Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Wiretapping normally requires the permission of a court and is initially limited to four weeks.1 Provisions of the Criminal Procedure Act allow for wiretapping in two circumstances. First, Section 216(a) allows wiretapping for narcotics investigations and in connection with cases involving national security, albeit with the permission of a magistrate court. Second, Section 216(b) allows wiretapping in connection with some less serious offences but requires the permission of a magistrate court. A Supervisory Board reviews the warrants to ensure the adequacy of the protections. This board also has detailed statistics on the use of wiretapping (number of cases, what type of method, how many phone numbers, IMEI number, network addresses, what police units were responsible, and what results came from or are expected to come from the investigation),2 but these are not available to the public. However, according to Section 216(d) of the Criminal Procedure Act, the prosecutor can permit interception without court order in urgent cases.

In 2009 the Government appointed a new Control Committee for Wiretapping. Its mandate is to control that the police use of wiretapping is within the framework of the law and that the use of such methods is as limited as possible.3 The Committee publishes a yearly report on the number of times, in what type of cases and under what legal provision wiretapping has been used.4

The Criminal Code5 first prohibited the publication of information relating to "personal or domestic affairs" in 1889.6 The Criminal Code of 1902 also prohibits the unauthorised opening of sealed correspondence, including cracking security mechanisms.7 It further prohibits covert monitoring or recording of telephone conversations or other conversations in closed settings.8

A Parliamentary Commission of Inquiry was created in 1994 to investigate the post-World War II surveillance practices of Norwegian police and security services. The Lund Commission delivered a 600-page report in 1996, causing a great deal of public and political debate on account of its finding that much of the undercover surveillance practices, including wiretapping of left-wing political groups until 1989, had been instituted and/or conducted illegally and that the courts had not generally been strong enough in their oversight.9 This included keeping files on children as young as 11 years old. Legislation to monitor the secret services was approved in 1995 following the Lund Commission's recommendations.10 The legislation created a new Control Committee to monitor the activities of the Police Security Services, the Defence Security Services, and the Defence Intelligence Services. The Control Committee publishes an annual report to the Parliament.11

In April 2002, the Norwegian Parliament adopted amendments to the Norwegian Penal Code, which include prohibitions against "terrorist acts."12 Many privacy advocates and non-governmental organisations have expressed concern that the prohibition against "terrorist acts" is too broad and imprecise, and may result in persons becoming victims of arbitrary, inaccurate, or politically motivated charges.13

A report from a government-appointed commission tackled the controversial issue of balance between crime prevention and privacy in the light of global terrorism and organised crime.14 In response, Norway passed a law that makes it easier for the police to use bugging of non-telephonic conversations between criminals, a practice known as "romavlytting" in Norwegian, and other means of covert investigation.15

In 2009 a government commission appointed to evaluate the use of such covert methods delivered its report.16 The conclusion is that most of the methods seem to be used as intended and that they have an effect in a significant amount of the cases used (40 to 50 percent of the cases). The commission also states that the number of cases where the police use covert methods have been stable over the last years, and that such methods are mainly used in drug cases, which is in line with Parliament's intention. One of the Commission's main concerns is that irrelevant conversations of a private character are often picked up. They also state that better statistics on the use and effect of the different methods would make it easier to review the effectiveness, and – following this – the appropriateness of the methods.

National security legislation

All information relating to national security legislation is found under other sections of this report.

Data retention

The Data Retention Directive has not yet been implemented into Norwegian Law. There is much debate on the matter, both in public and within the ruling coalition. Within the coalition the Labour Party is in favour of implementing the directive, while the Socialist Left Party and the Centre Party oppose it. The Ministry of Transportation and Communication and the Ministry of Justice and the police have sent a proposal for an implementation of the directive on a wide national hearing.17 To try to involve the general public in the debate, the Minister for Transport and communication has created a blog dedicated to the hearing.18 It is believed that no formal proposal will be made to Parliament until the EU's evaluation of the directive – which is supposed to take place in autumn 2010.

