RightsCon session on cross-border access to e-evidence – key interventions

European Digital Rights organised a session at the RightsCon conference in Brussels on 31 March 2017, in order to build awareness among stakeholders about the multiple international developments on law enforcement access to electronic evidence.

The bulk of the discussions focussed on a possible new protocol to the Cybercrime (Budapest) Convention of the Council of Europe (CoE). The CoE initiative is far broader than the Council of Europe area, covering all 53 countries that have ratified the Cybercrime Convention (including the USA, Australia, Canada and others). It is not necessary for countries to have ratified the data protection or human rights Conventions of the CoE before ratifying the Cybercrime Convention. Some of the issues surrounding the instrument are assessed in an “issue paper” by Professor Douwe Korff on the “Rule of Law on the Internet and in the Wider Digital World” prepared for the Council of Europe Human Rights Commissioner (with input from EDRi).

To ensure accuracy and balance, speakers were given the opportunity to edit the draft summary of their own interventions. The text below is, therefore, not a perfect record of what was actually said.

The key speakers were Alexander Seger, head of the Cybercrime Division of the Council of Europe, Lani Cossette from Microsoft, Owen Bennett from the European Internet Services Providers Association (EuroISPA) and Javier Ruiz from EDRi member Open Rights Group (ORG).

Alexander Seger opened by arguing that cross-border is a rather fictional concept on the internet. He said that the Cybercrime Convention is a criminal justice treaty, so data access is about access to specific data in specific criminal investigations, and not about bulk data collection or national security measures. All measures fall under criminal law, which is where countries have the strongest safeguards. In addition, the starting point in any such discussions is that, as detailed in the European Convention on Human Rights (ECHR) [note: the Convention is open to countries that are not a party to the ECHR], there is a positive obligation on states to protect citizens from crime.

He pointed out that if there are a hundred cybercrimes reported, then cases that actually lead to a court judgement might be 0,1% or even less. This raises questions as to whether this positive obligation is being met. He mentioned that, in other meetings, he asked participants to think of three types of crime where evidence would not be, to some extent, on a computer system, but few examples could be found. In reality, there is almost always some evidence on a computer system. However, access to such evidence is extremely complicated.

There are areas the Cybercrime Committee of the Council of Europe have identified where action is possible, in particular regarding how to deal with evidence in the “cloud” (i.e. servers equipment in foreign, multiple, shifting or unknown jurisdictions). The Committee looked at the issues for two and a half years and produced five recommendations.

Four of the five recommendations have been followed and a work on a fifth will be subject to a decision in June 2017.

1. Mutual Legal Assistance Treaty (MLAT) arrangements to be made more efficient. MLA remains the most important tool to obtain evidence from foreign jurisdictions. This is not an effort to get around existing procedures. Examples include a way to find a “light” system for getting access to basic “subscriber information” or to deal with emergency situations. The United States legal system has such options, but many national legal systems do not. For example, MLATs in South America often go through foreign ministries rather than through criminal justice systems, which is complicated and causing delays.
2. Guidance Note on Article 18 (Production orders for subscriber information) to be produced. This is about subscriber information, not content or traffic data. This is the type of data that is needed most often. Big US companies receive thousands of requests per year directly from law enforcement authorities (LEAs) abroad. Article 18a is about production orders in a given jurisdiction. The Guidance Note says that it does not matter where the data is stored, the decisive question is who is in possession or control. This is the same as when banks repatriate data to deal with a fraud in a country. Article 18.1.b covers situations where a service provider based abroad is providing a service to users in another country. However, there is lack of clarity regarding how to service production orders to companies in such situations and no enforcement mechanism if the provider fails to provide the requested data.
3. Governments to fully implement Article 18. Procedures on this point need to be precise rather than the broad powers that are often used at the moment. Such rules need to be clearly defined in national law to meet rule of law requirements.
4. Development of practical measures for cooperation with providers and making available of an online tool, to facilitate procedures. That will allow providers to understand the domestic law of the country making the request and respecting these legal requirements. It will also allow for more understanding from requesting authorities of companies’ procedures.
5. Decision to be made on the possible drafting of an additional protocol on access to evidence in the cloud in June 2017. The draft plan is to take about 2.5 years to reach agreement on a draft protocol.

Current plans focus on four key topics:

1. Additional possibilities for mutual legal assistance, including emergency and light procedures.
2. Transborder access to data. Some countries may already get access to data, but such access is often on a shaky legal framework. Access under the Budapest Convention at the moment is under very narrow conditions and this was confirmed in Guidance Note on Article 32. Are there additional options – if the persons are in the jurisdiction and the crime is in the jurisdiction, what protections are needed? Work on this issue was suspended, as moving forward in the aftermath of the Snowden revelations. Work to avoid a situation where states unilaterally develop their own solutions, thereby creating a jungle.
3. Direct cooperation with providers in other jurisdictions. Can we do more in that environment?
4. Data protection and rule of law safeguards. The more innovation that is proposed, the more safeguards will be needed.

