Stakeholders' Views of Online Surveillance Capabilities

We examine how stakeholders ( n = 74) in the United Kingdom, Finland and Norway perceive security authorities’ online surveillance capabilities, and how these perceptions form patterns transcending national borders and organisational boundaries. Using a Q-methodological approach, we found variation within and between nations that is usually obscured in the polarised public debates. Furthermore, our stakeholders presented areas of consensus not usually apparent in public discourses. We argue for using awareness of this nuance and areas of convergence as platforms on which to build more effective public debates to further principles of deliberative democracy.


Introduction
The twenty-first century has seen a rapid increase in online surveillance, due partly to a boom in the development and use of connective technologies.By 'online surveillance', we refer to covert measures to capture, store and analyse the data gathered from networks and network-connected devices, either for the purpose of national security or for the criminal intelligence.Public discussion surrounding these developments, particularly following the Snowden revelations of 2013 which revealed extensive state surveillance of online spaces (particularly in the United States and United Kingdom), has tended to become polarised into antagonistic positions (Omand & Phythian 2013;Oomens et al 2023).While state representatives continue to argue that these types of capabilities are unavoidable for the safety of citizens, opponents warn of the risk of authoritarian control and the destruction of privacy (Oomens et al 2023).Usually only a few themes Extended author information available on the last page of the article are publicly discussed at a time, leading to oversimplified and fragmentary presentation of complex and interdependent issues (Bernal 2016).Furthermore, unequal media coverage of the online surveillance policy discussion may hinder a genuinely inclusive public debate reflective of the full range of subjective viewpoints (Hintz & Brown 2017;Savski 2020).
In this article, we systematically examine these viewpoints by asking relevant stakeholders from a variety of positions in three countries, the United Kingdom (UK), Finland and Norway, to rank and respond to an extensive set of arguments and issues about security authorities' online surveillance capabilities as presented in public discussion.The term 'stakeholders' refers to those organisations and individuals most engaged in policy debates or involved in the deployment of online surveillance, such as politicians, legal authorities, NGOs, researchers, active citizens, representatives of the media and the private sector.Q-method research design gives the stakeholders a unique opportunity to consider issues concurrently rather than in sequence.Our research contributes to existing scholarship on online surveillance debates, providing a rare empirical comparison of opinions across three European countries, revealing areas of consensus usually obscured by the polarised public debates.
Our research design was influenced by studies conducted under the rubric of deliberative democracy which strive to build inclusive, multi-voiced and reasoned discussion characterised by mutual respect and general acceptability over majority rule.While public dialogue, especially that conducted online, has an increasing tendency towards polarisation (Savski 2020), there is a growing body of literature which suggests that the relationships of the actors in debates on surveillance is more complex than it appears (Stevens and Allen-Robertson 2021;Martin et al 2009).Even where consensus seems to be manifest, there can still be important national variations (Hempel and Töpfer 2009).Therefore, research is needed which looks beyond national discourses and occupational boundaries to illuminate the nuances of the online state surveillance debate which may reveal otherwise obscured areas of convergence.
To achieve this, we follow the inductive logic and mixed-method nature of Q-methodological research.Our objective is to induce and explore the structures and key aspects of our research participants' subjective viewpoints on a complex assemblage of issues relating to online surveillance powers, rather than to operationalise conceptual constructs and measure these with survey items (Brown 1980).In addition, we explore whether the patterns constituting stakeholders' viewpoints transcend occupational roles and national borders.Oomens et al (2023) have also used Q-methodology to explore views from stakeholders on security vs privacy in digital intelligence powers but focused only on The Netherlands.The analysis and findings of this paper build on previous research on single country analyses by some of our authors, Leppänen and Houtsonen (2022) on Finland and Flinterud et al (2020) on Norway.Our main research question is: how do stakeholders respond to key issues and arguments about the powers of the security authorities to gather intelligence from online communications that have circulated in public discussion and have general relevance in the UK, Finland and Norway?Two considerations guided our choice of national contexts for this research.First, each country represents a different political outlook: Finland is a member of the EU1 and has embraced many of its central tenets.The United Kingdom, at the time of the research, was in the process of ending its membership of the EU.Norway is not a member of the EU but remains closely aligned to it in relation to trade and membership of the Schengen area.Secondly, at the time of the research each country was at a different stage of legislative and oversight reform regarding state surveillance practices.The UK has had comprehensive legislation in place since 2000, amended in 2016 to better comply with the European Convention of Human Rights.Finland was debating and passing its very first legislation on civilian and military intelligence including, for example, bulk interception of cross-border electronic communications, whereas Norway was in the initial stages of debate about adopting such capabilities.
We contextualise our empirical analysis in the next sections.First, prominent themes in debates about online surveillance in Western democracies are summarised, followed by country specific legal and organisational frameworks in Finland, Norway and the UK.The third section introduces Q-methodology, our research design and procedures for data collection and analysis.In the results section, we present the substance and structure of three views of online surveillance discovered through Q-factor analysis and areas of consensus among the stakeholders.Next, we contrast the three countries and discuss observations about the debates which emerged through comparative analysis.We conclude by highlighting the nuance of the online state surveillance debate within and between countries and occupations and argue for using areas of consensus as a platform on which to build more informed and effective public debates which avoid discourses of polarisation.