Currently, the telecommunications providers are only allowed to store data as long as they need it to provide their service.19 This means that data is stored for billing purposes for three to five months (depending on how often the customer is billed). For Internet traffic data, the providers have to delete the communications data after three weeks. The police can get access to the data available if it is necessary for an investigation. Permission for this can currently be given by the Norwegian Post and Telecommunications Authority in the form of an exemption from professional secrecy.20

National databases for law enforcement and security purposes

Norway created a database of asylum seekers that contains biometric information such as fingerprints.21 This database was opened to the police for use in criminal investigations even though the original intent of the database was to help establish the identity of asylum seekers.22

In 2008 the police's storage of DNA samples was extended to everyone who is convicted to a prison sentence.23 Previously only felons in cases of murder, violent crimes, and serious crimes related to narcotics had to give up their DNA. One year later the number of registered profiles has increased by 40 percent to 16,600.24 According to numbers from the Ministry of Justice and the Police, around half of the DNA samples that are registered during criminal investigations match DNA profiles already in the register.

Currently, legislation related to different police databases is very fragmented. The Government has proposed to collect all legislation connected to such databases in a separate Act – the Police Register Act.25 The Act is sanctioned by Parliament but not yet implemented into law. The Act specifically mentions the following police databases (Chapter 3):(1) the "Reaction register", containing information on physical persons or legal entities who have been sentenced for breaking the law; the information registered is personal, such as name and address and what disposition was made in regards to the offence they were convicted of (e.g. prison sentence, fines, etc.);. (2) the "Journal", that is,  a running record of all activities at a local police station; (3) The "Criminal Investigations register"; (4) the "DNA register", consisting of four parts: the "Identity register" with the DNA profile of everybody sentenced for a crime that qualifies for a prison sentence; the "Investigation register", with all DNA-material collected from persons suspected of a crime that may lead to a prison sentence (if they are convicted, the material will be transferred to the Identity register); the "Trace Evidence register" with DNA from unknown persons that may be of importance to an unsolved case; the "Elimination register" with information on people working in the police and other institutions who are often in contact with crime scenes and evidence: (5) The "Fingerprinting and Photo register", containing the fingerprints and photo of anyone suspected of a crime that may lead to a prison sentence. As with DNA, the police can also maintain an "Elimination register" of the fingerprints of people working in the police and other institutions who are often in contact with crime scenes and evidence.

The new Act has general chapters on how to deal with the information (purpose binding, relevance, data quality – Chapter 2), information security (Chapter 4), access to the information (Chapter 5), limits on professional secrecy (Chapter 6), duty to notify the data subject (and the subject's right to review the information – Chapter 8), deletion of information that is no longer needed (Chapter 8), and the data subject's right to protest a registration (Chapter 9).

The Data Inspectorate previously had a right to perform inspections in all databases with personal information, with the exception of the police databases. The new Act states that the Data Inspectorate also has a right to inspect the police's systems.26

National and international data disclosure agreements

Norway has signed the Schengen agreement and will implement SIS II, the new Schengen Information System which allows for more extensive exchange of data among member countries.27 Norway has also signed the Eurodac agreement28 and the Prüm treaty.29

Cybercrime

Norway signed the Convention on Cybercrime in 2001. The necessary changes to comply with the convention were implemented into Norwegian law in 2005.30

The National Criminal Investigation Service (NCIS or Kripos), together with the ISP Telenor, has developed a filter to contribute to limiting the distribution of child pornography. The Child Sexual Abuse Anti Distribution Filter is in use by most Norwegian ISPs. The filter contains a list of domain names compiled by Kripos. When a user tries to access one of these domains, the filter instead returns a warning page informing the user that he/she has tried to access a page with content that is illegal under Norwegian law. The page also says that  the user has not been logged, and that there will be no follow-up.31 The filter has been debated on the grounds that it exists outside judicial control – it is maintained by Kripos, and there is no official list of the domains on it. There is, however, an opportunity to complain to Kripos if you are redirected to the stop-page while trying to access a domain with legal content.

In August 2008, the Minister for Justice and the Police, Knut Storberget, sent a letter to all ISPs encouraging them to implement the filter. He also states that the Government is considering making the filter compulsory, and the extent to which his request is followed will be a factor in this decision.32 The news generated some debate at the time, as Internet filtering is not presently incorporated into any Norwegian law. During a later debate about preventing Norwegians from gambling on Internet sites hosted abroad, the Minister for Culture, Trond Giske, stated that a filtering solution was out of the question, as this would threaten freedom of expression.33

Critical infrastructure

NorCERT (Norwegian Computer Emergency Response Team) coordinates work preventing and responding to IT security breaches aimed at vital infrastructure in Norway. NorCERT is a department of the Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet or NSM). Since 2000, NorCERT has run the Early Warning System for Digital Infrastructure (Varslingssystem for digital infrastruktur or VDI) in Norway. VDI has break-in detection sensors on the Internet and at some major businesses that are important for the functioning of Norwegian society.34 According to NorCERT the VDI does not collect or store information about individual Internet users.

