A call to make a guideline for online investigations accessible

The gathering of publicly available online information is nowadays part of ‘most police investigations’. Some call this information the ‘new social DNA’ for law enforcement. Indeed people publish massive amounts of information about themselves on the internet on a voluntarily basis. At the same time other people can also publish information about individuals on the web. Law enforcement authorities make use of this information to fulfil their tasks, such as maintaining public order, and as a source of information in criminal investigations. In this blog post I submit that Dutch law enforcement authorities and the Public Prosecution Service should publish their policy on the use of publicly available online information in criminal investigations.

Accessibility and foreseeability

A policy on the use of privacy-interfering investigative methods should be accessible and foreseeable to the individuals involved. Accessibility means that a guideline or regulation is published and made publicly available to individuals to take notice from. Foreseeability means that the scope of investigative methods and the manner they are applied are clear to the individuals involved. An arbitrary interference by governmental authority powers in the private lives of individuals can be avoided with a foreseeable legal framework.

Murky legal basis

At the moment it is likely that the gathering of publicly available online information takes place on the legal basis of law enforcement officials’ statutory task description for the investigation of crimes (art. 3 of the Dutch Police Act). This is implied in legislative history (the explanatory memoranda on the Act on special investigative powers and the Computer Crime Act II). Although these acts go back more than 15 years – at a time when the Internet looked very different and social media services were not as popular – this is the only legislative history available. In addition a court in The Hague decided in 2011 that law enforcement officials can make use of Google Earth on the basis of art. 3 Police Act.

However this legislative history and court decision become murky when they explicitly mention that “information cannot be gathered systematically and stored in police systems” upon the basis of art. 3 of the Police Act. When exactly is information gathered systematically about individuals? Is it when a “more or less complete picture of certain aspects of an individual’s private life” is obtained? And then what? What special investigative powers apply? Shouldn’t the investigative activity be part of the task of law enforcement officials, to gather the necessary data they require for a criminal investigation without the application of special investigative powers?

Online observation

When law enforcement officials observe the online behaviours of individuals the special investigative power of ‘systematic observation’ applies. The Dutch legislator suggested at the time that factors such as the duration, place, intensity, frequency and the use of technical devices should be taken into consideration to determine whether the behaviours of individuals are observed ‘systematically’. Still, these abstract factors were originally written for application in the physical world and provide a lot of leeway for law enforcement officials and public prosecutors to decide when application of the special investigative power of systematic observation is required.

Data protection regulations

It is clear however that data protection regulations on the gathering of personal data restrict the investigative activity. Data protection regulations apply as soon as law enforcement officials look for the information on their computers or use an automated data collection system, to gather the information. These regulations thus apply at an earlier stage than when the results of the search are stored in police systems. Earlier research (see for instance this report and this report (in Dutch)) raises questions about how automated data collection systems meet key principles of data protection regulations. Yet these questions remain unanswered by law enforcement authorities and the legislator.

Conclusion

We – the people – require an explanation of how and under which conditions law enforcement authorities gather publicly available online information. Interestingly, in a 2016 master thesis (.pdf in Dutch) an internal procedure on the ‘gathering of data from social media services’ is mentioned. If such a policy indeed exists, but is not made available to the public, the law is not accessible and foreseeable to the individuals involved. For that reason I urge Dutch law enforcement authorities, the Public Prosecution Service and the Dutch legislator to make such a policy public. If such a policy does not exist, a guideline should be developed and published online as soon as possible.

This is a cross-post from LeidenLawBlog.

A warrant requirement for analysing data stored on smartphones?

On 22 April 2015, the Dutch high court of Arnhem-Leeuwarden possibly set a precedent with far-reaching consequences. In this particular criminal case, a law enforcement official seized a smartphone and subsequently read and copied WhatsApp messages stored on the smartphone. The defence successfully argued that the investigation method was in violation of the right to privacy as articulated in art. 8 ECHR. The high court of Arnhem-Leeuwarden agreed and deemed the current regulations not foreseeable.

Currently, as explained in my previous blog post, law enforcement officials can seize a smartphone and examine all data stored on it in the context of a criminal investigation to obtain evidence without any notable legal thresholds. However, the high court points out that smartphones contain “not only access to traffic data, but also the contents of communications and private information of a smartphone user” . Because the analysis of such data severely infringes in the right to privacy, the current regulations for seizing and analysing data stored on smartphones are not adequately regulated according to the court.

Right to privacy and analysis of information on smartphones

Indeed, the European Court of Human Rights (ECtHR) recently decided in the case of Prezhdarovi v Bulgaria that (1) a judicial warrant requirement and (2) a limitation of the scope of the sought after data on computers is preferable when law enforcement authorities seize computers and analyse data stored on computers. Considering the serious privacy infringement that takes place when personal data that is stored on computers is analysed by law enforcement authorities, adequate safeguards in the domestic laws of States should protect the involved individuals against arbitrary interferences of State in their personal lives according to the ECtHR.

The decisions of the high court of Arnhem-Leeuwarden and ECtHR indicate that the Dutch regulations for the seizure of computers such as smartphones require amendments in order to adequately protect the right to privacy. In June 2014, the Dutch Ministry of Security and Justice already suggested that amendments were required for analysing data on computer systems. Yet, these amendments only suggested the legal thresholds of an order of a public prosecutor, whereas the ECtHR seems to prefer a prior review of an investigating judge – i.e., basically a warrant requirement – to analyse data on computer systems.

