendations by the “Method control panel” (Metodekontrollutvalget) in a 2009 Norwegian Public Inquiry (official series of documents from independent law commissions). The report (reference: NOU 2009: 15, Hidden information - open control) can be found here: https://www.regjeringen.no/contentassets/ac3de9f4288f481e8d6b7971a82310d1/no/pdfs/nou200920090015000dddpdfs.pdf. Summary on “data reading” on p. 26.
Here is an op-ed by the then Minister of Justice, justifying the introduction of “data reading” for the police (Google Translate works fine): https://www.aftenposten.no/meninger/debatt/i/18zwQ/dataavlesing-vil-gjoere-hverdagen-tryggere-anders-anundsen.
From legal academia, the introduction of “data reading” has not met strong objections, but here is a paper that points to some issues concerning safeguards (in Norwegian, but with an English abstract): https://phs.brage.unit.no/phs-xmlui/bitstream/handle/11250/174670/Rettfærd%20dataavlesing.pdf?sequence=3&isAllowed=y. The main criticism is that the use of spyware should not be regulated in the same chapter and according to the same logic of safeguards as other surveillance, and that such spyware should be subject to third-party assessment to prevent abuse.
Ex ante
For the Intelligence Service, decisions on information gathering on cross-boundary electronic information (internet traffic) require approval by a court, see Article 8-1 of the 2020 Intelligence Act. This includes orders to internet providers to mirror electronic communication that crosses the Norwegian border, searches in stored metadata, the targeted gathering and storage of metadata, targeted gathering of information, and the processing of information concerning journalistic sources. The court will control the legality of the decision, see Article 8-4, including that the surveillance falls within the remit of the Intelligence Service’s mandate, and that the basic criteria (necessity, proportionality etc.) and limitations are respected.
For the Police Security Service, Article 17 d of the 1995 Police Act (https://lovdata.no/lov/1995-08-04-53/§17d – not in English) requires all decisions of surveillance to be approved by a court. For the police in criminal investigations, surveillance measures (data reading, wire taps, data taps) must be approved by a court. For data reading, see Articles 216 o section 1 and generally Chapter 16 a of the 1981 Criminal Procedure Act (https://lovdata.no/lov/1981-05-22-25/§216a – not in English).
Ex post
The intelligence services, including the Intelligence Service and the Police Security Service, are subject to ex post oversight by the Norwegian Parliamentary Oversight Committee on Intelligence and Security Services (the EOS Committee). They have information in English on their website: https://eos-utvalget.no/en/home/, including on the legal framework: https://eos-utvalget.no/en/home/about-the-eos-committee/legal-framework/. The EOS Committee is regulated by the 1995 Act relating to the Oversight of Intelligence, Surveillance, and Security Services. You can find an English translation of the law at the end of the EOS Committee’s annual report: https://eos-utvalget.no/wp-content/uploads/2023/06/EOS-Committee-annual-report-2022.pdf. According to Article 8 of the Act, the EOS Committee has complete access to all information held by the intelligence services regardless of classification. Unhindered access is also provided for by Article 7-10 of the 2020 Intelligence Act. The Intelligence Service must report decisions on bulk gathering of cross-boundary data to the EOS Committee, see Article 7-3 of the 2020 Intelligence Act. The EOS Committee can address complaints by individuals and whistleblowers, see more on the procedure here: https://eos-utvalget.no/en/home/complaint-procedure/. The EOS Committee can also investigate issues on its own initiative. It produces an annual report to Parliament. If the EOS Committee during a control finds that surveillance is illegal, it can demand that the surveillance cease and that all information be deleted, by a motion to the Oslo city court, see Article 7-12 of the 2020 Intelligence Act.
As for ex post oversight for the police, not including the Police Security Service, Article 216 h of the 1981 Criminal Procedure Act (https://lovdata.no/lov/1981-05-22-25/§216h – not in English) requires the establishment of an independent body tasked with controlling the legality of the use and storage of communication control measures (wire taps, surveillance, data taps). This body of at least 3 members (currently 6 members) is appointed by the Government. The leader must fulfil the requirements to qualify as a Supreme Court judge. The current leader is a professor of law, while the other members are barristers (3), a city court judge, and an engineer. The body and its procedures are further regulated by Articles 12-16 of a regulation on communication control (FOR-2016-09-09-1047 kommunikasjonskontrollforskriften, https://lovdata.no/dokument/SF/forskrift/2016-09-09-1047 – not in English). This regulation allows the body to address any issue raised by individuals or organisations concerning police surveillance, Article 15. The body may also on its own initiative address any issue, and shall prioritise issues that have raised public debate or criticism. The body has access to all information related to communication control measures, including the actual wire taps, videos, data taps etc., Article 16. Article 18 gives the body an independent status, meaning that it cannot be instructed.