Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
Yes. The possibility for the police and security police to use spyware was introduced by the Act (2020:62) on Secret Reading of Data (Lagen om hemlig dataavläsning, hereinafter, “the Act”). For domestic purposes, secret data reading means (Act section 1) that “information, which is intended for automated processing, is secretly and with technical means, read from or recorded in a readable information system”. “Readable information system” in turn means “an electronic communication device or a user account for, or a correspondingly delimited part of, a communication service, storage service or similar service”. Thus, it covers both physical equipment, such as a mobile phone or a computer, as well as a user account to, or a correspondingly delimited part of, a communication service, storage service or similar service.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
Both specific rules in the Act as well as the more general rules (proportionality etc.) which apply to all special investigative measures apply to the use of spyware. The Act is complicated. One of the reasons for this is that it refers back to the legal regimes applicable for other secret investigative measures, namely metadata interception, telecommunications interception, secret video surveillance and secret audio surveillance, previously introduced into Swedish law. These regimes were introduced during different time periods, with the possibility for secret audio surveillance (bugging) being the most recent. They provide for different thresholds for their use, depending upon how large an interference with personal integrity each of them is perceived as posing, with metadata interception being the least intrusive, and secret audio surveillance being the most intrusive. Moreover, understanding the area is made more difficult because of the frequent cross-referencing which is necessary between the Act and the more general rules, safeguards etc. on surveillance contained in the Code of Judicial Procedure, as well as certain other legislation (e.g. that establishing the oversight body, SIN, see below p.6). Finally, the area is a “moving target” in that new rules are constantly being added.
3. What kind of data, if any, could be collected with spyware?
Section 2 of the Act distinguishes between the following categories of data which can be collected:
4. Has there been any official evaluation of the need for, or added value of, spyware?
Yes. The initial authority to use spyware was preceded by a commission of inquiry (as is the norm for any new legislation in Sweden), Hemlig dataavläsning – ett viktigt verktyg i kampen mot allvarlig brottslighet, SOU 2017:89. The Act introduced in 2020 was to apply for a limited period of time (until March 2025). During 2023, the operation of the Act was reviewed by another commission of inquiry, Hemlig dataavläsning – utvärdering och permanent lagstiftning, SOU 2023:78. The general conclusion of this second commission of inquiry was that the Act, even though only a short period of time had elapsed, had been used more than expected, and that it was an essential tool of investigation which should be made permanent.
5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
Normally, the police or the Security Police provide the basis for the application to a prosecutor who in turn applies to a court which decides upon its use. As regards the use of secret data reading in connection with foreign terrorist suspects (section 9 of the Act), the application is made directly to a specialist court by the Security Police.
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
Sweden has parallel oversight systems for domestic and foreign intelligence functions. For domestic law enforcement (police, customs) and the security police, there is the Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden or SIN). This oversees the use of surveillance in investigations conducted under the criminal law. SIN was created in 2007 when the police and Security Service were granted increased surveillance powers. There was a realisation that the prosecutorial and judicial control only checked if there was reasonable cause to initiate surveillance, and there was no post hoc monitoring with focus on “lessons learnt”. SIN was thus given a follow-up oversight function over use of electronic surveillance for domestic investigations and other special investigative powers (such as the use of infiltration).
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?
For notification afterwards on the use of secret investigative measures, the rules in the Code of Judicial Procedure Chapter 27, sections 31-33 apply. These provide, formally speaking, for notification, but there are a large number of exceptions, in particular where notification would damage ongoing investigations or damage other interests requiring secrecy. There is a list of serious offences (mainly security offences) where notification need not occur. In such cases of non-notification, SIN is to be informed.