International trend?

Interestingly, almost a year ago, the U.S. Supreme Court decided in the landmark case of Riley v. California that a judge’s warrant is required in order to seize a smartphone and analyse data stored on a smartphone. The protection of the warrant requirement was deemed appropriate, because: “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”.

Obviously, modern cell phones do not contain the ‘privacies of life’ only for Americans. So tell me, does your domestic State law require a warrant to seize computers and analyse data stored on those devices?

This is a cross-post from LeidenLawBlog.nl.

=== Updata ===

My commentary (in Dutch) on the case of 22 April 2015 is available here (in .pdf).

Note that, in the meantime, the Dutch courts of Oost-Brabant and Noord-Holland desmissed the verdict of the high court of Arnhem-Leeuwarden, stating that article 94 of the Dutch Code of Criminal Procedure allows for the seizure of smartphones and subsequent search of data stored on the device.

The court of Amsterdam decided on 18 June 2015 that art. 8 ECHR was not infringed, because law enforcement restricted the search of data stored on the smartphone to  contact details. Thefefore, the search was not deemed disproportionate. Interestingly, other judges of the court of Noord-Holland decided on 4 June 2015 in a different case that seizing a smartphone based on art. 94 DCCP does infringe art. 8 ECHR. Clearly, the courts in the Netherlands are devided on the question whether seizing a smartphone based on art. 94 DCCP infringes art. 8 ECHR. Apparently, the Public Prosecution’s Office went in appeal and the question will be brought  to the Dutch Surpeme Court.

Leaving out notification requirements for data collection orders?

Each time you make a phone call with your mobile phone, the (i) date, (ii) time and (iii) duration of your phone call, as well as the (iv) numbers dialed and the (v) location of the antennas (or region (Cell ID)) your mobile phone connects to are retained by your telecommunication service provider. The data is retained in order to ensure the availability of the data for serious crime investigations by law enforcement authorities.The Dutch Minister of Safety and Justice believes that data collection orders from third parties only create ‘minor infringements’ to your right to privacy. Taking this into account, he reasons that the poorly enforced requirement that law enforcement authorities must notify individuals about data collection orders when reasonably possible, causes too much of an administrative burden and should therefore be abolished. His bill proposing the measure caused some controversylast week (10 October 2013) in the Netherlands (article is in Dutch).

But ask yourself: do you know exactly what data is retained by telecommunication providers? And does data retention create only ‘minor’ privacy infringements? Is this a valid argument to get rid of the notification requirements?

Minor privacy infringements?

The European Data Retention Directive from 2006 obliges telecommunication providers  to retain subscriber data (name and address data) and ‘traffic data’ (such as the date, time and duration of the call as well as the numbers dialled) between 6 and 24 months (see article 5 of the Directive). The subjects of data collection orders are not only suspects. In some cases they could also be other individuals, on the condition that the data collected is relevant to the criminal investigation. The problem is that the categories of data described in art. 5 of the Data Retention Directive are, in my opinion, relatively abstract and leave a lot of leeway in terms of what is exactly retained by what provider.

In order to gain more clarity about exactly what data is retained by telecom providers and to get a feeling of what that might mean for the right to privacy, I conducted a few data access requests (a right provided by European privacy laws) with my telecommunication providers. Only focusing on my ‘location data’ and accompanying ‘time stamps’ related to my mobile phone in a period of 3 days, my data request revealed the following (interactive) map:

The blue, red and green points represent the antennas my mobile phone connected to on the 25th, 26th and the 27th of April 2013, each time my mobile phone made a connection with my telecommunication provider (49 times in total). The red line indicates a railway to emphasise the route I took when I travelled by train to Utrecht Central Station and back to Leiden CS (travelling via Schiphol on the 26thof April 2013). On the 27th of April I worked from home as can be seen by the green points. I used a public tool (BatchGeo) to create the map using the raw data provided by my provider, but law enforcement officials can also easily create maps as shown above and even visualise the movements the individual concerned made within a particular time frame with specialized software. It is not hard to imagine why data retention is useful for law enforcement authorities. The data can also be enriched with other data, such as public transportation data from public transportation chip cards, CCTV footage, ANPR data and other network communication data when available. This is what investigating crime in a networked world looks like. The minister stated in the explanatory report on the bill, that collecting data from third parties is now “almost standard to criminal investigations”.

So ask yourself again: does the collection of data by law enforcement authorities from third parties, as illustrated above, create only ‘minor’ privacy infringements? Personally I do have some sympathy with the argument that notification is not desirable for all investigatory methods, taking efficiency reasons into consideration. But I do not think that data collection orders create minor privacy infringements and that this would be a valid reason for abolishing notification. Also bear in mind that without notification, many individuals would not be aware that the government had collected the data, depriving them of the opportunity to object to the data collection. This raises issues relating to art. 13 of the European Convention on Human Rights (not so much art. 8 ECHR as mentioned in the explanatory report), although this aspect is not further considered here.

