National Defence Radio Establishment

The National Defence Radio Establishment (Försvarets radioanstalt, FRA) is a Swedish government agency organised under the Ministry of Defence. The two main tasks of FRA are signals intelligence (SIGINT), and support to government authorities and state-owned companies regarding computer security.

The FRA is not allowed to initialize any surveillance on their own, and operates purely on assignment from the Government, the Government Offices, the Armed Forces, the Swedish National Police Board and Swedish Security Service (SÄPO). Decisions and oversight regarding information interception is provided by the Defence Intelligence Court and the Defence Intelligence Commission; additional oversight regarding protection of privacy is provided by the Swedish Data Protection Authority.

History
Signals Intelligence has existed in Sweden since 1905 when Swedish General Staff and Naval Staff respectively, had departments for signals intelligence and cryptanalysis. These departments succeeded, for instance, to decode the Russian Baltic Sea Fleet cipher. After World War I, this ability mostly ceased as politicians did not see its value and did not grant funding. The Swedish Navy still continued in a smaller scale and developed the competence further. One of the first major successes was in 1933 when the cipher of the Russian OGPU (predecessor to KGB) was solved.

In 1937, the Swedish Defence Staff was established and the Crypto Department, with its Crypto Detail IV, was responsible for cryptanalysis. In 1940, when Germany occupied Denmark and Norway, the German Wehrmacht requested to use the Swedish telephone network for its communication. This was accepted and Crypto Detail IV immediately started to intercept. The traffic was almost always encrypted by the German state-of-the-art cipher machine Geheimfernschreiber. This device was believed to produce indecipherable messages, with its 893,622,318,929,520,960 different crypto key settings. After two weeks of single hand work, the Swedish professor of mathematics Arne Beurling, decoded the cipher of the Geheimfernschreiber with only use of pencil and paper. This achievement was described by David Kahn, in his book The Codebreakers: "Quite possibly the finest feat of cryptanalysis performed during the Second World War was Arne Beurling's solution of the secret of the G-schreiber." During World War II, some 296,000 German messages were intercepted and in 1942 the Swedish Government took the decision to establish Försvarets Radioanstalt.

The first stationary collection site was located in the middle of Stockholm, but in 1940 it was moved to a number of villas in the suburban island of Lidingö. More sites were established in Sweden and in 1943, FRA moved its headquarters to Lovön, some 15 km from Stockholm. In the 1960s, even the location of the FRA headquarters was still highly secret.

Operation Stella Polaris
In the final stage of the Continuation War, 1943–44, when the Soviet Union threatened to occupy Finland, Finnish intelligence requested to transfer about 200 specialists and advanced intelligence equipment to Sweden to establish an exile organisation. A transfer of a small contingent personnel and materials, Operation Stella Polaris, was carried out over a couple of nights in September 1944. Stella Polaris gave Sweden access to a wealth of qualified materials and signals intelligence officers, some of which were also employed. For Finland, it resulted in a domestic political affair and due to the Communist Party's strong influence in the government, several of the so-called "Soviet Hostiles" involved received prison sentences.

The Catalina affair
On 13 June 1952, the Swedish Air Force aircraft Tp 79 Hugin (DC-3) disappeared during a signal intelligence reconnaissance mission east of the Swedish island of Gotland in the Baltic Sea. The Swedish government initially claimed that the flight was only a navigational exercise, but later admitted that the aeroplane had U.S. electronic surveillance equipment and five specialists from FRA on board. Three days later, a Swedish Air Force search-and-rescue plane of the type Tp 47 (Catalina) was shot down by a Soviet MiG-15 fighter, but the crew was rescued by a nearby West German freighter ship. The Soviet Union denied any involvement in the disappearance of the DC-3, despite the fact that a raft from the aeroplane was found during the search with shrapnel from MiG-15 ammunition. In 1956, the Soviet leader Nikita Khrushchev admitted to Swedish Prime Minister Tage Erlander that the Soviet Union was indeed responsible for shooting down the plane, but this was not made public, not even to the relatives of the crewmen. Russia officially acknowledged the shooting down in 1991. In 2003, the wreck of the shot-down DC-3 was found about 55 km east of Gotland. Several of the crewmen's remains were found in the fuselage and the damage to the plane showed that it really had been shot at by a Soviet MiG-15 fighter.

Organizational structure
FRA's operational activity are organized into four departments: The Signals Intelligence Service (Signalunderrättelsetjänsten), The Department for Internet Operations (Avdelningen för cyberverksamhet), The Department for Internal Support Services (Avdelningen för verksamhetsstöd) and The Department for Technical Development and Other Technical Assistance (Avdelningen för teknisk utveckling och annat tekniskt stöd). In addition to this there is also a command staff and a number of specialist functions reporting directly to the Director-General.

Facilities and equipment


The main headquarters is located on the island of Lovön in Stockholm County. The government allocated a total of SEK 860 million for the FRA in the annual budget for the fiscal year of 2014; an increase in spending with 38 million compared to the previous year, due to "greater technical costs and changes abroad". In 2009, the number of employees was "just below 700", according to the FRA.

