Regulating digital investigative methods

On 1 March 2017, my new booklet ‘Normering van digitale opsporingsmethoden’ (Regulating digital investigative methods) was published. The booklet was printed by the Netherlands Defence Academy, and I am making it available here as a .pdf.

My aim is to give ‘practitioners’ – that is, investigation professionals, lawyers and judges – more clarity about the legal basis for applying digital investigative methods. During the research period for my PhD thesis, from 2010 to 2016, I regularly heard that it is unclear which rules apply. From a rule-of-law perspective that is highly undesirable, because both the professionals in practice and the citizens involved need to know where they stand in order to prevent the arbitrary exercise of government power. Any internal guidelines that may exist within investigative agencies do not constitute a foreseeable legal framework on which those involved can rely.

With my booklet I therefore hope to provide more clarity about the legal basis of digital investigative methods, but also to spark discussion. This area of law is changing rapidly. I therefore expect this work to remain up to date for only three years. That is because digital investigative methods constantly evolve in response to technological developments and the underlying (cyber)crime, to which investigators must respond. In addition, the ‘Modernisering strafvordering’ (Modernisation of criminal procedure) project will bring considerable changes to the Dutch Code of Criminal Procedure in the near future. The desirable legal basis and safeguards for digital investigative methods in future legislation must therefore be discussed now.

Investigating Cybercrime

On 10 January 2017, I successfully defended my PhD thesis ‘Investigating Cybercrime’. In this blog post, I would like to share my main research results.

Cybercrime investigations

My study shows that in cybercrime investigations, evidence is often gathered by following the two digital leads of IP-addresses and nicknames. I explain how evidence is gathered, based upon these leads. In cybercrime investigations, law enforcement officials often encounter the three challenges of anonymity, encryption and jurisdiction. These challenges can leave law enforcement officials empty-handed in certain circumstances.

However, law enforcement officials can use digital investigative methods to deal with these challenges. The following four investigative methods are identified and further analysed in the study: (1) gathering publicly available online information, (2) issuing data production orders to online service providers, (3) applying online undercover investigative methods, and (4) performing hacking as an investigative method.

Regulating digital investigative methods on a national level

On a national level, my research shows that the identified digital investigative methods are not regulated in a foreseeable manner in the Netherlands. The reason is that the scope and manner in which investigative methods are applied are not sufficiently clear. In addition, I argue that the quality of the law for certain investigative methods is not adequate. The main and concrete results of my analysis are as follows:

  • The manual and automated gathering of publicly available online information should be regulated in detail, outside criminal procedural law. These regulations should indicate how data protection regulations should be applied in a concrete manner when these digital investigative methods are used.
  • The regulations for undercover investigative methods (both online and offline) should be improved by incorporating supervision by an investigative judge.
  • A warrant requirement should apply for obtaining traffic data and content data from online service providers. The category of ‘content data’ should be defined more clearly by the legislator or Public Prosecution Service.
  • Regulating hacking as an investigative power is necessary. The proposal to regulate this investigative method in the Computer Crime Act III is adequate. However, the investigative power is formulated in a rather broad manner and the legal consequences of its application to ‘disrupt cybercrime’ are uncertain.

Regulating digital investigative methods on an international level

On an international level, my research shows that the application of digital investigative methods is not sufficiently taken into consideration in mutual legal assistance treaties. States should realise and take into consideration that unilateral cross-border digital evidence-gathering activities already take place.

The application of digital investigative methods can endanger both State sovereignty and the legal certainty of individuals in certain circumstances. At the same time however, I argue that unilateral cross-border digital evidence-gathering activities should be permissible in certain circumstances. Ideally, States agree on what terms these evidence-gathering activities are allowed and protect the rights and freedoms of the individuals involved in mutual legal-assistance treaties or on an ad-hoc basis. In the meantime, States should create a policy for their law enforcement authorities to determine under which circumstances unilateral cross-border digital evidence-gathering activities are allowed. I provide recommendations about these restrictions for the Dutch legislator.

Finally, I would like to say that it has been a pleasure performing research as a PhD Candidate at Leiden University. I will continue to do research in cybercrime, cybersecurity, digital investigations and privacy in the future.

This is a cross-post from LeidenLawBlog. My book is also commercially available at bol.com (among others).

A call to make a guideline for online investigations accessible

The gathering of publicly available online information is nowadays part of ‘most police investigations’. Some call this information the ‘new social DNA’ for law enforcement. Indeed people publish massive amounts of information about themselves on the internet on a voluntary basis. At the same time other people can also publish information about individuals on the web. Law enforcement authorities make use of this information to fulfil their tasks, such as maintaining public order, and as a source of information in criminal investigations. In this blog post I submit that Dutch law enforcement authorities and the Public Prosecution Service should publish their policy on the use of publicly available online information in criminal investigations.

Accessibility and foreseeability

A policy on the use of privacy-interfering investigative methods should be accessible and foreseeable to the individuals involved. Accessibility means that a guideline or regulation is published and made publicly available for individuals to take notice of. Foreseeability means that the scope of investigative methods and the manner in which they are applied are clear to the individuals involved. An arbitrary interference by governmental authority powers in the private lives of individuals can be avoided with a foreseeable legal framework.

Murky legal basis

At the moment it is likely that the gathering of publicly available online information takes place on the legal basis of law enforcement officials’ statutory task description for the investigation of crimes (art. 3 of the Dutch Police Act). This is implied in legislative history (the explanatory memoranda on the Act on special investigative powers and the Computer Crime Act II). Although these acts go back more than 15 years – at a time when the Internet looked very different and social media services were not as popular – this is the only legislative history available. In addition a court in The Hague decided in 2011 that law enforcement officials can make use of Google Earth on the basis of art. 3 Police Act.

However this legislative history and court decision become murky when they explicitly mention that “information cannot be gathered systematically and stored in police systems” upon the basis of art. 3 of the Police Act. When exactly is information gathered systematically about individuals? Is it when a “more or less complete picture of certain aspects of an individual’s private life” is obtained? And then what? What special investigative powers apply? Shouldn’t the investigative activity be part of the task of law enforcement officials, to gather the necessary data they require for a criminal investigation without the application of special investigative powers?

Online observation

When law enforcement officials observe the online behaviours of individuals the special investigative power of ‘systematic observation’ applies. The Dutch legislator suggested at the time that factors such as the duration, place, intensity, frequency and the use of technical devices should be taken into consideration to determine whether the behaviours of individuals are observed ‘systematically’. Still, these abstract factors were originally written for application in the physical world and provide a lot of leeway for law enforcement officials and public prosecutors to decide when application of the special investigative power of systematic observation is required.

Data protection regulations

It is clear however that data protection regulations on the gathering of personal data restrict the investigative activity. Data protection regulations apply as soon as law enforcement officials look for the information on their computers or use an automated data collection system to gather the information. These regulations thus apply at an earlier stage than when the results of the search are stored in police systems. Earlier research (see for instance this report and this report (in Dutch)) raises questions about how automated data collection systems meet key principles of data protection regulations. Yet these questions remain unanswered by law enforcement authorities and the legislator.

Conclusion

We – the people – require an explanation of how and under which conditions law enforcement authorities gather publicly available online information. Interestingly, in a 2016 master thesis (.pdf in Dutch) an internal procedure on the ‘gathering of data from social media services’ is mentioned. If such a policy indeed exists, but is not made available to the public, the law is not accessible and foreseeable to the individuals involved. For that reason I urge Dutch law enforcement authorities, the Public Prosecution Service and the Dutch legislator to make such a policy public. If such a policy does not exist, a guideline should be developed and published online as soon as possible.

This is a cross-post from LeidenLawBlog.

Criminal procedure and the digital revolution

A digital revolution has taken place for law enforcement authorities. A treasure trove of information is currently publicly available on the Internet. In addition, large amounts of information can be gathered from third parties, such as telecommunication providers, financial institutions and online service providers. Furthermore, law enforcement authorities can analyse every piece of information on seized computers with specialised software. All that information can be combined and processed and thereby provides great investigative potential for law enforcement authorities.

The Dutch legislator is currently seeking to amend (in Dutch) the Dutch Code of Criminal Procedure (DCCP) and aims to take into account the influence of Information and Communication Technology on police work. However the current plans only take into consideration the gathering of publicly available information and the seizure of computers. Yet these investigation methods are not the full spectrum of digital investigation methods that is available to law enforcement authorities. Remarkably, even the planned amendments to the DCCP to accommodate these two investigation methods – and beef up the safeguards to protect the individuals involved – have now been put on hold or will be further researched to assess their desirability.

‘Open source information’

Publicly available online information provides a powerful tool for surveillance by law enforcement authorities. People willingly post large amounts of personal information about themselves on online forums and social media services. Other individuals can also post information about people on the Internet. In law enforcement terms that information is called ‘open source’ information, i.e. information that anyone can access, purchase, or gather by observation. The thing is that law enforcement officials do not even know themselves under which conditions and to what extent the information can be collected.

Also note that the collected information can be combined with other information collected from third parties and further processed. By use of specialised software an intricate picture of certain aspects of an individual’s life and relationships with other individuals can be obtained. In first instance, the Dutch legislator proposed creating detailed regulations in the DCCP to regulate the investigation method. However the Dutch police do not support this proposal and the Dutch Minister of Security and Justice has now put these plans on hold to assess their desirability.

A warrant for computer searches

The second amendment proposed was for the seizure and subsequent analysis of data stored on computers. The Dutch Minister of Security and Justice acknowledges (p. 83) the serious privacy interference that takes place when computers are seized and suggests that ‘a higher authority’ should authorise the seizure. In my previous blog post I argued that a warrant requirement and mandatory limitation of the scope of the warrant are therefore appropriate safeguards for the seizure of computers. These safeguards can be derived from case law by the European Court of Human Rights regarding computer searches. Yet the Dutch Minister of Security and Justice does not even refer to that case law or current Dutch case law on the subject. Dutch law enforcement authorities fear a significant administrative burden (p. 8) due to proposed changes in legislation. Therefore further research has been announced to investigate the desirability of the amendment. Indeed, a warrant requirement will bring with it more paperwork. Yet it is an important safeguard in protecting individuals from the arbitrary interference of law enforcement authorities in our private lives. Possibly the Dutch Supreme Court will step in and require a warrant for seizing and analysing the contents stored on computers in the meantime.

Concluding remarks

In my view, the proposed Dutch reforms for criminal procedure do not fully appreciate the consequences that technology brings with it for criminal investigations. The amount of data that law enforcement authorities can collect and the tools at their disposal to process every piece of that information should not be underestimated. The two proposed amendments are a start in thinking about those consequences and how to regulate digital investigation methods. Therefore it is unfortunate that those amendments will now be put on hold, possibly toned down, and further researched for their desirability.

Arguably, the ambition of updating criminal procedure law to fit the new digital investigation landscape is too ambitious and a separate legislative project is desirable. In addition, it is possible that certain restrictions on investigation methods are better suited for regulation outside criminal procedure. However, in any case, there should be a sense of urgency to accommodate digital investigation methods in our legal framework and provide sufficient safeguards for the individuals involved. To be continued I hope.

This blog post is a cross-post from LeidenLawBlog.nl

A warrant requirement for analysing data stored on smartphones?

On 22 April 2015, the Dutch high court of Arnhem-Leeuwarden possibly set a precedent with far-reaching consequences. In this particular criminal case, a law enforcement official seized a smartphone and subsequently read and copied WhatsApp messages stored on the smartphone. The defence successfully argued that the investigation method was in violation of the right to privacy as articulated in art. 8 ECHR. The high court of Arnhem-Leeuwarden agreed and deemed the current regulations not foreseeable.

Currently, as explained in my previous blog post, law enforcement officials can seize a smartphone and examine all data stored on it in the context of a criminal investigation to obtain evidence without any notable legal thresholds. However, the high court points out that smartphones contain “not only access to traffic data, but also the contents of communications and private information of a smartphone user”. Because the analysis of such data severely infringes on the right to privacy, the seizure and analysis of data stored on smartphones are not adequately regulated according to the court.

Right to privacy and analysis of information on smartphones

Indeed, the European Court of Human Rights (ECtHR) recently decided in the case of Prezhdarovi v Bulgaria that (1) a judicial warrant requirement and (2) a limitation of the scope of the sought after data on computers is preferable when law enforcement authorities seize computers and analyse data stored on computers. Considering the serious privacy infringement that takes place when personal data that is stored on computers is analysed by law enforcement authorities, adequate safeguards in the domestic laws of States should protect the involved individuals against arbitrary interferences of State in their personal lives according to the ECtHR.

The decisions of the high court of Arnhem-Leeuwarden and ECtHR indicate that the Dutch regulations for the seizure of computers such as smartphones require amendments in order to adequately protect the right to privacy. In June 2014, the Dutch Ministry of Security and Justice already suggested that amendments were required for analysing data on computer systems. Yet, these amendments only suggested the legal thresholds of an order of a public prosecutor, whereas the ECtHR seems to prefer a prior review of an investigating judge – i.e., basically a warrant requirement – to analyse data on computer systems.

International trend?

Interestingly, almost a year ago, the U.S. Supreme Court decided in the landmark case of Riley v. California that a judge’s warrant is required in order to seize a smartphone and analyse data stored on a smartphone. The protection of the warrant requirement was deemed appropriate, because: “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”.”

Obviously, modern cell phones do not contain the ‘privacies of life’ only for Americans. So tell me, does your domestic State law require a warrant to seize computers and analyse data stored on those devices?

This is a cross-post from LeidenLawBlog.nl.

=== Update ===

My commentary (in Dutch) on the case of 22 April 2015 is available here (in .pdf).

Note that, in the meantime, the Dutch courts of Oost-Brabant and Noord-Holland dismissed the verdict of the high court of Arnhem-Leeuwarden, stating that article 94 of the Dutch Code of Criminal Procedure allows for the seizure of smartphones and subsequent search of data stored on the device.

The court of Amsterdam decided on 18 June 2015 that art. 8 ECHR was not infringed, because law enforcement restricted the search of data stored on the smartphone to contact details. Therefore, the search was not deemed disproportionate. Interestingly, other judges of the court of Noord-Holland decided on 4 June 2015 in a different case that seizing a smartphone based on art. 94 DCCP does infringe art. 8 ECHR. Clearly, the courts in the Netherlands are divided on the question whether seizing a smartphone based on art. 94 DCCP infringes art. 8 ECHR. Apparently, the Public Prosecution’s Office appealed and the question will be brought to the Dutch Supreme Court.

Hacking without a legal basis

In May 2014, the Dutch Public Prosecution Office announced that the Dutch police participated in a global action against ‘Blackshades’ malware. Blackshades enables individuals to remotely take over computers and copy information (among other functionalities). The Dutch press release stated that:

“Team High Tech Crime of the Dutch police saw an opportunity to enter the Blackshades server and secure a large amount of information. The location of the server is unknown”.

This statement implies that Dutch law enforcement authorities entered the server remotely to copy data. In other words, Dutch law enforcement authorities hacked a server without knowing the location of the server to secure information. Indeed, recent answers to parliamentary questions confirmed the computer was ‘remotely accessed’ (hacked) by law enforcement authorities during the operation in May. In addition, the Dutch Minister of Security and Justice stated in the letter to the Dutch Parliament that art. 125i of the Dutch Code of Criminal Procedure (DCCP) provides for a legal basis to access a computer remotely (by hacking) and copy information.

The problem with this letter is that there is arguably no legal basis for hacking in Dutch criminal procedural law. The statement of the Minister of Safety and Justice is in my view worrisome, because a special investigation power is interpreted very broadly by the minister to suit the needs of law enforcement authorities. This undermines a fundamental principle of our criminal law system.

Art. 125i DCCP does not provide a legal basis for hacking

Art. 125i DCCP provides for an ill-understood investigation power that allows law enforcement authorities to search a place in order to secure information stored on computers. The article specifically refers to existing investigation powers for search and seizure at a particular place by law enforcement authorities. Therefore, art. 125i DCCP should always be read in conjunction with the power to search a place, seize a computer and subsequently search data on a computer. In the letter, the minister seems to ignore these explicitly referred to powers of search and seizure at a particular place.

For example, a public prosecutor can seize a computer located at a hosting provider and search the data stored on a computer in an effort to secure the sought-after data upon the legal basis of art. 125i DCCP jo art. 96c DCCP. These powers for search and seizure are simply different from hacking as an investigation method. The most notable difference between hacking and the search and seizure of computers is that hacking takes place remotely in secret, whereas the search and seizure of computers takes place at a particular place in the presence of witnesses.

There are good reasons to think that the Dutch legal framework to analyse data on computers is outdated. Additionally, there are good reasons why law enforcement authorities feel the need to be able to access computers remotely to acquire information relevant to a criminal investigation. But a key principle, essential to the rule of law, is that law enforcement authorities are bound by the law. In my view, as I argued extensively in 2011 and 2013 (in Dutch), Dutch criminal procedural law does not provide for the investigation power to hack computers by law enforcement authorities.

Criminal procedural legality principle

In Dutch criminal procedural law, investigation methods that infringe on the right to privacy in more than a minor way or threaten the integrity of a criminal investigation require detailed regulations. This ‘criminal procedural legality principle’ with regard to the regulation of investigation methods ensures that governmental powers are controlled by the law and prevents arbitrary interferences by the government in the private lives of citizens. The principle also ensures that governmental powers to investigate crime are foreseeable to citizens. In essence, this legality principle harnesses governmental power, which is essential to the rule of law.

Therefore, I find it curious our Minister of Security and Justice endorses a broad and highly debatable interpretation of the law to enable law enforcement authorities to hack computers, especially considering that a new legislative proposal is under way which aims to regulate hacking as an investigation power. This ‘Computer Crime Act III’ will be sent to the Dutch Parliament in early 2015.

A democratic legislative process is required to provide Dutch law enforcement authorities with the powers that a majority of the elected representatives of the Dutch people find appropriate. Perhaps hacking computers under stringent conditions to allow for evidence gathering activities is desirable as a new investigation power. But in the meantime, the criminal procedural legality principle as a key principle in Dutch criminal procedural law should not be ignored.

This is a cross post from LeidenLawBlog.nl

Reforming the legal regime for search and seizure of computer data

On 6 June 2014, the Dutch Ministry of Security and Justice published several ‘discussion documents’ about reforming Dutch criminal procedural law. Of particular interest to this blog post is the document relating to search and seizure (in Dutch). The authors of this discussion document suggest amending the legislation with regard to the search and seizure of data on computer systems. In my view, that is a very good idea considering the old-fashioned approach we now have towards search and seizure of computer systems.

Computer systems as regular objects

In 1993, the Dutch legislator decided to treat computer systems as regular tangible objects which can be seized and subsequently analysed for evidence gathering purposes in criminal investigations. The reason for this is that data in itself cannot be seized in a criminal investigation, because data can be copied, whereas only tangible ‘goods’ can be taken out of the possession of the owner. Although data cannot be seized, the data carrier can be seized like all other goods. The regular rules for search and seizure of goods are applicable for data carriers (computers). Similar to the seizure of a bloody baseball bat in a murder investigation, computers can be seized and indefinitely analysed for evidence. Such an analysis to ‘ascertain the truth’ of what happened by analysing computer systems in a murder investigation is not far-fetched, as this case shows in which the intent to commit a murder was proven by analysing the search history of the personal computer of the suspect.

Considering the modern software tools which law enforcement authorities can utilise to analyse data on computers, it is easy to imagine that such a search may heavily infringe on an individual’s right to privacy. Perhaps it is time to amend the legislation for search and seizure of computers. Indeed, the authors of the discussion document recognise that “taking knowledge and securing stored e-mail correspondence, photos and videos, personal notes and internet search history” can heavily interfere with the personal lives of the individuals involved. “In comparison”, the authors state, “the seizure of all photo albums, video tapes, is soon deemed disproportional” (see p. 37). Possibly, specialised software can filter out information and thus limit the privacy infringement that occurs.

Location based legal regime

Currently, which conditions apply for the seizure of computers and subsequent analysis of data depends on the location at which the computer is located. If the computer is located (a) on public streets or a vehicle, law enforcement officials can seize the computer, (b) in an office building, a public prosecutor can give the order to seize a computer and (c) in a residence, an order from a public prosecutor and a warrant from an examining judge is required (leaving out exceptions to these rules). One could wonder: is this differentiation correct? Does a different privacy infringement occur when the information on a computer is analysed, depending on the location at which the computer is seized? I think not. I think in all circumstances a serious infringement of the right to privacy occurs when computers are seized and individuals must be adequately protected against the arbitrary interference of the government in their private lives.

How to deal with privileged communications, chain of custody, etc.

The discussion document also raises other important issues relating to the search and seizure of computer systems. The authors rightfully point out that regulations are possibly required to make sure that (a) privileged communications cannot be accessed by law enforcement officials, (b) the regulations for the seizing of letters also apply to digital communications and (c) more attention is required for the regulations regarding the ‘chain of custody’ when data is analysed (see p. 42-49). Clearly, digital forensic investigators can also contribute to better regulations for the search and seizure of computer data in criminal investigations.

Hopefully, we will soon be able to read more observations regarding the discussion documents online, in order to further the debate about the necessary reforms in criminal procedure law!

This is a cross post from LeidenLawBlog.nl

————

Update

Days after this blog post first appeared, the U.S. Supreme Court decided in Florida vs Riley that a warrant was required to search a modern cell phone. The Supreme Court noted: “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”.” See this New York Times article for more information about the Riley case.

Perhaps inspired by the Riley decision, Dutch Parliamentary Members soon proclaimed that a warrant for a house search should be required to search phones in the Netherlands. Probably the warrant would be extended for different types of computers as well. Parliamentary Member Jeroen Recourt elaborated in an interview that the announced reforms of the Dutch Criminal Procedure Code may provide a good opportunity to better protect the confidentiality and integrity of mobile phones. Note however, how he also left open the option that the data on a computer can be searched after an order of a public prosecutor.

Is data retention useless?

“Data retention of web data is useless” were the headlines of some news outlets in the Netherlands a few weeks ago. In my view the journalists jumped to conclusions after quickly reading the evaluation report (.pdf) of the Research and Documentation Centre of the Dutch Ministry of Safety and Justice with regard to data retention (English summary is available on p. 151-159). I think some more nuance is needed and it may be interesting to compare the report to my own research results with regard to data retention after several successful data access requests.

Retention of telephony data

The authors of the report explain that telephony data is nowadays used in almost every criminal investigation. Location data and call detail records are particularly useful according to interviewed investigators and based on case law.

Two researchers tried to obtain their own telecommunications data with a data access request, but were unable to obtain location data. My own data access request proved more successful, as described in a previous blog post. I recognize the researchers’ experience that it was too difficult to obtain the data and stress there are questions surrounding our government’s plans to leave out notification requirements after certain types of data have been collected by law enforcement officials.

Retention of internet data

The retention of internet related data regards internet access, e-mail provided by ISPs and managed VoIP-telephony. The full list of data that must be retained for 6 months is available here at section “B”. Thus, search queries and visited websites are not retained by telecommunication companies, as well as the ‘contents’ of e-mail messages and other messages or conversations held using the Internet.

My own data request at my broadband internet access provider revealed that, in a period of three days, only one IP-address and the subscriber data were retained. Since I do not use the e-mail client provided by my ISP, there is no e-mail data available. The report tellingly quoted a law enforcement official who stated that practically “only 55-year-olds and above” still privately use e-mail of their internet access providers. Web-based telecommunication services are not obligated to retain data. The available data can only be obtained using legal aid requests. Researchers point out there are significantly fewer data requests in the Netherlands at these foreign providers than in other EU countries, but they cannot explain why.

Identifying internet users

An important question is how retained internet related data is used in criminal investigations. The authors of the report explain that the retention of internet data is primarily used in cybercrime investigations (investigations in which the Internet plays a facilitating role in the commission of the crime). The retention of the IP-address assigned to the router of a broadband internet connection may enable law enforcement officials to (eventually) identify suspects. In cybercrime investigations, in some cases a logged IP-address of a device used to perpetrate a crime is the only lead available. Tracing back the IP-address may lead to an ISP, depending on what service is used to access the Internet and whether anonymizing services are used.

Since suspects may just as well live in a different country than the Netherlands when committing a cybercrime, the trace often leads to a foreign ISP. According to the authors of the report, investigators therefore largely depend on legal aid requests to collect the available data. When data retention regulations are in place, the data is at least available for a period of time. However, not all EU Member States implemented the EU Data Retention Directive, and local regulations always differ, which can be frustrating for law enforcement officials.

Most significantly, the researchers suggest it may be very difficult to identify mobile internet users solely upon the basis of an IP-address (p. 102-106). My own data access request at my telephone provider revealed that the IP-addresses assigned by the telephone company were often the same. It is likely that many people make use of the same IP-address at the same time through Network Address Translation (NAT) technologies, after which the internet traffic is distributed further through the company's infrastructure. All these people then make use of the same IP-address. When no additional information about the devices is retained, it may be difficult to identify individual users who were all assigned the same IP-address. I cannot determine upon the basis of the available information whether telecommunication providers are able to trace back individual users upon the basis of an IP-address, but if I’m reading it correctly the research report suggests they cannot. That seems a rather significant conclusion to me.
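The identification problem described above, shown as an added example that is not part of the original post or the evaluation report: a lookup over constructed retention records in which several subscribers share one public IP-address. The record layout, the subscriber labels and the per-subscriber port blocks are assumptions made for illustration; the post does not say whether any provider retains port information.

```python
from datetime import datetime
from typing import NamedTuple, Optional

class NatRecord(NamedTuple):
    subscriber: str           # constructed label, not real subscriber data
    public_ip: str            # shared public address (documentation range)
    start: datetime           # session start
    end: datetime             # session end
    ports: Optional[range]    # assumed public source-port block; None if not retained

def build_records(with_ports: bool):
    """Constructed retention records: several subscribers behind one NAT address."""
    rows = [
        ("sub-A", "198.51.100.7", "2015-01-15 08:00", "2015-01-15 12:00", range(1024, 17408)),
        ("sub-B", "198.51.100.7", "2015-01-15 09:30", "2015-01-15 10:30", range(17408, 33792)),
        ("sub-C", "198.51.100.7", "2015-01-15 09:45", "2015-01-15 18:00", range(33792, 50176)),
        ("sub-D", "198.51.100.7", "2015-01-15 13:00", "2015-01-15 14:00", range(1024, 17408)),
        ("sub-E", "198.51.100.8", "2015-01-15 09:00", "2015-01-15 11:00", range(1024, 17408)),
    ]
    ts = datetime.fromisoformat
    return [NatRecord(s, ip, ts(a), ts(b), p if with_ports else None)
            for s, ip, a, b, p in rows]

def candidates(records, public_ip, seen_at, src_port=None):
    """Return the subscribers whose retained session matches a logged observation."""
    hits = set()
    for r in records:
        if r.public_ip != public_ip or not (r.start <= seen_at <= r.end):
            continue
        # A source port narrows the result only if the server log recorded one
        # AND the provider retained the port block for that session.
        if src_port is not None and r.ports is not None and src_port not in r.ports:
            continue
        hits.add(r.subscriber)
    return sorted(hits)

OBSERVED_AT = datetime.fromisoformat("2015-01-15 10:00")  # constructed log timestamp

if __name__ == "__main__":
    for label, recs in (("IP and time only", build_records(False)),
                        ("with retained port blocks", build_records(True))):
        print(label, candidates(recs, "198.51.100.7", OBSERVED_AT, src_port=21000))
```

With only the IP-address and a timestamp, three subscribers remain equally plausible; the result collapses to one only when additional per-session information exists on both sides of the lookup.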

Interestingly, the interviewed law enforcement officials unanimously agree the retention period of 6 months for internet related data is too short. Taking into consideration the amount of time criminal investigations can take, I understand these statements from an investigation perspective. But the Dutch parliament shortened the retention of internet data from 1 year to 6 months in 2011, citing privacy concerns. The researchers' report also explains how many of the interviewed law enforcement officials were unaware internet related data was retained. Internet related retention data is primarily used in cybercrime investigations. The researchers point out there is still a knowledge deficit among law enforcement officials on how to use internet related data in criminal investigations regarding crimes of all types.

Conclusion

Contrary to what some news articles suggest, the collection of data at telecommunication providers – of which the availability is ensured by data retention legislation – is almost standard practice in criminal investigations. It is deemed as ‘very useful’ by investigators and case law suggests the data is relatively often used as evidence in criminal cases.

Data retention of internet related communications proves to be particularly useful in many cybercrime investigations, because the retention of assigned IP-addresses to broadband Internet customers may enable law enforcement officials to identify internet users. When a different internet connection than a household internet connection is used, it may be difficult to identify internet users. Perhaps internet users can even stay anonymous by using a mobile internet connection. This seems strange, because data retention legislation is specifically created to identify people and aid in criminal investigations. Indeed, the obligatory retention of mobile internet related data seems rather useless in case the information cannot be used to identify people. However, the location data that is retained every time data is transmitted through a telecommunications network still often aids in criminal investigations.

Before the legislator considers expanding data retention regulations, it may be worth considering whether there is other information available at third parties that can be collected to identify internet users. People also often have to log in to make use of the internet access service, which may provide leads, and there may be camera footage available, for example. The regulations for the retention of internet data must be reviewed on their own merits, because internet data is simply not the same as telephony data. The future will tell us how the legislators respond to the research findings of the report. The Dutch minister of Security and Justice already announced he will review in the coming months whether expanding the list of data retention is desirable.

Leaving out notification requirements for data collection orders?

Each time you make a phone call with your mobile phone, the (i) date, (ii) time and (iii) duration of your phone call, as well as the (iv) numbers dialed and the (v) location of the antennas (or region (Cell ID)) your mobile phone connects to are retained by your telecommunication service provider. The data is retained in order to ensure the availability of the data for serious crime investigations by law enforcement authorities. The Dutch Minister of Safety and Justice believes that data collection orders from third parties only create ‘minor infringements’ to your right to privacy. Taking this into account, he reasons that the poorly enforced requirement that law enforcement authorities must notify individuals about data collection orders when reasonably possible, causes too much of an administrative burden and should therefore be abolished. His bill proposing the measure caused some controversy last week (10 October 2013) in the Netherlands (article is in Dutch).

But ask yourself: do you know exactly what data is retained by telecommunication providers? And does data retention create only ‘minor’ privacy infringements? Is this a valid argument to get rid of the notification requirements?

Minor privacy infringements?

The European Data Retention Directive from 2006 obliges telecommunication providers to retain subscriber data (name and address data) and ‘traffic data’ (such as the date, time and duration of the call as well as the numbers dialled) between 6 and 24 months (see article 5 of the Directive). The subjects of data collection orders are not only suspects. In some cases they could also be other individuals, on the condition that the data collected is relevant to the criminal investigation. The problem is that the categories of data described in art. 5 of the Data Retention Directive are, in my opinion, relatively abstract and leave a lot of leeway in terms of what is exactly retained by what provider.

In order to gain more clarity about exactly what data is retained by telecom providers and to get a feeling of what that might mean for the right to privacy, I conducted a few data access requests (a right provided by European privacy laws) with my telecommunication providers. Only focusing on my ‘location data’ and accompanying ‘time stamps’ related to my mobile phone in a period of 3 days, my data request revealed the following (interactive) map:

The blue, red and green points represent the antennas my mobile phone connected to on the 25th, 26th and the 27th of April 2013, each time my mobile phone made a connection with my telecommunication provider (49 times in total). The red line indicates a railway to emphasise the route I took when I travelled by train to Utrecht Central Station and back to Leiden CS (travelling via Schiphol on the 26th of April 2013). On the 27th of April I worked from home as can be seen by the green points. I used a public tool (BatchGeo) to create the map using the raw data provided by my provider, but law enforcement officials can also easily create maps as shown above and even visualise the movements the individual concerned made within a particular time frame with specialized software. It is not hard to imagine why data retention is useful for law enforcement authorities. The data can also be enriched with other data, such as public transportation data from public transportation chip cards, CCTV footage, ANPR data and other network communication data when available. This is what investigating crime in a networked world looks like. The minister stated in the explanatory report on the bill, that collecting data from third parties is now “almost standard to criminal investigations”.

So ask yourself again: does the collection of data by law enforcement authorities from third parties, as illustrated above, create only ‘minor’ privacy infringements? Personally I do have some sympathy with the argument that notification is not desirable for all investigatory methods, taking efficiency reasons into consideration. But I do not think that data collection orders create minor privacy infringements and that this would be a valid reason for abolishing notification. Also bear in mind that without notification, many individuals would not be aware that the government had collected the data, depriving them of the opportunity to object to the data collection. This raises issues relating to art. 13 of the European Convention on Human Rights (not so much art. 8 ECHR as mentioned in the explanatory report), although this aspect is not further considered here.

More transparency about data collection

Even after years of research, it is still not clear to me exactly what data (especially internet related data) is retained by what provider. In addition, the minister refuses to provide statistics on the collection of data, other than telecommunication providers, citing ‘national security interests’ and that it is ‘not in the interest of police investigations’. As I have stated in a previous blog post, I believe that more transparency, by way of providing these statistics, is essential. Parliamentary Members can then pose questions to the governmental representatives involved, in order to maintain (some) control over these far-reaching investigatory powers and try to uphold the integrity of the investigatory process.

This is a cross-post from LeidenLawBlog.nl

From a “Take down” order to internet filters for police purposes?

The new Wet Computercriminaliteit III (Computer Crime Act III, draft) is a bill to combat computer crime. The draft bill is controversial mainly because of the proposed hacking powers for the police and the public prosecution service. However, the proposed ‘Notice and Take Down’ (NTD) power is another aspect that deserves our attention.

Notice and Take Down

Notice and Take Down is a concept in which companies or persons are asked to remove illegal web content at the request of a third party. In the Netherlands, self-regulation has led to a code of conduct (.pdf) on ‘Notice and Take Down’ for providers of public telecommunication services and networks. Individuals, companies and law enforcement officials can ask a company to remove online content when the content on a particular website is unmistakably illegal or unlawful. Child pornography is the standard example of web content that the administrator of a website should remove at the request of a third party.

Implementation problems

Taking web content offline on request, on the basis of the code of conduct (or a company's terms and conditions), is currently not an obligation for internet providers. Our Minister of Security and Justice wants to change this by making it possible to use ‘Notice and Take Down’ as an enforcement instrument (see the newly proposed article 125p of the Dutch Code of Criminal Procedure (Wetboek van Strafvordering, Sv)). According to p. 44 of the Explanatory Memorandum (Memorie van Toelichting), the added value of the instrument is mainly that the proposed order can also be directed at hosting providers and administrators of a website.

The NTD order

On the basis of the proposed article 126p Sv, a public prosecutor could, with the authorisation of an investigating judge (rechter-commissaris), issue an order to an ‘electronic communication provider’ (ECP) to ‘take all reasonable measures’ to make data inaccessible in order to end a criminal offence or to prevent new criminal offences. The measure is intended for all crimes (misdrijven) in the Dutch Criminal Code. As indicated, it is also intended that the public prosecutor can issue the order to website administrators, but that is not apparent from the text of article 125p Sv.

In theory, the police and the public prosecution service already had this power with respect to telecommunication providers on the basis of article 54a of the Dutch Criminal Code (Wetboek van Strafrecht, Sr). However, article 54a Sr was subject to so many legal objections that a “Take down” order for illegal web content on the basis of this article was not always accepted by the courts in practice. The proposed article 125p Sv can therefore be seen as a repair of article 54a Sr. Article 54a Sr will, incidentally, remain in place and is slightly amended to clarify the ground for exclusion from prosecution in this article.

If the company or the person concerned does not cooperate, they can be prosecuted for failing to comply with an official order. It is remarkable that the text of the proposed measure in article 126p Sv implies that the intermediary is a ‘suspect’ who has the right to a lawyer during a hearing on the measure. Interested parties can file a complaint with the court if they disagree with the imposed sanction. The Take down power is intended as a temporary measure that is reassessed by a trial judge at the end of criminal proceedings. The Minister does not want to wait for a decision of the trial judge before the measure can be imposed, because it would be undesirable if it took several months longer before the data is made inaccessible. Personally, I hope that a Notice and Take down order will indeed always be accompanied by criminal proceedings and is not used on its own as an instrument to make inaccessible data that the police and the public prosecution service consider illegal.

The order is only intended for cases in which an NTD request is not carried out voluntarily, for example in the case of hate speech or defamation where the intermediary and the public prosecutor disagree on whether the content is illegal. In my opinion, the proposed NTD sanction is a far-reaching and, in some cases, blunt instrument that can only be partially effective. Sometimes many websites are hosted on a single web server. Shutting down a web server can then result in many more (legal) websites being made inaccessible. More important still, in my view, is that a Take Down order can also be imposed on access providers and may thereby lead to government-imposed internet filters.

From Notice and Take Down to internet filters

On p. 84 of the Explanatory Memorandum to the draft bill it is stated that “in case the material is hosted abroad and making it inaccessible is necessary, the order can be directed at access providers”. Making the material inaccessible can then be carried out by blocking IP-addresses (see p. 85). The blocking “should continue as long as the data is offered”, according to the Explanatory Memorandum. When issuing the order, the public prosecutor must, incidentally, take into account the technical possibilities and the costs of making parts of pages or websites inaccessible.

I infer from this that the proposed NTD power may, under certain circumstances, lead to specific websites having to be filtered by order of the public prosecutor. As we all know, such filters are easy to circumvent by means of proxy and VPN servers, but the Explanatory Memorandum does not discuss this. Meanwhile, Dutch hosting companies and ISPs are concerned about the costs of the proposed measure and their competitive position in the industry.

Conclusion

The proposed Notice and Take Down power is intended for criminal cases in which a person or company is able to take data offline but is not willing to do so voluntarily. With the proposed power, a public prosecutor can (after authorisation by an investigating judge) compel providers of electronic communication services to make data inaccessible under threat of criminal prosecution.

The proposed regime is more far-reaching than the old (and poorly enforceable) article 54 of the Dutch Criminal Code and can result in a filtering obligation for specific websites. Our members of parliament must think carefully about and debate the proposed blocking and filtering measures before approving them as an instrument for law enforcement agencies.