Interception warrants not granted without proper justification - minister

Home Affairs minister Manuel Mallia has insisted that data released by Vodafone on the number of requests by law enforcement agencies in Malta for metadata, does not refer solely to requests from the Malta Security Service.

Mallia was reacting to claims in the press about the extent of phone-tapping by the MSS, which has access to the legal interception system that is run by all internet and telephonic operators in Malta.

Mallia said that requests by MSS was a small part of the statistics presented by Vodafone Malta, "the majority of which refer to police investigations wanting to identity geo-location data to pinpoint the locations of telephone calls, without the need to intercept a phone-call," Mallia told MaltaToday.

Mallia said that requests for the legal interception of electronic communications by the MSS have to be backed up by a detailed report justifying interception, before the minister for home affairs issues a warrant. "This is the same procedure even when a similar request is made by foreign secret service agencies."

Mallia said that every warrant issued by his ministry, since he was appointed home affairs minister, has to be made on specialised security paper, carrying a signature with its precise date and time. "These warrants are then registered within a specialised registry, which does not allow a different registry number to be applied to the warrant. Every single warrant is verifiable through the system," Mallia said.

Malta' Security Services also present a report at law on their annual activities to the House of Representatives.

Vodafone’s difficult balancing act two weeks ago, in which it published an extensive, 40,000-word report on government monitoring, has revealed the extent to which private telephone and internet transfers of data can be accessed by national security agencies and police forces.

Vodafone, the world’s second largest carrier, said that government agencies were using secret wires to tap its network in many of the 29 countries where it offers wireless service.

In 2013, there were 3,773 warrants filed by Maltese government agencies for metadata – information that includes clients’ names, addressed, device locations and times of calls and messages.

While the the home affairs ministry said that very few of the requests were interceptions or information requested by the Security Services, the Vodafone report also reinforces the absence of proper judicial oversight on the Maltese Security Services: the MSS can access all the metadata it requires and intercept electronic communication with warrants issued by the home affairs minister himself, or even by permanent secretary or the Cabinet secretary.

Vodafone Malta said the demands related to crimes such as theft of phones which mostly anonymous calls, homicides and other criminal investigations. In the large majority of cases demands received by law enforcement agencies are in response to reports initiated by the public, Vodafone Malta said. 

Vodafone, GO plc and Melita and other internet providers had to finance a €2.5 million legal interception system that gives the Malta Security Service access to any metadata it requires, on a simple warrant issued by the government minister responsible – and not by a court judge.

But in March 2012, the three companies told the MCA they would not contribute any longer to the financing of the legal interception. The Maltese government intervened to finance the system itself.

Who can access your internet and telephone data?

Security Service Act The Security Service of Malta can obtain authorization for interception or interference with communications by means of a warrant issued by the minister responsible for the Security Service.

The Security Service is tasked with the protection of national security, in particular, against threats from organised crime, espionage, terrorism and sabotage, and activities of agents of foreign powers.

“Interception” requires a warrant that allows the MSS to disrupt, seize, eavesdrop and listen in to communications.

Following a request made by the Security Service, the minister may issue a warrant authorising the taking of such action, or in an urgent case where the minister has expressly authorised its issue and a statement of that fact has been endorsed by a Permanent Secretary or the Cabinet Secretary.

Ministers’ warrants are generally valid for six months and can be extended.

Electronic Communications rules All undertakings like Vodafone and GO plc, and other electronic communication firms are obliged to comply with requirements to allow legal interception and data retention.

Telecommunication companies are required to assist law enforcement agencies, most notably the Security Service, in implementing the interception capabilities on their networks.

While the Malta Communications Authority, as the regulator, defines the technical and operational requirements to enable legal interception of all electronic communications, the companies have to finance the provision of the legal interception technology.

Although no direct legal provision exists relating to the obligation of authorised undertakings to implement interception capabilities on their networks, companies have a legal obligation to fund the infrastructure used for interception.

Processing of personal data Disclosure of metadata is governed by the Processing of Personal Data (Electronic Communications Sector) regulations. 

Disclosure of metadata – the information that identifies users of electronic communications such as email, internet, SMS, and telephonic communication – has to be made available in an intelligible form to the police or the Security Service.

This includes: data necessary to trace and identify the source of a communication, such as the calling telephone number; the name and address of the subscriber or registered user; and the user IDs, names and addresses of an Internet Protocol address.

Other information that has to be provided are telephone numbers dialled, call transfers, telephone subscribers’ names, recipients of internet telephone calls, the date and time of the start and end of telephone and internet communications, the date and time of the log-in and log-off of the Internet access service, IP addresses, and what equipment was used to make any electronic communication.

Other crucial information police and the MSS have access to is the data necessary to identify the location of mobile communication equipment, which includes the cell ID at the start of the communication, and the data identifying the geographic location of cells – such as mobile phones – for the time during which data is retained.

In this case, the information can be made available for the investigation of a “serious crime”, defined as any crime which is punishable by a term of imprisonment of not less than one year.

A request for data is to be made in writing and shall be “clear and specific”, but if that data is urgently required, the request may even be made orally. A written version of the request must however be made at the earliest opportunity.

There is no legal obligation on providers of publicly available electronic communications services or of a public communications network to retain data revealing the content of any communication.

Emergency Powers Act Under the provisions of the Emergency Powers Act, following a declaration by the President of Malta of a state of public emergency, the President acting in accordance with the advice of the Prime Minister, may make any necessary regulations to “secure the public safety and defence of Malta”.

Such regulations can include taking control of any property or even a telecommunications company to apply any law with or without modification. Such regulations shall expire and cease to have effect after two months unless approved by a resolution of the House of Representatives.

Oversight of the use of powers The Security Service Act does not provide for judicial oversight. However, it establishes the post of a Commissioner who shall keep under review, among other things, the exercise by the minister responsible for the Security Service of his powers to issue warrants.

The Information and Data Protection Commissioner is responsible for the compliance and enforcement of the processing of personal data and data retention rules. Aggrieved persons can request his or her intervention. Any decision by the Information and Data Protection Commissioner may be contested in front of the Data Protection Appeals Tribunal.