Is personal information safe from foreign governments?
The world has gone cyber and the government has decided to join other countries by pushing ahead with a new law regarding cybersecurity.
However, several experts and politicians are now questioning whether the law would make it easier for the government to hand over personal information to foreign intelligence services like America’s NSA.
Democratic principles at risk
“I understand that it is necessary to co-operate internationally in order to fight hacker attacks,” said Birgitte Kofod Olsen, the chairman of Rådet for Digital Sikkerhed, an independent organisation concerned with digital security.
“However, I find it difficult to see how we can uphold democratic principles, if we give our intelligence services such extended powers.”
The proposal would consolidate the Center for Cybersikkerhed’s placement under the wings of the Danish defence intelligence service, Forsvarets Efterretningstjeneste (FET), to which it was moved from the Research Ministry in 2012 – at which point the information became exempt from public scrutiny.
It would enable the centre to not only collect and hand over information to foreign governments, but also to prevent ordinary citizens and journalists from obtaining access to information regarding the centre’s activities.
A reassuring meeting
Rikke Frank Jørgensen, a researcher and cyber expert at the Danish Institute for Human Rights, agreed with Kofod Olsen.
“The overall picture is that they get to exchange more with fewer safeguards,” said Jørgensen.
However, she was more reassured after a meeting on March 17 with the Defence Ministry and other organisations, where the ministry promised that no personal information would be handed over to foreign governments.
Access to personal details
Both experts pointed out that one of the problems was that the draft law gave too broad a mandate as to when personal data may be handed over to cybersecurity units abroad – for example to foreign intelligence services such as the NSA and British intelligence services.
“It can be each time they [the Defence Ministry] say there is a security incident,” Jensen said. “But what is a security incident? It could cover a wide range of situations.”
What is a ‘security incident’?
The proposed law specifies only that a “security incident” is a negative occurrence that could influence data or information systems. One example given is a trojan horse installed via an email attachment, which either destroys the existing data or allows the hacker to extract the information on the targeted computer.
This covers not only information connected with a terrorist attack, but also cases where a hacker located in, for example, China has hacked into a public computer in a council’s health department. In a case like this, the information could be handed over to the NSA if the American authorities have experienced similar attacks by a Chinese hacker.
Ministry: Nothing personal
“It could be information regarding a person’s health, their social security number and other personal information related to the incident,” Olsen said.
However, the Ministry of Defence at a meeting with all the relevant organisations on March 17 said it would further specify the type of situations in which data may be exchanged. Moreover, it was reiterated that the information that could be transferred abroad concerned traffic data, like email addresses, not content.
Several politicians on both sides of the aisle are concerned the new law could go too far.
“The road is paved with good intentions, but it opens up for a truckload of personal information that can be collected, stored for a long time and handed on to others – without anyone knowing about it,” Venstre’s IT spokesperson Michael Aastrup Jensen told Politiken on March 10.
The former government partner SF and its co-operation partner Enhedslisten are also concerned.
“I would be concerned that citizens and companies lose their legal rights, and that we lose control over our own information,” Stine Brix, the IT spokesperson for Enhedslisten, told Politiken on March 5.
Defence spokesperson Zenia Stampe (R) told Politiken on March 5 that her party is willing to look closer at the proposal.
Under civilian authority
Olsen recommended that the centre should be moved back under the jurisdiction of one of the civil ministries like the Justice Ministry or the Research Ministry, where the public would have insight into the information under the rules of openness in government.
“It should be removed from the Ministry of Defence,” she said.
“We do not discuss whether they can look at the information. The problem is that it [the information] is obtained by the intelligence services. When it is there, it can also be used.”