Sweden
Generally speaking, secret data reading may only be authorized to investigate an offence which has either already been committed or is ongoing (including criminalized attempts). It may also be authorized to investigate to prevent the commission of an offence under the Act (2007:979) on measures to prevent particularly serious crimes, when, having regard to the circumstances, there is reason to believe that a person will perform such an offence in the future. The 2007 Act is mainly aimed at national security offences (sabotage, arson, terrorist offences etc.), but it has been recently expanded to cover a small number of serious offences (murder, aggravated narcotics distribution etc.) committed within the context of organized crime.
There is also an exception to the requirement for there to be a criminal offence when the Security Police are acting under the Act (2022:700) on Special Control of Aliens, investigating a non-national who is suspected of belonging to a terrorist organization.
For all special investigative methods there is a “least intrusive means” test. This requires the requesting body (usually a prosecutor) to demonstrate to the authorizing body (a court or other independent body) that the information sought in the investigation cannot be obtained by less intrusive means. The use of spyware is still a very resource-intensive process which means that the investigating police or security agency also has a strong interest in effective husbanding of its limited resources.
The first basic conditions for use of spyware are to be found in section 4 of the Act. This makes a distinction between secret data reading involving, and not involving, activating a device’s microphone to record sound. For use not involving activating a microphone, there is a relatively long list of offences, namely those for which communications interception is permitted under Chapter 27 section 18 a of the Code of Judicial Procedure. This in turn refers to:
1. a crime for which a lighter penalty than imprisonment for two years is not prescribed,
2. gross data breach according to ch. 4 Section 9 c, second paragraph of the Criminal Code,
3. gross sexual abuse, sexual exploitation of children, sexual abuse of children, gross sexual abuse of children, exploitation of children for sexual posing, gross exploitation of children for sexual posing, exploitation of children through the purchase of sexual acts, sexual molestation of children or gross sexual harassment against children according to ch. 6 § 2 third paragraph, § 5, § 6, § 8, § 9 or § 10 first or third paragraph of the Criminal Code,
4. contact to meet a child for sexual purposes according to chapter 6. Section 10 a of the Criminal Code, if it can be assumed that the offense does not lead to only fines,
5. gross fraud according to ch. 9 Section 3 of the Criminal Code, if the act has been committed using electronic communication,
6. extortion according to ch. 9 Section 4, first paragraph, of the Criminal Code, if it can be assumed that the penalty value of the crime exceeds imprisonment for three months,
7. sabotage according to ch. 13 Section 4 of the Criminal Code,
8. arson, general destruction, hijacking, maritime or aviation sabotage or airport sabotage according to ch. 13 § 1, § 3 first or second paragraph, § 5 a or § 5 b of the Criminal Code, if the crime includes sabotage according to § 4 of the same chapter,
9. perjury according to ch. 15 Section 1 first paragraph of the Criminal Code, if it can be assumed that the penalty value of the crime exceeds imprisonment for three months,
10. serious child pornography crime or child pornography crime that is not minor according to ch. 16 Section 10 a of the Criminal Code,
11. abuse in legal proceedings or protection of a criminal according to ch. 17 § 10 first or fourth paragraph or § 11 first or second paragraph of the Criminal Code, if it can be assumed that the penalty value of the crime exceeds imprisonment for three months,
12. serious protection of a criminal according to ch. 17 Section 11, third paragraph, Criminal Code,
13. violation of civil liberties according to ch. 18 Section 5 of the Criminal Code,
14. espionage, foreign espionage, unauthorized position with a secret task, gross unauthorized position with a secret task or illegal intelligence activities against Sweden, against a foreign power or against a person according to ch. 19 § 5, 6 a, 7, 8, 10, 10 a or 10 b of the Criminal Code,
15. serious crime of money laundering or commercial money laundering, serious crime, according to section 5 or section 7, second paragraph of the Act (2014:307) on punishment for money laundering offences,
16. serious insider crime according to ch. 2 Section 1, third paragraph of the Act (2016:1307) on penalties for market abuse on the securities market,