Interception of signals is done from fixed sites on Swedish territory, from the SIGINT ship HSWMS Orion (A201) operated by the Swedish Navy, to be replaced by HSwMS Artemis, and from two Gulfstream IV aircraft operated by the Swedish Air Force.

Computing
TOP500 credited FRA with owning the world's fifth fastest supercomputer in their November 2007 list. According to the director-general's chief of staff, the computer is being used for "cryptography and information security." By November 2013, the supercomputer had fallen off the list.

Change in legislation
The FRA has a long history of intercepting radio signals, as the main intelligence agency producing and managing SIGINT in Sweden since 1942. However, up until 2009 the FRA was limited to wireless communications intelligence (COMINT), including wireless phone and Internet signals, something that was also left largely unregulated. As an ever-increasing amount of communications have transferred from radio to cables, the question of enabling FRA to collect information from cable communication was addressed by Göran Persson's cabinet in a government appointed committee of inquiry led by General Owe Wiktorin in 2003, resulting in a report suggesting a change in legislation (SOU 2003:30). In July 2005, the Minister for Defence Leni Björklund published a memorandum (Ds 2005:30) with proposed legislation changes, later passed on to the Cabinet of Fredrik Reinfeldt and Minister for Defence, Mikael Odenberg.

Prior to the change in legislation, the main law regulating FRA was the defence intelligence act (SFS 2000:130); and the telecommunications act of 1993 (SFS 1993:597) required all companies operating a telecommunication network in Sweden to assist in government COMINT, under confidentiality. This act was replaced in 2003 by the electronic communications act (SFS 2003:389), as a result of changes in EU directives.

The FRA-law
The new bill (Prop. 2006/07:63), generally referred to the "FRA law" (FRA-lagen), proposed changes in the defence intelligence act, the electronic communications act, the secrecy act of 1980 (SFS 1980:100), and the creation of an all new law regulating SIGINT. These changes would have allowed the FRA to monitor both wireless and cable bound signals passing the Swedish border without a court order, while also introducing several provisions designed to protect the privacy of individuals, according to the original proposal. The law's proponents argued for the need to give FRA new guidelines and a modernised legal framework, in order to regulate Internet surveillance and to combat threats to national security more effectively, such as terrorism and serious transnational crime; while opponents to the law claimed it enabled mass surveillance and violated privacy rights. The Riksdag passed the bill on 18 June 2008, after a heated debate amid public protests, and it went into effect on 1 January 2009.

Criticised for being too far-reaching, in an attempt to address the privacy concerns raised during the parliamentary procedure, the Government soon thereafter proposed an amendment to the law (Prop. 2008/09:201), to strengthen protection of privacy by making court orders a requirement, and imposing several limits on the intelligence-gathering. The amendment passed the Riksdag on 14 October 2009 and went into effect on 1 December 2009 (SFS 2008:717).

Current legal framework
According to the law (SFS 2008:717), SIGINT is only permitted in order to assess:


 * 1) external military threats to the country,
 * 2) conditions for Swedish participation in peace support operations and international humanitarian efforts or any threat to the security of national interests in the implementation of such efforts,
 * 3) strategic matters regarding international terrorism or other serious transnational crime that could threaten important national interests,
 * 4) development and proliferation of weapons of mass destruction, military equipment and items referred to in the law on the control of dual-use items and technical assistance,
 * 5) serious external threats to the public infrastructure,
 * 6) conflicts abroad with ramifications for international security,
 * 7) foreign intelligence operations against national interests, or
 * 8) a foreign powers actions or intentions of vital importance to Swedish foreign policy or security and defence policy.

The FRA is not allowed to initialize any surveillance on their own, and only gets access to communication lines as decided by The Defence Intelligence Court. Communications service providers are legally required, under confidentiality, to transfer cable communications crossing Swedish borders to specific "interaction points", where data may be accessed after a court order. The number of companies affected by the legislation was estimated as "being limited (approximately ten)". The law does not permit intelligence-gathering by interception of signals where both the sender and recipient is located in Sweden, only signals crossing the borders of Sweden.

Initially, only the Government, the Government Offices and the Swedish Armed Forces could use FRA's SIGINT capabilities. But after criticism from Swedish Security Service (SÄPO), a change was made allowing The Swedish National Police Board and SÄPO to make use of the FRA as well, under otherwise unchanged regulations. The bill (Prop. 2011/12:179) passed in the Riksdag on 28 November 2012 with the help of the Social Democratic Party, and went into force on 1 January 2013.

Data retention
Any personal data that may have been retained can not be stored for longer than 12 months, which is a year less than the maximum allowed by the Data Retention Directive. In 2008, prior to the change in legislation, a news report from SVT, based on an account from an anonymous source, alleged the FRA had been storing personal information for much longer; leading to a private citizen lodging a complaint with the police. Ultimately, a prosecutor did not launch a full-scale investigation, as it was deemed not illegal at the time.

Oversight
FRA is subject to regular reviews by several external government agencies.

