Click here to see Mr Polakiewicz's Presentation

 Check against delivery

Reconciling security and fundamental rights

How to square the circle: Ensuring effective law enforcement access to electronic evidence while protecting privacy

Conference on Criminal Justice in Cyberspace

Bucharest, 26 February 2019

Jörg Polakiewicz[1]

Introduction. 2

Setting the scene 1: transborder access by law enforcement authorities to electronic evidence 2

Setting the scene 2: transborder access and data protection. 5

Is all this too European for our globalised world?. 8

The way forward: what conditions for obtaining subscriber information from service providers in another jurisdiction?. 13

Conclusions 17

Introduction

Ladies and gentlemen, dear colleagues and friends,

It’s a great pleasure to be in Bucharest. I would like to thank the organisers for the opportunity to present some reflections on how to reconcile security and fundamental rights. This is a vast subject. As a premise, I would stress that in the Council of Europe we are convinced that effectively fighting against crime requires respect for fundamental rights. Or, as Aharon Barak, President of Israel’s Supreme Court, has put it so poignantly, “[s]ometimes, a democracy must fight with one hand tied behind its back. Nonetheless, it has the upper hand. Preserving the rule of law and recognition of individual liberties constitute an important component of its understanding of security. At the end of the day, they strengthen its spirit and strength and allow it to overcome its difficulties.”

But instead of general considerations, I would like to address our theme from a very practical point of view, focusing on issues which are of relevance for the current negotiations on a new additional protocol to the Budapest Convention. As you all know, one of the main aims of this process is to establish a more effective legal framework for access to electronic evidence by law enforcement authorities (LEAs).

Setting the scene 1: Transborder access by law enforcement authorities to electronic evidence

Requests for transborder access to e-evidence occur in over half of total investigations. However, in the EU alone, two thirds of crimes involving transborder access to e-evidence cannot be properly investigated or prosecuted.^[1] Challenges to obtain such evidence are even greater worldwide. While crime syndicates operate successfully across borders, LEAs still rely on means and procedures that have been developed in the last century, mainly through mutual legal assistance treaties and, since its entry into force on 1 July 2004, the Budapest Cybercrime Convention.

On the other hand, it is an open secret that LEAs of many states are already engaged in transborder access to data beyond the scope of MLAT and the Budapest Convention, often on an uncertain legal basis, with obvious risks to the procedural and privacy rights of individuals.

Here are two examples of the scenarios we face:

LEAs in country A investigate a case involving the illegal selling of arms. The investigation shows that certain transactions are carried out using an email address of a provider located in country B. LEAs from country A thus seek cooperation from country B and/or the relevant service provider to find the identity of the person behind the email address.

LEAs from country A are investigating a child pornography case. During their investigations on several websites, they come across one particular IP address. However, the server is located in country B.

In those circumstances, are LEAs from country A entitled to ask those from country B to disclose information about the user of the email account or the holder of the IP address? Can LEAs address their requests directly to service providers such as Gmail or Yahoo? Under which conditions? Is a mere suspicion enough to require subscriber information from foreign authorities? Or must there be a criminal investigation be opened, which often requires a decision by a judge? What are the obligations that the authorities of country A and country B must meet in terms of data protection and the rights of the suspect? Should dynamic IP addresses be treated in the same way as static IP addresses? How should one define the competent jurisdiction (and applicable law) when the relevant data is moving or even fragmented over different jurisdictions?

Terminology around transborder access to electronic evidence is crucial. In the following, I shall focus on subscriber information, which is the most commonly requested information. As opposed to traffic data (which relates to communications) and content data (such as emails or pictures), subscriber information is limited to identifying “the user of a specific Internet Protocol (IP) address or, vice versa, the IP addresses used by a specific person. Subscriber information also comprises data from registrars on registrants of domains”.^[2]

The variety of interpretations around what exactly constitutes subscriber information makes the analysis complex for all stakeholders and it will be of paramount importance to come up with a clear and unambiguous definition for the protocol.

For the time being, every state has its own interpretation of how broad access by LEAs to e-evidence should be and what safeguards apply, which makes the situation especially illegible.

Take for example the current practice based on voluntary disclosure adopted in the US. Already in 2015, European countries sent more than 170,000 requests – mostly for subscriber information – directly to major US service providers.^[3] US law[4] allows US-based service to disclose non-content data to foreign authorities on a voluntary basis.

