The Romanian government has been drafting a law since last year, without holding public debates, and has now introduced it in Parliament with four additional articles on national security and allows security services to intercept non-personnel communications services that do not. is based on numbers – for example, Skype, WhatsApp, Facebook Messanger, Signal, Wire, Telegram applications.
Bogdan Manolea, the executive director of the Association for Technology and the Internet, explains in an interview for Free Europe that the articles introduced by the government have nothing to do with the European directive and have nothing to do there.
Free Europe: What to expect after the adoption of such a law introducing articles on interception of communications?
Bogdan Manolea: The correct answer is that I do not know, because the four articles that are inserted in this bill do not have any details about the procedures with which they will be implemented. It can be assumed that it will take some time, and perhaps even investment in infrastructure and procedures, to implement it. It certainly won’t be an overnight thing.
But the way in which they were inserted in a law, which has nothing to do with the interception part, raises some questions about the potential abuse of everything that means interception of communication.
Normally, they should be governed by the Code of Criminal Procedure with some extremely clear guarantees, with a procedure that is obvious to anyone concerned. Everyone needs to know the law and know how to apply it. Or, this is not happening.
Basically, this project broadens both the spectrum of actions that fall into the area of electronic communications interceptions, and the providers that must be obliged to do, to correct or, as the law says, to “support” the competent authorities. It is very incomplete.
Free Europe: You were talking earlier about a potential abuse by the authorities. Will human rights be endangered in any way? I’m thinking of apps that everyone uses – like Facebook, Whatsapp.
Bogdan Manolea: We are talking about widening access to electronic communications through a legislative proposal hidden by another legislative text and not through an organic law that would be an amendment to the Code of Criminal Procedure. And that’s where the main problems come from.
I’m not saying that if we talk about other types of access to electronic communications (for example, what do you mean by “access to encrypted content in transit”?), Beyond what is already regulated by the Code of Criminal Procedure, it should be and adequate guarantees – says the ECHR. It does not say that you are not allowed to intercept communications under any circumstances. If you have to investigate a case of drug trafficking, for example – of course you have to do this, only you have to do it respecting the guarantees and procedures.
But that doesn’t happen. Some legal provisions are being expanded without telling us exactly what is happening. On the other hand – the suppliers who are obliged to implement or support such measures – the text of the law does not say what to do. Do they only have to respond to requests? That was also in the Code of Criminal Procedure.
What does support mean in this context? That it needs to host SRI equipment on its own server? That they have to give the decryption key, if they have it? We do not know. There are many question marks.
Free Europe: This law in Parliament transposes a European directive. When it comes to transposing a European document, to what extent is it legal to put such articles in it?
Bogdan Manolea: This Directive (No – Communications Code) has nothing to do with the interception of communications. We are talking about a text that has nothing to do with the European directive. It’s an additional matter to the directive.
This European legislation was to be implemented by Romania in December 2020, has been in public debate for almost a year and has not been adopted. And then they took advantage of this vehicle, which is the directive, to add three more articles that have nothing to do with the directive, to say that it is an emergency. There are two different topics.
Free Europe: So what should the law that transposes the directive look like?
Bogdan Manolea: If we talk about the directive – or the European Communications Code – there are 300 pages on what an electronic communications operator has to do – with the allocation of radio frequency, with the part of the allocation of numbers, with ANCOM and what it has to do, with the rights users in the electronic telecommunications sector and so on. But what the government is proposing with interception has nothing to do with it. It’s like a walnut on the wall. It is as if we impose the Covid certificate for the Romanian population through the budget law.
Free Europe: Have the other countries that transposed this legislation also introduced elements on national security and interception of communications?
Bogdan Manolea: The rules on interception of communications are not regulated at European level. It’s another subject.
If he wants to intercept the government, he has to amend the Criminal Procedure Code, have a public debate and say that we want to do a, b, c because we have these problems d, e, f, the risks are these, the guarantees are these, the rules These are the ECHRs, Poland is doing this, the US is doing this, technically we may or may not be doing this. This is how a discussion should take place, not a secret paragraph in the law.
It has nothing to do with the transposition of the directive. It is a matter that only Romania has done and only in this way that is not correct. As far as I know, no other country has done such a thing.
Free Europe: What if Romania does not transpose the provisions of the directive? Can we get infringement?
Bogdan Manolea: It could risk infringement, yes. But the four articles have nothing to do with the European act. If the authorities decide that an update is needed for national security, then they do it where the rest of the provisions are.
The Code of Criminal Procedure, which also regulates the interception of communications, has a text and refers to A, B, C, D. Now comes this new text that seems to broaden the typology of providers (although not needed, the text of the Code of Criminal Procedure already covers and those) that should respond to those requests and the type of access requests. The government instead of taking the Code of Criminal Procedure and instead of amending it, adds this text. Stealthily.
The article introduced by the Government on communications service providers shows that they are obliged to support security services and allow the legal interception of communications:
Art.102. – (1) Providers of electronic hosting services with IP resources and providers of interpersonal communication services not based on numbers have the obligation to support law enforcement bodies and bodies with responsibilities in the field of national security, within the limits of their competences, for the execution of the methods of technical supervision or of the authorization acts ordered in accordance with the provisions of Law no. 135/2010 on the Code of Criminal Procedure, as subsequently amended and supplemented, and of Law no. 51/1991 on national security, republished, with subsequent amendments and completions, respectively:
a) to allow the legal interception of communications, including to bear the related costs;
b) to grant access to the content of the encrypted communications transited in its own networks;
c) to provide the information retained or stored regarding traffic data, identification data of subscribers or customers, payment methods and access history with the related time moments;
d) to allow, in the case of the providers of electronic hosting services with IP resources, the access to their own computer systems, in order to copy or extract the existing data.
(2) The obligations provided in par. (1) lit. a) – c) shall apply accordingly to providers of electronic communications networks or services.