The Defence Intelligence Court
All SIGINT has to be authorized by the Defence Intelligence Court (Swedish: ), a special court based in Kista, independent of the FRA and appointed by the Government. It is composed of a chairman, assisted by one or two vice-chairmen, and 2-6 special members of the court, holding office for four years. The quorum of the court is a chairman and two special members, and each case is assessed and approved individually. A special ombudsman from the court is also tasked to monitor and argue for the privacy rights of individuals. The decisions of the court cannot be appealed, something that is motivated, in part, by information sensitivity and the fact that special knowledge and physical protection of infrastructure and documents is needed. A government agency of legal experts reviewed the amendment (Prop. 2008/09:201) in 2009, and did not express any objection:

"The ban on appeal deviates from the perceived main rule in Swedish law, namely that a decision of a court may be appealed. In reality, however, a leave to appeal is mostly required nowadays for a case to be considered by a higher court, which is why the first court decision is also the final instance for most cases. [...] The marginal benefits to be gained with a right of appeal by the special ombudsman can equally well be achieved with high-quality court members and delegates. [The Council] considers the proposed appointment process a guarantee for high-quality members and delegates."

The court has been led by former district court chairman Lieutenant Colonel Runar Viksten since 2009.

The Defence Intelligence Commission
The Defence Intelligence Commission (Swedish: Statens inspektion för försvarsunderrättelseverksamheten, SIUN) is the management authority tasked to supervise the FRA, ensuring it follows court orders issued by the Defence Intelligence Court, and that all laws and regulations governing FRA is followed, including privacy laws. SIUN obtains possession over all signals, and they are only made available to the FRA by permission of the court. Furthermore, the commission is obliged to launch an investigation whenever someone suspects they are the target of unauthorized SIGINT. The commission is not tasked or authorized to review decisions made by the court.

The Swedish Data Protection Authority
The Swedish Data Protection Authority is a public authority, organized under the Ministry of Justice, tasked to protect the individual's privacy. As such, it audits the FRA on how they process personal data. In December 2010, after a two-year-long audit, a special mission led by the board examining FRA concluded its operations are within bounds of applicable legislation.

International cooperation
The legislation allows for the transfer of data to other states, if authorized by the Government, enabling exchanges of intelligence. In return, Sweden could receive information of importance to the national interest, something the Director-General of FRA Ingvar Åkesson and the Minister for Foreign Affairs Carl Bildt both stressed when the legislation was debated in 2008.

In 2013, documents provided to the media by Edward Snowden appeared to confirm Sweden had shared intelligence with foreign intelligence agencies, revealing Sweden had provided the NSA with a "unique collection on high-priority Russian targets such as leadership, internal politics, and energy." In response, Minister for Defence Karin Enström was quoted as saying that Sweden's intelligence exchange with other countries is "critical for our security" and that "intelligence operations occur within a framework with clear legislation, strict controls and under parliamentary oversight." Anni Bölenius, head of communications at the FRA, told Reuters: "We do in general have international cooperation with a number of countries, which is supported in Swedish legislation, but we do not comment on which ones we cooperate with".

Mass surveillance
The FRA have been contested since the change in its legislation, mainly because of the public perception the change would enable mass surveillance. The FRA categorically deny this allegation. Anni Bölenius, head of communications at the FRA, believes the public perception of mass surveillance is incorrect, saying: "It is not as we can turn on the traffic ourselves. We have to show cause and seek authorization."

The Social Democratic Party expressed their opposition to the legislation changes initially, but have since changed their views. In 2013, they provided support for an expansion of the law, to also include SÄPO and The Swedish National Police Board. This change comes after the amendment to the law, with the establishment of The Defence Intelligence Court and a narrowed scope, giving it more emphasis on defence intelligence. The court also hear each case on an individual basis, something Minister for Defence Sten Tolgfors have been quoted as saying, "should render the debate on mass surveillance invalid."

Reports and reviews

 * In 2008, the Swedish public interest litigator Centrum för rättvisa brought at case against the FRA to the European Court of Human Rights. The court decided to push ahead with the case in spite of objections from the Swedish government and is expected to make a ruling in 2017.
 * In 2009, The Council on Legislation expressed its opinion on the amendment (Prop. 2008/09:201), saying it results in "significant changes", "strengthening protection of privacy, as protected by the constitution and conventions", because "SIGINT may only take place with expressly stated purposes in accordance with the law, which does not include general criminal investigation or prevention."
 * In 2010, a report issued after a two year long review by the Swedish Data Protection Authority said, "they hadn't made any observations indicating FRA process personal data in order to map general Internet usage." However, the Swedish Data Protection Authority found that the FRA did not follow the law in all cases, and that it was, in particular, difficult to follow up on how well the FRA follows the law through logs. The exact same violation was observed again by the authority in a follow-up review in 2016. So far, no sanctions have been exacted on the FRA for not following the law.
 * In 2014, as a result of the NSA leaks, LIBE passed a motion for a European Parliament non-binding resolution, calling on Sweden to ensure its legislative frameworks were in line with the standards of ECHR and EU data protection legislation.