17. corporate espionage according to § 26 of the Act (2018:558) on business secrets, if there is reason to assume that the act has been committed on behalf of or has been supported by a foreign power or by someone who has acted on behalf of a foreign power,
18. participation in a terrorist organization, association with a terrorist organization, financing of terrorism or particularly serious crime, public incitement to terrorism or particularly serious crime, recruitment for terrorism or particularly serious crime, training for terrorism or particularly serious crime or travel for terrorism or particularly serious crime according to section 4 a, 5, 6, 7, 8, 9 or 10 of the Terrorist Crimes Act (2022:666),
19. attempt, preparation or incitement to a crime referred to in 1-5, 7, 8, 10 or 12-18, if such an act is punishable,
20. attempt, preparation or commission of a crime referred to in 6, 9 or 11, if such an act is punishable and it can be assumed that the punishment value of the act exceeds imprisonment for three months,
21. another crime, if it can be assumed that the punishment value of the crime exceeds imprisonment for two years, or
22. several offences, if
a) one and the same person is reasonably suspected of all crimes,
b) it can be assumed that the total offense punishable by more than two years imprisonment,
(c) it may be presumed that each of the offenses formed part of a criminal offense which
was carried out in an organized or systematic manner, and
d) imprisonment for one year or more is prescribed for each of the offences
Although the list of offences for which spyware is permitted is long, it should be noted that in Sweden, corporations as such cannot commit crimes (only the representatives of these). In recent years, criminals, especially those involved in drug crime, have used dedicated encrypted mobile phones (e.g., Encrochat). Swedish law does not provide for the possibility to gain backdoor access to these platforms generally, as opposed to secret data reading of a specific criminal’s endpoint device. However, rules on mutual assistance in law enforcement meant that it was possible for Sweden to receive information from law enforcement in other countries (France, Netherlands, USA etc.) where this was legal.
Membership of a terrorist organization is criminalized. Moreover, as already mentioned, there is a special rule regarding foreign nationals suspected of belonging to a terrorist organization.
For secret data reading which involves activation of the device’s microphone to record sound, the list of permitted offences is much shorter, reflecting a higher minimum threshold of seriousness as regards offences. Section 6 of the Act refers to Chapter 27 section 2 d of the Code of Judicial Procedure, which provides for “bugging” for offences punishable by a minimum sentence of four years imprisonment, as well as a small number of security offences (espionage etc.) punishable by a lower minimum sentence. As mentioned, the reason for the higher threshold is that “bugging” (i.e. audio surveillance of a locality) is generally perceived as more intrusive of privacy than interception of the content of telecommunications.
Permission to use secret data reading involving bugging is limited to a place where there is special reason to assume that the suspect will reside. If the location is a permanent residence other than the suspect's, permission for covert data reading may only be granted if there is particular reason to assume that the suspect will reside there. There is however an exception to this requirement, where, if there are special reasons for this, the permission can be linked only to the suspect instead of to the suspect and a specific location. In such circumstances, the secret data reading may then only be used in a place where there is special reason to assume that the suspect will be staying. If the location is a permanent residence other than the suspect's, the secret data reading may only be used if there is special reason to assume that the suspect will reside there.
The second general requirement in all cases (i.e. both under sections 4 and 6 of the Act) is that an identified person must be reasonably suspected for the offence or offences (although see below). This is a basic safeguard applying to all use of special investigative measures. As mentioned, there is, however, an limited exception for preventing certain particularly serious security offences, and certain serious offences committed within the context of organized crime.
The third requirement in sections 4 and 6 of the Act is that the measure must be of particular importance for the investigation.
Another requirement is that the use of spyware is primarily available only for a suspect’s communication device (section 4a). Only if certain (more onerous) requirements are fulfilled is it possible to plant spyware on a device belonging to an identified third party which the suspect is in contact with, i.e. only if there are particularly strong reasons to believe that the suspect will contact the other device.
