Elizabeth Pond Blog

What the NSA Can Learn From Sweden

When Congress reconvenes in Washington after the summer break, it will try – for the first time since the 1970s – to recalibrate the proper balance between security and privacy in treatment of signals intelligence. It could learn a lot from the Swedes.

First, Sweden has an ombudsman as a contrarian public advocate at the secret court that must authorize all signals surveillance operations. Second, those operations by the National Defense Radio Establishment (FRA) that are approved are reviewed after six months and terminated if they are not productive. Third, the FRA, Sweden’s equivalent of America’s National Security Agency (NSA), is more keen on getting rid of the clutter of unnecessary metadata than maximizing the bulk-collection “haystack” for future rummaging.

FRA spokesman Fredrik Wallin wouldn’t presume to teach the United States anything, of course, but an American hearing his description of how the FRA functions can’t help but draw her own conclusions.

Granted, Sweden is not the United States, and its signals intelligence agency has a far less comprehensive mandate than the NSA’s. The country is a medium-sized player on the globe, not the hegemon of the seven seas. Sweden neither led the West’s defense over six decades nor has it fought a national war in centuries, and it doesn’t have as many foes as America does. Moreover, with some 700 employees, the FRA simply cannot be as omnivorous as America’s basic Fort Meade team of 30,000, with access to the world’s second-best supercomputer (running 58 times faster than Sweden’s) or as Chinese intelligence and the world’s top supercomputer (112 times faster).

Nonetheless, modern Swedish signals intelligence has a lustrous record going back to mathematical genius Arne Beurling, who cracked the Nazi Geheimfernschreiber (“secret teletypewriter”) code with a pencil and graph paper in two weeks in 1940—and, even more discreetly, also decoded Moscow’s serial wartime encryption. During the cold war and the predominance of communication by satellite, Sweden’s thousand miles of coast facing east gave the country ideal geography for monitoring radio signals from the Soviet superpower and its Russian successor. In the present era, analysis of traffic from trans-Atlantic fiberglass cables that transit Swedish territory—with, as recently as 2007, the world’s fifth-fastest supercomputer —has kept Stockholm in the signals-intelligence big leagues.

At the same time, the fierce Swedish ethos of personal integritet, or privacy, provides cultural constraint on snooping. The FRA is not technologically driven to tap into everything it could access as capabilities expand exponentially, FRA spokesman Wallin says. The systematic ethics training for all FRA employees seems to be reinforced by the esprit of the agency, along with need-to-know compartmentalization of access to raw intelligence.  Ethics training covers the relevant legal framework, oversight agencies, obligations of the civil service, and the public’s right to freedom of information.

Most important, the Defense Intelligence Court that must approve new targets for surveillance has an ombudsman present at all authorization hearings to raise objections about potential violations of  Swedish citizens’ privacy rights. This is not the case with its American counterpart, the Foreign Intelligence Surveillance Court, where there is no built-in challenge to mission creep and where American reporting has described a bench that philosophically favors expansion of secret surveillance at the cost of privacy.

When the Swedish Military Intelligence and Security Service, Intelligence Office (CIA equivalent), or Security Police (FBI equivalent) propose targets for FRA eavesdropping, the Defense Intelligence Court ombudsman raises questions about safeguards, explains Annica Hellstrom, head of the court secretariat in Stockholm. The ombudsman does not participate in writing the final judgment. That is made by the court chairman (or his deputy) and two persons from the court roster of six “special members” drawn from prominent Swedes across the political spectrum. Because of the secrecy of court proceedings, Hellstrom could not give any indication of how often, if ever, requests for surveillance targeting are rejected on grounds of potential violation of the country’s robust privacy laws.

A further control mechanism is the Defense Intelligence Court review of new surveillance targets after six months. There is no extension of authorization by default. The court sends copies of its authorizations to the Defense Intelligence Inspection, which then monitors ongoing compliance with the mandate. The court does not report to a parliamentary oversight committee, as there has been no permanent Riksdag intelligence committee since the first six months after the basic law for the current FRA came into force in 2009.

In answer to a question, FRA spokesman Wallin said the FRA is not technologically driven by ever improving surveillance capabilities to expand its operations and bulk data storage. On the contrary, it is eager to get rid of excess data, “not only because it is good for privacy, but also because it would fill our capacity with a lot of junk.” It adheres to the legal ban on monitoring domestic communications between Swedes. As a general rule, it destroys metadata after one year, although this period may be extended to three years for cases of ongoing analysis.

And, oh yes, there is one more Swedish example the US Congress might like to think about. Apart from strictly ringfenced technical jobs, the FRA does not outsource its tasks to subcontractors.

Elizabeth Pond is a Berlin-based American journalist and author.

World Policy Journal
© Elizabeth Pond