The Federal Agency for State Protection and Counterterrorism (abbreviated BVT in German) is one of the most powerful institutions in Austria. Yet there is hardly any other organization of similar disrepute. There is no party which does not address deficiencies and the need for improvement. Foreign intelligence services already restricted cooperation with the BVT years ago and the abroad considers Austria a "security gap". An investigation committee on the house search in the BVT during the Kickl era and the terrorist attack in Vienna on 2 November 2020 have put plans for a reform on the agenda. Legislative proposals were announced for December, therefore they cannot build upon the expert commission’s investigation and examination of the attack.
When intelligence services fail to prevent terrorist attacks, they are usually rewarded with new surveillance powers. The anti-terror legislative package includes an ankle monitor for persons who pose a threat to public safety. This was already discussed in 2017, but when minister of justice Brandstetter prevailed against minister of the interior Sobotka – both from the right-wing conservative party (ÖVP) – the issue was finally dropped. However, the BVT reform entails several substantial and highly complicated problems, even without new surveillance methods. There is no country in the world where the oversight of intelligence services is solved how we would like it to be, but there are many international best practices. In the following, we want to use these best practices to establish benchmarks, against which the new reform of the BVT must be measured.
The present benchmarks are not civil society’s wish list, but rather they are strongly guided by international standards and jurisdiction, which Austria is subject to and which are currently not met. The ruling Schrems II showed once again that the right to privacy in the digital age cannot be enforced unilaterally with regard to national security. Therefore, experts meanwhile call for an international standard in democratic intelligence practice, so that democratic states do not violate each other's human rights and undermine democracy. Advances thereto have already been made with the “Intelligence Codex” proposed by the Parliamentary Assembly of the Council of Europe or the "Draft Legal Instrument on Government-led Surveillance and Privacy" by the UN Special Rapporteur on the right to privacy. The European Intelligence Oversight Working Group also calls for common standards and definitions in its latest report. So far, the only legally binding document on data transfers and protection in the field of national security is Convention 108+ set forth by the Council of Europe.
Why is an intelligence service always a problem?
In a democratic constitutional state, prosecution and enforcement authorities operate under the principle of legality. This means that their every act must be covered by law, they must investigate on the basis of criminal offences and suspicion and they must report and prosecute any possible misdemeanor. In contrast, intelligence services work under the principle of opportunity. Based on an abstract risk assessment, they thus investigate in one direction aiming to identify dangers and (potential) crimes which, however, are not always reported and prosecuted.
Often, this procedure is barely supervised, even if it is very large-scale: for surveillance programs like PRISM and UPSTREAM the NSA only needs a general approval from a court (the sessions of which are confidential). Moreover, what a secret service deems opportune always produces strange blossoms. For example, the Thuringian Office for the Protection of the Constitution financed the milieu of the National Socialist Underground for many years. Sometimes the impression of a state within the state arises: in 1978, for example, the Lower Saxony Office for the Protection of the Constitution blew a hole into a prison in Celle in order to smuggle an informant into the RAF and deceived the investigating authorities about its actions.
Austria is one of the safest countries in the world and for all we know the attack of 2 November 2020 could have been prevented with existent powers. This is not the time to expand surveillance powers. If the government heads for this direction, the reform has to be rejected as a whole. Restricting rights to freedom is not the way to react to this attack against our liberal democracy. Many of the powers other secret services hold, especially in mass surveillance, are so extensive that they regularly produce scandals.
Academic literature on international best practices agrees that effective oversight of intelligence services must cover the service’s entire course of work. From the political setting of priorities to gathering and evaluating data, complete end-to-end supervision should be ensured. This is necessary in particular to compensate the lack of legal protection (rights to information and legal action) against secret surveillance measures.
Oversight begins with defining the working basis (ex ante). Just like the scope of tasks, which the intelligence service is not allowed to define for itself, the development of the working basis should be subject to democratic oversight. It also comprises the approval of cooperation with other services (including the MoUs) and individual surveillance measures (e.g. telephone tapping). Furthermore, the workflow (e.g. data processing) requires oversight. Here, independent supervision equipped with sufficient resources and competences is needed.