The requirement that there be someone who is reasonably suspected for the offence is central to Swedish special investigative measures, and is an important safeguard. However, it is modified by an exception. Where the identity of the suspect is not known, but his contacts are known, or a third party (such as a website which the suspects visits) is known, one can permit secret data reading of these contacts, or the third party, but only in order to identify the suspect. Only (stored) historical metadata, not real-time data or communications and not by means of activation of audio or video surveillance functions can be used for this (section 4b).
There are protected categories of people. Under section 11, an authorization for secret data reading may not refer to a readable information system that is normally being used or is specifically intended to be used:
1. in situations where confidentiality applies according to ch. 3. Section 3 of the Freedom of the Press Ordinance or ch. 2 Section 3 of the Freedom of Expression Act, (i.e. protection of journalists’ sources, editors’ offices etc.)
2. in activities conducted by lawyers, doctors, dentists, midwives, nurses, psychologists, psychotherapists or family counselors according to the Social Services Act (2001:453), or
3. by priests within faith communities or by those who have a corresponding position within such communities, in activities for confession or individual pastoral care.
Under section 12 of the Act, an authorization can provide for secret entry to premises to plant spyware physically on an information system (e.g. a stationary computer). If the premises are a dwelling house that is constantly used by someone other than the suspect, then this is only allowed under special circumstances (section 7 first paragraph or section 9 first paragraph)
and only if there is special reason to assume that the information system is there.
Under section 13 of the Act, permission to enter premises cannot be issued for premises belonging to the categories of “protected” professions set out in section 11 (places of worship, mass media, lawyers’ offices etc.).
Swedish law places limits on who can be heard as a witness in certain circumstances (e.g. spouses may not be obliged to witness against each other). Section 27 refers to these limits, prohibiting the use of surveillance data to circumvent this.
Another safeguard is time limits. Sweden provides for a maximum (renewable) period of one month (section 18). However, the Act also provides that if the conditions for the authorization have changed, the surveillance is to cease immediately. Figures from 2023 show that the average period of authorization was 21 days, with the median period 13 days.
In making an application to the court, it is the prosecutor’s duty to set out conditions aimed at minimizing, as far as possible, the interference the measure entails with individuals’ personal integrity (Section 18 first paragraph 4 of the Act). In the preparatory legislative works, these conditions were seen as an important part of justifying the measure. According to the travaux préparatoires, conditions can encompass any circumstances that benefit the protection of the personal integrity. Such conditions are in addition to the duty on the requesting body (police, Security Police, customs) to specify what types of information sought (see p. 3 below on differentiation of the data), which is also a safeguard. The oversight body, SIN (below p. 6) has on occasion criticized prosecutors for not setting conditions – the reason for this apparently being lack of time in the case in question.
Procedurally speaking, the setting of conditions is usually assisted by the fact that a security screened advocate participates in the procedure, and may propose to the court that such conditions are set. A failure to set conditions in a particular case thus means that this safeguard mechanism (not simply the prosecutor) has failed in some way. Those providing electronic communication services are obliged by law to cooperate with the police/security police (section 24). These people have a duty of confidentiality (section 32).
Secret data reading performed remotely involves the exploitation of a vulnerability. This exploitation risks exacerbatin software and hardware vulnerabilities of devices belonging to third parties. Section 25 therefore provides that “When the enforcement is terminated, the executive authority must take the necessary measures to ensure that the information security in the readable information system to which the permit relates must maintain at least the same level as at the beginning of the enforcement.
A technical aid that has been used must be removed, uninstalled or otherwise rendered unusable as soon as practicable after the permit has expired or the permit has been revoked”.
As secret data reading is likely to produce a considerable amount so called “surplus information”, it is important that prohibitions/regulations exist regarding this information.
There are a series of different provisions in the Act providing for whether, and if so, under what circumstances, surplus information can be used (sections 28-31). The basic rule is to require the destruction of this information. However, an exception is permitted where the offence, respectively threat to national security in question, while not part of the basis of the original authorization, is nonetheless of sufficient seriousness, were it known at the time, to have fulfilled the conditions for authorizing hacking in the first place.
