Last updated: 2017-09-13.
This working note is an attempt to describe the situation regarding Internet censorship and surveillance in Norway to the best of my ability. I try to keep it up-to-date as legislation and case law evolves, but there are no guarantees. Please use the comment field or send me a PM if you have corrections or think I've missed an important new development.
Surveillance on Internet activity takes place on three levels in Norway: 1) By private operators; 2) By the police; and 3) by the military. The legal framework for each of these groups are discussed below.
In Norway “Lov om behandling av personopplysninger” (Personopplysningsloven – Personal Data Act, which is based on the EU privacy directive) imposes regulation on what personal data a private operator can obtain through surveillance and record. An IP address is considered personal data according to this law, and an IP address about criminal activity is sensitive personal data, which cannot be processed unless the data subject gives his or her permission to the processing. However. a provision in the Norwegian copyright act makes an explicit exception to this rule, allowing data processors acting on behalf of holders of copyright to collect and process IP addresses of individuals suspected of being engaged in illegal file sharing of copyrighted materials on the Internet. This is actively used in Norway to target file sharers.
The IP address, however, does only indirectly identify the subscriber. It need to be linked with the traffic data record held by the subscriber's Internet Service Provider (ISP) to identify the subscriber. However, following a desicion in Høyesterett (the supreme court) in 2010 (HR-2010-1060-A - Rt-2010-774) where an ISP was ordered to identify the subscriber based upon IP-address, this information has been provided to copyright holders. This has resulted in the conviction in court of at least one individual for illegal file sharing, and is also used to send letters threatening legal action to individuals suspected of illegal file sharing.
The legal framework with regard to Internet surveillance by the police is the same as for all communication (i.e. the old legal framework for telephony wiretapping has been extended so that also applies to communication over the Internet).
The relevant law is “Lov om rettergangsmåten i straffesaker av 1981-05-22 nr. 25” (Straffeprosessloven – Penal process law), in particular chapter 16a. The Norwegian legal terms for wiretapping/eavesdropping are “kommunikasjonskontroll”, “kommunikasjonsavlytting”, while hacking into a computer system to extract data stored on is called “dataavlesning”.
To intercept email or Internet traffic, or to hack into a computer system requires a court order and person under surveillance need to be suspected of being involved in serious crime (i.e. a crime that may be punished with 10 years in prison, espionage, terrorism, downloading child abuse materials, human trafficking, narcotics, etc.).
In 2011, the EU data retention directive (Directive 2006/24/EC) was incorporated in Norwegian law, requiring ISPs to retain traffic data recirds for six months and make these available to the police. At the same time, the telecommunications act was changed to remove the duty of confidentiality that telecommuncation operators (including ISPs) otherwise has with respect to traffic data. However, when the European Court of Justice declared the Directive 2006/24/EC invalid for violating fundamental rights, the incorporation of the data retention directive was annulled. There has since been several attempt to reintroduce it in amended form, but none has so far made it into law.
Military Internet surveillance in Norway is regulated by “Lov om Etterretningstjenesten av 1998-03-20 nr. 11” (Law about the [military] intelligence service). The law gives Forsvarets Etterretningstjeneste (ETJ) a very broad mandate to collect information that “serves the interest of Norway in relation to foreign states, organisations and individuals” (§ 3). The service must however, refrain from collecting information about Norwegian persons or legal entities (§ 4), but there seems to be no restrictions as far as foreigners are concerned.
This broad mandate empowers ETJ to do electronic surveillance on communication originating from foreign individuals and organisations, but since the infrastructure that carries this traffic is owned by private telecom operators, ETJ has so far been unable to carry out electronic surveillance, as there was no provision for them to force the telecom operators to install the required snooping equipment. In 2016, the report Digitalt Grenseforsvar (Digital Border Defence) proposed that ETJ should have full access to this infrastructure. The current status (2017) is that legislation is being prepared to implement this proposal. When this is made into law, it is expected that ETJ will conduct electronic surveillance in Norway to the full extent of its mandate.
According to documents leaked by NSA whistleblower Edward Snowden, Norway shares signal information with USA, UK, Canada, Australia, New Zealand, Denmark, France, and the Netherlands through an arrangement known as “9-Eyes”.
Norway is not a member of the EU, but it is part of the EEA, which means that it is obliged to implement first pillar EU directives, including the EU Directive on electronic commerce 2000/31/EC and the EU Directive on copyright 2001/29/EC.
The EU Directive on electronic commerce says (among other things) says that ISPs shall not monitor their subscriber's use of the net. However, the general interpretation of the directive in Norway is that the ISP may be responsible for illegal content on its servers (e.g. child abuse materials, pirated copyrighted works) if the provider, upon obtaining such knowledge or awareness, do not act expeditiously to remove or to disable access to the content. A not-intended(?) result of the directive is that some ISPs have user agreements that empowers them to expeditiously remove any controversial content, including content that is clearly not illegal, just to make sure that they do not become part of any controversy surrounding such content.
For instance, in February 2008, the ISP Imbera removed the “Mohammed caricatures” from pages belonging to one of their customers. The removal was done on grounds that Imbera had a “user agreement” that banned users from posting controversial content on Imbera's servers.
The EU Directive on copyright article 8.3 requires
that rightholders are in a position to apply for an injunction against intermediaries whose services are used by a third party to infringe a copyright or related right.
