Despite widespread condemnation from NGOs, experts and opposition politicians, Poland's parliament passed a new surveillance law on January 15, 2016. The “Bill Changing the Bill about Police and Several Other Laws” — this is its official name — gives secret services and police authorities fast access to citizens’ Internet and telecommunication usage data without prior review or approval from a judge.
Poland's new government has wasted no time in this endeavor. Since winning parliamentary elections in October 2015, the ruling right-wing Law and Justice party has passed one controversial law after another, gaining unprecedented attention both domestically and on the international scene.
It appears that the Law and Justicfe party took a draft bill prepared by the Civic Platform party (previously in power) – considered almost equally bad by experts – and added online data to its scope. According to many critics, including leading Polish digital rights NGO Panoptykon, this made the situation even worse.
A “surveillance bomb” planted by the previous government
Poland's current legislation governing communications surveillance allows for uncontrolled access to telecommunication data (e.g. “billings” of phone connections, geolocation) by authorities.
In 2014, it was declared incompatible with the constitution by the Constitutional Court. But the party previously in power, known as Civic Platform, failed to implement changes to the law recommended by the Court before the end of its term.
The Law and Justice party appears to have rushed the bill so that the authorities wouldn’t lose these powers after a February 6 implementation deadline set by the Court.
The combination of political and time constraints prompted online newspaper Dziennik Internautów to describe the law as “a surveillance bomb planted by PO that will be detonated by PIS.”
The opposition criticized the bill, likening it to laws reforming public media and re-organising Poland's constitutional court, both moves that have expanded government control over the originally independent institutions and encroached on democratic norms.
With this latest bill the government is stepping into the field of the Internet and users’ right to privacy — one with a strong, if brief, history of heavy citizen engagement. And many are looking back at anti-ACTA demonstrations from 2012 and asking if the new law might result in a similar response.
The Polish Ombudsman, National Council of Judiciary, Helsinki Foundation for Human Rights, Polish Bar Council, as well as leading technology blogs, such as Antyweb each published statements harshly criticising the new bill for its unconstitutionality. Ten NGOs appealed in a joint statement to the parliament, urging them not to pass the bill in this form.
Post-factum control: A major threat to privacy?
The new law introduces several changes to the processes through which secret services and police access telecommunication data and applies them to online data as well.
For one, it expands the scope of cases where access to data is allowed, from supporting ongoing investigations to prevention and detection of crimes. This means that one doesn't have to be an official suspect to be surveilled. Theoretically, anyone who could commit a crime can be subject to monitoring.
The law also changes the format in which authorities submit data requests. The bill allows for fast data retrieval via telecommunication networks (secure links) between authorised entities and Internet service providers, thus eliminating paper forms. The costs of such access will be borne by the companies. The person under surveillance will not be informed of said monitoring, which can be sustained for up to 18 months.
These changes might sound worrisome. But according to Panoptykon, the most critical aspect is actually not the fast access or the scope but the lack of effective court control over such access, something the Constitutional Court demanded to be genuinely fixed.
The bill imposes post-factum control: authorized entities are obliged to report the total number and type of citizen data queries they make every 6 months and the court might then perform random checks. This means that the police won’t need any court warrant before accessing the data. While it may be hard to believe that policemen would spend entire days analysing Internet data of a random citizens, the law technically allows them to do this.
And we know the secret service has a healthy appetite for data. According to technology blog Spidersweb, government agencies including the secret services broke a record in 2014 by sending over 2 million data requests to mobile telecommunications providers.
The law also reflects a broader trend of dismantling key institutions of accountability. In November 2015 the Law and Justice party removed the head of the country’s anti-corruption agency and limited the opposition’s oversight over secret services.
Last-minute amendments: good but not enough
In response to concerns surrounding the vague definition of “online data” in an earlier draft of the bill, the content of Internet conversations was removed from the scope of the online data that can be retrieved without prior court approval.
But the metadata of sent and received messages, logins, contacts, Internet profiles, visited websites, and personal settings are all within the scope of the bill. And citizens are keenly aware of just how much this information can reveal about a user.
Security blogger niebezpiecznik.pl used the below slide of the Electronic Frontier Foundation to give some real-life examples:
Journalist JNizinkiewicz doubted the effectiveness and objectivity of the control in the context of recent changes:
— Jacek Nizinkiewicz (@JNizinkiewicz) 13. Januar 2016
So some judge, after changes in the judiciary, will sign the warrant and the secret service can read the correspondence of Poles.
“Relaxed” in a cosmetic way. There still will be no obstacles for police and secret services getting the data without court and prosecutor's permission. The court will evaluate their actions – but randomly once in 6 months based on the report of the police or services themselves (!). There is no technical barrier for an officer who would like to read our e-mails. Nobody will catch his hand. The bill allows him to have a “window” at the internet provider through which he will be able to spy on everything. “
National security is ‘more important’ than privacy
The Polish Minister of Interior Mariusz Blaszczak tried to diffuse citizens’ concerns, arguing that the bill is actually limiting the rights of secret services instead of enlarging them. In an interview for the Polish Radio he said that the bill is needed as Poland is “facing important events in 2016 such as World Youth Days or NATO summit so the authorities have to have instruments to guarantee safety”.
Bogdan Rzonca, a deputy of the Law and Justice party told the press that privacy is not the highest value in the times of terror:
Internet has to be controlled. Life is the most important thing. We want to protect ourselves from crimes. Societies struggling with crime acts and terror accept Internet surveillance. Please remember that representatives of ISIS stay in contact via Internet.
Protect yourself: Netizens share tips on how to protect your data
Once the bill was passed, organisations, security portals and experts began publishing practical guides on how to protect oneself from surveillance by using encryption, VPNs or Tor.
Panoptykon published an infographic, Professor for Management and founder of New Research on Digital Societies in Academy of Leon Koźmiński Dariusz Jemielniak wrote a short set of instructions (which was republished by one of the biggest newsmagazines, Polityka), and Spidersweb published an article. The Stop Inwigilacji initiative which also organised a small protest in front of the parliament's building on January 13 and posted a respective guide on their website.
But the fight is far from over.
Tens of thousands sign petition, plan demonstrations for Jan. 23
More than 31.000 people signed the online petition titled “The Authorities Want to X-ray Our Lives and Computers” started and submitted to the parliament by the leaders of Stop Inwigilacji. A similar online petition titled “Hands Off from Privacy” was launched by the civic organisation KOD (Committee for the Defence of Democracy) and has garnered more than 10.000 signatures so far. The organisations have planned big street protest for January 23 in many Polish cities.
Traditionally, social media became a platform for heated debates about the political situation in Poland and sparkle with black humour. Under the hashtag #inwigiliacja Poles are discussing the newest law and producing memes on Twitter.
— Aleksandra Zawisza (@AleksZawisza) 15. Januar 2016
Next stop: Senat
Although the parliament has passed the bill, the demonstrations are not hopeless. The new law is not effective yet as it still needs to go through the upper house of the Polish parliament – Senat – and has to be signed by the President. However, the recent history doesn't leave much illusions as to whether to expect any abbreviations from the government's political line.
Moreover, trying to keep up with the threats of today's world, the Law and Justice party is planning to create a new agency in the coming years focusing on cybersecurity and Internet communication surveillance, just like the NSA does in the US. While this might be considered a modern move by some, as many countries have these kind of institutions already, the interesting question remains the one of control over such agencies. Unfortunately, it is hard to see the described bill as best Polish practice in the field.