This project has received funding from the European Union's Seventh Framework Programme for research, technological development and demonstration under
Legal Notice: The views expressed in the course of this research are the sole responsibility of the author and do not necessarily reflect the views of the European Commission.

A brief outline of the EVIDENCE project

About EVIDENCE
- Project co-ordinator: Institute of Legal Information Theory and Techniques of the National Research Council (CNR-ITTIG)
- Funded by the FP7 programme
- EU funding: 1,924,589.00
- Project duration: 30 months, 01/03/2014 to 31/08/2016
- 9 project partners involved

Scope
- Legal proceedings rely on the production of evidence
- Electronic data may be easier to manipulate than traditional data
- Legislation on criminal procedures in many European countries was enacted before current technologies appeared
- Lack of harmonisation throughout Europe
- Criteria for collection, use, exchange and admissibility are different and partly uncertain across the European Union

Methodology
- Analysis of status quo
- Analysis of impact and testing: review the legal, ethical and societal implications of the desired options, test selected approaches (case studies)
- Finding a way forward: create a Road Map and guidelines that would enable the setup of a Common European Framework for the regulation and standardisation of electronic evidence gathering and exchange

The EVIDENCE impact
- Offer a forum for stakeholders, bring together experts:
  - Governments, law enforcement agencies
  - Judges and magistrates, prosecutors and lawyers
  - Experts in digital forensics
  - Companies dealing with security issues
  - Research and academia
  - Media and civil society
- Final goal: the EVIDENCE road map
- Positively influence the (legal) handling of digital evidence

A short overview on general issues related to electronic/digital evidence

What is electronic evidence?
- Lack of legal definition in most (all?) member states
- Possible definition: Any information of potential or tangible probative value that is generated through, stored on or transmitted by any electronic device.
- Is this too broad?
  - If evidence is only transmitted electronically (e.g. fax), does this include the same increased risk of (intentional or unintentional) alteration as for evidence collected/stored electronically?
  - Should the scope be limited to digital (as opposed to electronic) evidence?
  - Non-digital electronic evidence (e.g. VHS video) may rather be similar to conventional evidence in terms of risks

Lacking legal framework (I)
- Rule of law requires a legal basis for any measure impacting fundamental rights
- Such a legal basis is required to provide for
  - the precise conditions under which a measure can be taken, e.g.
    - only to investigate serious crimes
    - only if other, less intrusive measures appear to be less effective
  - the safeguards to be taken, e.g.
    - judicial warrant
    - approval of head of authority, or even superior ministry
    - clearly defined proceedings, incl. rules to guarantee originality
  - the limitations, e.g.
    - certain special departments and specially trained officers
    - limited period of time of the measure (e.g. interception)
- to guarantee proportionality of the measure

Lacking legal framework (II)
- Lack of particular provisions serving as legal basis leads to
  - fallback to general clauses
    - Missing particular and appropriate safeguards
  - or to legal bases stemming from the age of physical evidence
    - Existing safeguards may be insufficient or inefficient to grant the protection needed to counter the risks stemming from the digital nature of particular evidence

Rule of Law - Proportionality
- What may be proportionate for averting a grave danger (Gefahrenabwehr) may not be proportionate for criminal investigations (or only under stricter pre-conditions)
  - E.g. § 20k BKAG, but is this the same all over Europe? (questionable)
- SIS often hold the most powerful legal competences to access data of targets
  - Can such data later be used as digital evidence in criminal proceedings?
  - In Germany forbidden by law! (Proportionality!)
  - But in other countries?

Some examples for particular issues related to electronic/digital evidence

Unclear Jurisdiction in Cross-Border Scenarios
- Example: cloud services
  - Suspect may access the cloud from anywhere in the world
  - The data may be stored anywhere in the world
  - Competence of German authorities, if the German suspect uploads data out of the Philippines through an Indian cloud provider to a data center in Brazil?

Lawful Interception on a Terminal Device (Quellen-TKÜ)
- Lawful interception on a terminal device means the practice of monitoring the communication directly on the suspect's device (avoiding encryption of data in transfer, e.g. on Skype)
- Issues:
  - General regulation for lawful interception in § 100a StPO applicable and providing for sufficient safeguards?
  - Does § 20l I BKAG not systematically imply that already for averting dangers such a measure requires high safeguards? Should this not apply all the more for measures taken for criminal investigations?
  - How about the rest of Europe?

Computer-Assisted Search
- Computer-assisted search means the practice of secretly getting access to data that is stored on a suspect's device.

Issues: Computer-Assisted Search
- Legal basis in Germany only for averting dangers by BKA (§ 20k BKAG)
- Situation across Europe?
- Can a fundamental right to Integrity and Privacy of IT-Systems be recognised on a European level (or in other member states)?
- Implications for statutory law!

Issues: Seizure of Data
- Can data be seized in a technical sense, as it is not physical?
- Are the existing provisions really sufficient?
- Is seizure of a computer really comparable to seizure of e.g. a knife used to commit a crime?
  - Seizing a knife means a minor impact on the fundamental right to property (only)
  - Seizing a computer will most likely have an impact on the fundamental rights to privacy and (possibly) telecommunications privacy in addition!
  - Seizing a computer may have serious economic and other consequences

Data retention
- Are member states free to establish (unharmonized) rules for data retention (as before the directive went into force in 2006)?
- Possible counter argument: 2002/58/EC will need to be interpreted in line with the ECJ ruling, which may prevent any form of data retention
- However, not all member states may follow this approach...

Thank you!
Thank you for your kind attention!
stoklas@iri.uni-hannover.de