Finally, there must be effective ex post oversight. Here too, an intelligence service oversight body as well as parliamentary oversight can be used for this purpose. Questions of political responsibility, efficiency and infringements of fundamental rights should also be tackled and put into perspective in this stage.
Daniel Ellsberg, Annie Machon, Chelsea Manning or Edward Snowden: history provides us with many examples of courageous people who risked their careers, their freedom and sometimes even their lives to shed light on deficiencies in the security system. In Denmark, the head of the military secret service just had to resign because a whistleblower presented the intelligence service oversight with evidence of mass surveillance of the Danish population. In the US, Donald Trump's attempt to make the Ukrainian President Volodymyr Selenskyj investigate the family of his rival, President-elect Joe Biden, was revealed via whistleblower complaint to the legal protection officer. When everything else fails, whistleblowers are our last hope to remedy state deficiencies. This is why we should support these people in their courageous actions and offer them protection and contact points.
Firstly, it is essential to offer whistleblowers protection from penal consequences of their revelations if they acted morally and responsibly. Consequences in civil law should be excluded altogether. Secondly, whistleblowers have a right to preserve their anonymity and confidentiality in their communication with the contact point. Thirdly, the choice of whether to turn their information in to the intelligence service oversight body, the judiciary or internal bodies must be a free one – there must be no specification here, as there is no one answer that fits every situation. The rulings of the European Court of Human Rights have made it clear that whistleblowers too have the fundamental right to freedom of expression, explicitly including the intelligence sector. In case of lawsuits, it must be possible to take the public interest in disclosure into consideration. Not even today does the muzzle of total official secrecy as currently practiced in Austria meet international standards.
The EU Whistleblower Directive which must be implemented in Austria by December 2021 offers convenient inspiration. It includes a non-binding option to include the field of national security in the transposition. Excellent templates for proper implementation of this directive have been provided by the NGOs BluePrint, Transparency International and X-Net as well as independent scientists. This 2014 recommendation by the Council of Europe also addresses the importance of whistleblowers.
The current model uses a legal protection officer (abbreviated RSB in German) in the ministry of the interior to evaluate whether a specific surveillance measure is justified. This model does not meet the requirements for proper legal protection. We have already addressed this problem in the course of the last amendment to the BVT, the Police State Protection Act. The criticism led to minuscule and mainly apparent improvements, so that nowadays decisions are made by the RSB together with their deputies (one of which must have been a judge). In practice, however, the RSB is more of a facilitation body than a supervisory body. The RSB hardly ever refuses a measure, but rather provides feedback on how surveillance might still be authorized. Consequently, the RSB’s reports are meaningless. This form of legal protection falls short of the international standards set forth by the ECHR and the EDPB, as it is not sufficiently independent from the executive and, above all, it damages the public's trust in the intelligence service. Independent ex ante judicial review would be more sensible and comprehensible – new rules for sensitive procedures may possibly have to be established. In case the reform of the BVT separates police and intelligence service more clearly, judicial review is the only acceptable solution for the police sector. It is incognizable why the ministry of the interior should grant itself authorization for measures taken in the police sector as well.
The independent authorization procedure is one of the most crucial benchmarks, because it is the only opportunity for supervision before the infringement of fundamental rights. All other oversight is generally "too late" in the sense of "you were not allowed to do that". As international jurisdiction clearly demands, one basic requirement for a (judicial) authorization body is its independence. Other relevant aspects include how detailed the reasoning in requests for surveillance measures must be, whether the authorization of other (ongoing) surveillance measures should be taken into account for judging new requests or not and how authorization judgments should be documented.
In order to embed the judicial authorization procedure democratically, the legal framework should provide for obligatory review of the authorization, which is aimed at publishing as much information as possible e.g. regarding critical legal interpretations.
When the last reform of the BVT was passed in 2016, the field of parliamentary oversight was left out completely. The idea was to have the parliament establish oversight powers for itself – the task should not be left to the government as it is part of the executive that is to be supervised. This was a unanimous goal voiced by all parliamentary parties – unfortunately, nothing happened afterwards. We are all the more pleased about the two recent proposals submitted by the opposition aiming to increase parliamentary oversight. What NEOS, SPÖ and FPÖ have presented is, of course, a compromise. Partly, they only contain self-evident provisions such as proper minutes or obligatory briefings for parliamentary representatives to be given by the minister of the interior or the head of the BVT. We appreciate the long overdue minority rights the proposals encompass and we would favor to see them be upgraded further. We are all the more astonished that the right-wing conservative party (ÖVP) completely refused to discuss the proposals, whereas the green party (Grüne) showed willingness to address them.