NorCert is the coordinating body for all major cybersecurity incidents related to Norway and the national point of contact for cyber defence.

Territorial privacy

Video surveillance

The PDA provides specific rules for video surveillance. Video surveillance that does not create actual files is more weakly protected than regular personal data registers. However, if the surveillance results in the recording of pictures, then the surveillance falls under the Act and the Data Inspectorate must be informed (Section 37). The Inspectorate has the power to intervene and prohibit surveillance if it does not conform to the Act. If video surveillance is performed in a public place, there must be clear notice given, such as through use of a warning sign (Section 40). However, the Criminal Procedure Act of 1981 allows police to perform covert video surveillance of public areas if permitted by court order and the surveillance is of "essential significance" for investigating suspected criminal conduct that can result in more than six months imprisonment (Section 202(a)).35

Location privacy (GPS, mobile phones, location based services, etc.)

On average, Norwegians have more than one mobile subscription per person. After adjusting for people with more than one subscription, mobile penetration in the Norwegian population is 96 percent.36 Ten percent have smart phones, while an additional 10 percent say they plan to buy one.37 As smart phones are used much more actively than standard phones (because of applications such as "push" mail), there is a concern that this will generate more electronic traces. This has been addressed specifically by the Data Inspectorate in its response to the hearing on the Data Retention Directive.38

In 2010 the Norwegian telephone company Tele2 launched the service "Bipper". The service gives parents more control over their children's mobile use. Parents can control the numbers their children are allowed to call and block the mobile for use at certain times of day (for instance, between 11 pm and 7 am). In addition, children can use the phone as a safety alarm. However, "Bipper" also allows the parents to locate their children through an Internet service.39 This has lead to a debate on the balance between sound parental control and surveillance.40

It is to be expected that the use of popular commercial location services such as Facebook Places, Gowalla, etc. are proportionate to Norway's high Internet and smart phone penetration rates.

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

In October 2005, the production of biometric passports started in Norway.41 The security mechanism was BAC (Basic Access Control).42 The Data Inspectorate expressed serious concerns regarding the security of the passports because the data stored on the RFID chips is not encrypted.43 The chip contains a digital photo and the holder's personal information. The digital photo in the chip can be measured against the facial features of the person travelling with the passport, intended to make it easier to authenticate passport holders and reduce the risk of theft and fraud.

In April 2010, Norway started deploying passports incorporating a digital representation of the holder's fingerprint onto the chip. The fingerprint is stored only on the chip and not in a central database. When the holder enters the country, the traveller's fingerprint is compared to the one stored on the passport. The print is only stored for long enough to make the comparison.44 The biometric passports with fingerprints are protected with Extended Access Control (EAC). There has been some debate related to the implementation of biometric passports, and the Data Inspectorate has been critical of the security mechanisms in the chip.45 The initial suggestion to also store the fingerprint in the central passport database was abandoned because of arguments that this could be a threat to privacy.

Norway is part of the Schengen cooperation, and in theory Norwegian citizens may travel without a passport in the Schengen area. But because the passport is the only internationally accepted ID card available in Norway, in practice Norwegians must carry their passport anyway.

At most Norwegian airports it is possible to take fingerprints of airline passengers when they check in luggage for a flight for later verification  at the gate. The prints are deleted when the plane has landed. This is optional, and the passenger may choose to show documentation (typically a passport) instead.

There are no security checks or ID checks to travel by train, but in order to travel to a foreign country by boat, ID has to be shown upon boarding.

National ID and smart cards

Identification is required to open a bank account. In practice the only internationally accepted ID in Norway is a passport. Because many people do not qualify to get a passport, the Government has decided to issue a national identity card.46 This will not be a compulsory ID, but an alternative to a passport. For Norwegian citizens it will also function as a passport in the Schengen region. The information and security mechanisms will be the same as for the passport. In addition, it is meant to function as a digital signature (with information on a separate chip for this). There are also other providers of digital signatures in Norway. Because the information on the cards will be encrypted, it should not be possible to read them remotely in order to identify or track people.