More transparency about data collection

Even after years of research, it is still not clear to me exactly what data (especially internet related data) is retained by what provider. In addition, the minister refuses to provide statistics on the collection of data, other than telecommunication providers, citing ‘national security interests’ and that it is ‘not in the interest of police investigations’. As I have stated in a previous blog post, I believe that more transparency, by way of providing these statistics, is essential. Parliamentary Members can then pose questions to the governmental representatives involved, in order to maintain (some) control over these far-reaching investigatory powers and try to uphold the integrity of the investigatory process.

This is cross post from LeidenLawBlog.nl

Van een “Take down”-bevel naar internetfilters voor politiedoeleinden?

De nieuwe Wet Computercriminaliteit III (concept) is een wetsvoorstel om computercriminaliteit te bestrijden. Het conceptwetsvoorstel is vooral controversieel vanwege de voorgestelde hack-bevoegdheden voor politie en justitie. Echter, de voorgestelde ‘Notice and Take Down’ (NTD)-bevoegdheid is een ander aspect dat onze aandacht verdient.

Notice and Take Down

Notice and Take Down is een concept waarbij bedrijven of personen worden verzocht om illegale web content te verwijderen op verzoek van een derde. In Nederland heeft zelfregulering geleid tot een gedragscode (.pdf) met betrekking tot ‘Notice and Take Down’ voor aanbieders van openbare telecommuncatiediensten en –netwerken. Personen, bedrijven en opsporingsambtenaren kunnen een bedrijf vragen om online content te verwijderen wanneer de inhoud op een bepaalde website onmiskenbaar illegaal of onrechtmatig is. Kinderporno is het standaard voorbeeld van web content dat op verzoek van een derde door een beheerder van een website verwijderd zou moeten worden.

Uitvoeringsproblemen

Het op verzoek offline halen van web content op basis van de gedragscode (of algemene voorwaarden van een bedrijf) is op dit moment geen verplichting voor internetproviders. Onze minister van Veiligheid en Justitie wil dit veranderen door het mogelijk te maken ‘Notice and Take Down’ als handhavingsinstrument in te zetten (zie het nieuwe voorgestelde artikel 125p van het Wetboek van Strafvordering (Sv)). De meerwaarde van het instrument is volgens p. 44 van de Memorie van Toelichting vooral dat het voorgestelde bevel óók kan worden gericht aan hosting providers en beheerders van een website.

Het NTD-bevel

Op basis van het voorgestelde artikel 126p Sv zou een officier van justitie – met de toestemming van een rechter-commissaris – een bevel kunnen geven aan een ‘elektronische communicatie provider’ (ECP) om ‘alle redelijke maatregelen te nemen’ om gegevens ontoegankelijk te maken teneinde een misdrijf te beëindigen of nieuwe strafbare feiten te voorkomen. De maatregel is bedoeld voor alle misdrijven in het Wetboek van Strafrecht. Zoals aangeven wordt ook beoogd dat de officier van justitie het bevel aan websitebeheerders kan afgeven, maar dat blijkt niet uit de tekst van artikel 125p Sv.

Politie en justitie hadden in theorie deze bevoegdheid al voor telecommunicatieproviders op grond van artikel 54a van het Wetboek van Strafrecht (Sr). Aan artikel 54a Sr kleefden echter zoveel juridische bezwaren dat een “Take down”-bevel van illegale web content op basis dit artikel in de praktijk niet altijd door de rechtbanken werd geaccepteerd. Het voorgestelde artikel 125p Sv kan daarom als reparatie van artikel 54a Sr worden gezien. Artikel 54a Sr blijft overigens bestaan en wordt iets aangepast om de vervolgingsuitsluitingsgrond in dit artikel te verhelderen.

Als het bedrijf of de betrokken persoon niet meewerkt, kan deze worden vervolgd voor het niet nakomen van een ambtelijk gegeven bevel. Opmerkelijk is dat de tekst van de voorgestelde maatregel in artikel 126p Sv impliceert dat de tussenpersoon een ‘verdachte’ is die het recht hebben op een advocaat tijdens een hoorzitting over de maatregel. Belanghebbenden kunnen een klaagschrift bij de rechtbank indienen als ze het niet eens zijn met de opgelegde sanctie. De Take down-bevoegdheid is bedoeld als een tijdelijke maatregel die opnieuw wordt beoordeeld door een zittingsrechter aan het eind van een strafproces. De Minister wil niet een uitspraak van de zittingsrechter afwachten voordat de maatregel kan worden opgelegd, want het zou onwenselijk zijn als het enkele maanden langer zou duren voordat de gegevens ontoegankelijk worden gemaakt. Persoonlijk hoop ik dat een Notice and Take down-bevel inderdaad altijd gepaard gaat met een strafproces en niet op zichzelf wordt gebruikt als instrument om gegevens ontoegankelijk te maken die politie en justitie illegaal vinden.

Het bevel is alleen bedoelt in gevallen waarbij een NTD-verzoek niet vrijwillig wordt uitgevoerd, bijvoorbeeld in het geval van haatzaaien of laster waarbij de tussenpersoon en de officier van justitie het niet eens zijn over de vraag of de inhoud illegaal is. Naar mijn mening is de voorgestelde NTD-sanctie een vergaande en – in sommige gevallen – bruut instrument, dat slechts gedeeltelijk doeltreffend kan zijn. Soms worden namelijk veel websites gehost op één webserver. Het uitschakelen van een webserver kan dan leiden dat het ontoegankelijk maken van veel meer (legale) websites. Belangrijker vind ik nog dat een Take Down-bevel ook aan access providers kan worden opgelegd en daarmee mogelijk leidt tot door de overheid opgelegde internetfilters.

