The past few months brought Romania three different surveillance proposals which blatantly increase the powers of the already excessively powerful Romanian intelligence organisations.

1. The first proposal is the new cybersecurity bill that we’ve already covered in past EDRi-gram articles. It would put computer and network security almost entirely under the purview of the many local intelligence services. They would receive information about all security breaches and handle all “cybersecurity infrastructures of national importance”. The public consultation was a complete fiasco, as nothing in the original text of the bill was changed as a result of the process. Moreover, the Minister of IT&C even participated in several conferences and explained how the law would work even before the consultation period was over. This shows that the final text was set in stone from the start of the consultation process, even though the text is almost identical to the one that the Romanian Constitutional Court previously ruled unconstitutional.

The NIS directive seems like a list of quaint guidelines when compared to the current text of the Romanian cybersecurity bill. The bill would apply to all legal persons that handle personal data using IT systems, which includes newspapers, NGOs, SMEs or doctors, to name just a few.

Hosting providers somehow get a special regime, with the bill forcing them to help “competent authorities” (whatever that means) and to log all activities taking place on their IT systems if they get an unknown type of judicial order.

Ten different public institutions get various responsibilities in the field of “ensuring cybersecurity”, with the Romanian intelligence organisations being given the lead role on “cybersecurity infrastructures of national importance”, which are intended to be a class of service providers which will be established later by a procedure led by the Ministry of Communications, and which includes vague definitions such as “IT system which ensures citizens and business access to public services”. Would that be an ISP? An open data portal? A small app to pay your taxes? Nobody knows…

It gets worse – for example, in some instances, an IT security provider would need to notify various intelligence services before they notify their own clients of threats against the client’s own equipment.

2. The second proposal is the mandatory registration of pre-paid SIM cards. After the Brussels attacks, the first reaction of the Romanian authorities was to announce a new law on mandatory registration of pre-paid SIM cards. This is the fifth attempt of this kind, after the previous three were rejected by the Parliament and the fourth one was ruled unconstitutional by the Constitutional Court in 2014.

The reason given for this fifth attempt was that, allegedly, some pre-paid SIM cards were used in the Brussels attacks. This was soon proved to be a false alert, but then the stories were changed into allegations that some of these cards are being used in Iraq and Syria. No one could tell if those were used in any kind of attacks, but this was claimed by intelligence organisations to be a major “security threat”.

As a result, a new bill will be proposed by the government for the mandatory registration of all pre-paid SIM cards bought in Romania. We don’t know what the text will entail, but sources say that it needs to happen “very fast”. Of course no one could pay 0.25 Euros to a beggar to use his ID in order to buy a pre-paid SIM card. That just can’t happen.

3. The third (and successful) proposal increased the powers of the biggest local intelligence organisation when it comes to technical surveillance measures. It started with the Constitutional Court ruling which stated that three words (“other competent authorities”) in the article of the Criminal Procedural Code concerned with technical surveillance measures are too vague and thus unconstitutional. The government took this as a potential threat to the fight against corruption, so it considered it needed to be fixed quickly.

And a quick fix it was. An “Emergency Ordinance” was adopted in just half a day, after the text was agreed – not by the Parliament, but by the Supreme Council of State Defense, where the intelligence organisations are present and have an inordinate amount of influence. Even the leaked text of the Emergency Ordinance was changed by the time it was published in the Official Monitor. What was supposed to be a “temporary fix” somehow managed to morph into a permanent measure. This text brought even more bad news: the Romanian Intelligence Service (SRI) has now been given powers in the penal proceedings for certain crimes, which brings back terrifying memories of Ceausescu’s Securitate. The same organisation is now the official owner of “interception devices”, through a special unit; no one knows when it was set up or what its actual role is.

We have a cynical saying in Romania, which, unfortunately, proves to be true one more time: “We live in Romania and that keeps us busy all the time”.

EDRi-gram: Romanian cybersecurity law reloaded (10.02.2016)

https://edri.org/romanian-cybersecurity-law-reloaded/

The Mandatory Registration of Prepaid SIM Card Users (11/2013)

http://www.gsma.com/publicpolicy/wp-content/uploads/2013/11/GSMA_White-Paper_Mandatory-Registration-of-Prepaid-SIM-Users_32pgWEBv3.pdf

Technical and legal guarantees for technical supervision (in Romanian) (31.03.2016)

https://privacy.apti.ro/2016/03/31/garantii-tehnice-si-de-transparenta-in-mandatele-de-supraveghere-tehnica/

Open letter: Mr. Prime minister, we wait for the open discussions on pre-pay, cybersecurity and wiretapping (in Romanian) (30.03.2016)

https://privacy.apti.ro/2016/03/30/domnule-prim-ministru-asteptam-calendarul-discutiilor-asezate-si-pe-pre-pay-si-pe-interceptari-si-pe-securitate-cibernetica/

(Contribution by: Bogdan Manolea, ApTI)