Common themes of online surveillance debates
The aim of this study is to explore the different views taken by participants in the debate on online state surveillance.The public debate indicates a tension between the legitimate interest of states in protecting their territories and citizens, and the idea of universal human rights (Omand & Phythian 2013;Oomens et al 2023).This tension is not unique to online surveillance but is fundamental to the question of authorities' legitimate use of force and coercive measures.Democratic and participatory society requires a degree of privacy-this is a prerequisite for the right to freedom of expression, association and assembly, and freedom from discrimination (Bernal 2016;Murray & Fussey 2019).A common worry voiced by human rights advocates is the possibility that online surveillance changes people's online behaviour, increases distrust in the authorities, and impedes democratic processes and discussions as citizens avoid presenting critical ideas and controversial opinions (Murray & Fussey 2019;Richards 2013).As summarised in the reports by the Agency for Fundamental Rights (FRA), the European interpretation suggests that the mere existence of surveillance laws interferes with the right to a private life defined in the European Convention on Human Rights (ECHR) (FRA 2015(FRA , 2017;;ETS No. 005).According to Article 8 (2) of the ECHR, public authorities' interference in private life must be necessary, and surveillance measures proportional and justified by a legitimate aim such as public safety, national security or prevention of disorder or crime.Therefore, surveillance is deemed lawful under certain conditions, and the debate in this area thus focuses on how to define and understand what these conditions entail in practice.
The enhancement of a state's online surveillance powers has typically been justified by reference to terrorism, serious crime, espionage, hybrid threats and cyber-attacks undermining security in general or a specific national security threat.Security authorities are shifting towards proactive rather than reactive measures, while technological developments also expand the threat landscape and force countries to consider wider access to online communication for security authorities (Ministry of Defence 2015).The question remains as to what extent the public can take an informed stand on the trustworthiness of these justifications, particularly when the evidence is classified and cannot be cited (Murray & Fussey 2019).
One way of ensuring legitimacy is to provide a robust system for democratic oversight and transparency.Strong oversight mechanisms, safeguards and remedies are regarded as prerequisites for accountable intelligence, but such measures are also criticised for simply re-producing certain types of state sanctioned truths about equal rights in liberal democracies (Molnar & Warren 2020).Various accountability mechanisms are established in different countries, such as oversight by a parliamentary committee and data protection authorities, the existence of public interest advocacy, and court assessment of warrants (FRA 2017).In addition, governments have a duty to demonstrate that expanded online surveillance capabilities are effective and produce tangible results in an acceptable manner (Murray & Fussey 2019;Omand & Phythian 2013).
The media can also be counted among the oversight and control mechanisms because, as a gatekeeper, they have the power to set the agenda for public discussion and frame policy issues (Hintz & Brown 2017;Hintz & Denick 2016).Different media can, however, assume various roles ranging from a watchdog to a legitimiser of government proposals.For instance, Wahl-Jorgensen et al (2017) argue that journalists' reliance on official sources tends to lead to normalising and legitimising surveillance.
A central condition for accepting surveillance is that it is targeted, though what 'targeted' entails in practice is a matter of debate (Richards 2016).Legislation regarding the surveillance of suspects of crime has been quite detailed in Western democracies, but the crux lies in stipulating surveillance used in situations where the target cannot be specified in advance to proactively detect more ambiguously defined 'national security' threats via general surveillance of communications (FRA 2017).Debate continues as to whether surveillance occurs as soon as the data are collected, or later when a computer analyses the data, or only when a human analyst views the results (Bernal 2016;FRA 2017).
Another issue of disagreement concerns the intrusive nature of collecting content data versus metadata.The definitions of the phenomena are not contested: content data refer to the content of communications whereas metadata comprise, for example, a communication's route, origin, destination, size and timestamps (ETS No. 185).There is also overall agreement that access to content data should be restricted due to privacy.The question is whether metadata should be perceived as any less private than content data, since metadata can also reveal information about individuals, their habits, preferences and social relations (Riekkinen 2019).It is also argued that metadata are in standard form and access to it is less limited, which easily leads to mass retention of data (Hintz and Brown 2017).
The borderless nature of the internet further challenges ideas of lawful data collection.Domestic surveillance typically has more effective legal safeguards than foreign surveillance or international intelligence cooperation (FRA 2015(FRA , 2017;;Lubin 2018).In practice, the interception of communications outside territorial jurisdiction or involving foreigners often has lower standards of privacy protection, and data subjects have fewer possibilities to address complaints or seek remedies.Cooperation with countries that obtain intelligence by violating human rights is problematic, and sometimes foreign partners circumvent domestic restrictions by exchanging intelligence on each other's citizens (Lubin 2018).However, the global intelligence community is dependent on intelligence cooperation, and the debate concerns the conditions, rules and minimum standards that make it acceptable.
Finally, the speed of technological development over the last decades has led to close cooperation between governments and the private sector in the field of technology and security (Lubin 2018).The private sector develops technology that is also used by state security authorities.However, sometimes interests collide, for example if encryption products prevent the interception of potentially dangerous communications.Security authorities also request data and assistance to gather data from private sector operators.In this sense, surveillance crosses the divide between public and private spheres (Richards 2013).The regulation of relations and cooperation between government and service providers has received considerable attention in policy discussion (Bernal 2016).Kreissl and Wright (2015) warn about the emergence of a 'surveillance elite' as governments and the private sector work to establish a mutually beneficial rapport.
The above discussions represent prominent themes of public debate in the context of online state surveillance at the time of the research.They appear in all three countries, but with varying details or emphasis.The discussions form the backdrop of our subsequent Q-methodology interviews, explored further below.Before then, we present a summary of the development of online intelligence practices in the UK, Finland and Norway to provide a national legal context for our results.