Finally, in the changes that were made more recently, it was found necessary to make a statutory requirement to document all decision-making in secret investigative measures. It was no longer regarded as sufficient that such matters be governed only by internal instructions in the prosecutor’s office or police/security police.
communication interception data: data on the content of messages that are transmitted or have been transmitted to or from a telephone number or any other address in an electronic communication network, communication monitoring information: information about messages that are transmitted or have been transmitted in an electronic communication network to or from a telephone number or any other address, location information: information about the geographical area in which certain electronic communication equipment is or has been, camera surveillance data: data obtained through optical personal surveillance, audio surveillance data: data relating to speech in a private room, conversations between others or negotiations at meetings or other gatherings to which the public does not have access, other stored and real-time data on the device not falling into the above categories.
Section 23 of the Act provides “The technology used in connection with secret data reading must be adapted to the permission granted. The technology must not make it possible to read or record any other type of information than what is specified in the permit. If such information has been read or recorded, recordings and records of this information must be immediately destroyed and the Security and Privacy Protection Board notified.
Information specified in the first paragraph may not be used in a criminal investigation to the detriment of the person who has been covered by the measure or anyone else to whom the information relates.”
Annual figures on the use of different surveillance methods by the police (including secret data reading) are published by the Prosecutor General. These break down the authorisations into the different categories above. The most recent figures, for example, show that.
However, this has a function in terms of providing evidence in a future prosecution.
Authorisation to remotely activate video surveillance on a device was given only four times in 2023. Authorisation to remotely activate audio surveillance on a device was also given only four times in 2023. The figures, published since 2020, when the Act was introduced, show that the overwhelming purpose for which secret data reading is granted in Sweden is to break a device’s encryption.
In addition to this commission of inquiry, the oversight body, the Security and Integrity Protection Board (below p. 6) has made a number of proprio motu investigations into how the Act is being applied.
Where an application is made by a prosecutor, the prosecutor is to propose conditions on its use (section 18, first paragraph 4).
All such requirements to provide concrete/factual indications, and satisfy given evidential thresholds must be accompanied by duties to document this in the application. This is necessary, partly because the conditions might well change during the investigation and partly because it will be necessary for the follow-up oversight which must occur.
SIN’s mandate is 1) to ensure that surveillance activities by the police, including the Security Police, are conducted in accordance with laws and other regulations and 2) that the Security Police filing of personal data is ‘conducted in accordance with laws and other regulations’.
These laws etc. include the limits set out on the filing of sensitive data in the constitution (Instrument of Government Chapter 2, Section 6; ECHR Article 8) and in the Police Data Act, as well as the Security Police’s own regulations on initiating, adding to, correcting and terminating personal files. Although the mandate is only framed in terms of ensuring compliance with the law, a proportionality test is a fundamental part of this.
SIN is an example of a “hybrid” body, mixing political and legal oversight. Under Section 5 of the Act on Supervision of Certain Crime-Fighting Activities, SIN shall have a maximum of ten members. These are appointed by the government for a (renewable) fixed period of no more than four years. The members are to be ‘suitable for the assignment in terms of judgment, independence, obedience to the law and other circumstances’. All the parties in the Riksdag can propose a member of the Commission. Most of the parties have appointed experienced politicians, some of whom are active MPs. The Chair and Vice Chair shall be, or have been, a tenured judge or have other equivalent legal experience. The position was taken at the time of its creation that this was necessary for the integrity and competence of SIN.
Appointment of the Chair is preceded by consultations with the heads of the other parties represented in the Riksdag.
Decisions are taken by majority vote: there is a quorum when the Chair and half of the other members are present. Any member may request that a meeting should be held but the Chair decides. SIN as a monitoring/complaints body meets around once a month, as do its delegations.