Van Notice and Take Down tot Internet filters

Op p. 84 van de Memorie van Toelichting op het conceptwetsvoorstel wordt gezegd dat “in geval het materiaal in het buitenland wordt gehost en ontoegankelijkheidsmaking noodzakelijk is, het bevel tot access providers kan worden gericht”. Die ontoegankelijkheidsmaking kan vervolgens worden uitgevoerd door IP-adressen te blokkeren (zie p. 85). De blokkering “dient voort te duren zolang de gegevens worden aangeboden”, aldus de Memorie van Toelichting. Daarbij moet de officier van justitie overigens bij het afgeven van het bevel wel rekening houden met de technische mogelijkheden en de kosten om onderdelen van pagina’s of websites ontoegankelijk te maken.

Ik leid hier uit af dat de voorgestelde NTD-bevoegdheid er onder omstandigheden toe kan leiden dat specifieke websites op last van de officier van justitie gefilterd moeten worden. Zoals we allemaal weten zijn dergelijke filters eenvoudig te omzeilen door middel van proxy- en VPN-servers, maar daar wordt in de Memorie van Toelichting niet over gesproken. Ondertussen zijn Nederlandse hosting bedrijven en ISP’s bezorgd over de kosten van de voorgestelde maatregel en hun concurrentiepositie in de industrie.

Conclusie

De voorgestelde Notice and Take Down-bevoegdheid is bedoeld voor strafzaken waarin een persoon of bedrijf gegevens offline kan halen, maar niet bereid is dit vrijwillig te doen. Met de voorgestelde bevoegdheid kan een officier van justitie (na machtiging van een rechter commissaris) aanbieders van elektronische communicatiediensten dwingen gegevens ontoegankelijk te maken onder dreiging van strafvervolging.

De voorgestelde regeling is meer vergaand dan het oude (en slecht afdwingbare) artikel 54 van het Wetboek van Strafrecht en kan resulteren in een filter-verplichting voor specifieke websites. Onze parlementsleden moeten grondig nadenken en debatteren over de voorgestelde blokkerings- en filteringsmaatregelen alvorens ze het goedkeuren als instrument voor handhavingsinstanties.

Extraterritorial use of policeware in the United States?

Last week, the story broke that a judge from Texas (United States) had published a decision  (.pdf) denying a warrant for the placement of “policeware” on a computer of an unknown suspect at an unknown location. Policeware is special surveillance software, also called “spyware”, utilized to secretly monitor all kinds of internet activities of a computer user. The decision is interesting because it sheds light on the use of policeware in the United States.

Capabilities of the software

Judge Smith explains that the FBI requested to install “data extraction software” on the “Target Computer” (presumably the computer of a suspect). This software has the capability to search the computer’s hard drive, random access memory, and other storage media (thus perform a “remote search”). Additionally, the software can “activate the computer’s built-in camera, generate latitude and longitude coordinates for the computer’s location and transmit the extracted data to FBI agents in the district”. By installing the software, the FBI wishes to obtain information such as web browsing history, e-mail contents, e-mail contacts, chat logs, photographs and correspondence. The law enforcement agency also wishes to use the built-in camera to make photographs to identify the person using the target computer.

Extraterritorial application of a warrant to install policeware

The Texan judge then ascertains whether the request complies with the warrant requirements as described in Rule 41 of the U.S. Federal Rules of Criminal procedure. This blog post does not allow to me elaborate on the judge’s decision and the requirements of a “Rule 41 warrant”, but I do want to point out that the judge establishes that Rule 41 only allows for searches “in the district of the judge”. In this case the territoriality requirement is not met, because the search does not take place within the district, “so far as the Government’s application shows”, according to the judge. Note the judge’s witty remark that the search takes place: “not in the airy nothing of cyberspace, but in the physical space with a local habitation and a name”.

U.S. digital surveillance expert Orin Kerr analyzed the court decision of judge Smith on the popular legal blog “The Volokh Conspiracy”. I found his considerations about the applicability of the warrant requirement on a potentially foreign suspect particularly fascinating. It is standing case law (under United States v. Verdugo-Urquidez, 494 U.S. 259 (1990) that the warrant requirement of the Fourth Amendment of the U.S. Constitution does not apply outside the United States. Since it is likely the physical computer will be searched overseas (because the last known IP address is traced back somewhere in Southeast Asia), the government does not need a warrant to search the physical computer. However, Kerr believes the search also takes place in the United States when the information is analyzed by U.S. law enforcement officials and therefore a warrant is required “for that part of the search that takes place in judge Smith’s home district”.  Kerr ultimately finds the arguments presented by judge Smith to deny the warrant unconvincing.

Conclusion

Kerr’s analysis of the case begs the question: is it desirable that the United States could potentially perform searches of computers and install policeware on computers in foreign territory by unilaterally applying their criminal procedural rules to foreigners? If the answer is no, keep in mind that the Dutch government suggested more or less the same thing on p. 34-35 in their announcement today (in Dutch) to amend the Dutch Code of Criminal Procedure to make hacking and the placement of spyware possible on computers “if their location is unknown” (see also this blog post).