The Norwegian government is currently developing an e-identity hub (ID-porten) to facilitate interoperability between, on the one hand, electronic identities available on the market and, on the other hand, different e-government service providers, such as the tax authorities and the social security authorities. The basic idea is to allow the end user to choose from a catalogue of selected electronic identities (both government-issued and others) when accessing government services. Providers of e-government services select a required security level (on a scale from one to four) when they agree to let the identity hub carry out the authentication of their users. Once the Norwegian national identity card is available, it is expected that it will include an electronic identity at the highest level of security (level four), which can also be used within the identity hub.

People have also to show ID to enter a central Government building and the Parliament building, and to buy alcohol or tobacco (if they are under 25). In practice, people can use any form of ID for this, such as a driver's licence or a bank card.

RFID tags

Most people living in or near a big city in Norway have an active RFID tag in their car, called an AUTOPASS tag.47 This is used to register passing through toll booths for billing purposes. The trips are registered with AUTOPASS and also locally on the chip. The information is not encrypted and can be read remotely with the right equipment.48 The Data Inspectorate has been very critical of the removal over recent years of the possibility of anonymous passage through toll booths; the option of paying in cash has been removed almost everywhere.49

RFID is also used in libraries for checking books in and out. The tag in the book only contains an ID number. Information on the name of the book and the borrower are held in the library database.

RFID has been used to tag domestic animals for many years. RFID is also used in retail, but still mostly in the back end systems and not to tag individual products that are purchased by the consumers.

There has been some debate about the use of RFID tags in tickets for public transportation. Many of these systems register every time the cardholder enters or exits a means of transportation, and the information is made available to the user online. Critics feel that this means that the individual's pattern of movement can be exposed to others, and that this information is not necessary in order to provide the service. In response to pressure from privacy advocates, there is now also a prepaid anonymous option.

In a recently published strategy for intelligent transport systems (ITS)50 the Ministry for Transport and Communication states that effective use of ITS can be a threat to privacy. The implementation of ITS can create excess information that makes it possible to map people's patterns of movement in relative detail. The Government states that there should be more emphasis on shaping such solutions to keep the personal information captured to a minimum. Travel information should not be exchanged between sectors in order to enable the tracking of individual travel patterns. The Ministry of Government Administration, Reform and Church Affairs has developed a guideline for public privacy impact assessments.51 The ITS strategy document, as well as the National Transport Plan 2010-2019,52 states that this shall be used for all relevant cases in the transport sector.

Bodily privacy

In 2007 the Norwegian Aviation Authority, Avinor, proposed to try out body scanners in the security checkpoints at Stavanger Airport. Strong negative reaction from the public and politicians led Avinor to cancel the plan.53

For many years it was unclear how biometrics related to the Personal Data Act: are fingerprints sensitive data that should be treated as such, or are they more like a person's name? This has been clarified to some extent by a series of rulings by the Privacy Appeals Board.

In case PVN-2006-754 a Norwegian municipality, Tysvær, had implemented a system using fingerprinting to log into its computer system. The need for secure identification in the case was not disputed, as access to the computer system would also allow access to sensitive personal data. The Data Inspectorate acknowledged this, but stated that other means of identification, such as a smart card and password, could provide the same level of security. The Appeals board ruled in favour of Tysvær, and stated that its use of fingerprinting is within the scope of the Personal Data Act. In the reasoning they stated that there are risks associated with smart card solutions that are not found in solutions that are based on fingerprinting.

In two other cases – PVN-2006 8 and 955 – two fitness centres wanted to use fingerprinting as a means of access control. In these cases the Appeals Board agreed with the Data Inspectorate that other, less secure means of identification would be sufficient.

In case PVN-2006-10,56 the Data Inspectorate had ruled that Esso Norway could not use fingerprinting as part of its entry control at four facilities where only trained and authorised personnel have access. The Appeals Board overturned this, and stated that in this case there was a real need for secure identification, and that an ID card combined with a fingerprint reader could provide it.

In case PVN-2006-11,57 the retailer REMA 1000 wanted to use fingerprints for authentication when its employees checked in and out for work. The Appeals Board ruled that REMA 1000 could not use fingerprinting as there are other, even though less accurate, means of satisfying its need for authentication.

These five cases have established precedents for when fingerprinting can and cannot be used.

Footnotes