National contexts
The United Kingdom (UK) The UK has a long tradition of national security intelligence, and it is a core member of the international intelligence alliance, Five Eyes, and of NATO.Its legal structures are therefore considered separately from those of Finland and Norway, who are more recent entrants to this legislative field.The legal framework for online investigation and surveillance in the UK is a complex patchwork of common law powers, primary legislation, statutory instruments and codes of practice.It reflects the gradually evolved constitutional settlement that also governs policing in the UK, where Scotland and Northern Ireland retain legislative competency for both substantial and procedural criminal law.In addition, the UK was, for over forty years, a member of the EC/EU and as a result incorporated significant amounts of European legislation into domestic law.Schafer 2016).A common pattern across these three laws that exemplify the UK approach to surveillance regulation are that they: a) were introduced in response to perceived gaps in existing legal provisions created by new technologies, supposedly to 'retain the status quo' by updating existing powers.b) typically introduced extensive 'in principle' permissions for surveillance, mitigated by 'safeguards' to prevent their abuse such as authorisation requirements and oversight bodies.c) empowered a broad range of public bodies, including but not limited to, police and intelligence services, to exercise these powers, some of them with extraterritorial reach.
While a pragmatic approach to regulation is typical for common law systems and reflects a comparatively high level of public acceptance, it often sits uneasily with the more abstract and principled approach to rights protection.This has led to several successful legal challenges in both domestic and EU courts, which influenced the online surveillance debate in many countries (Big Brother Watch and Others v. the United Kingdom; Privacy International v. Secretary of State; Woods 2019).

Finland and Norway
Finland and Norway maintain a legalistic approach to state powers, based on relatively detailed statutory regulations in Acts of Parliament.The statutory structure is similar in both countries, and thus considered together here.Powers to conduct covert online investigation and surveillance are held by law enforcement agencies for the purpose of investigating and preventing more serious criminal conduct, by the National Security Services (NSS) for the purpose of averting threats to national security, and by the Military Intelligence Agencies (MIA) for the purpose of safeguarding the state's territory.However, the extent of the powers varies, both between the two states and between the various agencies.
The methods specified by the statutory framework for online surveillance for law enforcement purposes (relating to offences or perpetrators) vary between Finland and Norway, but include, for example, online technical surveillance and various forms of (legal) hacking.Online sting operations are regulated in Finland, but not in Norway.A general prerequisite is that the covert methods are both necessary and proportionate.
In both countries, this legal regime distinguishes between covert methods for investigating criminal conduct on the one hand, and methods for preventing certain forms of aggravated criminal conduct on the other.In Finland, rules on covert collection of information for the purpose of investigating criminal conduct are presented in chapter 10 of the Coercive Measures Act (806/2011), while corresponding rules on the prevention of criminal offences are found in chapter 5 of the Police Act (872/2011).In Norway, both sets of rules are found in the Criminal Procedure Act (the preventive rules are found in chapter 17 b).It follows that there is a marked difference between the Finnish and Norwegian rules.The Finnish regime permits covert methods on preventative grounds (i.e.independently of any preliminary investigation) where there are reasonable grounds to believe that such conduct will occur.The Norwegian regime, in contrast, requires that a preliminary investigation has been initiated regarding some other offences; in this case, covert methods can be used preventatively at a lower evidential threshold than ordinarily required.
In addition to online investigation and surveillance powers for law enforcement purposes, both countries have rules facilitating covert collection of information by the NSS where this is necessary for the purpose of preventing threats to national security, such as terrorism or foreign intelligence activities.These rules were implemented in Norway in 2005, while in Finland they formed part of large intelligence package which entered into force in 2019.The methods employed by the security services largely correspond to those employed for law enforcement purposes.Both Norway and Finland recently implemented rules on bulk interception of cross-border electronic communications. 2In Norway, bulk interception and storage can only be conducted by the MIA, while in Finland interception is conducted by the MIA, but can be requested also by the NSS.
The rules on bulk interception have been relatively controversial in both countries, as is also reflected in our results.After considerable debate, they entered into force in Finland on 1 June 2019, while the Norwegian counterpart entered into force 1 January 2022.A key provision in the Norwegian regime (Sect.7-3 of the Intelligence Service Act) was put on hold awaiting assessment of the compatibility of the Norwegian regime with recent decisions by the EctHR eventually entering into force on 2 September 2022.Table 1 provides a summary of the three national contexts.

Methods and data
We now turn to the Q-method data collection, and the key findings which arose from this analysis.Q-methodological data collection protocol requests research participants rank statements about one topic in relation to each other according to the degree to which they agree with the statements (see Fig. 2 below).They are then asked to explain their ranking.The procedure assists participants to present their subjective viewpoint on a complex issue as a whole construction by taking a stand on all items in parallel instead of examining individual items separately.This distinguishes the method from thematic interviews or survey research where questions are typically answered one at a time (Brown 1980).The procedure enables us to uncover the composition of viewpoints and the relative salience of various items presented to the participant.In other words, we do not only observe the similarities and differences between the composite viewpoints but also specify in detail what issues individuals agree or disagree on, and to what degree.