I’m curious to hear from international criminal law legal experts and others as to what they think of this.

This is a cross post from LeidenLawBlog.nl.

Remote searches and jurisdiction on the Internet

Are Dutch law enforcement officers allowed to log into the Gmail-account of a suspect and check their e-mail for evidence gathering purposes?

This question has captivated me for the last 1,5 years. In 2011 I argued that hacking is not a legitimate investigatory method in the Netherlands. That might change soon, because the Dutch Minister of Safety and Justice plans to propose a bill which makes that possible (see also my earlier blog post on cross-border remote searches). However, interesting questions remain in relation to international criminal law and remote searches.

Old discussion

After the extensive study of Dutch parliamentary documents in relation to the investigatory method of a “network search”, I concluded in a new article (.pdf in Dutch) I wrote together with Charlotte Conings of the KU Leuven, that online investigatory methods can only be used on “computers in Dutch territories”. The exception to this rule is when officers are (a) “in good faith” that the computer resides on Dutch territory, (b) they have permission from another state to execute their investigatory methods on a computer in their territory, or (c) they operate on the basis of a treaty. Based on literature, most legal scholars affirm the general rule that secretly gathering evidence from computers in the territory of another state is in violation of international law.

Renewed discussion

The problem is that the “computer orientated jurisdiction rule” described above is hard to work with in practice. Especially due to cloud computing techniques, by way of which fragmented data can reside on many different servers in different countries, making it is increasingly hard to pinpoint the location of data on a server. Some suggest that because of this “loss of location” of data, law enforcement authorities are increasingly left in the dark as to which state “controls the data” and which state to ask for permission. As a consequence, they resort to gathering evidence remotely – via the Internet – under their own national procedural rules. The influence of cloud computing and criminal investigations is described in this interesting WODC-report (.pdf in Dutch. English summary available here) released two weeks ago.

In my opinion, it is quite clear in many cases which jurisdiction and thus which procedural rules apply to the majority of electronic communication services that make use of cloud computing. The reason for this is that many popular “cloud services” are US electronic communication service providers. As described in their law enforcement guideline, Google for example provides user data under specific conditions based on US law. With regard to data requests from “foreign law enforcement authorities” they explain that: “On a voluntary basis, we may provide user data in response to valid legal process from non-U.S. government agencies, if those requests are consistent with international norms, U.S. law, Google’s policies and the law of the requesting country.” I wonder how they deal with inconsistencies between the different norms prescribed by law..

The actual problem is that law enforcement authorities would much rather access the accounts directly, under their own rules, rather than waiting for Google to reply and having the uncertainty of whether they will actually provide the data.

Towards new jurisdictional rules?

In our new article, Charlotte and I analyzed the interesting “pragmatic approach” of Belgium towards online jurisdictional issues and investigatory methods. Under specific conditions, they will allow a remote search of connected computers, such as servers from webmail and online payment services, even if those servers are possibly situated in a different territory. We believe this pragmatic approach is interesting and maybe even desirable under certain conditions, as long as the investigatory methods are used on citizens and persons in the states own territory. If we would allow remote searches of the personal online accounts of foreigners, states would impose their own national rules on foreign nationals which in turn would create legal uncertainty for people about which procedural rules apply. Based on the reciprocity principle, states could do the same in our territory. This pragmatic approach is not ideal and does not solve the problem that the company who possesses the data may simply regard the unauthorized access of foreign authorities as a crime and treat it as such. In an ideal world, states would agree with one another under which conditions data can be gathered remotely over the Internet, but I doubt if that’s possible. The debate about online (enforcement) jurisdiction is far from over.

This is a cross post from LeidenLawBlog.nl.

Is the ‘decryption order’ a good idea?

In December 2010, the Robert M.-case shocked the Netherlands. Robert M. was prosecuted and convicted for the sexual abuse of 67 children, of which many were younger than 3 years old. During the investigation the police found that the suspect used high grade encryption, impossible to crack without using the proper key. Fortunately for the police and public prosecutor, Robert M. gave up his key voluntarily. Other suspects derived from the Robert M-case did not cooperate so well. This led Members of the Parliament to call for a so-called ‘decryption order’, by way of which suspects could be forced to give up their key. The Minister of Safety and Justice commissioned research into the feasibility of decryption orders in the light of the right against self incrimination. About two weeks ago the research was published and it concluded that theoretically it is possible to regulate the decryption order. As a result, the Minister of Safety and Justice enthusiastically announced (in Dutch) the preparation of new regulations to make decryption orders possible in cases of child pornography and terrorist crimes. However, in my opinion, we should think twice before going down this path.

The decryption order

Prof. Koops of Tilburg University conducted thorough and in my view excellent research (.pdf in Dutch) into decryption orders. Both the technical and legal aspects were taken into consideration and a legal comparison was made from many different countries. An English summary of the report can be found here (.pdf). The author suggests that a decryption order (under threat of a criminal sentence) is legally possible, but only under stringent conditions. For example, the order could only be given in cases in which there are clear indications that the suspect is hiding something by using encryption.