Data protection organisations, civil society and industry will be consulted in the process.

For context, six major providers in the US directly received 138 000 requests from Parties to the Budapest Convention other than the US.

Lani Cossette, representing Microsoft stressed that the company complies with legal obligations and does not volunteer access to data. Microsoft prefers obligation rather than cooperation. She said that there is confusion at the moment as regards what law applies in what country.

The current legal framework was written when “the cloud,” as we know it, did not exist. Things were fairly simple in the 1980s. Emails were stored on local servers. Later, data centres were built in the US. More recently, more and more data centres are being built in Europe, opening up new questions regarding whose law applies in various scenarios.  Jurisdiction is traditionally rooted in territoriality, so jurisdiction over digital evidence has been challenging to sort out because data does not always sit in one territory. Microsoft has data centres in Ireland, which serves users and customers in Europe, which means that there are legal conflicts even within Europe, not just between the US and Europe.

Microsoft has participated in the consultation of the Commission task force on e-evidence.  The Commission was asked:

• could procedures be improved;
• could MLA procedures be improved to unburden the system; and
• is legislation needed with regard to enforcement jurisdiction?

The Commission’s current work cycle on this issue started in July 2016, with stakeholder meetings. The consultation process includes civil society.

In June 2016, the Council of the EU (the institution representing EU Member State governments in the EU decision-making process) produced a document on “improving criminal justice in cyberspace”, which sets out the broad policy direction to be followed.

This led the European Commission to produce a report in December 2016, which details a problem definition and details different options for jurisdiction, requests for data, etc.

Commissioner Jourova (responsible for justice, consumers and gender equality) has indicated that she expects the Commission to present three or four options for moving forward with the file at the next Justice and Home Affairs Council (JHA) Council meeting on 8 June, so the timetable is very compact. However, we do not expect a full legislative proposal at that stage.

Owen Bennett from the European Internet Services Providers Association (EuroISPA) said that systems are designed around the needs and capabilities of bigger companies. However, more cross-border access issues are rising for small companies due, for example, to lower roaming prices, more cross-border services. There is a huge increase in cross-border requests, which can create significant burdens.

EuroISPA stresses three key principles:

1. On a high level, it is important that smaller services should only ever be expected to cooperate with local law enforcement. It is important to have clear rules to build on existing good cooperation. There are increasing demands received in foreign languages from foreign jurisdictions, with little clarity on legal obligations. Sometimes there is a legal obligation not to respond.
2. Direct access is very worrying. There are also issues regarding the financing of procedures and the financial burden of the legal assessment of requests for data.
3. Mutual legal assistance arrangements should remain the core of any new framework in this policy area.

Javier Ruiz then gave a summary of Open Rights Group’s (ORG) views of the negotiations between the United Kingdom and the US on access to data.

ORG met senior staff from the UK government during spring 2016 to discuss the proposed UK-US treaty. The discussion was based on US documents as the UK has not to date produced any paper trail.

The first thing to clarify is that, despite MLAT being portrayed as the problem this initiative has to solve, the proposed treaty is not about MLAT, but law enforcement accessing communications at an early stage of investigations, not to put the pieces together after a crime has been committed. MLAT would still need to be fixed.

Also, the proposed treaty would cover only interception of communications, which, in the UK at least, is not supposed to include requests for metadata. The UK police already asks US companies for metadata and it is legally possible for companies to disclose this information under US law. This does not cover content.

On the basis of the available information, ORG raised concerns that the system proposed was extremely weak with regard to safeguards or processes to smooth the interoperability of the UK and US jurisdictions. ORG saw it as throwing the systems against each other and hoping for the best. There have been lots of complaints from the US side of civil society about UK processes not being to the same level, which the UK government strenuously denies. Issues raised are independent authorisation, inadmissibility of intercept evidence in court, lack of equivalence to US restrictions on live wiretapping, etc.

ORG complained to UK government officials that the system appears to be designed from the point of view of UK access to US data, with little thought being invested in the reverse process. The response was that in real life such requests would never happen.  ORG also raised concerns with the lack of accountability mechanisms, purely relying on existing reporting. Since then, the Home Office (the UK ministry of the interior) has stated that they will be strengthening the processes, with a single point of contact out of the country. This is not enough, as US companies would have to deal directly with the British system, and vice versa.  At least you would need some common processes, and for the final administrative step of the warrant to be undertaken domestically so appeals and complaints could be handled in the same country.