Concourse and Q-set
Our data collection instrument is a set of statements, a 'Q-set', covering core issues in public discussion about online surveillance in the UK, Finland and Norway.Reaching a balanced and valid Q-set requires a thorough comprehension of opinions, arguments and perceptions related to the research topic, known as a 'concourse' (Brown 1980).Dryzek and Holmes (2002) point out that starting a comparative study from discourses transcending national borders may compromise important national characteristics.To avoid this pitfall, we first mapped the relevant contemporary national policy debates in each country.We collected statements expressed on diverse online surveillance issues from national official data sources, such as materials from the drafting of legislation, official reports, and parliamentary debate transcriptions as well as media sources such as newspapers' online databases and social media.In the collection process, a "statement" referred to a direct quote identified as an utterance expressing a clear opinion or view on online surveillance.During this process, we also identified individuals who were active debaters in this space.The collection of statements continued until a satisfactory saturation point was reached.
Next, we organised the three sets of national statements inductively into core themes, reflected in the discussion presented in the above section of this article.These statements were reduced to a number which covered the themes but did not overlap.Since the UK had more material (reduced from 1,367 statements to 111), we first compared the abridged set of statements obtained from Finland (from 706 to 63) with the one from Norway (from 283 to 42).The new combined set was then compared to the reduced set of statements from the UK.In total, this process took four months and included face-to-face workshops, video calls and many rounds of written comments between the researchers.Figure 1 illustrates this process.
All the main topics were traceable to all countries, but with different details and significance that forced us to present some statements in a more general form than the national concourses initially suggested.Oversight mechanisms are one example, because they work differently in each country due to the distinct legal and political traditions.Furthermore, the Finnish concourse differed from UK and Norway in a stronger presence of business sector views and less focus on criminal intelligence.These minor divergences were considered unproblematic, because Q-method encourages informants to elaborate the statements in post-sort interview, leaving room for national variations on the common theme.As our research is aimed at revealing complexity and enhancing policy debate, it was reasonable to incorporate some statements that might provide an unusual or a novel insight.Statements were evaluated on the following criteria: intelligibility, coverage of the national concourses, potential to elicit new insights, and deleting overlaps.Once satisfied with the commensurability of the concourses, we combined the statements into a reduced Q-set covering the major aspects of discussion in all three countries.The final step in the process included generalising the statements and fine-tuning their phrasings.Linguistic meanings were carefully considered because the statements were originally expressed in three languages.The final statements were translated into Finnish and Norwegian from English.After pilot interviews in each country, 45 statements were selected for the Q-set (Appendix 1).

Interviews and participants
The data for this study comprise Q-sorts and post-sort interviews of 74 stakeholders (UK N = 24, Finland N = 25, Norway N = 25) conducted face-to-face in 2018.The same Q-set and Q-sort as this paper for each of their 25 participants were used in previous publications by Leppänen and Houtsonen (2022) in Finland and Flinterud et al (2020) in Norway.Each data collection session lasted approximately 1½ hours.Participation was voluntary and based on written informed consent obtained before the interview.The session involved a short background questionnaire, a Q-methodological card-sorting exercise (Q-sort) where participants arranged the 45 laminated and numbered statement cards onto a fixed grid of 45 cells in accordance with their preferences (see Fig. 2) and a recorded post-sort interview where they reflected on the sorting.Sorting begins with reading the cards and arranging them into three piles: agree, disagree and neutral.Neutral can refer to neutrality of opinion but also confusion, mixed feelings, or that the issue does not raise strong emotions.The sorting continues one pile at a time, starting from the agree pile and then the disagree pile, ranking the cards from the extreme ends (+ 5 s, + 4 s, + 3…−5 s, −4 s, −3 s…) towards the centre, the neutral pile being last.Once every cell has a card and the participant is satisfied with the sorting, the researcher asks the participant in a recorded interview about their reasons for ranking and offers an opportunity to add potential missing aspects.
We chose our participants from among the knowledgeable stakeholders of the online surveillance policy debate, representing a variety of opinions, expertise and organisations (Watts & Stenner 2012;Lehtonen & Aalto 2017).Despite our best efforts, gender or age could not be determinants in participant selection.Women and Fig. 2 Fixed grid of 45 boxes for ranking statements people under the age of 40 are underrepresented in the public debate in all three countries and therefore there were not many we could approach for interviews (Table 2).The active debaters identified during the collection of statements were categorised into eight categories based on their backgrounds: active citizens, private sector workers, journalists, oversight organisations, politicians, public authorities, researchers and other persons.The last category consisted of relevant people who did not fit into any other category.Each national research team then invited participants ensuring a spread across these categories.To protect the anonymity of research subjects when reporting the results, participants were organised into four overarching categories: interest group, user, politician and outside observer. 3Analysis Q-factor analysis calculates correlations between the participants' Q-sorts.Factors are constructed based on the degree of similarity of views represented by the Q-sorts which resemble each other (Brown 1980;Watts & Stenner 2012).Q-methodology seeks to expose multiple subjective viewpoints, while recognising emerging patterns in the data showing differences and similarities between the views of individuals, and what issues (statements) evoke the strongest opinions.The analysis reveals the most pivotal statements in distinguishing between viewpoints, and which statements participants tend to agree/disagree on.In practice, the statistical component helped us structure the comparative analysis according to these emerging patterns, which could have been more difficult to detect from trilingual interviews.The process described below was also used in Leppänen and Houtsonen (2022) in Finland and Flinterud et al (2020), but in those cases only with the Q-sorts from each of their 25 participants.We used the free software PQMethod for Q-factor analysis of the 74 Q-sorts (Smolck 2014), applying centroid extraction with Varimax rotation.Centroid extraction explores subjective viewpoints rather than testing an external, or researcher's viewpoint.Varimax rotation was used to ensure that the individuals have a high loading on a single factor but low loadings on other factors, thus showing how closely individual viewpoints align with the 'typical' viewpoints indicated by the factors (Watts & Stenner 2012).After several explorations, we continued the analysis with a solution of four extracted centroids but ultimately discarded one because it did not build a consistent thematic viewpoint.We followed Watts and Stenner's (2012) suggestions that Q-factor analysis should have at least two persons loading on a factor, the eigenvalue should exceed 1.00, the factor should capture enough total variance, and a factor's content should be meaningfully interpretable ( Watts and Stenner, 2012).The statistically significant (p < 0.01) factor loading for this study was calculated to be 0.3846, which we rounded up to 0.40 in cases where a participant loaded clearly on only one factor.51 of our 74 research subjects loaded significantly (p < 0.01) on one of the three factors (Appendix 2).Of these, 18 were from the UK, 17 from Finland and 16 from Norway.It is typical for Q-studies that some participants lack a significant loading or load on two or more factors (confounded participants).These are excluded from the analysis if the purpose-as in our research-is to concentrate on distinguishable ideal viewpoints.Data obtained from the post-sort interviews were used to deepen our understanding of each of the three factors described below.While we do not quote from the interviews, they provided needed context for the three descriptions.
The main statistical figures specific to each factor are presented in the Results section with the interpretations of factors written in a narrative style.In Table 3, we illustrate the strongest rankings as a factor array (see Appendix 1 for complete figures).According to Watts and Stenner (2012), a factor array is 'a single Q-sort configured to represent the viewpoint of a particular factor' ( Watts and Stenner 2012, p. 140).It is calculated from weighted and standardised factor scores, so weaker loadings contribute less to a factor array than stronger factor loadings.