Under US law, as a rule, service providers “cannot voluntarily disclose customers’ non-content records to any governmental entity.”^[5] However, foreign LEAs do not qualify as “governmental entities” which means that – strictly speaking - the prohibition of disclosure for non-content data does not apply to them. That is why some LEAs do not hesitate to request data directly from service providers such as Google or Facebook, particularly in urgent situations. As companies, these service providers are pursuing policies enabling them to provide non-content data as long as they are requested in the scope of an ongoing legal process, consistent with international norms.

Given that one of the major problems of the current system relates to the delay for completing requests, such a practice can be considered an improvement. About 60% of the foreign requests are answered positively by US service providers, which has significantly facilitated criminal investigations worldwide.^[6]

However, ‘voluntary disclosures’ do not involve as many checks and balances (and therefore as strong safeguards) as other instruments such as MLA agreements. Moreover, service providers enjoy more or less unfettered discretion as to whether they will or will not hand over non-content data to foreign authorities. Providers have created their own policies or decide on a case-by-case basis on whether and how to cooperate.

The volatility of this practice and the fact that European service providers usually do not disclose non-content data on the same basis demonstrate the importance of establishing a new framework with effective and rapid procedures which at the same time respect commonly agreed fundamental rights safeguards.

Setting the scene 2: Transborder access and data protection

Any communication of e-evidence involving personal data by service providers to LEAs constitutes an interference with data protection rights. The right to privacy and data protection is guaranteed by most national constitutions and internationally by the International Covenant on Civil and Political Rights (ICCPR) and European Convention on Human Rights (ECHR). More detailed principles and rules have been developed in Data Protection Convention 108.[7]

Private life in the sense of article 8 ECHR protects the privacy of communications online and offline. It covers the security and privacy of mail, telephone, email and other forms of communication. The ECtHR recognised that the mere storing of personal information interferes with the rights under article 8 ECHR.

The ECtHR and the ECJ (applying the EU Charter of Fundamental Rights) have established important principles with respect to data protection:

• Domestic law must afford appropriate safeguards to prevent any misuse or abuse of personal data, including vis-à-vis interferences by non-state actors. It must also ensure that the storing and processing of data are relevant and not excessive.

• There must be adequate and effective guarantees against abuse and arbitrariness. These include accessible, clear and specific rules about the circumstances in which authorities are empowered to access and process personal data. The rules must be prescribed by law rather than left to subsidiary regulations which often are subject to change and sometimes not even accessible.

• Any discretion of authorities collecting and processing data must be constrained by clear and specific conditions regarding procedures to follow and time limitations for the storage of personal information. The ECHR requires accountability, effective supervision and review by independent and competent authorities.

• Finally, there must be accessible and effective remedies not only to challenge the storage and use of personal data, but also to secure the destruction of the files or the erasure or rectification of unlawfully stored information kept in them.

  The imperatives of national security and the prevention and sanction of crime are recognised as legitimate grounds for state interference. Under the ECHR, states have a duty to protect the lives of their citizens.

  This was precisely the subject at issue in the case of K.U. v. Finland,[8] where a 12 year-old boy was the target of an advertisement of a sexual nature on the internet. During the investigation, the service provider refused to disclose any information on the identity of the author, pursuant to the regulation on confidentiality of telecommunications. The ECtHR held that the child’s right to respect for his private life had been violated, emphasising that a balance must be struck between data protection rules and other fundamental rights. Freedom of expression and privacy of communication “cannot be absolute, and must yield … to the prevention of disorder or crime or the protection of the rights and freedoms of others.”

  Similar standards are applied by the ECJ and national courts in many jurisdictions. It is also important to underline that the application of human rights standards under the ECHR and the ICCPR is not restricted to the national territory or citizens alone. The ECtHR has accepted that acts or omissions by contracting parties performed or producing effects outside their territories with regard to any individual can come within its jurisdiction albeit under exceptional circumstances. Under the ECHR, the concepts of jurisdiction and state responsibility are not interchangeable. They are separate concepts, though the former is necessarily the pathway to establish the latter. The relevant ECHR case law, which has been developed mainly in the field of military operations abroad, uses the notion of effective control over territory and individuals.