In Norway, rightsholders can go to the courts and request such injunctions. So far injunctions has been imposed by the courts for Norwegian ISPs to block (by means of DNS blacklisting) their customers' access to the following web sites: Pirate Bay, Extratorrent, Viooz, Primewire, Swefilmer, DreamfilmHD, Movie4k (2015), Watch Series, Putlocker, TUBE+, CouchTuner, Watch32, SolarMovie, Project Free TV and Watch Free (2016).
In March 2016, the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (ØKOKRIM) impounded the Internet domain name popcorn-time.no, citing a clause in Norway's Penal process law (§ 203) allowing the police to impound “things” that the victim of crime may gain possession of if a criminal trial leads to conviction. The typical application of this clause is that stolen goods is impounded pre-trial to prevent them from being disposed off by the criminals. In this case, the “thing” is intangible (a domain name), and the legality of the action take by the police has been challenged as an attack om free expression by Norwegian digital rights group EFN and Norway's Unix User Group (NUUG). At the time of writing (Sep. 2017), the lawsuit has not yet been decided.
Beyond the EU Directive on electronic commerce and the EU Directive on copyright, there is no legal framework in Norway supporting Internet censorship. There is a voluntary child sexual abuse filter that is discussed below.
However, in 2007, the Data Crime Committee (Datakrimutvalget – committee appointed by the Government to review the penal code with respect to computer crime) discussed making blocking of illegal content (i.e. child abuse materials, gambling sites) mandated by law. However, this proposal was dismissed by the majority of the committee, never proposed to the legislative, and not enacted into law.
The police shall on demand be given subscriber information associated with a particular IP-address used by a subscriber of the ISP without a court order. This follows from a Supreme Court decision in 1999 (HR-1999-88-A - Rt-1999-1944). The case in 1999 involved a user suspected of distributing child abuse materials, but as a result of this ruling, the police now get this data on demand in all types of cases.
Voluntary filtering scheme
The filter is simply a blacklist of DNS-addresses that is maintained and distributed by Kripos (the Norwegian police for organised crime, economical crime and other serious criminal issues). Each ISP implements this blacklist in its Domain Name System (DNS) servers by redirecting attempts to access blacklisted pages to a page with a warning message. For my ISP (Uninett) this is the warning page.
The filter is an unlegislated cooperation between the ISPs and Kripos, initiated in 2004. The list of filtered addresses is secret, but a list of supposed blocked addresses was posted to Wikileaks in April 2009. The list on Wikileaks contains 3518 DNS-addresses.
In September 2008, Minister of Justice, Knut Storberget, sent a letter to all Norwegian ISPs stating that unless adoption of the voluntary filtering scheme became universal, he would seek a change in legislation that made the CSAADF filter mandatory. In light of this interference by the minister, it may may be argued that Norway's CSAADF filter constitute a covert form of government censorship, under the guise of a “voluntary” filtering scheme.
Illegal or harmful content
Online child abuse materials and some sites that are found by the courts to facilitate file sharing of copyrighted materials are filtered on an ongoing basis. The provisions for this filtering are described elsewhere in this working note.
Unregulated gambling is also regarded as illegal in Norway, and from time to time there are vocal proposals from various pressure groups that Norway should also filter gambling web sites, but this is currently not done.
In addition to the ongoing censorship by means filters (described above), the other restrictions on free speech that exists in the Norwegian legal framework are handled by the courts after the speech has become public. The offender may be punished, or obliged to pay compensation, and to take down the materials found to be illegal or harmful.
There is a provision in the Criminal Code (Straffeloven § 267) that makes it a crime to violate somebody's privacy. It says:
Den som gjennom offentlig meddelelse krenker privatlivets fred, straffes med bot eller fengsel inntil 1 år.
Unofficial translation into English by me of the above text:
The person that violates privacy by means of public communication, is punished by a fine or incarceration up to one year.
In addition, Norway has a law that make hate speech illegal (Straffeloven § 185).
Hate speech is defined as communications to the public that disparages, incites hatred, persecution or contempt for a group or indivudals based on the following attributes: colour of skin, nationality or ethnicity; religion or philosophy; sexual orientation; disability.
It is also a criminal offence to breech a duty of confidentiality for certain professionals such as priests and physicians, to reveal military secrets.
There is no provision in the criminal code that covers defamation or libel, but victims of defamation and/or libel may seek satisfaction through the civil courts for financial and other harm caused by the communication.
Who initiates filtering/censorship?
According to this article, when the child sexual abuse filter debuted in 2004, it was the result of an initiative of the Minister of Justice, Odd Einar Dørum.
As noted, the Minister of Justice, Knut Storberget, in 2008 took an active role in getting all ISPs to adopt the “voluntary” filtering by sending the ISPs a letter telling them – in effect – that unless they adopted the CSAADF filtering scheme voluntary, he would seek legislation change to make filtering mandatory.
Currently, the main lobby organisations calling for filtering, censorship, and extended powers for private operators to monitor Internet activity is representing the recording and film industry. Among the most active is TONO (Norway's collecting society for musicians), the Norway chapter of IFPI (International Federation of the Phonographic Industry), and the Norwegian society for film- and tv producers, In addition to participate in the general public debate about filtering and censorship, these organisations participate in government working groups and publish white papers with specific proposals for changes to be made in copyright and privacy laws.
In the general public debate about filtering, both politicians, special interest groups such as “Redd Barna” (Save the Children), religious leaders, etc. from time to time suggests that specific censorship is implemented, but these are less visible and less successful in their lobbying than the recording and film industry.
You may also be interested in: Online Censorship News.