Table 3
Factor array based on statements ranked to the extreme ends + 4, + 5, −4 and −5 in at least one factor.Asterisk* displays the statistically significant differences

Three views of online surveillance
Factor 1: for human rights A total of 29 participants (UK N = 9, Finland N = 8, Norway N = 12) fall into this group (Appendix 2), which accounts for 25% of total variance with an eigenvalue of 18.5.Informants in this category represent interest groups, politicians, outside observers and one who wished to remain anonymous.Participants' factor loadings vary from 0.4308 to 0.8955 on the positive side.One respondent has a strong negative loading, indicating they hold a direct opposite opinion on the same spread of values as the other participants.
Although the context and level of progression of surveillance legislation differs in their respective countries, this view is critical about justifications for how well individual and societal rights are upheld and preserved under current or proposed legislation.Primarily focusing on protection of a fair society and preventing discrimination against more vulnerable members, the phrase 'if you have nothing to hide you have nothing to fear' is universally rejected as an unhelpful oversimplification.Unlike other groups, people here judge that surveillance can have a chilling effect, leading members of the public to self-censor their online behaviour and are concerned about how future governments may use the capabilities currently granted.Therefore, restriction (or for the UK, contraction) of power is significant to this view.Protecting key professions such as lawyers or the media is linked to this view's core stance of protecting important aspects of a democratic society and its most vulnerable members.
Central to this view is that the Internet is an important aspect of our society that must remain secure.The potential vulnerabilities triggered by attempts to weaken encryption were of particular concern, alongside reservations about surveillance other than for suspects.For example, the tapping of broadband cables represented to them a comparatively ineffective preventative tool, which unduly impinged on the rights of the public.Furthermore, according to this view, increased surveillance does not necessarily make society safer.

Factor 2: for accountable surveillance
Nine respondents from Finland, two from Norway and two from the UK load significantly on Factor 2 (Appendix 2).Of these individuals, six are outside observers, four are representatives of interest groups and three are users.The eigenvalue of Factor 2 is 10.4, which explains 14% of the total variance.Individual loadings of the Finnish and UK participants on this factor vary between 0.5275 and 0.7651 whereas the loadings of the Norwegian participants remain under 0.5 (Appendix 2), indicating a weaker association with the factor.
Factor 2 captures a viewpoint that effective online surveillance capabilities are necessary, but the system must be subjected to robust democratic and legal controls, as well as firm regulation.The view expresses confidence that these conditions are met in their home countries, concluding that in this context, online surveillance will not cause harm, but rather advance security.One sign of trust towards the system may be that a surveillance method is regarded as targeted, even if it captures communications other than those directly linked to the suspect.It also promotes public debate as a genuine contribution to law drafting because it emphasises additional opinions to those of the security authorities.
In this view, well-regulated national cybersecurity that protects businesses is seen as producing global credibility for the country and is therefore worth pursuing even if it limits authorities' access to private communications.For example, it strongly objects to requests for companies to hand over decryption keys to the authorities.In addition, this viewpoint perceives a difference in the level of intrusion between content and metadata, though highlighting that from the perspective of intelligence gathering, metadata may be more revealing than the content data.