  How can one apply such a notion in cyberspace where many states have the technical capability to conduct surveillance measures outside their jurisdiction?

  The traditional effective control test seems inadequate for today’s cyber and communications realm.^[9] As regards personal data, physical control over persons or territory is unnecessary.^[10] Electronic communications can be remotely controlled from abroad. Intelligence and law enforcement agencies can eavesdrop on those communications and may be able to filter the communications received or alter the content thereof.^[11] Instead of the traditional physical control test, a ‘virtual control’ test provides a possible solution addressing the challenges of rapidly evolving technology.^[12] We shall have to consider to what extent the use of legislative and enforcement powers to interfere with electronic systems^[13] brings data and data subjects within the jurisdiction of state authorities using such powers.

Is all this too European for our globalised world?

I do not think so. The standards of article 8 ECHR are quite similar to those of article 17 ICPPR, especially as regards electronic surveillance and interception of data for law enforcement purposes. The UN Human Rights Committee and the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism have taken very similar approaches.

I would submit that courts and tribunals use converging standards of reasoning regarding law enforcement and protection of privacy, at least within the community of states parties to the Budapest Convention. Constitutional and supreme courts all over the world are developing strict conditions for the collection and processing of personal data. The 1988 Brazilian constitution was the first to introduce the right to an effective remedy (habeas data), Uruguay the first non-European country to accede to Convention 108. In 2012, the largest Korean-based portal NAVER was successfully sued for making voluntary disclosures about subscriber information without any restraint.^[14] Korean courts held that, as a matter of data protection law, subscribers have a right to know whether and if so to which LEA subscriber identification has been made available.^[15]

In Carpenter v. United States, the US Supreme Court ruled that protection of privacy involves the requirement of a warrant to collect and operate on cell sites data (GPS data destined to trace someone’s phone). Some US courts went even further in protecting people’s private lives. For instance, a Californian judge has recently ruled that US law enforcement authorities cannot force anyone to unlock a mobile phone with their biometric features, even with a warrant. This would amount to oblige suspects to incriminate themselves. Biometrics locks are not to be considered as traditional passwords, which can be given willingly and verbally.^[16]

* * *

Coming back to our scenarios, the information most commonly required by LEAs is subscriber information, exclusively aimed at identifying account users. It is necessary to demystify the idea according to which communicating such data necessarily violates international data protection standards. The conditions laid down in the case law of national courts, the ECJ and the ECtHR all converge in weighing the competing public and private interests at stake, using quite similar ‘balancing tests’ which take into account the breadth and intensity of the interference and the public interests put forward to justify them. Domestic courts in Korea have adopted a similar approach precisely in cases involving voluntary disclosure of subscriber information to LEAs.^[17]

In the recent judgment Ministerio fiscal,[18] the ECJ used “seriousness criteria” in order to justify the interference of law enforcement with the right to data protection. Following the robbery of a mobile phone, the Spanish police had requested access to data identifying the users of the phone. The judge denied that access, as the offence was not considered as “serious” enough. Yet, the ECJ held that the seriousness of the crime is not of utmost importance. What matters is the seriousness of the interference with the right to data protection, which in this particular case could not be deemed “serious” as the “interference” was specifically targeted and did not imply any potential profiling of the users.

As long as only subscriber information is concerned, interferences with the right to privacy are typically limited. This was exactly the view taken by the ECtHR in the above-mentioned case of K.U. v. Finland.

Is there a special case to be made for access to dynamic IP addresses, as some have suggested following the judgment of the German Federal Constitutional Court (GFCC) of 24 January 2012, where the GFCC partly upheld complaints concerning the retrieval of information on dynamic IP addresses stored by telecommunications service providers,[19] and the similar ECHR case of Benedik v. Slovenia?[20]

The GFCC based the application of article 10 (1) of the Basic Law “on the fact that when the telecommunications enterprises identify a dynamic IP address, they have to take an intermediate step, in which they examine the relevant connection data of their customers, that is, [they] must access specific telecommunications events. These telecommunications connections individually stored by the service providers are subject to the secrecy of telecommunications, irrespective of whether they have to be kept available by the service providers under a statutory duty ... or whether they are stored by them on a contractual basis.”