The permanent staff of SIN consists of a number of lawyers (usually 15-20). Since 2023, it also has a technical expert.
Section 2 of the Supervision Act provides that SIN exercises its supervision through inspections and other investigations. It takes up a number of cases of its own motion every year. On complaints, see the reply to the next question.
Section 4 of the Supervision Act provides that SIN is entitled to obtain the information and assistance it requests from agencies subject to its’ supervision. Even courts and agencies that are not subject to its supervision are also obliged to supply it with the information it requests.
While SIN cannot compel witnesses to appear before it, failure to cooperate with SIN can, ultimately, be seen as misuse of office and reported as a criminal offence (Criminal Code, Chapter 20, Section 1).
Another restriction is that SIN’s mandate in relation to monitoring surveillance applies to the law enforcement agencies (i.e., the police, including the Security Police and the prosecutors). It does not, as such, extend to the courts which authorise the use of such measures. Scrutiny of the adequacy of the reasoning of a court thus is not within SIN’s mandate. This restriction is to preserve judicial independence. However, satisfactory oversight here really involves matching the initial suspicions justifying the surveillance against the product of the surveillance. Where a pattern emerges of weighing losses to integrity too lightly against
alleged gains to an investigation, SIN should criticise this and demand improvements in routines. This must, reasonably, involve implicit criticism of the body which has authorised the surveillance—the courts.
SIN members and staff are bound by secrecy. The Public Access to Information and Secrecy Act, Chapter 15, Sections 1 and 2, deals with maintaining secrecy for purposes of protection of national security and foreign relations. Chapter 18, Sections 1 and 2 deals with secrecy in the prevention and investigation of crime and in intelligence gathering. As SIN is an administrative agency, its members (even if they are serving MPs) can be and are security vetted. Criminal sanctions for breach of the Act are to be found in the Criminal Code, Chapter 20, Section 3. Other security crimes in Chapter 19 of the Code (espionage, unlawful revealing of secret information, reckless revealing of secret information etc.) may also be applicable.
Section 2 of the Supervision Act provides that SIN ‘may make statements on established circumstances and express its opinion’. It can decide to publish special reports, something which is an important feature of oversight. Parliament may not formally task SIN to look at a particular issue but the fact that the composition of SIN consists mainly of politicians means that the same thing can be achieved informally: where there is a majority for investigating a particular issue, SIN will do so.
SIN reports annually to the government. The report is published. SIN itself decides what information to reveal (albeit applying its duty to keep confidential secret information). If SIN considers that laws or regulations are deficient, it may express its opinion on this, if need be confidentially. It can be noted that SIN’s reports are not the only official source of information on surveillance.
If SIN considers that a criminal offence has been committed, it is to refer the case to the Prosecutor-General. If it considers that errors have been committed in handling of personal data which should be rectified, or which might entitle an individual to damages, it is to refer the case to the Data Inspection Board or the Chancellor of Justice (or both). These bodies
make an independent assessment of the need for rectification/damages, so SIN’s decision in this regard should be seen as only the first stage in the obtaining of an effective remedy. As far as I am aware, so far, only one referral has been made to the Chancellor of Justice.
As regards secret data reading specifically, unlike for other secret investigative measures, such as telecommunications interception, there is a duty on an authorising court to inform SIN when an authorization has been granted (section 21 of the Act). This proactive duty gives SIN a better overview of how the Act is being applied, and to decide whether or not to initiate an oversight investigation.
There is a standing remedy mechanism. Section 3 of the Supervision Act provides that, at the request of an individual, SIN is obliged to check whether he or she has been the subject of secret surveillance or subject to processing of personal data and whether the use of secret surveillance and associated activities or the processing of personal data was in accordance with laws and other regulations. There is an exception where the complaint is ”manifestly ill-founded”. SIN is to inform the complainant that a control has been carried out. However, the standard reply is ”no violation of the law has occurred”.