Factor 3: for functional surveillance
Factor 3 consists of nine participants, seven from the UK and two from Norway (Appendix 2).There are no Finns loading on this factor.Of the participants, six are users, two are outside observers and one is a politician.Notably, despite representing different categories by their current position, all but one has a background associated with policing.Factor 3 has an eigenvalue of 7.4 and explains 10% of the total variance.Individual loadings vary between 0.4136 and 0.7418.There is a correlation with Factor 2 of 0.5134, which indicates some overlap between Factors 2 and 3.However, factors are distinct enough to be interpreted separately since both receive a meaningful, individual interpretation.
This viewpoint represents a practice perspective, emphasising issues concerning ground rules for good practice and getting the job done.It highlights the importance of sufficiently updated tools and capabilities, but also the importance of a shared set of principal values that guide decision-making.The view expresses a belief that surveillance should be non-discriminatory, and respondents from both countries believe that it is currently so.It also stresses the difficulty of keeping up with technological developments and the importance of international cooperation, both issues that in different ways highlight overarching challenges that have implications for officers in their day-to-day work.While expressing a strong belief in the moral conduct of individual officers and belief in the importance of a system regulating practice, the viewpoint also emphasises that legislative processes put limitations on officers, delaying access to new technologies and capabilities.
Further highlighting the perspective of practitioners, this viewpoint is characterised by strong opinions on matters of detail, such as how long data should be retained and how it should be stored, the necessity of assistance from the Internet service providers, and the practical difference between metadata and content.Table 4 presents a summary of the three factors.

Areas of consensus
Despite the distinctive viewpoints represented by the three factors, stakeholders agree on four central statements across the factors (Table 3 and Appendix 1: see the statements without asterisk).Notably, most of the consensus statements are in the direction of the highest agreement.First, participants acknowledge cyberspace as a place where basic rights should apply equally compared to other spaces of life.Second, they are ready to set restrictions on surveillance by limiting the use of the most invasive methods to the most serious security issues, and by subjecting surveillance systems to democratic control.Furthermore, the stakeholders favour legal whistle-blowing channels.A question about whether to cooperate in intelligence sharing with states that do not respect human rights conventions was approached with general uncertainty-the complexity of the issue was clearly recognised, even though it did not fully meet the statistical criteria of a consensus statement.

Contrasting the countries
In this section, we interpret the factors by country.Distinguishing national features from shared ones, we reflect the findings on our previous work using the same data separated by country.

The United Kingdom
UK participants load onto all three factors, but most are split between Factor 1 'For human rights' and 3 'For functional surveillance'.Unlike Finland and Norway, patterns of alignment for UK participants match closely those factors that emerge when exploring UK-specific data.At the time of the study, the UK had recently passed the 2016 Investigatory Powers Act.Most public debate centred on controversial aspects such as perceived increases in powers allocated to agencies or the ethicality of bulk surveillance.It is thus fitting that most UK respondents who were not directly involved with using or developing this legislation combine under Factor 1, taking the role of critical challenger of these new powers.Importantly, although this factor centres on resistance to expanding further online state surveillance powers, for UK respondents this focus shifts to a desire for a contraction of, or additional restrictions on, what is already in place.Reference to the chilling effect (leading to self-censoring of online behaviour) predominantly emerges from UK participants, where the concept is more evident in public debates, although in post-sort interviews participants acknowledge that the evidence base for this requires further development.
The two UK participants who load to Factor 2 'For accountable surveillance', which corresponds with a high confidence in current legislation, were both involved to a degree in the drafting of it.This 'insider' perspective also explains belief in the necessity of online state surveillance practices to confront contemporary security threats.Although Norwegian and Finnish participants in this factor consider it beneficial to have an independent advocate to protect the rights of those whose cross-border network traffic has been placed under surveillance, this is a novel concept in the UK.This can explain why it does not feature highly, nor is discussed post-sort in the UK data.

Finland
Finnish participants load only on Factor 1 and Factor 2, illustrating the attitudes towards the proposed legislation: for and against.Despite these stances, postsort interviews and the fact that the intelligence laws were passed in Parliament unanimously without a vote, suggest that the groups are closer to each other in Finland than in the UK and Norway.Interestingly, Factor 3 represents a view that did not surface in the Finnish public debate.Since the Finns' presence in the two other factors is prominent, this result suggests national variance in the composition of the debate.
Factor 1 emphasises respondents' concern for a free and democratic society.However, most of the Finnish respondents do not reach as high factor loadings on this as the British and Norwegians (Appendix 2).The same respondents gather around this factor in the Finland-specific analysis, but there are nuances that indicate small differences among the Finns and other respondents ( Leppänen and Houtsonen 2022).First, the Finns seem to be slightly more content with the general level of online surveillance legislation.Second, they suggest practical improvements to the Finnish law proposal by singling out the statements, which have been significant in national discussions, such as limiting international intelligence sharing, extending the authorities' obligation to report online surveillance to the targets, protecting communications of certain professional groups, and involving an independent advocate in the warrant procedure.Third, the Finns associating with this factor tend to focus more on traditional human rights than cybersecurity, despite cybersecurity being a substantial topic in the Finnish debate, indicating the theme's emergence in a different context.
Factor 2 highlights accountable and controlled online surveillance, and most of its associated participants come from Finland.This factor therefore illustrates well the Finnish view and concentrates on the features that make online surveillance acceptable to these stakeholders.The general atmosphere among them is satisfaction about the proposed legislation and, as in the UK, many of them were involved in the drafting process.