In Benedik, the ECtHR was faced with the same issue of characterisation of ‘IP addresses’ in a child abuse material case. The Slovenian police had obtained subscriber information from the service provider without any court order. Although considering that IP addresses were included in traffic data, the Slovenian Constitutional Court concluded that the applicant, who had not hidden in any way his IP address, had consciously exposed himself to the public and could therefore not legitimately have expected privacy. The ECtHR by contrast, weighing the interference against public safety and security, held that searching for the user’s identity had necessarily revealed a great deal of information about him which amounted to profiling. It concluded that access to this kind of information without a court order constituted a violation of the ECHR.

I would however be cautious about deducing too general conclusions from these two judgments which concerned particular cases in a specific national context. Benedik was not referred to the Grand Chamber. While it is true that the identification of the individual behind a certain dynamic IP address involves the processing of potentially large amounts of this individual’s personal data, it must be taken into account that this processing is carried out by the service provider only and the data generated during the processing will not be communicated to anybody. Acting within a contractual relationship, the service provider will have to respect the applicable national or EU data protection standards regarding the processing and storage of this data. What will eventually be communicated to the requesting LEA is merely subscriber information which does not reveal anything about the individual’s personal circumstances, his or her preferences or internet usages. We are thus outside the realm of profiling. Hence, overriding public interests such as the safety and security of citizens ought to prevail.

It should normally be sufficient that there is an ongoing criminal investigation having led at least to an initial suspicion (“Anfangsverdacht”) or “probable cause”. It would be excessive to require the formal opening of criminal proceedings which in many jurisdictions requires a decision by a magistrate. As soon as LEAs are engaged in criminal investigations, overriding interests of public safety and security can be relied upon to justify the production of subscriber information by internet service providers as long as the LEAs respect fundamental data protection principles such as purpose and storage limitation. Subscribers have a right to know whether and if so to which LEA subscriber information has been made available.

In that context, the effective functioning of the criminal justice system must take precedence over privacy concerns, as the GFCC recently underlined. The Order of 20 December 2018 concerned again the obligation of email service providers to share with LEAs the IP addresses of subscribers accessing their accounts in the context of telecommunications surveillance.[21] According to the GFCC, the endeavour to devise a business model that ensures the highest data protection standards cannot exempt service providers from compliance with statutory obligations that give effect to the constitutional requirement of ensuring a functioning criminal justice system. As the Slovenian Constitutional Court had already emphasised in the Benedik case “[i]f there is a suspicion of a criminal offense the police must have the ability to identify the individuals who have participated in a certain communication related to an alleged criminal offense, because the perpetrators are harder to trace due to this principle of anonymity on the internet.”

The way forward: what conditions for obtaining subscriber information from service providers in another jurisdiction?

Paraphrasing former UN Secretary-General Ban Ki-Moon, I submit that the internet is a prime example of how criminals can behave in a truly transnational way; in response, states need to think and function in an equally transnational manner. This was precisely the objective pursued with the drafting of the Budapest Convention.

Based on almost twenty years of experience, we are now about to draft a (second) additional protocol with a view to facilitating access by LEAs to subscriber information held by any service provider within the jurisdiction of one of the parties to the convention. The proposals currently on the table aim at facilitating transborder access by LEAs to personal data within the jurisdiction of another party. Robust data protection safeguards will be key to ensure that legitimate requests by LEAs are not refused on fundamental rights grounds. The new procedures to be established by the protocol will have to ensure respect for internationally recognised key data protection principles such as necessity, proportionality, or purpose limitation.

WHY?

Agreeing on international standards instead of purely European ones will be of paramount importance considering the international character of the Budapest Convention.

In case of non-agreement, every state party would carry on with their own interpretation of what data protection standards should apply. In the absence of agreed standards, certain states are already opting for data localisation requirements or extraterritorial application of their laws, always with a view to controlling access to personal information.

For example, according to Russian legislation, all companies doing business involving the processing of personal data of Russian citizens have to locate their databases in Russia. This means that before data can be transferred abroad, it must automatically be stored within the frontiers. When data is held by Russian service providers, national LEAs can access the personal information concerned without a court order.

This is only one example, but it reveals how differing national approaches can become obstacles for effective transnational cooperation. Only if we all apply the same principles will we be able to avoid the possibility that data protection and privacy standards may be used as obstacles to prevent effective law enforcement across borders and jurisdictions.

