Members of the Italian parliament have advanced a proposal for regulating government hacking activities, including the use of hacking tools, such as Trojans and other software designed to extract data from internet-connected devices. Released in February, the proposed regulations are out for public comment, and Access Now has submitted feedback to help lawmakers improve the provisions that impact human rights, referring to our 2016 guidance paper: A Human Rights Response to Government Hacking.
Access Now does not condone government hacking, and in fact has called for a presumptive global ban on this activity. However, when governments nevertheless engage in these practices, we support the development of strong legal frameworks to provide absolutely critical and necessary safeguards for users, including protections for digital security and fundamental human rights.
In our analysis of the draft law before the Italian parliament, we identified several elements that will serve to protect human rights. The legislation has provisions to:
Limit hacking operations
The proposal includes a number of provisions that impose use limitations to ensure that hacking operations are engaged in only for specific purposes, with a set time frame (for which judicial approval is required). Specifically, the draft states that all operations must be undertaken with respect for human dignity and privacy, and that hacking must be used only as a final resort. Moreover, the draft prohibits contractors from using government hacking tools, and requires that tools are removed after a hacking operation has ended.
Maintain integrity of data acquired
The legislation includes provisions to maintain the integrity, authenticity, and immutability of the information that is acquired and the devices that are impacted through hacking operations. To accomplish this, the proposal calls for an agency to approve hacking tools and to evaluate the processes for using them, to ensure they are properly uninstalled and will not degrade the security of impacted devices. Furthermore, the proposal states that any information acquired in violation of set standards cannot be used and must be purged, and adds additional requirements to ensure that the evidence gathered during an operation has not been tampered with.
Preserve “digital domicile” and keep important distinctions under the law
We commend Italy’s constitutional right to the inviolability of the “digital domicile,” and the distinctions that are made between traditional searches and those conducted through hacking; they are different, and as such, should be treated differently. We also applaud the prohibition in the proposed legislation against adding or modifying data on a device that has been impacted in a hacking operation.
However, we also have several recommendations to improve the protections for human rights. The government should:
Include additional limits on hacking operations
The draft legislation has admirable provisions to limit the use of hacking tools, but there are some areas that need improvement. The legislation should place limits on access to the data that are collected and the scope of data retained, as well as defining how long the information is retained, so that it is not stored in perpetuity. Notably, we also encourage limiting the use of hacking to devices in Italy; otherwise, law enforcement should utilize the Mutual Legal Assistance Treaty (MLAT) process. Targeting people outside the country would not only undermine this process, but also undermine human rights protections.
Add provisions to increase transparency and oversight
Access Now recommends adding a number of transparency and oversight mechanisms to ensure best practices with regard to human rights. Among these are publishing an annual report that includes the number of users and devices impacted, the length of operations, unexpected consequences, and the number of times tools were either removed successfully or caused problems with the device or software impacted. We also recommend that the government publish a separate human rights impact assessment annually. Additionally, the government should submit a new application to a judicial authority for each device impacted.
Take care to educate the judiciary, and keep hacking operations in line with human rights obligations
We recommend that any judge selected to approve/reject applications for hacking operations be provided with the resources necessary to fully understand the scope of such operations. We further recommend that the proposal’s language on increased penalties for criminal abuse of hacking tools be clarified, as it could be interpreted to allow for over-broad prosecution. Finally, overall, we encourage lawmakers to keep the legislation in line with Italy’s human rights obligations, as well as within the general standards for data retention under the European Union’s legal framework.