FinFisher and digital surveillance, by former ombudsman András Jóri

András Jóri, former Parliamentary Commissioner for Data Protection and Freedom of Information, wrote for atlatszo.hu about the legal background to the Hungarian secret service using FinFisher.

The news that such a spyware package is used for state surveillance in Hungary should not come as a surprise. Already in 2009, the data protection commissioner had published a recommendation regarding secret service practices using digital surveillance technologies.

Formerly the data protection commissioner, and since January 2012 the Hungarian National Authority for Data Protection and Freedom of Information, has the legal tools to regulate the surveillance operations conducted by the secret services. Such activities, by definition, take place in secret and violate the privacy of the person under surveillance. Therefore, the law regulating digital surveillance must guarantee that it is proportionate and used only when necessary.

This guarantee is safeguarded by requiring that secret surveillance needs special permission, either from the director of the secret service, as happens in “smaller” cases, or from an outside authority, meaning the competent minister or judge.

In 2009 the data protection commissioner conducted an investigation into permissions made by the minister or judge, studying the legal environment and (secret) data about the number of such cases, in order to determine whether the system of “permissions from outside” provided adequate guarantees against unjustified secret surveillance.

The recommendation based on the investigation revealed a number of problems, such as:

  • it is possible to define the targeted persons as a group;
  • it is not explicitly required to delete unnecessary data produced during the surveillance;
  • it is not clear in which cases it is the minister and when the judge who has to give permission.

In the latter case the secret service, by carefully selecting how to categorise its activities, can ensure that permissions will fall into the minister’s sphere of competence. If there are a large number of cases, the minister would be quickly overloaded (while judges could distribute the work among themselves), and decisions might not be as well informed as they could be. Therefore, the data protection commissioner recommended either clarification of the system or that all permissions be referred to judges.

Another issue the investigation covered was digital surveillance. At the time the law was not clear whether monitoring online activity requires a permission from outside. Since January 2011 however, such a permission is required. That means, FinFisher can be used only with the permisssion of the competent minister or judge. But the previous question is still unresolved, whether the process of “permission from outside” provides enough guarantees against unlawful secret surveillance. In order to properly answer the question, another investigation similar to the one in 2009 should be conducted in order to ensure proportionality and legality.

Author: András Jóri
Translator: Anikó Mészáros