Proving that the suspect probably used encryption to hide his criminal activities may be difficult, especially when certain encryption programs such as ‘TrueCrypt’ are used. The report warns that decryption orders may advance the use of such programs among criminals. In Great Britain (obviously a much bigger country than the Netherlands), governmental power was successfully used in only a handful of cases per year. What I found even more interesting is that public prosecutors were very skeptical about the practical uses of this governmental power. They preferred obtaining the key using alternative methods, namely by intercepting keys remotely via the Internet. The author of the report does not deny that this is an interesting and feasible alternative route to take, but suggests that legislator should choose between the two. Instead, the Ministry of Safety and Justice suggests in his letter we should do both.

Note that the ‘solution’ of a decryption order is limited to accessing data stored on a device at a different phase of a criminal investigation. An important argument for using alternative methods, more concretely the use of hacking, spyware and bugs as investigatory methods, is that they also aid law enforcement in dealing with the growing problem of the encryption of communications (not just stored data) and avoids the active cooperation of suspects in their own criminal case.

The least privacy infringing solution for the encryption problem?

The decryption order is considered by some (including prof. Koops) as the least privacy intrusive solution for the encryption problem. I dare to disagree. The solution of a ‘decryption order’ may be more far-reaching than most people think. As suggested in the report, it should include disabling the security measures on all computer devices, such as laptops, tablet computers and smartphones. It also may be possible for the government to force civilians to hand over passwords to access online social media services, webmail services and personal online storage services.

Forcing civilians under a criminal sanction to actively help law enforcement by providing them with access to their own data is incredibly intrusive and would be new to the criminal law system. The fact it may be theoretically possible to regulate a decryption order under the threat of a criminal sanction does not mean that we should.

This is cross post from LeidenLawBlog.nl.

The advent of cross-border remote searches?

Last Monday (15 October 2012) our minister of Safety and Justice (under resignation), Opstelten, sent a letter (.pdf) to Parliament proposing several far reaching investigatory powers to fight cybercrime more effectively. Opstelten suggests incorperating the following investigatory methods in our Code of Criminal Procedure:

  • Remote access to computer systems and the placement of ‘technical devices’ (spyware) in computers.
  • Remote searches in computers, regardless of the location of the computer.
  • Disabling the accessibility of illegal files on computers, regardless of the location of computers.

All of these investigatory methods require an in-depth legal analysis. In this blog post I will only briefly discuss the possibility of cross-border remote searches in computers.

Cross-border remote searches

A cross-border remote search is the collection of evidence via the Internet in computers in other countries. More concretely, based on the letter, I can think of three types of cross-border remote searches that can be distinguished: 1. Using the login name and password of a suspect or hacking an account (accessed by a web portal) of a suspect in order to access and gather evidence from Gmail, Hotmail, or other cloud based online services, 2. Hacking in order to gather evidence from botnets, 3. Hacking a suspect’s personal computer in order to gather evidence remotely.

International criminal law issues

The most interesting legal problem of cross-border remote searches is whether such a search violates the international principle of territoriality and sovereignty of the country in which the data is stored. In the Netherlands we used to uphold a ‘server-orientated jurisdiction principle’, which basically meant that data in servers outside the Dutch territory could not be accessed without permission (before or after the infringement on their territory) or a treaty with the affected state.

It is not clear whether our state authorities are willing to completely let go of the principle, because when ‘the location of a server is clear’ traditional legal aid requests must be used (p. 5 of the letter). According to our minister, the location of a server is unclear in the case of services of cloud providers, because the data changes all the time from different servers at different locations. This is true, but in my opinion it is quite clear where and how evidence can be gathered from cloud service providers. I believe that with article 32(B) of the Convention on Cybercrime many states agreed that data can be gathered directly from companies on a voluntarily basis (and under their own conditions). If they don’t cooperate we can use legal aid requests. Many U.S. companies work well with law enforcement authorities and I wonder whether it is necessary to perform online remote searches in these accounts (although it might be necessary under certain circumstances). I guess the real problem is that Dutch law enforcement authorities want to apply Dutch law and collect evidence possibly located in other countries directly in a criminal case, instead of relying on the willingness of businesses or states when gathering evidence outside the Netherlands.

Dorifel-virus

Article 32 of the Convention of Cybercrime does not solve the problem of servers that are (eventually) localized at so-called “bullet proof hosting providers” who do not cooperate with law enforcement authorities’ evidence gathering activities. As we have seen with the Dorifel-virus, this could lead to disastrous consequences (governmental employees working on type writers instead of computers, because computers were infected and unsafe to use). Maybe the time has come for us to no longer accept such situations, and to view the infringement of another state’s territory as a necessary evil in certain circumstances. The proposed investigatory methods may be suitable for a situation such as Dorifel. One must point out however that being able to use hacking as a investigatory method, does not mean the suspect will be successfully prosecuted, because a state may decide not to extradite their own citizen or prosecute him or her themselves.

Rest assured, the discussion about legalizing cross-border remote searches has just started. It will take a long time (maybe years) and require democratic processes before these far reaching investigatory powers will be implemented in our Code of Criminal Procedure.

