Built-in collection¶
Some collection is not an intrusion into the network. It is the network.
Lawful intercept, by design¶
The European Telecommunications Standards Institute (ETSI) publishes the standards for lawful-intercept capability that telecommunications providers operating in Europe are required to implement. Every mobile network, internet service provider and relevant platform builds interception in as a condition of operating. The apparatus for surveillance is not optional equipment bolted on later; it is part of the architecture by design. That it exists for authorised use does not stop it being a standing capability, and the same built-in access is a target for anyone who can reach it.
Intelligence-sharing alliances¶
Several EU member states take part in the Nine Eyes and Fourteen Eyes signals-intelligence arrangements alongside the United Kingdom and the United States, among them the Netherlands, Denmark, France, Germany, Belgium, Italy, Spain, Norway and Sweden. Each agency collects what it characterises as foreign intelligence, including communications transiting its territory, and shares the product with partners. Because “foreign” collection in one jurisdiction captures data about citizens of partner states, the combined effect is a distributed system in which a domestic bar on surveilling one’s own citizens can be navigated by receiving the same data from a partner whose threshold, or whose definition of “foreign”, is different.
Buying what a warrant would require¶
Government agencies can and do buy data from commercial brokers, acquiring location histories, behavioural profiles, social connections and identity information without the legal threshold that targeted collection would demand. Because brokers compile the material from advertising ecosystems, app telemetry and public databases, the product is detailed, current and lawfully held by the broker; the onward sale to an agency needs no warrant. In the United States the practice is documented and contested. In Europe it is less publicly examined, and it operates in the gap between consumer data protection, where the GDPR applies, and national security, where it does not. The Databroker Files investigation showed how far that reach extends, into the location traces of officials inside the EU’s own institutions.
Last reviewed: 2026-07-08.