Norway
Norwegian participants are found in all three factors.The strongest presence is in Factor 1 which contains 12 of the 25 Norwegian participants.The two remaining factors contain two respondents each, with as many as five respondents being confounded between these two.Five seems a high number compared with two British and one Finn, suggesting that viewpoints characterising accountability and functionality are more blurred in the Norwegian debate.This observation also gains support from the Norway-specific study where the Q-factor analysis resulted in two rather than three factors (Flinterud et al 2020).Factor 1 corresponds to the first Norwegian factor, while respondents whose main agreement in the national context was approval of expanded capabilities, are divided into two distinct viewpoints when analysed in conjunction with the Finnish and British debates.It could be argued that this comparative study uncovers aspects within the Norwegian debate that did not appear in the national study alone.
One such aspect might be the link between online surveillance and cybersecurity, which is visible in Factor 2, strongly influenced by the Finns.When comparing concourses, the private sector's influence appeared weaker in Norway than in Finland, where commercial companies argued that authorities' capabilities are necessary, provided they are under democratic control and do not weaken the general level of cybersecurity.When paired with the Finnish debate, this viewpoint emerges, although less pronounced.
The practice-oriented perspective in Factor 3 closely matches the second Norwegian factor.Strong contributions by the British and Norwegians could mean that the reality on the ground looks similar in these countries.Furthermore, most Norwegians in the comparative Factor 1 have strong factor loadings, as do the UK respondents.A viewpoint highlighting human rights and fundamental freedoms is easily detected from the debate.The negative view on monitoring cross-border communications of non-suspects corresponds to arguments used in the debate over the suggested new capabilities for the MIA.It is interesting to note that, although specific to the Norwegian context, the arguments match the UK debate more closely than the Finnish one.

Conclusion
Our study offered an inclusive set of stakeholders in three countries a unique opportunity to consider and take a stand on an extensive set of core issues related to security authorities' online surveillance powers.By 'inclusive', we are referring to a broad range of ideological positions, from a broad scope of practitioners, policy makers, third sector organisations and other interested parties such as journalists and academics.The purpose of this empirical analysis was to understand the varied subjective viewpoints of stakeholders to examine whether British, Finnish and Norwegian participants' views form patterns crossing national borders, despite the countries having characteristic features and histories when it comes to state surveillance and position in world politics.
Our analysis produced three distinctive stakeholder viewpoints on online surveillance: Factor 1 'For human rights', Factor 2 'For accountable surveillance' and Factor 3 'For functional surveillance'.Additionally, we found that even if the factors were distinct, there were a few areas of consensus uniting the viewpoints.
Participants in Factor 1 share primarily a critical attitude towards surveillance capabilities and highlight protecting human rights such as the right to privacy.Participants in Factors 2 and 3 perceive online surveillance as necessary and have faith in the system in their respective countries, even though the systems are different.Factor 2 diverges from Factor 3 based on its strong emphasis on the goal of secure cyberspace, adequate safeguards and control measures for protecting the rights of people.Factor 3 concentrates largely on the practice of conducting surveillance and reveals a set of values guiding practice.At the time of data collection, the British and Norwegian stakeholders were closer in opinion than to the Finns, and there are important idiosyncrasies inside the national debate, as the Norwegian example demonstrates.The observation that Finland lacked one viewpoint, while the UK's pattern remained similar, highlights the importance of both national and comparative analysis.This is reinforced by previous publications from the authors of this paper in Finland ( Leppänen and Houtsonen 2022) and in Norway (Flinterud et al 2020), who conducted an analysis of their countries in isolation using their respective Q-sorts from this research.In the analysis for Finland (Leppänen and Houtsonen 2022), three factors emerge, but they are not the same three factors as were described here.Similarly in Norway, Flinterud et al (2020) reveal only two factors, whereas in this paper the Norwegian participants load on all three.
This study demonstrates the significance of studying global trends in relation to current national debates: even though the general issues and themes of debate are global and circulate easily across state borders, their specific meaning and details emerge in the local context.We have demonstrated the further nuance of this debate in that views may also transgress occupational or organisational boundaries.As Stevens and Allen-Robertson (2021) have argued, understanding the nuance and relationships of actors in this multi-actor process is vital.We differ from Stevens and Allen-Roberson (2021), however, by showing divergence within organisational boundaries.Employing Q-methodology reveals how individuals from similar institutions or groups may have differing views on a topic.This is also reflected in the work of Oomens et al (2023) in their study of the security vs privacy debate for digital intelligence powers in The Netherlands.However, in their case, there was a prominent focus in the Q-statements on trust in specific security services which we did not emphasise in ours.We reduced some of the national specificity in our Q-statements to undertake a robust international comparative analysis.
Our findings have also revealed important areas of consensus, as discussed above, which were obscured when considering national debates alone (see Leppänen and Houtsonen 2022;and Flinterud et al 2020), and which contrast with the usual polarised public discourses.In the areas of consensus, stakeholders agreed on the importance of competent control of surveillance, legal whistle-blowing channels, the existence of fundamental rights in cyberspace and reserving pervasive surveillance only for serious cases.Following Hendriks (2006), we argue for using these areas of consensus as a platform on which to build a more informed and effective policy debate in relation to state online surveillance.'Mixed discursive spheres', according to Hendriks (2006), allow for open debates that bring a diversity of actors together and avoid the tendency towards polarisation.These are described as facilitated