This is a cross post from LeidenLawBlog.nl

Our government should provide statistics about online data collection

Three weeks ago (June 25, 2012) our state secretary of the ministry of Safety and Justice answered parliamentary questions about ‘wiretapping social media services and online privacy’. A parliamentary member repeatedly requested (four times in total) statistics about the use of ‘social media wiretaps’ in collecting evidence by law enforcement authorities. Once again the Dutch state secretary Mr. Teeven refused to provide these statistics, stating that it would harm criminal investigations and prosecutions. Our minister of Safety and Justice also refused to provide transparency about ‘social media
wiretaps’ last Sunday (August 12 2012), according to this article on the popular Dutch news website Nu.nl. In this blog post I will make several observations on the subject. First of all, I believe it is wrong to speak of ‘social media wiretaps’ and secondly, in my opinion, the government should provide these statistics.

Social media wiretaps?

The parliamentary member who sent the written questions to the cabinet members responsible assumed that communication via social media services can be wiretapped, just as public (electronic) telecommunication services can. This is however not the case, as an electronic communication provider is, legally speaking, different to an electronic public telecommunication service or network provider. Not all electronic communication
providers have to change their infrastructure to facilitate wiretapping, unlike public electronic telecommunication service providers. They do, however, have to comply with requests for the collection of data.

One of the most common grounds for data collection requests by law enforcement is the collection of user data or registration data on the basis of article 126na, 126nc or 126n of the Dutch Code of Criminal Procedure. For law enforcement officials it is possible to
collect all other data on the grounds of article 126nd of the Dutch Code of Criminal Procedure, except ‘sensitive data’ such as data about the religious beliefs or health of an individual and stored communication data. Another commonly used investigatory power is article 126ng(2) of the Dutch Code of Criminal Procedure by which stored communication data – such as ‘private messages’ that are sent from one person to another via social media services – can be collected by law enforcement authorities.

In sum, it is (so far) not possible to legally wiretap a social media service without its cooperation, although law enforcement authorities can request this type of data from social media services.

Transparency about online data collection

In my view data collection from online social media services and other communication providers will become an increasingly important investigatory power of law enforcement authorities. There are two important reasons for this. The first reason is that people use
more and more online communication services to communicate with each other. It is difficult to wiretap all these different services and sometimes it is not legally (and some say technically) possible to force these services to place a wiretap. The second reason is that encryption makes data over Internet wiretaps unreadable for law enforcement authorities. By having that data collected by communication service providers directly, law enforcement authorities can obtain the communication data anyway (this is described in more detail in my (Dutch) article (.pdf) about Internet wiretaps). Note that the same trend is developing overseas, for example in the United States. Read for example this paper on SSRN from Peter Swire.

For the past couple of years – and because of the asserted pressure of members of the parliament and civil rights movements – our government has provided statistics about the use of (Internet) wiretaps. Although these figures are often misinterpreted by the media, they do provide an insight into the use of investigatory powers by law enforcement and also a reason to request an explanation from the cabinet members responsible.
Because online data collection partly replaces the investigatory technique of wiretapping, I believe it is important and logical to provide statistics about the use of this investigatory power as well. I do not see how providing this statistical data would harm investigations. Such statistical data would only tell us how often these privacy infringing investigatory powers are used. Therefore in my opinion the cabinet member(s) responsible should try their best to provide more transparency about online data collection, rather than using weak arguments to support their refusals to provide statistics.

This blog post is a crosspost from Leiden Law Blog.

Debat over aftappen

Twee weken geleden (23 mei 2012) heb ik een seminar bijgewoond over aftappen naar
aanleiding van het WODC-onderzoek ‘het gebruik van de telefoon- en internettap in de opsporing‘. De media schreef over het rapport met name dat ‘Nederland koploper in aftappen is’ (zie bijvoorbeeld nu.nl).

Kamerleden duikelden vervolgens over elkaar heen om in de media te herhalen dat
het een schande is dat Nederlands koploper is en de notificatieplicht moet worden nagekomen. Andere onderzoeksresultaten uit het rapport zijn verder nauwelijks ter sprake gekomen. In dit bericht wil ik daar enkele opmerkingen over maken.

Telefoontap minder effectief?

Al voor het seminar begon en het rapport officieel aan het publiek beschikbaar werd
gesteld kwam de Volkskrant al met het berichtdat de ‘telefoontap steeds minder effectief
wordt
’. Dat was misschien niet zo netjes van de Volkskrant, maar het haalde wel een
belangrijke boodschap uit het rapport. Namelijk dat steeds meer mensen van andere communicatiemiddelen dan de telefoon gebruik maken en daardoor niet alle communicatie meer over de reguliere tap komt. Het is daarom niet verbazend dat
opsporingsdiensten meer van de internettap gebruik zijn gaan maken en het aantal ingezette internettaps is verdubbeld van 1704 taps in 2010 naar 3331 taps in 2011. Volgens de demissionaire regering (brief van 25 mei 2012, Kamerstukken II 2011/12, 30 517, nr. 25)is dat te verklaren door de toename van het gebruik van internettoepassingen op smartphones. De WODC-onderzoekers geven aan dat door gebrek aan capaciteit en kennis bij de politie het aantal ingezette internettaps nog relatief laag is gebleven.