Representatives often believe they are the answer to every challenge. However, parliamentary oversight is only one component of effective intelligence service oversight. In practice, there are merely a few situations where a parliamentary committee is actually able to shed light on deficiencies. This is due to the fact that representatives only have limited time available and they often lack the professional qualifications required for this task. In case a committee succeeds nonetheless, representatives are not even allowed address these deficiencies to their fellow party members or staff due to confidentiality obligations. Germany provides a deterrent example for the limitations of parliamentary oversight.
Nevertheless, parliamentary oversight equipped with clear means of supervision and resources is valuable. Examples for sensible use would be approval of the service’s scope of tasks and of cooperation with foreign secret services (MoU). In case of severe deficiencies, a minority of representatives must have access to further means of supervision beyond the committee. These could be to withdraw particular members of staff from office or to declassify documents because they contain evidence of grave offences.
Gaps in parliamentary oversight should be complemented with an oversight body tasked with technical supervision. While this technical oversight body should act independently of parliamentary oversight, the both should cooperate in many areas. Experts employed in the oversight body should be recruited from the judiciary, IT, data protection and the security sector. They should be equipped with extensive powers such as access to classified documents or on-site inspection. This body must also be able to summon intelligence officers and have them testify under the obligation to tell the truth. Similar to the Court of Audit, the head of the oversight body should appointed in a supra-partisan way.
The tasks of this body also include oversight of the service’s the operational work, which encompasses the supervision of data processing. Examples would be whether data is deleted timely, whether all data gathered and stored falls within the judicial authorization, whether data provided by foreign services conforms to the cooperation agreement (MoU) approved by the parliamentary oversight committee or even statistical pattern analysis of data deletion e.g. to detect any significant increase in data deletion after an attack. The technical oversight body also serves as contact point for whistleblowers from the intelligence service and may initiate investigations in case of suspected illegal activities.
If the intelligence service restricts access to information, it must do so based on comprehensible and publicly available criteria. The Tshwane Principles provide an international standard for this area. However, they presuppose an existent Freedom of Information Act, which Austria unfortunately – as the only EU country – still does not have. If one of the reasons for classification such as concrete military, intelligence or diplomatic interests exists, a document may be classified for a certain period of time. If this reason ceases to exist, the document must be declassified. Classification may also be repealed if the information contains evidence of human rights violations, corruption or other grave offences. Intelligence oversight bodies must be given access to classified documents, as must ombudspersons and courts in specific cases. The classification of a document may be challenged in court and by the intelligence oversight body. The institution which decided upon classification may defend against declassification with factual arguments.
To balance classification mechanisms supervisory authorities must have clear and comprehensive rights of access. Nowadays all oversight stands and falls by giving supervisors access to the service’s technical systems. There can be no trust in effective oversight without the possibility to log into the real system and retrieve and analyze data independently.
Direct access to IT systems is the be-all and end-all, as it enables supervisory authorities to examine data processing unannounced and automatically. This way, oversight is less reliant on information provided by the BVT itself. In Switzerland, for example, the independent supervisory authority may access all relevant information and documents, request copies of documents and may also access all information systems and data pools.
Although complete transparency of supervisory activities is not always possible due to confidentiality requirements, regular reports delivered by supervisory authorities are a crucial means to gain the public’s trust and to fulfill accountability obligations.
This includes rules on whether and when an oversight body may depart from confidentiality - in parliamentary committees it could be via special votes. At the US FISC, for example, every judge may request the publication of resolutions, statements and other decisions on their own initiative or at the request of a party involved. Upon such a request, the presiding judge may decide that the document in question be published after hearing other judges of the court. (See United States Foreign Intelligence Surveillance Court (FISC): Rules of Procedure, 1 November 2010, Rule 62).