Another challenge is the temptation to apply national or EU standards extraterritorially. Effective access to e-evidence depends to some extent on the requirements LEAs and service providers must meet to transfer such data abroad. The extraterritorial application of national or EU standards risks leading to a race to the bottom for privacy. States with a low level of personal data protection will be able to accept more requests than those implementing stronger safeguards, which is clearly counterproductive considering the aims of the Budapest Convention.

Finally, there are risks resulting from “double standards” in the access to e-evidence for LEAs on the one hand and intelligence services on the other. Paradoxically, bulk data is in many countries more easily disclosed for purposes of national security and in some countries intelligence services seem to have access even to content data, while it remains very difficult for LEAs to have access to much smaller-scale data, sometimes affecting only one individual during criminal investigations.

If we do not want to encourage large-scale abuse of access via intelligence services, without any adequate safeguards, we may have to accept that not all our currently existing safeguards can be retained without any alteration. We should be aware that internationally agreed standards - a precondition for effective mutual legal assistance - will not necessarily require a harmonisation of laws and procedures, but at least a certain degree of approximation with a view to ensuring interoperability.

HOW? Long-term objective of a community of states bound simultaneously by the Budapest Convention and Data Protection Convention 108

Currently parties to the Budapest Convention are abound by a variety of data protection standards, some by the ECHR and Convention 108, others moreover by EU law, many, in particular the non-European parties, only by their domestic law. In the event of alleged ECHR violations, only European states will be subject to the jurisdiction of the ECtHR, just as only EU member states are answerable before the ECJ for breaches of EU law.

Due to the various data protection standards in force, access cannot be granted a priori by an automatic application of what one party would perceive as ‘good faith’ or ‘exigent circumstances’ because the interpretation and application of such concepts vary in different legal systems. Even the inclusion of additional safeguards, which will by definition be very general given the nature of the Budapest Convention as an international legal instrument, may not be sufficient.

In order to ensure a common baseline on privacy standards, it will be ideal if all parties to the Budapest Convention also accede to Convention 108. Drafted in a simple and technologically-neutral way, Convention 108 represents an internationally agreed minimum standard setting high-level rules while leaving the details up to national implementation. In substance very similar to the OECD and UN standards, Convention 108 has the advantage of being a treaty with legally binding force, thus providing legal certainty and predictability in international relations. Its fundamental standards have been the basis for EU law and were reaffirmed in various bilateral and multilateral agreements.

Convention 108 is already now in force for half of the world’s countries which have enacted comprehensive data protection legislation.[22] In total, 53 states have ratified the Convention which has the potential to be applied worldwide. Currently Argentina, Morocco and Burkina Faso have been invited to accede. Convention 108 constitutes the best treaty-based possibility for a truly international data protection framework.^[23]

With the amending protocol opened for signature on 10 October 2018, Convention 108 has been comprehensively revised, in parallel and consistent with EU law, as regards principles of proportionality, transparency and additional safeguards on data processing. The resulting Convention 108+ corresponds to the call for internationally agreed global standards from business and civil society alike. I am convinced that, with the active participation of countries and stakeholders from all over the world, Convention 108 will eventually fulfil the vision of its drafters and become a truly international standard for data protection.

In case of states being reluctant about a common membership in the Budapest Convention and Convention 108+, identifying at least general safeguards in the new protocol could be an intermediate step. Those safeguards could be inspired by those found for example in the umbrella agreement concluded between the EU and the US to implement a data protection framework for EU-US law enforcement cooperation. The new protocol could provide for safeguards such as clearly circumscribed limitations on data use, regulations on onwards transfers, limitation of retention periods, and implementation of foreign judicial redress proceedings.

Conclusions

It is an illusion to think that we can have complete privacy and total security. However, a fair balance can – and must – be struck. Forfeiting citizen protection in favour of secret surveillance undermines the very essence of the democratic values which we seek to defend.

I am convinced that our endeavours to address cybercrime and data protection on a global scale will not remain a dream. “Wisdom is to have dreams that are big enough not to lose sight when we pursue them” (Oscar Wild).

We must never lose sight of that “big dream” – to find a fair balance between data protection and security, allowing LEAs to operate effectively, while respecting the privacy rights of the people who they exist to protect.