The advent of cross-border remote searches?

Last Monday (15 October 2012) our minister of Safety and Justice (under resignation), Opstelten, sent a letter (.pdf) to Parliament proposing several far reaching investigatory powers to fight cybercrime more effectively. Opstelten suggests incorperating the following investigatory methods in our Code of Criminal Procedure:

  • Remote access to computer systems and the placement of ‘technical devices’ (spyware) in computers.
  • Remote searches in computers, regardless of the location of the computer.
  • Disabling the accessibility of illegal files on computers, regardless of the location of computers.

All of these investigatory methods require an in-depth legal analysis. In this blog post I will only briefly discuss the possibility of cross-border remote searches in computers.

Cross-border remote searches

A cross-border remote search is the collection of evidence via the Internet in computers in other countries. More concretely, based on the letter, I can think of three types of cross-border remote searches that can be distinguished: 1. Using the login name and password of a suspect or hacking an account (accessed by a web portal) of a suspect in order to access and gather evidence from Gmail, Hotmail, or other cloud based online services, 2. Hacking in order to gather evidence from botnets, 3. Hacking a suspect’s personal computer in order to gather evidence remotely.

International criminal law issues

The most interesting legal problem of cross-border remote searches is whether such a search violates the international principle of territoriality and sovereignty of the country in which the data is stored. In the Netherlands we used to uphold a ‘server-orientated jurisdiction principle’, which basically meant that data in servers outside the Dutch territory could not be accessed without permission (before or after the infringement on their territory) or a treaty with the affected state.

It is not clear whether our state authorities are willing to completely let go of the principle, because when ‘the location of a server is clear’ traditional legal aid requests must be used (p. 5 of the letter). According to our minister, the location of a server is unclear in the case of services of cloud providers, because the data changes all the time from different servers at different locations. This is true, but in my opinion it is quite clear where and how evidence can be gathered from cloud service providers. I believe that with article 32(B) of the Convention on Cybercrime many states agreed that data can be gathered directly from companies on a voluntarily basis (and under their own conditions). If they don’t cooperate we can use legal aid requests. Many U.S. companies work well with law enforcement authorities and I wonder whether it is necessary to perform online remote searches in these accounts (although it might be necessary under certain circumstances). I guess the real problem is that Dutch law enforcement authorities want to apply Dutch law and collect evidence possibly located in other countries directly in a criminal case, instead of relying on the willingness of businesses or states when gathering evidence outside the Netherlands.

Dorifel-virus

Article 32 of the Convention of Cybercrime does not solve the problem of servers that are (eventually) localized at so-called “bullet proof hosting providers” who do not cooperate with law enforcement authorities’ evidence gathering activities. As we have seen with the Dorifel-virus, this could lead to disastrous consequences (governmental employees working on type writers instead of computers, because computers were infected and unsafe to use). Maybe the time has come for us to no longer accept such situations, and to view the infringement of another state’s territory as a necessary evil in certain circumstances. The proposed investigatory methods may be suitable for a situation such as Dorifel. One must point out however that being able to use hacking as a investigatory method, does not mean the suspect will be successfully prosecuted, because a state may decide not to extradite their own citizen or prosecute him or her themselves.

Rest assured, the discussion about legalizing cross-border remote searches has just started. It will take a long time (maybe years) and require democratic processes before these far reaching investigatory powers will be implemented in our Code of Criminal Procedure.

This is a cross post from LeidenLawBlog.nl