Fig. 1
Fig. 1 Process of developing the Q-method concourse

(
a vital tool in a free and democratic society.The products and services in support of this should not be compromised by handing over decryption invasive of privacy, such as equipment interference, should only be reserved for the most serious criminal offences or serious threats of national receive valuable information on national security threats, we must strengthen our international nothing to hide, you need not be concerned about surveillance by the authorities surveillance methods must not be discriminatory, i.e. they must not be based on race, religious beliefs, opinions, membership of a social group or other personal factors without just , the communications of sensitive professions, such as lawyers, journalists or doctors, should be subject to surveillance if they are communicating with a person who poses a risk to national security that people be accorded the same basic rights on networks as they have outside surveillance as a consequence of terrorist attacks, we weaken the very ideals attacked by being under online surveillance leads to self-censorship and fear, ultimately suffocating demoborder digital surveillance is [/would be] based on filtering data against specific parameters before it is sent for analysis, therefore it is targeted, not mass surveillance difference in level of privacy intrusion between examining content of communications data and collat be informed afterwards if their online communications have been accessed, stored or used in investhe service provider for law enforcement purposes should be kept for 12 months to allow investigative opportunities to be fully utilised democratic control, those who are responsible for the oversight and regulation of Secret Intelligence Agencies must have sufficient awareness of, and the technical competence to understand, all their capabilities proposed legislation on intelligence and digital surveillance measures is so ambiguous and fragmented that it is difficult to understand, and open to broad make an independent and full scope assessment for each warrant application, and should not rule simply on the basis of the applicants' in online surveillance can introduce further risk by unreasonably inhibiting or delaying important lines of investigative enquiry privilege, the communications of sensitive professions, such as lawyers, journalists or doctors, should be subject to surveillance if they are communicating with a person who poses a risk to national security vital that people be accorded the same basic rights on networks as they have outside online surveillance as a consequence of terrorist attacks, we weaken the very ideals attacked by the terrorists 2* −3 −4 18 The possibility of being under online surveillance leads to self-censorship and fear, ultimately suffocating democratic discussion and freedom of thought 3* −4* −1* 19 We must restrict what powers of surveillance we allow authorities to have now because we can't control how they might be used by future governments 3* −2 −3 20 Agencies over rely on, and are over confident in the ability of digital communications -border digital surveillance is [/would be] based on filtering data against specific parameters before it is sent for analysis, therefore it is targeted, will always find ways around being detected by online surveillance, for example by moving to Internet Service Providers in other, less intrusive nations −public are ok with their privacy being impinged for the sake of security, it is because they do not fully understand why privacy is so important in digital age 0* −3* −2* 30 There is no difference in level of privacy intrusion between examining content of communications data and collating metadata −1* −5 −4 31 In matters of National Security, legislation regarding online surveillance should be decided by our government, not external powers such as the EU −2* 1* −1* 32 A citizen should be informed afterwards if their online communications have been accessed, stored or used in investigation 2* 0* −4* 33 Big data analysis of online communications will lead to poor decision-making about individuals through misjudged inferences 0* −2 −2 34 Data retained by the service provider for law enforcement purposes should be kept for 12 months to allow investigative opportunities to be fully utilised −3* −1* 4* 35 It ceases to be targeted surveillance if it also captures data from those not communicating directly with the person under suspicion 0 −3* 0 36 The public should be informed about the extent and outcome of online surveillance, on a sufficiently frequent and detailed basis, in order to uphold public trust in law enforcement and avoid suspicion that operations are wider reaching than full democratic control, those who are responsible for the oversight and regulation of Secret Intelligence Agencies must have sufficient awareness of, and the technical competence to understand, all their capabilities control mechanisms are a more effective way of ensuring our rights are protected than trying to restrict or remove the capabilities available to and proposed legislation on intelligence and digital surveillance measures is so ambiguous and fragmented that it is difficult to understand, and open to broad interpretation 1 −4* 1 41The courts should make an independent and full scope assessment for each warrant application, and should not rule simply on the basis of the applicants-making process on warrants for monitoring cross-border network traffic should involve not only the judge and the intelligence agency but also an independent public interest advocate or such, in order to safeguard the rights and interests of those placed under the use of spyware should include analysis of any possible damage the software may cause to a data system or process that it controls, as well as a plausible description of how the software can be removed without posing Common law police powers run in parallel with statute-based statutory frameworks.Common law privacy rights, as recognised recently in B C and Others v Chief Constable Police Service of Scotland and Others, sit alongside statutory rights in the Human Rights Act and the UK-GDPR, often in uneasy coexistence or latent conflict (B C and others v Chief Constable Police Service of Scotland and others 2019; Leiser & Custers 2019).In post-Brexit UK, this landscape faces further fragmentation.The main legal instrument emerging from 2000 onwards that both enabled and constrained surveillance by public bodies is the Regulation of Investigatory Powers Act 2000 (RIPA), and since 2016 the Investigatory Powers Act (IPA) with its extensive Codes of Practice.In between we find the short-lived Data Retention and Investigatory Powers Act 2014, ruled in parts unlawful by the High court in 2015 and on appeal finally declared incompatible with Article 8 of the European Convention of Human Rights by the Court of Justice of the European Union and replaced by the IPA (David Davis and others -v-Secretary of State for the Home Department 2015; ECJ Joined Cases C-203/15 and C-698/15; For details on the IPA see

Table 1
Context of the three countries at the time of research

Table 2
3 Interest group covers companies and NGOs, who have a publicly stated agenda on the topic.Users are officials working at ministries or agencies whose operations are authorised by the legal authority, i.e. potential users of the online surveillance capabilities.Politician refers to politicians and politically appointed officials, e.g.political advisors.Outside observer includes, e.g.oversight organisations, researchers and journalists, actors typically regarded as watchdogs or knowledge brokers.
44 An anonymous, independent, legal channel for reporting misuse of secret powers must be guaranteed available at all levels to support staff without risk to themselves or national security