Benchmark 10: Due diligence obligations for the head of the authority, penal consequences for false testimony before oversight bodies and for abuse of surveillance powers
An intelligence service is equipped with enormous power within a state. Abuse of competences must have severe personal consequences for the person acting. In the US, abuse of surveillance powers can mean up to five years in prison. In the NSA, cases in which intelligence officers used their surveillance tools against dates and ex-partners have been discovered. There must be deterrent penalties for this abuse of state power and necessary consequences for incomplete internal controlling.
If oversight of intelligence services is to function properly, these few supervisory bodies which are allowed to know about the real work must be able to rely on the fact that they are not being lied to. Unfortunately, there are many cases where intelligence supervisors have been lied to. This is why in Norway all acting and former intelligence officers may be summoned to testify before the oversight body under the obligation to tell the truth. In case of violation they may be fined or imprisoned for up to one year. A regulation like this one would also be a major gain for the Austrian system.
The head of the intelligence service should be subject to a personal due diligence obligation concerning data protection compliance and the quality of algorithms used by his authority, similar to the Netherlands. The head of the authority must therefore take appropriate measures against breaches of data protection and to ensure the validity and accuracy of data processed. It is important to stress that in Austria there are no penalties or other consequences for data protection breaches committed by the public sector. This legal vacuum combined with the confidential work of a service and the gigantic mountains of data it typically entails could have disastrous consequences, which can only be countered with proper due diligence obligations.
Intelligence cooperation now accounts for a large part of intelligence work. On an international level, a veritable exchange market for intelligence information has developed. On the one hand, this is comprehensible as threats do not stop at national borders. On the other hand, gaps in oversight arise as the endeavor of supervising intelligence services remains a strictly national one. Due to the so-called Third Party Rule, oversight bodies can often neither view nor examine data obtained from partner services. This is problematic as it means that a large part of intelligence work remains unsupervised.
In the worst case, national laws and rules protecting the own population could be undermined by international cooperation. It is therefore crucial to incorporate oversight of international cooperation. In its landmark ruling on the BND Act in April, the German Federal Constitutional Court clearly demanded that international cooperation finally be supervised better. On the one hand, it calls for a rule of law test to ensure the protection of human rights and adequate data protection in recipient countries (Paras 236-238). On the other hand, it claims that oversight must not be hindered by the Third Party rule in the future. For supervisory bodies in Norway, Denmark and the Netherlands, for example, this has long been standard practice. Austria should not lag behind here.
If this reform takes the principle of separation of police and intelligence service seriously, it is only consistent to deny intelligence officers the right to bear arms. A person is either part of the police and enforces the state monopoly on legitimate use of force, or they are part of an intelligence service which means their job is to gather information for an overview of the situation, and that is precisely not operative work. They do not require weapons for their job.
History provides enough examples of what happens when the separation of police and intelligence services is repealed (Gestapo, Stasi, etc.). The special powers of intelligence services can only be legitimized by the fact that services themselves do not prosecute. If there is a concrete suspicion or a concrete danger, it is the police's turn.
What happens next?
These and other demands based on scientific literature were handed to minister of the interior Peschorn by us on 14 October 2019. At the time, he was head of the BVT reform team in the ministry of the interior. This means that this expertise is available in the ministry. It is a political decision to not establish effective intelligence service oversight after the massive failure of authorities on 2 November 2020. We expect the legislative proposals on the reform of the BVT in the next few weeks and we will do our best to ensure the reform respects fundamental rights.
These are our benchmarks for the upcoming intelligence agency reform in Austria:
- Benchmark 1: No new surveillance powers
- Benchmark 2: Oversight of all stages of intelligence gathering
- Benchmark 3: Whistleblower protection
- Benchmark 4: Ex ante judicial review of individual surveillance measures
- Benchmark 5: Increase parliamentary oversight
- Benchmark 6: Establish technical oversight of intelligence services
- Benchmark 7: Comprehensible classification of documents
- Benchmark 8: Access for supervisory authorities
- Benchmark 9: Make supervisory activities as transparent as possible
- Benchmark 10: Due diligence obligations for the head of the authority, penal consequences for false testimony before oversight bodies and for abuse of surveillance powers
- Benchmark 11: Oversight of international cooperation of the BVT
- Benchmark 12: Principle of separation and no gun possession for intelligence officers