Criminal justice authorities need to be able to secure electronic evidence, including on servers in the cloud, to protect society and individuals against crime online. The powers to obtain such evidence must to be subject to data protection and other safeguards. Proposals to move ahead are now available.
Offences against computer systems and data are increasing. They include the theft of hundreds of millions of users’ data, to computer intrusions and denial of service attacks against critical infrastructure, media, civil society or public institutions – including, at the end of November 2016, the European Commission.
But few of these offences are ever reported to criminal justice authorities. Of these, only a very small number of cases are successfully prosecuted. The same applies to offences by means of computers, from fraud and other types of financial crime, to online child abuse, xenophobia, racism and other forms of hate speech contributing to radicalisation and violent extremism.
Computer systems also host evidence in relation to crimes: ransom emails in cases of kidnapping or extortion, data on deals between drug traffickers, on corrupt arrangements, on the grooming of children, or data on terrorists conspiring to carry out an attack. However, many investigations are abandoned because of lack of access to such evidence.
Governments have an obligation to protect society and individuals against crime, but when it comes to cyberspace, their ability to meet this obligation remains limited. Progress has been made in Europe and other regions in terms of policies, legislation and criminal justice capacities. But this progress is often overtaken by the sheer scale of cybercrime, the number of devices, users and victims involved, and technical hurdles such as encryption or anonymisers.
Obtaining electronic evidence for use in criminal proceedings is essential for the rule of law. As I wrote for Europe’s World last year, “the ability of governments to ensure the rule of law in cyberspace will remain limited unless they can overcome impediments to accessing data and thus electronic evidence for criminal justice purposes. No data means no evidence, no justice and thus no rule of law.”
The challenges to securing electronic evidence are compounded by cloud computing. While data may be stored on, moving between or fragmented over servers in foreign, multiple or unknown jurisdictions – or hidden under multiple layers of service providers in various jurisdictions – the powers of criminal justice authorities are restricted to their specific territory.
So we need solutions allowing authorities to secure electronic evidence in the cloud.
The question of jurisdiction in cyberspace was a priority of the Dutch Presidency of the EU Council in the first half of 2016. It resulted in a set of Council conclusions in June 2016. The European Commission has been asked to submit concrete proposals by mid-2017.
At the Council of Europe in 2014 the parties to the Budapest Convention on Cybercrime – currently comprising 41 European states as well as Australia, Canada, Dominican Republic, Israel, Japan, Mauritius, Panama, Sri Lanka and USA – established a working group to identify “solutions on criminal justice access to evidence stored in the cloud and in foreign jurisdictions.”
The results are now available. In November 2016, the Cybercrime Convention Committee – representing the parties to this treaty – discussed the recommendations of its ‘Cloud Evidence Group’. They include the following:
- Parties should implement a set of practical measures to render mutual legal assistance more efficient – for example, through allocation of resources, streamlining of procedures or the establishment of emergency procedures. There are doubts that MLA is suitable to secure volatile electronic evidence. Nevertheless, it remains the most widely accepted means to obtain evidence from other jurisdictions while protecting the rights of individuals and the sovereignty of states.
- Domestic production orders to request subscriber information directly from service providers should apply not only to those providers with a seat in the territory of a criminal justice authority but also those based elsewhere who offer a service in that territory. The main difficulty is to determine when a service provider is sufficiently connected to a territory to bring the provider under the jurisdiction of the authorities of that territory. The rationale is that subscriber details are the information that is the most often sought in a criminal investigation. European authorities are already sending more than 100,000 requests a year directly to companies such as Apple, Google, Facebook, Microsoft, Twitter or Yahoo on an uncertain legal basis, raising data protection and other concerns.
- There should be more consistent implementation of Article 18 of the Convention, domestic rules on the production of subscriber information. Currently, rules vary greatly between parties to this treaty, including between members of the European Union.
- Greater practical measures are needed to facilitate cooperation between criminal justice authorities and service providers across borders. Examples include online tools with information on provider policies and procedural powers, standardised request forms and regular exchanges between the Cybercrime Convention Committee and major providers.
- Parties should negotiate a protocol to the Convention with additional options for more efficient mutual legal assistance and for cooperation with providers and with rules and limitations on cross-border access to data, data protection and other safeguards.
While these recommendations received broad support from the Cybercrime Convention Committee in its session last month, talks continue. With the European Union also addressing these issues, the Committee coordinates closely with the European Commission. It is expected that the Committee will make a final decision, including on the preparation of a protocol, by June 2017. The solutions aim to adapt the agreed framework of the Budapest Convention to meet the challenges of cloud computing.
In a fast-changing world, common solutions with clear rule-of-law safeguards are preferable to unilateral solutions – otherwise a jungle of diverse approaches presents risks for inter-state relations and the rights of individuals.
Alexander Seger is Executive Secretary of the Cybercrime Convention Committee, Council of Europe. He has been with the Council of Europe (Strasbourg, France) since 1999. He is currently the Head of Data Protection and Cybercrime Division and Secretary of the Committee of the Parties to the Budapest Convention on Cybercrime. Prior to October 2011, he headed the Economic Crime Division where he was responsible for the Council of Europe’s cooperation programmes against cybercrime, corruption and money laundering. From 1989 to 1998, he was with what is now the United Nations Office on Drugs and Crime in Vienna (Austria), Laos (Head of Office) and Pakistan (Assistant Director of the Regional Office for Afghanistan, Iran and Pakistan) and a consultant for German Technical Cooperation (GTZ) in drug control matters. Alexander Seger is from Germany and holds a PhD in political science, law and social anthropology after studies in Heidelberg, Bordeaux and Bonn.
This article first appeared in December 2016 in the Friends of Europe’s think tank, Europe’s World: the only independent Europe-wide policy journal. Since its launch over 10 years ago, Europe’s World has established itself as the premier platform for new thinking on political, economic and social issues. Its 100,000 readers – drawn from politics, business, the media, academia, think tanks and NGOs – are a powerful and influential audience who value Europe’s World for its thought-provoking articles, Europe-wide outlook and lack of national or political bias.
To date, over 1,500 of today’s most respected thinkers and influential leaders have contributed articles firmly strengthening Europe’s World’s reputation as the leading forum for ground-breaking ideas, and proving beyond doubt that great minds don’t think alike.