De vermeende ineffectiviteit heeft niet geleid tot een daling van het aantal taps.
De traditionele telefoontap is zelfs meer ingezet dan ooit (van 22006 in 2010 naar 24718 in 2011). De telefoontap blijkt nog steeds een effectieve opsporingsmethode te zijn. In de brief van de regering wordt bevestigd dat de telefoontap vooral nuttig indirect bewijsmateriaal oplevert. Soms geeft het ook aanleiding tot een effectieve en efficiënte inzet van andere opsporingsbevoegdheden. Tijdens het seminar werd ook door een officier van justitie toegelicht dat een verdachte soms wel van 8 prepaid telefoons gebruik maakt en dat kan ook (deels) een verklaring leveren voor het hoge aantal ingezette taps. Persoonlijk kreeg ik bij het seminar de indruk (door het gebrek aan debat daarover) dat de internettap nog niet zo’n grote rol speelt in opsporingsonderzoeken. Deze opsporingsbevoegdheid is volgens mij vooral relevant in de meer high tech opsporingsonderzoeken waarbij verdachten voornamelijk via internet communiceren. Afgevraagd kan worden of dit in de toekomst gaat veranderen als steeds meer mensen voor hun communicatie vooral van internet gebruik maken. Ik denk dat het belangrijk is
daar nu al over na te denken en debat te voeren.

De overwegingen in de brief van de regering over de internettap vond ik zelf wel interessant en die wil ik hier nog kort uitlichtten. Over de internettap werd gezegd dat
inmiddels ‘geselecteerde internettoepassingen’ kunnen worden afgetapt, waardoor
niet het gehele netwerkverkeer hoeft te worden geanalyseerd. Naast dat dit efficiënter is, komt dat natuurlijk ook de privacy van de betrokkene ten goede.
Opstelten geeft nogmaals aan ‘zowel nationaal als internationaal wordt onderzocht of er aanpassing van wet- en regelgeving nodig is om ook op internet de juiste mogelijkheden te hebben voor de opsporing’. Voor het zomerreces moet de Kamer daarover worden geïnformeerd.

In mijn eigen artikel over de internettap geef ik aan dat door versleuteling het in toenemende mate lastig wordt de inhoud van communicatie via internet af te tappen. Tegelijkertijd kan met de inzet van alternatieve opsporingsmethoden veel worden bereikt. De bijzondere opsporingsbevoegdheid van direct afluisteren (artikel 126l Sv), inclusief de mogelijkheid tot het plaatsen van een keylogger, biedt mogelijk een interessant alternatief om het probleem van versleuteling te omzeilen. De opsporingsbevoegdheid mag in een woning echter slechts worden toegepast bij misdrijven waar een gevangenisstraf van 8 jaar of meer op staat. De praktische toepassing van deze opsporingsmethode is daardoor beperkt. In de Verenigde Staten wordt wellicht vaker van deze opsporingsmethode gebruik gemaakt om het probleem van versleuteling te omzeilen. Zie bijvoorbeeld ook deze analyse cryptografie-deskundige Matt Blaze over de Amerikaanse ‘wiretap report’ van 2010 (die van 2011 verschijnt hopelijk later deze maand).

Het is mij niet duidelijk geworden in hoeverre opsporingsdiensten in Nederland concreet
gehinderd worden door versleuteling. Ook ben ik benieuwd in hoeverre de nieuwe versie van het IP-protocol (IPv6) in de nabije toekomst mogelijk een probleem gaat vormen voor opsporingsdiensten. Wellicht zou de Nederlandse politie daar over wat meer kunnen zeggen naar voorbeeld van hun overzeese collega’s. In de Verenigde Staten probeert de FBI namelijk duidelijk te maken dat dit wel degelijk een probleem is. Zie daarover bijvoorbeeld dit interessante bericht op CNET.

Reactie Kamerleden

Van de reactie van Kamerleden had ik om eerlijk te zijn wel wat meer verwacht. Kamerlid El Fassed stuurde twee dagen voor het verschijnen van het rapport een viertal Kamervragen in. In mijn ogen maakt hij terecht een punt over het verschaffen van transparantie over het aantal vorderingen van gegevens bij sociale mediadiensten. Ik zie niet in hoe informatie over het aantal verzoeken tot gevolg kan hebben dat verdachten hun gedrag daarop zouden aanpassen, zoals staatssecretaris Teeven eerder heeft aangegeven.

Daarnaast stelt El Fassed de vraag of het niet verstandig zou zijn of voor het aftappen
van telefoons en sociale media door opsporingsautoriteiten dezelfde voorwaarden
moeten gelden. Blijkbaar is El Fassed of GroenLinks niet goed op de hoogte van de wetgeving. Sociale mediadiensten zijn (vooralsnog?) niet aftapplichtig; daar kunnen slechts gegevens worden gevorderd. Voor het vorderen van opgeslagen gegevens
(o.g.v. artikel 126ng lid 2 Sv) gelden verder dezelfde voorwaarden als voor een telecommunicatietap. Dit heb ik overigens ook uitvoerig uiteen gezet in mijn artikel over de internettap.

Persoonlijk vind ik het jammer dat een debat over de niet-aftapbaarheid van telecommunicatie en telecommunicatiediensten die zich soms aan de aftapplicht
lijken te onttrekken is uitgebleven. Wat mij betreft zijn dit ook belangrijke vragen waar over gediscussieerd moet worden.Wellicht biedt de toekomstige brief van Opstelten over
opsporingsbevoegdheden op internet hiervoor een mooie aanleiding.